John D. Hardin wrote:
This wasn't detected as a redirector attack by 3.1.3, running
sa-update weekly:

{snippage}

<a target="_parent"
href="http://www.google.com/pagead/iclk?sa=l&ai=Br3ycNQz5Q-fXBJGSiQLU0eDSAueHkArnhtWZAu-FmQWgjlkQAxgFKAg4AEDKEUiFOVD-4r2f-P____8BoAGyqor_A8gBAZUCCapCCqkCxU7NLQH0sz4&num=5&adurl=http://1092229727:9999/https-www.paypal.com/webscrr/index.php";>Click
here to cancel your new email address</a>


Being a simple visible redirector, SA actually does detect it:

[7375] dbg: uri: cleaned html uri, http://1092229727:9999/https-www.paypal.com/webscrr/index.php
[7375] dbg: uri: html domain, google.com


The problem is that SA doesn't then go on to do checks on the IP 1092229727 (CPE-65-26-26-95.kc.res.rr.com [65.26.26.95]) like it would if it was in dotted-quad notation. Thus the hit on Sorbs' DUHL is avoided.

This is definitely a bug. Please open a bug report and attach a complete sample to the bug.

http://issues.apache.org/SpamAssassin/


Daryl
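
The gap described in this thread, as an added example (not SpamAssassin's code and not part of the original messages): a numeric host such as 1092229727 is normalised to dotted-quad form before any IP-based list lookup name is built. It goes beyond the single decimal case in the thread and also accepts the hex, octal and short forms that inet_aton-style parsers take; the function names, the zone "dnsbl.example" and the shortened "ai" value in the sample are assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample: the link from the thread with the long "ai" token replaced.
SAMPLE = ("http://www.google.com/pagead/iclk?sa=l&ai=PLACEHOLDER&num=5"
          "&adurl=http://1092229727:9999/https-www.paypal.com/webscrr/index.php")

def normalize_ipv4_host(host):
    """Return the dotted-quad form of a numeric IPv4 host, or None.

    Accepts 1 to 4 parts, each decimal, 0x-hex or 0-octal; the last part
    fills all remaining bytes (inet_aton-style)."""
    parts = host.rstrip(".").split(".")
    if not 1 <= len(parts) <= 4:
        return None
    nums = []
    for p in parts:
        if re.fullmatch(r"0[xX][0-9a-fA-F]+", p):
            nums.append(int(p, 16))
        elif re.fullmatch(r"0[0-7]*", p):
            nums.append(int(p, 8))
        elif re.fullmatch(r"[1-9][0-9]*", p):
            nums.append(int(p))
        else:
            return None  # a hostname, not a numeric address
    *head, tail = nums
    if any(n > 255 for n in head) or tail >= 256 ** (4 - len(head)):
        return None  # out of range for IPv4
    value = tail
    for i, n in enumerate(head):
        value |= n << (8 * (3 - i))
    return str(ipaddress.IPv4Address(value))

def redirect_targets(url):
    """Yield http(s) URLs carried in the query parameters of a redirector URL."""
    for values in parse_qs(urlsplit(url).query).values():
        for v in values:
            if v.lower().startswith(("http://", "https://")):
                yield v

def dnsbl_query_names(url, zone="dnsbl.example"):
    """Build reversed-octet lookup names for every numeric host in url,
    including hosts of embedded redirect targets. zone is a placeholder."""
    names = []
    for target in [url, *redirect_targets(url)]:
        ip = normalize_ipv4_host(urlsplit(target).hostname or "")
        if ip:
            names.append(".".join(reversed(ip.split("."))) + "." + zone)
    return names
```
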
