Sometimes I just want to open a malicious url in the browser
or wget a file. Then I just c/p the part after hxxp:// and it
works fine. I don't have to manually replace spaces in the url or
run a script over the mails to get the real links. The only
use of obfuscating the urls is to prevent search engines from
picking them up and protect people who click on any link they see.
Sure we could rot13, add spaces or xor/base64 the links, but that
just makes it harder to use them and does not give you more 'protection'.
And without heavy obfuscation the search engines will still pick it
up as text and people searching for info on the host or url will find
the post to the list.
If your mail client converts everything that looks like a hostname
to a http url and you don't want to accidentally click on a link,
use a different client.

nick..


David Harley wrote:
> Well, if it's really a problem, the spaces don't have to be random, but it
> shouldn't be difficult in most scripting languages to strip spaces in a
> string that shouldn't contain any spaces.
> 
> --
> David Harley BA CISSP FBCS CITP
> Director of Malware Intelligence
> ESET LLC
>  
> 
>> -----Original Message-----
>> From: freed0 [mailto:[EMAIL PROTECTED] 
>> Sent: 29 August 2008 17:52
>> To: [EMAIL PROTECTED]
>> Cc: botnets@whitestar.linuxbox.org
>> Subject: Re: [botnets] [URL formats]
>>
>> Spaces suck because they are never in the same place and then 
>> you cannot really easily automate the import process into 
>> whatever system you may have that would work on it.  I think 
>> that the "hxxp[x]" solution is an easy and fine one that is 
>> easy for everyone to use.
>>
>> Using any other type of obfuscation is just silly.  We are 
>> all supposed to be professionals here.  By doing any form of 
>> rot13 or otherwise would prevent a quick eye-ball of the 
>> information to see if there was anything interesting.  You 
>> would have to use an external process.  That would eliminate 
>> those that just want to look for the one or two interesting items.
>>
>>
>> Richard
>>
>> David Harley wrote:
>>> I tend to use hxxp[s]:// -and- some random spaces. Substituting for 
>>> the xx's and stripping the spaces isn't usually going to be a problem
>>> for scripting.
>>> --
>>> David Harley BA CISSP FBCS CITP
>>> Director of Malware Intelligence
>>> ESET LLC
>>>
>>>
>>>  
>>>
>>>
>>> I think it's better to add some SPACEs in the URL, kind of break it,
>>> since Gmail will convert it to clickable URL if only substitute http
>>> to hxxp.
>>>
>>>
>>>
>>>
>>> ------------------------------------------------------------------------
>>>
>>> _______________________________________________
>>> botnets@, the public's dumping ground for maliciousness
>>> All list and server information are public and available to law
>>> enforcement upon request.
>>> http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
> 


-- 
Niklas Schiffler
Shadowserver Botnet Division
http://www.shadowserver.org
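
Added example, not part of the original thread or any poster's code: a Python sketch of the two conventions discussed above, showing that hxxp-only links can be pulled straight out of running text while space-broken links can only be restored when a line is known to contain nothing but the URL. Function names and the sample text are assumptions made for illustration.

```python
import re

# Matches a defanged scheme: hxxp:// or hxxps:// (case-insensitive).
_SCHEME = re.compile(r"^hxxp(s?)://", re.IGNORECASE)
# A defanged URL embedded in running text ends at the first whitespace.
_TOKEN = re.compile(r"\bhxxps?://\S+", re.IGNORECASE)


def defang(url: str) -> str:
    """Turn http(s):// into hxxp(s):// so mail clients do not linkify it."""
    return re.sub(r"^http(s?)://", r"hxxp\1://", url, flags=re.IGNORECASE)


def refang(token: str) -> str:
    """Restore a single hxxp(s):// token that contains no whitespace."""
    return _SCHEME.sub(r"http\1://", token)


def refang_spaced_line(line: str) -> str:
    """Restore a URL that was broken up with spaces.

    Only correct under the assumption that the line holds the URL and
    nothing else, because every whitespace character is removed.
    """
    return refang("".join(line.split()))


def extract_urls(text: str) -> list[str]:
    """Pull every hxxp(s):// token out of free text and refang it."""
    return [refang(m.group(0).rstrip(".,;)>")) for m in _TOKEN.finditer(text)]


# Constructed sample report text; example.test is a reserved test domain.
SAMPLE = (
    "C&C seen at hxxp://bot.example.test/gate.php, dropper at\n"
    "hxxps://dl.example.test/a.exe and a spaced one: hxxp://sp aced.example.test/x.bin\n"
)

if __name__ == "__main__":
    for url in extract_urls(SAMPLE):
        print(url)  # the spaced URL comes out truncated at the first space
    print(refang_spaced_line("hxxp://sp aced.example. test/x.bin"))
```

The third URL in the sample is cut off at the inserted space, which is the automation problem raised in the quoted messages; restoring it needs the one-URL-per-line assumption that `refang_spaced_line` makes.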
