Is your web site an open relay?

Raymond Chen

Raymond

As if there isn’t enough to worry about. Everyone knows about the dangers of open SMTP relays. But how many people realize the dangers of an open HTTP relay? Many web sites do arbitrary redirection. If I were a spammer, I could create a link to myself that redirects through some well-known web sites, thereby granting my spam link false authenticity. http://rds.yahoo.com/*-http://weblogs.asp.net/oldnewthing/
http://ads.msn.com/ads/adredir.asp?url=/oldnewthing/

With some obfuscatory work, I can make my own URL disappear completely, leaving just yours.

http://rds.yahoo.com/*-http://%77e%62l%6fg%73.%61s%70.%6ee%74/%6fl%64n%65w%74h%69n%67/
http://ads.msn.com/ads/adredir.asp?url=http://%77e%62l%6fg%73.%61s%70.%6ee%74/%6fl%64n%65w%74h%69n%67/

What does this mean for you, the redirector?

  • It creates additional load on your server.
  • It makes Bayesian filters think that your site is spam, since your site’s name appears in spam URLs. This can cause problems if you intend to send legitimate mail to your customers.
  • It can fool people into thinking that your site is the source of the spam.

The two examples I gave above are the big guys who are being attacked by spammers on all sides. In fact, their names are co-opted by spammers so much that some spam redirection URLs probably don’t affect their Bayesian rating significantly. But if you’re a small site that also has unchecked redirection, you may want to take a closer look.

0 comments

Comments are closed. Login to edit/delete your existing comments