obfuscated URLs

Martin Hepworth martinh at SOLID-STATE-LOGIC.COM
Thu May 27 09:13:08 IST 2004


Hi

There are some rules on rulesemporium.com that handle this stuff, and the
surbl.org RBLs do so as well.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300


hermit921 wrote:
> We are getting a lot of emails that look like this (slightly changed to
> protect the victims):
>
> ==================================
> If the message will not displayed automatically, follow the link to read
> the delivered message.
>
> Received message is available at:
> www.mydomain.com/inbox/recipient.name/read.php?sessionid-24885
> ==================================
>
> When I put my cursor over the URL, it shows something like this:
>
> cid:013401Mfdab4$3r3dL7780$73383912 at 57W81ff70Re
>
> I paste it into a URL de-obfuscator and it shows an IP address of 127.0.0.1
> and a name and password.
>
> I think what it is trying to do is deliver a virus to a local file and use
> the Microsoft cid function to execute it when the user clicks on the
> link.  Meanwhile MailScanner has usually stripped out the virus.  I hope.
>
> I was asked to find a way to either have the URL show the real link instead
> of showing the recipients name and domain, or to inactivate these URLs.  I
> don't think either one is feasible, but I thought I would ask more
> knowledgeable people.
>
> Thanks,
> hermit921
>
> -------------------------- MailScanner list ----------------------
> To leave, send    leave mailscanner    to jiscmail at jiscmail.ac.uk
> Before posting, please see the Most Asked Questions at
> http://www.mailscanner.biz/maq/     and the archives at
> http://www.jiscmail.ac.uk/lists/mailscanner.html
>
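
The request in the quoted message, to show the real target behind a link whose visible text displays the recipient's name and domain, can be approached by comparing each anchor's visible text with its href. The Python below is an added example, not code from this thread, MailScanner, rulesemporium.com or surbl.org; the function name, the cid value and the example.* / 192.0.2.10 hosts are constructed, and the host-mismatch check goes beyond the cid: case described above.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Visible text that itself looks like a web address (optional scheme, dotted host).
URLISH = re.compile(r"^\s*(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:[/:?#]\S*)?\s*$", re.I)

class _Anchors(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href.strip(), "".join(self._text).strip()))
            self._href = None

def find_deceptive_links(html_body):
    """Return (shown_text, href, reason) for anchors whose text poses as a URL
    but whose href points somewhere else."""
    parser = _Anchors()
    parser.feed(html_body)
    parser.close()
    findings = []
    for href, text in parser.links:
        shown = URLISH.match(text)
        if not shown:
            continue  # text such as "click here" makes no claim about the target
        target = urlsplit(href)
        scheme = target.scheme.lower()
        if scheme not in ("http", "https"):
            findings.append((text, href, "non-web scheme: " + (scheme or "none")))
        elif (target.hostname or "") != shown.group(1).lower():
            findings.append((text, href, "host differs: " + (target.hostname or "")))
    return findings

# Constructed sample body: the cid value and the example.* hosts are made up.
SAMPLE = """<p>Received message is available at:
<a href="cid:constructed-part-id@example.invalid">www.mydomain.com/inbox/recipient.name/read.php?sessionid-24885</a></p>
<p><a href="http://192.0.2.10/read.php">www.example.com/read.php</a>
<a href="http://www.example.org/maq/">http://www.example.org/maq/</a></p>"""

if __name__ == "__main__":
    for finding in find_deceptive_links(SAMPLE):
        print(finding)
```

A filter could use the returned reason to rewrite the visible text to the real href or to strip the anchor before delivery.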


