
An interesting bit of HTML from a spam
I found this little wonder in a bunch of spams I've been getting for the
last few days:

<a amzon-work to=http://" http://" http://" http://" http://" http://"
href="http:/mi.wey.vandalized655bccemetries.cleaning/<tracking
id>">unsubscribe here</a>

I have no idea if that actually works, since I'm not about to try it.

Loren



---
This email has been checked for viruses by AVG.
https://www.avg.com
Re: An interesting bit of HTML from a spam
On Sun, 12 Sep 2021, Loren Wilton wrote:

> I found this little wonder in a bunch of spams I've been getting for the last
> few days:
>
> <a amzon-work to=http://" http://" http://" http://" http://" http://"
> href="http:/mi.wey.vandalized655bccemetries -dot- cleaning/<tracking
> id>">unsubscribe here</a>
>
> I have no idea if that actually works, since I'm not about to try it.

The base hostname in that URL (I bowdlerized it in this message) is listed in a
couple different URIBLs.

SA 3.4.1 is able to spot/extract that name from the garbage and trigger URIBL
rules.
In debug mode for this message its 'URIDOMAINS' contains:
ARY:[oxsus-vadesecure.net,uiowa.edu,uiowa.edu,avg.com,vandalized655bccemetries.cleaning,oxsus-vadesecure.net]

SA 3.4.6 not so much. It doesn't seem to "see" that href/URL at all.
Its 'URIDOMAINS' contains: value: avg.com

So why is SA 3.4.6 much less sensitive about picking up hosts in URLs?



--
Dave Funk University of Iowa
<dbfunk (at) engineering.uiowa.edu> College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center, 103 S Capitol St.
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
Re: An interesting bit of HTML from a spam
On Sun, Sep 12, 2021 at 08:34:28PM -0500, Dave Funk wrote:
> On Sun, 12 Sep 2021, Loren Wilton wrote:
>
> > I found this little wonder in a bunch of spams I've been getting for the
> > last few days:
> >
> > <a amzon-work to=http://" http://" http://" http://" http://" http://"
> > href="http:/mi.wey.vandalized655bccemetries -dot- cleaning/<tracking
> > id>">unsubscribe here</a>
> >
> > I have no idea if that actually works, since I'm not about to try it.
>
> The base hostname in that URL (I bowdlerized it in this message) is listed
> in a couple different URIBLs.
>
> SA 3.4.1 is able to spot/extract that name from the garbage and trigger
> URIBL rules.
> In debug mode for this message its 'URIDOMAINS' contains: ARY:[...]
>
> SA 3.4.6 not so much. it doesn't seem to "see" that href/URL at all.
> Its 'URIDOMAINS' contains: value: avg.com
>
> So why is SA 3.4.6 much less sensitive about picking up hosts in URLs?

Because newer works more sensibly if you feed it crap?

As we don't have an original pastebin to test, we can simply assume to fake
it as a text/html message:

printf 'Content-Type: text/html\n\n<a amzon-work to=http://"
http://" http://" http://" http://" http://"
href="http:/mi.wey.vandalized655bccemetries -dot- cleaning/foo">
unsubscribe here</a>' | spamassassin -D -L 2>&1 | grep uri:

You will find it parses it fine. (replace -dot-)
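The two outcomes reported in this thread (one version pulls the listed host out of the garbage, the other sees nothing) can be reproduced with a strict versus a tolerant href extractor. This is an added Python illustration, not SpamAssassin's own Perl; it restores the bowdlerized " -dot- " to "." as suggested above, substitutes a placeholder for the tracking id, and trims the host to its last two labels as a simplification standing in for a public suffix list.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the malformed anchor quoted in the thread, with the
# bowdlerized " -dot- " restored and a placeholder for the tracking id.
SAMPLE_HTML = (
    '<a amzon-work to=http://" http://" http://" http://" http://" http://"\n'
    'href="http:/mi.wey.vandalized655bccemetries.cleaning/TRACKING-ID-PLACEHOLDER">'
    'unsubscribe here</a>'
)

# Strict: only accepts well-formed name="value" attributes ahead of href.
# The junk "amzon-work to=http://" ..." never matches, so href is never reached.
STRICT_HREF = re.compile(r'<a\s+(?:[\w-]+="[^"]*"\s+)*href="([^"]+)"', re.I)

# Tolerant: find href="..." anywhere inside the <a ...> tag, whatever precedes it.
TOLERANT_HREF = re.compile(r'<a\b[^>]*?\bhref\s*=\s*"([^"]+)"', re.I | re.S)


def hostname_from(uri):
    """Return the lower-cased host, normalising the 'http:/host' single-slash form."""
    uri = re.sub(r'^(https?:)/+', r'\1//', uri, flags=re.I)
    return (urlsplit(uri).hostname or '').lower()


def extract_hosts(html, pattern):
    """Hosts of every href the given pattern can see in the HTML."""
    return [hostname_from(u) for u in pattern.findall(html)]


def base_domain(host):
    """Simplified 'base hostname' (last two labels); real URIBL lookups use a
    public suffix list instead (assumption noted in the lead-in)."""
    return '.'.join(host.split('.')[-2:])


if __name__ == '__main__':
    for name, pat in (('strict', STRICT_HREF), ('tolerant', TOLERANT_HREF)):
        hosts = extract_hosts(SAMPLE_HTML, pat)
        print(name, hosts, [base_domain(h) for h in hosts])
```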