OT: spamming tech question
Benjamin Scott
dragonhawk at iname.com
Sun Apr 10 19:29:00 EDT 2005
On Sun, 10 Apr 2005, Michael ODonnell wrote:
> Lately I've been getting SPAM with URLs laid out like this:
>
> (note the ampersands in the hostname portions of these URLs)
>
> http://yZyvb&bllZvotZw%2eZr%2esoftpyp%2einfo/in.php?aid=11&bZpaZtx
Googling for "spam ampersand url" found this:
http://permalink.gmane.org/gmane.mail.spam.spamassassin.general/65134
It would appear that a popular anti-spam tool which scans for URLs known to
be used by spammers is confused by the presence of the ampersands.
I expect that the spammers are taking advantage of the fact that some
fraction of current implementations (DNS, mail agents, browsers, etc.) will
not choke on the ampersands. Or not; the fact that something doesn't work
doesn't usually stop a spammer.
> Is my browser expected to interpret them?
Bill McGonigle answered that question; apparently not. Of course, what the
spec says should be done, and what is actually done, are two entirely
different things, most times.
> Or are they passed unmodified to my DNS lookup code where they have special
> meaning?
If they *are* passed to a DNS resolver, one of two things might happen:
One, the resolver might impose Internet syntax rules on the domain name, and
reject the name as invalid. Internet host names can contain only
alphanumerics (letters and digits) and the dash (-), and must start and end
with an alphanumeric. Thus, an ampersand is an invalid character in an
Internet host name.
Two, the DNS resolver might not care about Internet name requirements, and
pass the name along as per normal. The ampersand would then have no more or
less significance than any other character.
> Or do they get passed all the way to the spammer's DNS where only they know
> what they mean?
They may well have some special significance to the spammer, or they could
just be using them because they foul up URIDNSBL. I suspect the latter; why
complicate matters when they've already got you tracked seven ways from
Sunday?
FWIW, as a DNS query is not guaranteed to hit the authoritative nameserver
every time, spammers are more likely looking at the "Host:" header your
HTTP/1.0-compliant User Agent is sending to their web server when you request
the resource.
--
Ben <dragonhawk at iname.com>
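As an added illustration, not part of the thread, of the host name rule Ben describes (letters, digits and dashes only, starting and ending with an alphanumeric), the following Python applies that rule label by label to the URL quoted above, before and after percent-decoding the "%2e" sequences; the `raw_host`, `invalid_labels` and `analyze_url` helpers are my own names, not from any real tool.

```python
import re
from urllib.parse import unquote

# One label of an Internet host name, per the rule in the reply above:
# only letters, digits and '-', starting and ending with a letter or digit.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")
_AUTHORITY = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://([^/?#]*)")


def raw_host(url: str) -> str:
    """Return the host portion of an absolute URL exactly as written.

    Deliberately not urllib.parse: we want the text a mail scanner sees,
    with '&' and '%xx' left in place; only user:pass@ and :port are removed.
    """
    m = _AUTHORITY.match(url)
    if not m:
        raise ValueError("not an absolute URL: %r" % url)
    authority = m.group(1).rsplit("@", 1)[-1]  # drop userinfo
    return authority.split(":", 1)[0]          # drop port


def invalid_labels(host: str) -> list:
    """Labels of host that break the host name syntax (empty list if clean)."""
    return [lab for lab in host.split(".") if not _LABEL.match(lab)]


def analyze_url(url: str) -> dict:
    """Summarize whether a URL's host would survive a strict resolver.

    'decoded' shows what %2e-style encoding hides (here the real domain);
    'decoded_invalid' lists labels a syntax-checking resolver would reject.
    """
    host = raw_host(url)
    decoded = unquote(host).lower()
    return {
        "raw": host,
        "decoded": decoded,
        "raw_invalid": invalid_labels(host),
        "decoded_invalid": invalid_labels(decoded),
        "suspicious": host != decoded or bool(invalid_labels(decoded)),
    }


if __name__ == "__main__":
    # The URL quoted in the thread, plus a constructed clean control URL.
    for u in ("http://yZyvb&bllZvotZw%2eZr%2esoftpyp%2einfo/in.php?aid=11&bZpaZtx",
              "http://www.example.com/index.html"):
        r = analyze_url(u)
        print("suspicious=%s decoded=%s invalid=%s"
              % (r["suspicious"], r["decoded"], r["decoded_invalid"]))
```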