anomy-list

Re: Re: html links to executables

From: Alexey Lobanov (123797@xyz.molar.is)
Date: Sun 25 Apr 2004 - 16:10:43 GMT


    Hello all.

    Bjarni R. Einarsson wrote:

    > Also, this sort of sanitization WILL cause problems with legitimate web
    > sites. Some sites, including some pretty big and respectable companies, use
    > the .exe ending on their server-side CGI scripts. Also, there's no reason
    > the scam mails have to use .exe in their URLs - they could simply point to a
    > generic URL - even one ending in .html or .gif - which would then redirect
    > the browser to a .exe download.
    >
    > For this reason defanging like this isn't enabled by default, it's not
    > likely to work well and will break legitimate URLs. However, if the scam
    > mails are using simple, easy to block URLs, then it may be worth the effort
    > to try anyway... I haven't much experience with these messages, so I'd be
    > interested in hearing people's opinions on this.
    >
    > Anyone?

    An important technique in modern scam mails is complex, obfuscated URLs. Asterisk, @,
    the recent "0x01 bug" in MSIE, backslash, etc.

    http://ads.msn.com/ads/adredir.asp?image=/ads/IMGSFS/eceu22kqjgep72ll8.gif&url=http://www.%75swh%6Fl%65s%61l%65g%6F%6Fd.%69nf%6F%2F%78/?AFF%5FID=%78ssv547avg

    http://rd.yahoo.com/M=870714.9122867.6211631.4658908/D=yahoo_top/S=8626944:LCC/A=9620582/R=0/*http://www.homeloanace.com/?partid=jrr

    Seems to be quite easy to detect and kill? Legitimate URLs shouldn't have all
    this shit.

    Alexey
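
Added example, not part of the original message and not Anomy code: a Python sketch of the detection idea discussed in this thread, flagging the obfuscation traits named above (needlessly percent-encoded letters, "@" in the authority, control characters such as 0x01, backslashes, a second URL embedded in the first). The flag names and the example.com / 192.0.2.7 samples are constructed for illustration; the other two samples are the URLs quoted in the message.

```python
import re
from urllib.parse import urlsplit, unquote

# RFC 3986 "unreserved" characters never need percent-encoding.
UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")

def obfuscation_flags(url):
    """Return the set of obfuscation heuristics that a URL trips."""
    flags = set()
    escapes = re.findall(r"%([0-9A-Fa-f]{2})", url)
    # Letters/digits written as %XX: encoding that serves no purpose but hiding.
    if any(chr(int(h, 16)) in UNRESERVED for h in escapes):
        flags.add("encoded-alnum")
    # Control characters, raw or escaped (the "0x01" case).
    if any(int(h, 16) < 0x20 for h in escapes) or any(ord(c) < 0x20 for c in url):
        flags.add("control-char")
    decoded = unquote(url)
    if "\\" in decoded:
        flags.add("backslash")
    # "@" in the authority part: the text before it is userinfo, not the host.
    if "@" in urlsplit(url).netloc:
        flags.add("userinfo-at")
    # A second absolute URL inside the first one ("*http://", "url=http://").
    if len(re.findall(r"https?://", decoded, flags=re.I)) > 1:
        flags.add("embedded-url")
    return flags

SAMPLES = {
    # Quoted in the message above.
    "msn": "http://ads.msn.com/ads/adredir.asp?image=/ads/IMGSFS/eceu22kqjgep72ll8.gif"
           "&url=http://www.%75swh%6Fl%65s%61l%65g%6F%6Fd.%69nf%6F%2F%78/?AFF%5FID=%78ssv547avg",
    "yahoo": "http://rd.yahoo.com/M=870714.9122867.6211631.4658908/D=yahoo_top/"
             "S=8626944:LCC/A=9620582/R=0/*http://www.homeloanace.com/?partid=jrr",
    # Constructed samples.
    "userinfo": "http://www.example.com%01@192.0.2.7/login.html",
    "backslash": "http://www.example.com\\path",
    "legit_cgi": "http://www.example.com/cgi-bin/order.exe?item=a%20b",
}

if __name__ == "__main__":
    for name, url in SAMPLES.items():
        print(name, sorted(obfuscation_flags(url)) or "clean")
```

The constructed `legit_cgi` sample, a server-side `.exe` script of the kind Bjarni mentions, trips none of these checks, while any legitimate link that passes through a redirector will trip `embedded-url`.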


