May 12th, 2004

Is your web site an open relay?

As if there isn’t enough to worry about. Everyone knows about the dangers of open SMTP relays. But how many people realize the dangers of an open HTTP relay? Many web sites do arbitrary redirection. If I were a spammer, I could create a link to myself that redirects through some well-known web sites, thereby granting my spam link false authenticity. http://rds.yahoo.com/*-http://weblogs.asp.net/oldnewthing/
http://ads.msn.com/ads/adredir.asp?url=/oldnewthing/

With some obfuscatory work, I can make my own URL disappear completely, leaving just yours.

http://rds.yahoo.com/*-http://%77e%62l%6fg%73.%61s%70.%6ee%74/%6fl%64n%65w%74h%69n%67/
http://ads.msn.com/ads/adredir.asp?url=http://%77e%62l%6fg%73.%61s%70.%6ee%74/%6fl%64n%65w%74h%69n%67/

What does this mean for you, the redirector?

  • It creates additional load on your server.
  • It makes Bayesian filters think that your site is spam, since your site’s name appears in spam URLs. This can cause problems if you intend to send legitimate mail to your customers.
  • It can fool people into thinking that your site is the source of the spam.

The two examples I gave above are the big guys who are being attacked by spammers on all sides. In fact, their names are co-opted by spammers so much that some spam redirection URLs probably don’t affect their Bayesian rating significantly. But if you’re a small site that also has unchecked redirection, you may want to take a closer look.

Topics
Other

Author

Raymond has been involved in the evolution of Windows for more than 30 years. In 2003, he began a Web site known as The Old New Thing which has grown in popularity far beyond his wildest imagination, a development which still gives him the heebie-jeebies. The Web site spawned a book, coincidentally also titled The Old New Thing (Addison Wesley 2007). He occasionally appears on the Windows Dev Docs Twitter account to tell stories which convey no useful information.

0 comments

Discussion are closed.