Mailing List Archive

exploitable LinkedIn forwarder/whatever
Spotted a new exploited forwarder of some sort at LinkedIn -
full spample:
http://puffin.net/software/spam/samples/0041_linked_forward.txt
Except for the munged "To" and "From" email addresses, that's the
pristine network image.

It came From a known friend at "swbell", who normally sends thru
Yahoo, and has previously been cracked.

At first I assumed the URL was for an actual webpage, so I ran a
raw GET on it/this:
https://www.linkedin.com/slink?code=ecPnYgf?152=ofobakj&2643&pjrytop==45612858

and got a zero length document with these headers (cookie redacted):

HTTP/1.0 301 Moved Permanently
Server: Apache-Coyote/1.1
Location: http://www.shopinoklahomacity.com/redirect.aspx?url=http://icynybo.freedom007.top/free/dom/?gelaxo
Content-Length: 0
Vary: Accept-Encoding
Date: Tue, 17 May 2016 20:25:17 GMT
X-Li-Fabric: prod-lva1
Connection: keep-alive
X-Li-Pop: prod-ech2
X-LI-UUID: hNLOXbN0TxQQdMWE/SoAAA==

The redirect in the Location URL should have been a red flag to
any automated security scanner. :\

I re-ran it as a HEAD with a User-Agent that should have
screamed "spam", waited a couple hours, repeated, rinsed, stewed,
then decided to post here.

*** Does anyone have a contact at LinkedIn ops? ***

Sadly, LinkedIn follows the Google/Gmail model of failing to make
core functionality (like reporting spam) usable without
disabling/lowering one's browser security settings/shields. :(
- "Chip"
Re: exploitable LinkedIn forwarder/whatever
Chip M.:

> *** Does anyone have a contact at LinkedIn ops? ***

I informed LinkedIn and was asked to send the following response on
behalf of Franck Martin:

----
This email was not sent by Linkedin.
Linkedin uses several lists to ensure the redirection does not end up at a
known bad site. In all cases, please report it to abuse@linkedin.com (as
well as the major URL anti-phishing lists) and we will take the appropriate
actions.
----

Andreas
Re: exploitable LinkedIn forwarder/whatever
Thanks Andreas! :)

Wednesday am, after re-checking that the specific spam URL was
still forwarding to the spam payload destination, I emailed that
role account... and to my (VERY pleasant) shock, received an
auto-reply which did NOT direct me to an unusable web form
(i.e. the Google model of preventing reports).

Three hours later, I re-checked the original URL, and it no
longer was forwarding. :)

I don't know if they did anything to the actual forwarder, but
at least I know it's NOT a waste of time to send reports. :)

I will definitely submit directly, in future.


And now, the bad news:
1. The original destination was just the first hop in a
forwarding chain, with a total of six (6) hops. :(
That should have been trivially easy to detect, automatically.
The first Location feels rather brazen (i.e. an obvious redirect).
My gut feeling is that the spammer may have been testing
LinkedIn's defenses.

2. The original spam was submitted to SpamCop, which
printed (in red):
"ISP does not wish to receive reports regarding http://www.linkedin.com/slink - no date available"

As a precaution, I'm now outright killing "linkedin.com/slink".

I'm particularly annoyed at this forwarder, because LI has a
Shortener service. If the spammer had been restricted to
using a Shortener, my system would have caught it easily
(technically that spam was blocked, but just barely).

*** Question:
Are there any good public lists of, um, "weakly defended"
forwarders/redirectors?

One of the reasons I posted that spample is that it is an
excellent example of a terse spam exploiting only well known
services. This pattern recurs regularly, though always at
low volumes.

We educate our users to be cautious with unknown URLs, but I
wouldn't blame any non-techie who succumbed to the double-whammy
of a URL with a very familiar domain sent from the cracked account
of a bona fide friend. :(
- "Chip"
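The hop counting and "obvious redirect" detection Chip says should have been automatic, as an added example that is not part of the thread: it walks a redirect chain one hop at a time without auto-following, counts hops, and flags any Location that embeds another URL in its query string. The 301 from the quoted headers is reproduced as constructed offline data; the 302 and final 200 after it are assumed, since the thread shows only the first hop.

```python
# Added example, not code from the thread: walk a redirect chain one hop at a
# time (no auto-follow) so a mail filter can count hops and flag the
# open-redirect shape seen in the quoted LinkedIn 301 headers.
from urllib.parse import parse_qs, unquote, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}
MAX_HOPS = 6  # the thread's chain ran six hops; treat anything longer as abuse
# Entry point: the slink URL quoted in the thread.
SPAM_URL = "https://www.linkedin.com/slink?code=ecPnYgf?152=ofobakj&2643&pjrytop==45612858"

def embedded_url(location):
    """Query value that is itself an absolute URL (redirect.aspx?url=http://...), else None."""
    for values in parse_qs(urlsplit(location).query).values():
        for value in values:
            if unquote(value).lower().startswith(("http://", "https://")):
                return unquote(value)
    return None

def follow_chain(url, fetch, max_hops=MAX_HOPS):
    """fetch(url) -> (status, lower-cased headers). Returns (hops, findings)."""
    hops, findings = [url], []
    for _ in range(max_hops):
        status, headers = fetch(hops[-1])
        if status not in REDIRECT_CODES:
            break  # reached the final document
        location = headers.get("location")
        if not location:
            findings.append(f"hop {len(hops)}: {status} without Location")
            break
        if embedded_url(location):
            findings.append(f"hop {len(hops)}: open-redirect style target {location}")
        if urlsplit(location).netloc != urlsplit(hops[-1]).netloc:
            findings.append(f"hop {len(hops)}: leaves {urlsplit(hops[-1]).netloc}")
        if location in hops:
            findings.append(f"hop {len(hops)}: redirect loop")
            break
        hops.append(location)
    else:
        findings.append(f"chain still redirecting after {max_hops} hops")
    return hops, findings

# Constructed offline responses: hop 1 mirrors the 301 quoted in the thread;
# the 302 and final 200 are assumed, since the thread shows only the first hop.
HOP2 = "http://www.shopinoklahomacity.com/redirect.aspx?url=http://icynybo.freedom007.top/free/dom/?gelaxo"
HOP3 = "http://icynybo.freedom007.top/free/dom/?gelaxo"
SAMPLE_RESPONSES = {SPAM_URL: (301, {"location": HOP2, "content-length": "0"}),
                    HOP2: (302, {"location": HOP3}), HOP3: (200, {})}

def fetch_sample(url):  # stand-in for a real HEAD request, answered from the canned data
    return SAMPLE_RESPONSES.get(url, (404, {}))
```

To run it against live mail, replace fetch_sample with a HEAD request that does not follow redirects and returns the status and lower-cased headers; the hop cap keeps a malicious chain from dragging the filter along indefinitely.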