On 2004-04-23, 17:40:00 (-0300), Claudemir Todo Bom wrote:
> There is an enormous quantity of scam-mail, coming with html links to
> .exe files, the great majority of them are bank account password
> stealers, and I know some cases where bank accounts have been wiped
> because of this. Some of these emails came under a mask of web virtual
> postcards, and a lot of users are being caught by this trick.
>
> Is there a way to sanitize links that match these criteria: <a
> href="http://some.site/stealer.exe"> in a way that the link becomes
> invalid?

I haven't looked at the code recently, but if I recall it would only require
a very minor change to the tables in HTMLCleaner.pm to implement this, and
it may in fact already be implemented in the cleaner's "paranoid" mode. The
obvious strategy is to simply tell the cleaner to defang URLs ending in
".exe".

Unfortunately, there's no way to tell from the URL alone whether fetching it
will actually cause the browser to download an executable or whether it will
simply invoke a CGI which will send html, text or an image.

Also, this sort of sanitization WILL cause problems with legitimate web
sites. Some sites, including some pretty big and respectable companies, use
the .exe ending on their server-side CGI scripts. Also, there's no reason
the scam mails have to use .exe in their URLs - they could simply point to a
generic URL - even one ending in .html or .gif - which would then redirect
the browser to a .exe download.

For this reason defanging like this isn't enabled by default; it's not
likely to work well and will break legitimate URLs. However, if the scam
mails are using simple, easy to block URLs, then it may be worth the effort
to try anyway... I haven't much experience with these messages, so I'd be
interested in hearing people's opinions on this.

Anyone?

-- Bjarni Rúnar Einarsson 123670@xyz.molar.is http://bre.klaki.net/ PGP: 02764305, B7A3AB89
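
The suffix rule discussed in this message, as an added example that is not part of the thread and is not the sanitizer's HTMLCleaner.pm code: a stand-alone Python sketch that defangs quoted `href` values whose path ends in `.exe`, run over constructed links to show both the false positive (a CGI script named `.exe`) and the link it cannot catch (a generic `.html` URL). The `DEFANGED:` marker, the function names and every sample URL except `http://some.site/stealer.exe` are assumptions made for the example.

```python
import html
import re
from urllib.parse import unquote, urlsplit

# Quoted href attributes only; unquoted values are not handled here.
HREF_RE = re.compile(r'(href\s*=\s*)(["\'])(.*?)\2', re.IGNORECASE | re.DOTALL)
MARKER = "DEFANGED:"  # hypothetical marker chosen for this example


def path_ends_in_exe(url):
    """True if the URL path ends in .exe after entity and percent decoding."""
    try:
        path = urlsplit(html.unescape(url).strip()).path
    except ValueError:
        return True  # assumption: treat unparseable URLs as suspect
    # Query string and fragment are ignored; only the path suffix is checked.
    return unquote(path).lower().endswith(".exe")


def defang_exe_links(body):
    """Return (rewritten_body, list_of_defanged_urls)."""
    hits = []

    def rewrite(m):
        prefix, quote, url = m.groups()
        if not path_ends_in_exe(url):
            return m.group(0)  # leave other links untouched
        hits.append(url)
        return f"{prefix}{quote}{MARKER}{url}{quote}"

    return HREF_RE.sub(rewrite, body), hits


# Constructed sample; only the first URL appears in the thread.
SAMPLE = (
    '<a href="http://some.site/stealer.exe">Your postcard</a>\n'
    # Legitimate server-side CGI named .exe: defanged anyway (false positive).
    '<a href="http://shop.example/cgi-bin/order.exe?item=42">Order status</a>\n'
    # Generic URL that could redirect to a download: the rule cannot see it.
    '<a href="http://cards.example/view.html">View card</a>\n'
    # Same suffix written percent-encoded: caught because the path is decoded.
    '<a href="http://some.site/stealer.%65xe">Postcard</a>\n'
)

if __name__ == "__main__":
    cleaned, hits = defang_exe_links(SAMPLE)
    print(cleaned)
    print("defanged:", hits)
```
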