Hi,
There are several ways to mask URLs, see here for details: http://www.pc-help.org/obscure.htm
Below are RegEx rules for Ruleminator to detect each of these. I recommend they be installed by default, in combination with "distrusted_sender".
# dword
http://[\d]{10,10}/[\S]+/
# octal
http://(0+[0-9]{3,3}\.){3,3}0+[0-9]{3,3}/
# @ in url
http://[\S]+@[\S]+/
# Hex
http://[\S]*0x[\S]+/
# ip address
http://([\d]{1,3}\.){3,3}[\d]{1,3}/[\S]+
# very long url's (tracking links)
http://([\S]){60}
Lance
Logged In: YES
user_id=1271859
Originator: YES
Actually, we don't want the trailing slash on any of those RegEx rules, so for those that end in slash, just delete that last slash.
Lance
Logged In: YES
user_id=1217053
Originator: NO
Thanks for the input. We'll think about it. How many messages have you received with such URLs?
Logged In: YES
user_id=1271859
Originator: YES
Some spammers use them, many phishers use them. The "@ in URL" is particularly evil because a phisher can use a link that lists the real domain name followed by the phishing link in a hard to read format like this fake link for the paypal.com payment service:
http://paypal.com@207.46.197.32/
I see IP address links (http://344.56.234.34/) in spam at least weekly; got 2 today.
I think I've only seen dword (http://9547238651/) once (ever); I think many http servers have fixed that security hole.
The "very long url's (tracking links)" will cause problems for some users, but personally I hate link tracking mail, it's an invasion of privacy.
Logged In: YES
user_id=1217053
Originator: NO
I knew that these cloaking mechanisms were used in spam emails, but personally never received any.
dword, octal, and hex really seem to be evil, I wouldn't mind putting them on the "default spam list" of the Ruleminator. The IP addresses are probably not that bad, I often see them for "internal" use in a company or elsewhere. @-signs in URLs, well, yes, can't think of any nice URLs that include them. But "tracking links" again are rather useful also for valid emails, e.g., the SourceForge-links from the forum are usually > 80 characters (such as https://sourceforge.net/tracker/?func=detail&atid=814317&aid=1828365&group_id=136033).
So we are going to put the dword, octal, hex, and @-URLs into a new rule. Thanks for the suggestion!
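
The rules posted above, run against the URLs quoted in this thread plus a few constructed ones, as an added example that is not part of the original thread or Ruleminator's own code. It assumes Python's `re` syntax behaves like the rule engine's for these patterns, applies the follow-up's "no trailing slash" correction, and uses rule labels invented here.

```python
import re

# Rules as posted in the thread, trailing slash dropped as the follow-up asks.
# The dictionary keys are labels chosen for this example.
RULES = {
    "dword": r"http://[\d]{10,10}/[\S]+",
    "octal": r"http://(0+[0-9]{3,3}\.){3,3}0+[0-9]{3,3}",
    "at":    r"http://[\S]+@[\S]+",
    "hex":   r"http://[\S]*0x[\S]+",
    "ip":    r"http://([\d]{1,3}\.){3,3}[\d]{1,3}/[\S]+",
    "long":  r"http://([\S]){60}",
}
COMPILED = {name: re.compile(rx) for name, rx in RULES.items()}

# The four rules the maintainer agrees to put into the new default rule.
DEFAULT_RULES = {"dword", "octal", "at", "hex"}


def matched_rules(text):
    """Return the set of rule labels whose pattern occurs anywhere in text."""
    return {name for name, rx in COMPILED.items() if rx.search(text)}


def is_default_hit(text):
    """True if any of the four default rules fires on text."""
    return bool(matched_rules(text) & DEFAULT_RULES)


SAMPLES = [
    # URLs quoted in the thread
    "http://paypal.com@207.46.197.32/",
    "http://344.56.234.34/",
    "http://9547238651/",
    "https://sourceforge.net/tracker/?func=detail&atid=814317&aid=1828365&group_id=136033",
    # Constructed for this example
    "http://9547238651/login",
    "http://0300.0250.0001.0001/",
    "http://0xC0.0xA8.0x01.0x01/",
    "http://192.168.1.10/wiki/Home",
]

if __name__ == "__main__":
    for url in SAMPLES:
        hits = sorted(matched_rules(url))
        print(f"{'DEFAULT' if is_default_hit(url) else '-':8}{url[:50]:52}{hits}")
```

As written, the patterns require `http://` and, for the dword and IP rules, a path after the host, so the bare `http://9547238651/` and `http://344.56.234.34/` examples and the `https://` SourceForge link fire none of them.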