#42 [RULE] Cloaked URL's

open
nobody
None
9
2007-11-11
2007-11-08
No

Hi,

There are several ways to mask URLs, see here for details: http://www.pc-help.org/obscure.htm

Below are RegEx rules for Ruleminator to detect each of these. I recommend they be installed by default, in combination with "distrusted_sender".

# dword
http://[\d]{10,10}/[\S]+/

# octal
http://(0+[0-9]{3,3}\.){3,3}0+[0-9]{3,3}/

# @ in url
http://[\S]+@[\S]+/

# Hex
http://[\S]*0x[\S]+/

# ip address
http://([\d]{1,3}\.){3,3}[\d]{1,3}/[\S]+

# very long url's (tracking links)
http://([\S]){60}

Lance
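The six patterns above, as an added example written for this page (not the ticket's rules verbatim and not Ruleminator code): each rule is anchored to the start of a URL, drops the trailing slash the author later says to remove, and is paired with a decoder that turns a dword, octal or hex host into its dotted-quad form so a hit can be checked against the real destination. It goes slightly beyond the ticket in restricting octal octets to the digits 0-7; the sample URLs in the tests are constructed or taken from this thread.

```python
import re
import ipaddress

# Added example, not code from the ticket or the Ruleminator project.
# The ticket's six cloaking patterns, anchored, trailing slash dropped,
# octal octets limited to 0-7, and a port/path/query allowed after the host.
CLOAK_RULES = {
    "dword": r"^https?://\d{10}(?:[/?#:]|$)",
    "octal": r"^https?://(?:0+[0-7]{1,3}\.){3}0+[0-7]{1,3}(?:[/?#:]|$)",
    "at_in_url": r"^https?://[^/?#]*@",
    "hex": r"^https?://[^/?#]*0x[0-9a-f]",
    "ip_literal": r"^https?://(?:\d{1,3}\.){3}\d{1,3}(?:[/?#:]|$)",
    "very_long": r"^https?://\S{60,}",
}

# Host part of a URL, skipping any "user@" prefix (the paypal.com@ trick).
HOST_RE = re.compile(r"^https?://(?:[^/?#@]*@)?([^/?#:]+)", re.I)


def classify(url):
    """Names of every cloaking rule the URL triggers (empty for a plain URL)."""
    return [name for name, rx in CLOAK_RULES.items() if re.search(rx, url, re.I)]


def _octet(part):
    """Parse one dotted component written in hex, octal or decimal."""
    if re.fullmatch(r"0x[0-9a-f]+", part, re.I):
        return int(part, 16)
    if re.fullmatch(r"0[0-7]+", part):
        return int(part, 8)
    if re.fullmatch(r"\d+", part):
        return int(part)
    raise ValueError(part)


def decode_host(url):
    """Dotted-quad for a numeric host (dword, hex, octal, dotted), or None when
    the host is a name or the number is not a valid IPv4 address."""
    m = HOST_RE.match(url)
    if not m:
        return None
    host = m.group(1)
    try:
        if re.fullmatch(r"\d+", host):  # dword: IPv4Address rejects > 2**32-1
            return str(ipaddress.IPv4Address(int(host)))
        if re.fullmatch(r"0x[0-9a-f]+", host, re.I):  # whole host in hex
            return str(ipaddress.IPv4Address(int(host, 16)))
        octets = [_octet(p) for p in host.split(".")]
        if len(octets) != 4 or any(o > 255 for o in octets):
            return None
        return ".".join(map(str, octets))
    except ValueError:  # non-numeric component or out-of-range value
        return None
```

Note that the thread's own illustrative links (http://9547238651/ and http://344.56.234.34/) trigger a rule but decode to None, because the values are outside the IPv4 range.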

Discussion

  • Lance W. Haverkamp

    Logged In: YES
    user_id=1271859
    Originator: YES

    Actually, we don't want the trailing slash on any of those RegEx rules, so for those that end in slash, just delete that last slash.

    Lance

  • Keno Albrecht

    Keno Albrecht - 2007-11-08

    Logged In: YES
    user_id=1217053
    Originator: NO

Thanks for the input. We'll think about it. How many messages have you received with such URLs?

  • Lance W. Haverkamp

    Logged In: YES
    user_id=1271859
    Originator: YES

    Some spammers use them, many phishers use them. The "@ in URL" is particularly evil because a phisher can use a link that lists the real domain name followed by the phishing link in a hard to read format like this fake link for the paypal.com payment service:

    http://paypal.com@207.46.197.32/

    I see IP address links (http://344.56.234.34/) in spam at least weekly; got 2 today.

    I think I've only seen dword (http://9547238651/) once (ever); I think many http servers have fixed that security hole.

    The "very long url's (tracking links)" will cause problems for some users, but personally I hate link tracking mail, it's an invasion of privacy.

  • Keno Albrecht

    Keno Albrecht - 2007-11-11

    Logged In: YES
    user_id=1217053
    Originator: NO

    I knew that these cloaking mechanisms were used in spam emails, but personally never received any.

    dword, octal, and hex really seem to be evil; I wouldn't mind putting them on the "default spam list" of the Ruleminator. The IP addresses are probably not that bad, I often see them for "internal" use in a company or elsewhere. @-signs in URLs, well, yes, I can't think of any nice URLs that include them. But "tracking links" again are rather useful also for valid emails, e.g., the SourceForge links from the forum are usually > 80 characters (such as https://sourceforge.net/tracker/?func=detail&atid=814317&aid=1828365&group_id=136033).

    So we are going to put the dword, octal, hex, and @-URLs into a new rule. Thanks for the suggestion!

  • Keno Albrecht

    Keno Albrecht - 2007-11-11
    • priority: 5 --> 9
