Which is quite easy to do, is done frequently via .htaccess, and doesn't
work in 99.9% of these cases because they're being served off of the
fake webserver, not linked directly from the real one.
I have seen several where the images are fetched from the "official" server,
though it'd be trivial to serve up copies from a fake server, and it's
probably not worth the overhead of pattern matching given the larger number
of images typically served, and the relatively low effectiveness.
I always used to track these down and forward them to the appropriate
fraud/abuse mailboxes, but it never seemed to do any good, and I got
zero feedback, so I don't bother any more. I just tell everybody I know
that they should never believe this stuff (no matter how authentic looking),
and hope that increased savvy/skepticism will help mitigate the damage.
This much your browser would have to decode to do a DNS lookup, and I've
never seen a browser show it encoded. Whether or not it sends it encoded
in the referer, I can't speak with any authority, but I highly doubt it
does. As for anything after the servername and/or port #, I realize it
does send that encoded. I apologize for not making myself clear at
first.
According to my tests (Apache server, IE 5.0.x on Win2K, and Safari 1.0 on MacOSX 10.2.8), it does strip out username:password@, but leaves the %xx escapes in place in the server name for the referrer. They must decode it to do the DNS lookup, but neither appears to rewrite the URL.
The only Hotmail exploits I've seen have had to do with a username as an argument at the end of a URL. For instance http://www.hotmail.com/cgi-bin/login?lang=EN&country=US&login=user1
True, those are fundamentally different exploits, and I stand semi-corrected. I could have sworn I had seen this, but I was probably thinking of form arguments.
-- Mitch
_______________________________________________ vox-tech mailing list [EMAIL PROTECTED] http://lists.lugod.org/mailman/listinfo/vox-tech
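As an added illustration (not part of the thread above), this Python function models the browser behaviour the poster describes: it strips the user:password@ portion, percent-decodes the host name as the browser must before the DNS lookup, and reports what would survive into the Referer (encoded host, no userinfo). The sample URL and all domain names are constructed placeholders.

```python
from urllib.parse import urlsplit, unquote

# Constructed sample of the obfuscation discussed in the thread: a fake
# "userinfo" part that looks like the real site, followed by a %xx-encoded
# real host.  Every name here is a placeholder, not a real site.
SAMPLE_URL = "http://www.bank.example:session%3D1@%77%77%77.badsite.example:8080/login?acct=1"


def analyze_url(url):
    """Split a URL the way a browser does and flag obfuscation tricks.

    Returns the userinfo (if any), the host the browser will actually resolve,
    the port, whether the host was %xx-encoded, and the Referer value that
    would be sent (userinfo stripped, %xx escapes left in place).
    IPv6 bracket literals are not handled; the thread does not involve them.
    """
    parts = urlsplit(url)
    netloc = parts.netloc
    userinfo = None
    hostport = netloc
    if "@" in netloc:
        # Everything before the last '@' is userinfo, never part of the host.
        userinfo, hostport = netloc.rsplit("@", 1)
    host_enc, _, port = hostport.partition(":")
    # The browser must percent-decode the host before it can do a DNS lookup.
    dns_host = unquote(host_enc).lower()
    host_was_encoded = dns_host != host_enc.lower()
    # Per the poster's tests, the Referer keeps the encoded host but drops userinfo.
    referer = f"{parts.scheme}://{hostport}{parts.path or '/'}"
    if parts.query:
        referer += "?" + parts.query
    return {
        "userinfo": userinfo,
        "dns_host": dns_host,
        "port": int(port) if port else None,
        "host_was_encoded": host_was_encoded,
        "referer": referer,
        "suspicious": userinfo is not None or host_was_encoded,
    }


if __name__ == "__main__":
    for key, value in analyze_url(SAMPLE_URL).items():
        print(f"{key}: {value}")
```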
