Linux Users' Group of Davis
LUGOD
 
Page last updated:
2003 Sep 26 17:15

The following is an archive of a post made to our vox-tech mailing list by one of its subscribers.

Re: [vox-tech] OT: one of the most pernicious spams i've ever seen.

On Thursday, Sep 25, 2003, at 21:53 US/Pacific, Rob Rogers wrote:
> Which is quite easy to do, is done frequently via .htaccess, and doesn't
> work in 99.9% of these cases because they're being served off of the
> fake webserver, not linked directly from the real one.
I have seen several where the images are fetched from the "official" server,
though it'd be trivial to serve up copies from a fake server, and it's
probably not worth the overhead of pattern matching given the larger number
of images typically served, and the relatively low effectiveness.

I always used to track these down and forward them to the appropriate
fraud/abuse mailboxes, but it never seemed to do any good, and I got
zero feedback, so I don't bother any more. I just tell everybody I know
that they should never believe this stuff (no matter how authentic looking),
and hope that increased savvy/skepticism will help mitigate the damage.

> This much your browser would have to decode to do a DNS lookup, and I've
> never seen a browser show it encoded. Whether or not it sends it encoded
> in the referer, I can't speak with any authority, but I highly doubt it
> does. As for anything after the servername and/or port #, I realize it
> does send that encoded. I apologize for not making myself clear at
> first.
According to my tests (Apache server, IE 5.0.x on Win2K, and Safari 1.0
on MacOSX 10.2.8), it does strip out username:password@, but leaves the
%xx escapes in place in the server name for the referrer.  They must
decode it to do the DNS lookup, but neither appears to rewrite the URL.

> The only Hotmail exploits I've seen have had to do with a username as
> an argument at the end of a URL, for instance
> http://www.hotmail.com/cgi-bin/login?lang=EN&country=US&login=user1
True, those are fundamentally different exploits, and I stand
semi-corrected.  I could have sworn I had seen this, but I was
probably thinking of form arguments.

  -- Mitch

_______________________________________________
vox-tech mailing list
vox-tech@lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox-tech
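As an added example that is not part of Mitch's or Rob's posts, the script below shows how a WHATWG-style URL parser (Node.js and current browsers) resolves a lure URL of the kind the thread describes: a trusted-looking host name placed in the userinfo part before the "@", and %xx escapes hiding the real server name. It also builds the Referer-style serialization (origin + path + query, with userinfo and fragment dropped) and reads the login name out of the query string, the third trick mentioned in the thread. The TRUSTED_HOSTS list, the host "lure.example" and both sample URLs are assumptions constructed for illustration.

```javascript
// Added example, not code from the vox-tech thread. Parses lure-style URLs
// with the standard WHATWG URL API and flags the tricks discussed above.
// The host names and sample URLs below are constructed for illustration.

// Assumption: the brands a lure is likely to imitate.
const TRUSTED_HOSTS = ["www.hotmail.com", "www.paypal.com"];

// Raw authority text between "scheme://" and the first "/", "?" or "#".
// Needed because url.hostname is already percent-decoded by the parser,
// so the %xx escapes can only be seen in the original string.
function rawAuthority(raw) {
  const m = /^[A-Za-z][A-Za-z0-9+.-]*:\/\/([^\/?#]*)/.exec(raw);
  return m ? m[1] : "";
}

function analyzeUrl(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch (e) {
    return { ok: false, reason: "unparseable" };
  }

  const authority = rawAuthority(raw);
  const at = authority.lastIndexOf("@");
  const rawHost = at >= 0 ? authority.slice(at + 1) : authority;

  // What a browser puts in the Referer header: origin + path + query,
  // with username:password@ and any fragment removed.
  const referer = url.origin + url.pathname + url.search;

  const decoyHost = url.username;                 // text before ":" or "@"
  const percentEscapedHost = /%[0-9A-Fa-f]{2}/.test(rawHost);
  const decoyLooksTrusted = TRUSTED_HOSTS.includes(decoyHost.toLowerCase());

  return {
    ok: true,
    realHost: url.hostname,                     // decoded name DNS is asked for
    decoyHost,
    percentEscapedHost,
    decoyLooksTrusted,
    referer,
    loginParam: url.searchParams.get("login"),  // user name carried in the query
    suspicious: decoyLooksTrusted || percentEscapedHost,
  };
}

// Constructed sample URLs: a lure ("%6c%75%72%65" is "lure") and the real login page.
const LURE = "http://www.hotmail.com:login@%6c%75%72%65.example/cgi-bin/login?lang=EN&country=US&login=user1";
const REAL = "http://www.hotmail.com/cgi-bin/login?lang=EN&country=US&login=user1";

function demo() {
  for (const u of [LURE, REAL]) {
    const r = analyzeUrl(u);
    console.log(u);
    console.log("  real host:", r.realHost, " decoy:", JSON.stringify(r.decoyHost),
                " suspicious:", r.suspicious);
    console.log("  Referer would be:", r.referer);
  }
}
demo();
```

Run it with `node` and compare the two lines: the lure resolves to lure.example while its Referer carries no trace of the "www.hotmail.com:login" decoy, which is the behaviour Mitch reports seeing; the parser, unlike the 2003 browsers he tested, also hands back the host already percent-decoded, so the check above has to look at the raw authority text to notice the escapes.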
