Bug 3888 - URIBL open redirector checking misses http-equiv "Refresh"
Status: RESOLVED WONTFIX
Alias: None
Product: Spamassassin
Classification: Unclassified
Component: Plugins
Version: 3.0.0
Hardware: Other Linux
Importance: P5 normal
Target Milestone: Future
Assignee: SpamAssassin Developer Mailing List
Reported: 2004-10-09 07:42 UTC by Nick Leverton
Modified: 2005-06-07 09:36 UTC

Attachment Type Modified Status Actions Submitter/CLA Status
The spam text/plain None Nick Leverton [NoCLA]
the page from Geocities text/plain None Nick Leverton [NoCLA]

Description Nick Leverton 2004-10-09 07:42:37 UTC
Received a spam this morning, using Geocities sites redirecting with Meta 
http-equiv=Refresh to the spamsite. I'll attach the spam and the current 
contents of the site. I can see the request for the Geocities URL, and the 
response coming back, so the open redirect check is happening - it just misses 
this way of doing it.
Comment 1 Nick Leverton 2004-10-09 07:44:24 UTC
Created attachment 2433
The spam
Comment 2 Nick Leverton 2004-10-09 07:45:03 UTC
Created attachment 2434
the page from Geocities
Comment 3 Jeff Chan 2004-10-09 07:49:19 UTC
Be sure to report these to the redirection sites.  I'm sure Yahoo doesn't
particularly want to have their services used to redirect spam traffic.
Comment 4 Bob Menschel 2005-04-11 21:57:33 UTC
Setting milestone to Future, since this is something that'll take a bit of
thinking and discussion before implementing.  First thought is that this plugin
should run after all RBL plugins. If there are multiple unflagged (and not
whitelisted) URI, different pages, then don't do this test. If there is only one
unflagged (and not whitelisted) page, then do an http query on that page, and
determine whether it contains a redirector. If so, score it. 
Comment 5 Theo Van Dinter 2005-06-07 11:58:13 UTC
I don't think there's really anything we can do about this without SA becoming
a web browser, which we don't want.
Comment 6 Justin Mason 2005-06-07 14:06:28 UTC
yeah, agreed
Comment 7 Sidney Markowitz 2005-06-07 17:36:14 UTC
I may be beating a dead horse, but just to make it clear to anyone who finds
this while searching for similar things in the future:

The only way to detect this is to use the URL to fetch the page from the browser
to see if it has a refresh header.

That would let spammers insert web bugs which SpamAssassin would obligingly
trigger, i.e., URLs of the form
http://example.com/your_email_address_encoded_here...

That would also let spammers cause SpamAssassin to waste arbitrary amounts of
time and bandwidth following URLs they hide in spam.

We already have a way of detecting "bad" URLs without following them. If you
report your confirmed spam to SpamCop, the URLs in the spam end up in a database
that is one of the sources for some of the URIDNSBL blacklists that SpamAssassin
can use. If a URL can't be handled that way, then c'est la vie.

And that's why any proposal that requires following a URL should be a WONTFIX.
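
Added example, not part of the original thread and not SpamAssassin code: the check the report describes, applied to a page body that is already in hand, so it performs no network access. The function names, the sample page and the example hosts are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Refresh value: "<delay>[;|,][url=]<target>"; every part after the delay is optional.
_REFRESH = re.compile(r"\s*(\d*)(?:\.\d*)?\s*[;,]?\s*(?:url\s*=\s*)?(.*)", re.I | re.S)

def parse_refresh(content):
    """Split a Refresh value into (delay_seconds, target or None)."""
    delay, target = _REFRESH.match(content).groups()
    target = target.strip()
    if len(target) >= 2 and target[0] == target[-1] and target[0] in "'\"":
        target = target[1:-1].strip()      # content="0;url='http://...'"
    return (int(delay) if delay else 0), (target or None)

class RefreshFinder(HTMLParser):
    """Collects every <meta http-equiv="refresh"> in a document."""
    def __init__(self):
        super().__init__()
        self.refreshes = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)                    # html.parser lower-cases tag and attribute names
        if tag == "meta" and (a.get("http-equiv") or "").strip().lower() == "refresh":
            self.refreshes.append(parse_refresh(a.get("content") or ""))

def offsite_refresh(html, page_url):
    """Return (delay, absolute_target) for refreshes that leave page_url's host."""
    finder = RefreshFinder()
    finder.feed(html)
    finder.close()
    host = urlsplit(page_url).hostname
    hits = []
    for delay, target in finder.refreshes:
        if target is None:                 # bare delay: the page only reloads itself
            continue
        absolute = urljoin(page_url, target)
        if urlsplit(absolute).hostname != host:
            hits.append((delay, absolute))
    return hits

# Constructed sample page (not the attachment from this bug).
SAMPLE = """<html><head>
<META HTTP-EQUIV="Refresh" CONTENT="0; URL=http://spam.example/offer">
<meta http-equiv="refresh" content="30">
<meta http-equiv='refresh' content='5;url=/other/page.html'>
</head><body>moved</body></html>"""

if __name__ == "__main__":
    print(offsite_refresh(SAMPLE, "http://hosting.example/user/index.html"))
```

Only the first tag in the sample is reported: the second is a plain reload and the third stays on the same host.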