I ran across this in one of my unused filters folders. Some great Declude user (not me) posted it in August.
So the Google redirect has been abused for months.

STOPATFIRSTHIT

BODY 0 contains .google.com/url?q
BODY 0 contains .google.as/url?q
BODY 0 contains .google.com.ar/url?q
BODY 0 contains .google.com.au/url?q
BODY 0 contains .google.at/url?q
BODY 0 contains .google.az/url?q
BODY 0 contains .google.by/url?q
BODY 0 contains .google.be/url?q
BODY 0 contains .google.com.br/url?q
BODY 0 contains .google.vg/url?q
BODY 0 contains .google.bi/url?q
BODY 0 contains .google.ca/url?q
BODY 0 contains .google.td/url?q
BODY 0 contains .google.cl/url?q
BODY 0 contains .google.com.co/url?q
BODY 0 contains .google.co.cr/url?q
BODY 0 contains .google.ci/url?q
BODY 0 contains .google.com.cu/url?q
BODY 0 contains .google.cd/url?q
BODY 0 contains .google.dk/url?q
BODY 0 contains .google.dj/url?q
BODY 0 contains .google.com.do/url?q
BODY 0 contains .google.com.ec/url?q
BODY 0 contains .google.com.sv/url?q
BODY 0 contains .google.ee/url?q
BODY 0 contains .google.com.fj/url?q
BODY 0 contains .google.fi/url?q
BODY 0 contains .google.fr/url?q
BODY 0 contains .google.gm/url?q
BODY 0 contains .google.ge/url?q
BODY 0 contains .google.de/url?q
BODY 0 contains .google.com.gi/url?q
BODY 0 contains .google.com.gr/url?q
BODY 0 contains .google.gl/url?q
BODY 0 contains .google.gg/url?q
BODY 0 contains .google.hn/url?q
BODY 0 contains .google.com.hk/url?q
BODY 0 contains .google.co.hu/url?q
BODY 0 contains .google.co.in/url?q
BODY 0 contains .google.ie/url?q
BODY 0 contains .google.co.il/url?q
BODY 0 contains .google.it/url?q
BODY 0 contains .google.co.jp/url?q
BODY 0 contains .google.je/url?q
BODY 0 contains .google.kz/url?q
BODY 0 contains .google.lv/url?q
BODY 0 contains .google.co.ls/url?q
BODY 0 contains .google.com.ly/url?q
BODY 0 contains .google.li/url?q
BODY 0 contains .google.lt/url?q
BODY 0 contains .google.lu/url?q
BODY 0 contains .google.mw/url?q
BODY 0 contains .google.com.my/url?q
BODY 0 contains .google.com.mt/url?q
BODY 0 contains .google.mu/url?q
BODY 0 contains .google.com.mx/url?q
BODY 0 contains .google.fm/url?q
BODY 0 contains .google.ms/url?q
BODY 0 contains .google.com.na/url?q
BODY 0 contains .google.com.np/url?q
BODY 0 contains .google.nl/url?q
BODY 0 contains .google.co.nz/url?q
BODY 0 contains .google.com.ni/url?q
BODY 0 contains .google.com.nf/url?q
BODY 0 contains .google.com.pk/url?q
BODY 0 contains .google.com.pa/url?q
BODY 0 contains .google.com.py/url?q
BODY 0 contains .google.com.pe/url?q
BODY 0 contains .google.com.ph/url?q
BODY 0 contains .google.pn/url?q
BODY 0 contains .google.pl/url?q
BODY 0 contains .google.pt/url?q
BODY 0 contains .google.com.pr/url?q
BODY 0 contains .google.cg/url?q
BODY 0 contains .google.ro/url?q
BODY 0 contains .google.ru/url?q
BODY 0 contains .google.rw/url?q
BODY 0 contains .google.sh/url?q
BODY 0 contains .google.com.vc/url?q
BODY 0 contains .google.sm/url?q
BODY 0 contains .google.co.yu/url?q
BODY 0 contains .google.com.sg/url?q
BODY 0 contains .google.sk/url?q
BODY 0 contains .google.co.kr/url?q
BODY 0 contains .google.es/url?q
BODY 0 contains .google.se/url?q
BODY 0 contains .google.ch/url?q
BODY 0 contains .google.com.tw/url?q
BODY 0 contains .google.co.th/url?q
BODY 0 contains .google.tt/url?q
BODY 0 contains .google.com.tr/url?q
BODY 0 contains .google.com.ua/url?q
BODY 0 contains .google.ae/url?q
BODY 0 contains .google.co.uk/url?q
BODY 0 contains .google.com.uy/url?q
BODY 0 contains .google.uz/url?q
BODY 0 contains .google.co.ve/url?q
BODY 0 contains .google.com.vn/url?q

----- Original Message -----
From: "Harry Vanderzand" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Wednesday, November 09, 2005 4:05 PM
Subject: RE: [Declude.JunkMail] Cryptic URL in source


Certainly

Here is what you see in the e-mail

http://intown.net/HwSbgXkc9vYP4qssBQS0AK6bumsUuatFHAdxX6IZ8vk0

Here is what is in the source:

href="http://www.google.com/url?q=http://www.google.com/url?q=http://%73%54%
41%09Nd%09%7aA.n%09e%74/%63%67i-b%09%69n%09/%70%6fch/%72e%09di%72.%63g%69?s=
intown.net">http://intown.net/HwSbgXkc9vYP4qssBQS0AK6bumsUuatFHAdxX6IZ8vk0</
a>

Not that different from some of the phishing e-mails

This has got to be detectable and should be cause for immediate deletion.

Who has legitimate cause to hide their identity?

Harry Vanderzand
inTown Internet & Computer Services
11 Belmont Ave. W., Kitchener, ON,N2M 1L2
519-741-1222
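
Added example, not part of the original messages and not Declude code: a Python check for the pattern in the message above, which peels nested google.*/url?q= wrappers, undoes the percent-encoding and the %09 tabs, and compares the real destination host with the host shown to the reader. The function names and the reconstructed opening `<a ` are assumptions, and the host pattern generalises the per-country filter list to any google.<tld>.

```python
import re
from urllib.parse import unquote, urlsplit

# Any google.<tld>/url?q= wrapper (google.com, google.co.uk, google.com.ar, ...).
REDIRECT = re.compile(
    r"^https?://(?:[\w-]+\.)*google\.(?:com?\.)?[a-z]{2,3}/url\?q=(?P<target>[^&]+)",
    re.IGNORECASE)
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
CONTROL = re.compile(r"[\x00-\x20\x7f]")  # tabs, newlines, spaces, DEL
# Letters and digits never need escaping, so %41-style escapes only hide text.
ENCODED_ALNUM = re.compile(r"%(?:3\d|[46][1-9a-f]|[57][0-9a])", re.I)

# Link source quoted from the message above, mail line wraps joined; the
# opening "<a " is assumed, since only the href attribute was posted.
SAMPLE = (
    '<a href="http://www.google.com/url?q=http://www.google.com/url?q='
    'http://%73%54%41%09Nd%09%7aA.n%09e%74/%63%67i-b%09%69n%09/%70%6fch/'
    '%72e%09di%72.%63g%69?s=intown.net">'
    'http://intown.net/HwSbgXkc9vYP4qssBQS0AK6bumsUuatFHAdxX6IZ8vk0</a>')

def unwrap(url, max_hops=5):
    """Peel nested google.*/url?q= wrappers; return (hops, innermost URL)."""
    hops = 0
    while hops < max_hops and (m := REDIRECT.match(url)):
        url, hops = m.group("target"), hops + 1
    return hops, url

def inspect_link(href, visible_text):
    """Compare where a link really goes with what the reader is shown."""
    hops, target = unwrap(href.strip())
    decoded = unquote(target)            # %73%54%41 -> sTA
    clean = CONTROL.sub("", decoded)     # drop the %09 tabs splitting the name
    real = (urlsplit(clean).hostname or "").lower()
    shown = (urlsplit(visible_text.strip()).hostname or "").lower()
    return {
        "redirect_hops": hops,
        "encoded_alnum": bool(ENCODED_ALNUM.search(target)),
        "control_chars": bool(CONTROL.search(decoded)),  # includes whitespace
        "real_host": real,
        "shown_host": shown,
        "mismatch": bool(shown) and shown != real,
    }

def scan(html):
    """Return one finding per <a href="...">text</a> element in an HTML body."""
    return [inspect_link(h, t) for h, t in ANCHOR.findall(html)]

if __name__ == "__main__":
    print(scan(SAMPLE))
```

Any one signal alone can occur in legitimate mail; the combination of two redirect hops, escaped letters, embedded tabs and a host mismatch is what marks this link.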



-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher
Sent: Wednesday, November 09, 2005 4:40 PM
To: [email protected]
Subject: Re: [Declude.JunkMail] Cryptic URL in source

Do you have an example?

----- Original Message -----
From: "Harry Vanderzand" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Wednesday, November 09, 2005 10:18 AM
Subject: RE: [Declude.JunkMail] Cryptic URL in source


> Any ideas on this?
>>
>> When the URL is hidden with cryptic characters in the source
>> code of an e-mail it seems to me that it is obviously not a
>> legitimate e-mail in that deception is being used.
>>
>> Is there not an easy way to stop e-mail where these practises
>> are being used?
>>
>> I am running imail 8.21 and declude 3.05.18, the latest
>> sniffer and Invuribl
>>
>> Assistance is appreciated
>>
>> Thank you
>>
>> Harry Vanderzand
>> inTown Internet & Computer Services
>> 11 Belmont Ave. W., Kitchener, ON,N2M 1L2
>> 519-741-1222
>>
>>
>>
>>
>> ---
>> This E-mail came from the Declude.JunkMail mailing list.  To
>> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
>> type "unsubscribe Declude.JunkMail".  The archives can be found
>> at http://www.mail-archive.com.
>>
>>
>
>