[vox-tech] OT: one of the most pernicious spams i've ever seen.
Mitch Patenaude
vox-tech@lists.lugod.org
Fri, 26 Sep 2003 00:31:11 -0700
On Thursday, Sep 25, 2003, at 21:53 US/Pacific, Rob Rogers wrote:
> Which is quite easy to do, is done frequently via .htaccess, and
> doesn't work in 99.9% of these cases because they're being served off
> of the fake webserver, not linked directly from the real one.
I have seen several where the images are fetched from the "official"
server, though it'd be trivial to serve up copies from a fake server,
and it's probably not worth the overhead of pattern matching given the
larger number of images typically served, and the relatively low
effectiveness.
I always used to track these down and forward them to the appropriate
fraud/abuse mailboxes, but it never seemed to do any good, and I got
zero feedback, so I don't bother any more. I just tell everybody I know
that they should never believe this stuff (no matter how authentic
looking), and hope that increased savvy/skepticism will help mitigate
the damage.
> This much your browser would have to decode to do a DNS lookup, and
> I've never seen a browser show it encoded. Whether or not it sends it
> encoded in the referer, I can't speak with any authority, but I highly
> doubt it does. As for anything after the servername and/or port #, I
> realize it does send that encoded. I apologize for not making myself
> clear at first.
According to my tests (Apache server, IE 5.0.x on Win2K, and Safari 1.0
on MacOSX 10.2.8), it does strip out username:password@, but leaves the
%xx escapes in place in the server name for the referrer. They must
decode it to do the DNS lookup, but neither appears to rewrite the URL.
> The only Hotmail exploits I've seen have had to do with a username as
> an argument at the end of a URL. for instance
> http://www.hotmail.com/cgi-bin/login?lang=EN&country=US&login=user1
True, those are fundamentally different exploits, and I stand
semi-corrected. I could have sworn I had seen this, but I was
probably thinking of form arguments.
-- Mitch
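An added example (not part of this thread, and not code from either poster) that does the same normalization the browsers in Mitch's tests do before the DNS lookup: drop the username:password@ part, decode the %xx escapes in the server name, and fold case. Doing this on the defender's side, for instance on links pulled out of reported mail or on a Referer value before comparing it in a hotlink check, exposes the host a link actually resolves to. The sample links, the function names and the trusted-domain list are constructed for the example.

```python
"""Reveal the host a link really resolves to, the way a browser would.

Added illustration for the thread above; the sample URLs below are
constructed and do not come from any real message.
"""
from urllib.parse import urlsplit, unquote

# Constructed sample links: a genuine-looking one, two obfuscated ones,
# and one with plain userinfo (192.0.2.10 is a documentation address).
SAMPLE_LINKS = [
    "http://www.hotmail.com/cgi-bin/login?lang=EN&country=US",
    "http://www.hotmail.com@%77%77%77.example.net/login",
    "http://%77%77%77%2e%65%78%61%6d%70%6c%65%2e%6e%65%74/cgi-bin/login",
    "http://user:secret@192.0.2.10/",
]


def reveal_host(url):
    """Return (decoded_host, findings).

    decoded_host is what the browser hands to DNS: userinfo removed,
    %xx escapes decoded, lower-cased.  findings lists the obfuscation
    features seen, in a fixed order so callers can compare lists.
    """
    parts = urlsplit(url)
    findings = []
    # .hostname already drops userinfo and port and lower-cases, but it
    # leaves %xx escapes untouched, exactly like the Referer values Mitch saw.
    raw_host = parts.hostname or ""
    if parts.username is not None:
        findings.append("userinfo")
        if "." in parts.username:
            # A dotted "user name" is the classic trick of putting the
            # brand's host name in front of the @ sign.
            findings.append("userinfo-looks-like-host")
    if "%" in raw_host:
        findings.append("percent-encoded-host")
    host = unquote(raw_host).lower()
    return host, findings


def host_in(host, trusted_domains):
    """True if host is one of the trusted domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in trusted_domains)


def is_lure(url, trusted_domains):
    """True when a trusted brand name appears in the userinfo or path of a
    link whose real host is not under any trusted domain."""
    host, _ = reveal_host(url)
    if host_in(host, trusted_domains):
        return False
    parts = urlsplit(url)
    decoy = unquote((parts.username or "") + " " + parts.path).lower()
    return any(d in decoy for d in trusted_domains)


def referer_host(referer_value):
    """Normalize a Referer header value so an access-control check compares
    the decoded host rather than the %xx form the browser sent."""
    host, _ = reveal_host(referer_value)
    return host


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        host, findings = reveal_host(link)
        print(f"{link}\n  resolves to {host}  findings={findings}  "
              f"lure={is_lure(link, ['hotmail.com'])}")
```

The check is deliberately narrow: it only reports what the thread describes (userinfo in the authority part and percent-encoded server names) and does not try to judge page content, which, as Rob notes, is served from the fake server anyway.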