[vox-tech] OT: one of the most pernicious spams i've ever seen.

Larry Ozeran vox-tech@lists.lugod.org
Thu, 25 Sep 2003 12:26:09 -0700 

Hi all -

This is really interesting and really concerning. I would like to take
selected parts of the discussion (for brevity and clarity) and send it to
my local paper. Please indicate (offline is fine) if you would prefer to be
named or kept anonymous.

If you do not want your comments included, or you want to see what I plan
to send to the paper before I send it, please note that. I would prefer
"opt-in", but if I don't hear anything negative for 3 days, I'll assume
it's OK. If there is a preponderance of interest in seeing my summary, I'll
post it back to this thread.

Thanks,

- Larry

At 02:23 PM 9/25/03 -0400, you wrote:
>On Thu, Sep 25, 2003 at 11:04:54AM -0700, Michael J Wenk wrote:
>> On Thu, Sep 25, 2003 at 10:23:11AM -0700, Mitch Patenaude wrote:
>> > On Thu, Sep 25, 2003 at 06:30:32AM -0700, p@dirac.org wrote:
>> > >http:// 
>> > >www.citibank.com:ac=VybznNffNxknAUxPrfE2jYaQUptJ@a3ksd.PiSeM.NeT/3/ 
>> > >?IYTEw
>> > >4eVTtbH1w6CpDrT
>> > 
>> > Maybe a way for places like Citibank, Paypal and other fraud prone sites
>> > to help prevent this would be to check the referer, and if it's a  
>> > strangely
>> > formed url that looks like it might be fraudulent (uses username, lots  
>> > of
>> > encoded characters, etc), put up a fraud warning instead of the main  
>> > page.
>> > 
>> > What do you guys think?
>> 
>> My only question/concern would be... What controls the referrer?  Is it
>> mutable?  If so, its just another layer for a cracker to hit.  I guess
>> for every layer added, some lazy crackers stop doing it is probably a
>> good enough reason... 
>
>The referrer is controlled by the browser (and is definitely not
>required). It was brought up at a LUGOD meeting a while back (the Don
>Marti DMCA meeting) that doing a 302 redirect (page has temporarily
>moved) was one way of avoiding sending a referer. I don't know if that
>was specific to any certain browser, but it wouldn't be hard to test for
>anyone who is running a webserver.
>
>I see a couple other problems with this idea too. First, this is the
>first phishing scheme I've seen that loaded the actual homepage. Most
>just steal their logos. Secondly, I'm almost potitive that your browser
>wouldn't send encoded characters in the referer. Your browser would have
>already decoded them, and it would send them unencoded. As for
>usernames, I don't think your browser would EVER send that as part of
>the referer. That would be a MAJOR security flaw.
>_______________________________________________
>vox-tech mailing list
>vox-tech@lists.lugod.org
>http://lists.lugod.org/mailman/listinfo/vox-tech
>
>