Is your web site an open relay?


As if there isn't enough to worry about.

Everyone knows about the dangers of open SMTP relays. But how many people realize the dangers of an open HTTP relay?

Many web sites do arbitrary redirection. If I were a spammer, I could create a link to myself that redirects through some well-known web sites, thereby granting my spam link false authenticity.

http://rds.yahoo.com/*-http://weblogs.asp.net/oldnewthing/
http://ads.msn.com/ads/adredir.asp?url=/oldnewthing/

With some obfuscatory work, I can make my own URL disappear completely, leaving just yours.

http://rds.yahoo.com/*-http://%77e%62l%6fg%73.%61s%70.%6ee%74/%6fl%64n%65w%74h%69n%67/
http://ads.msn.com/ads/adredir.asp?url=http://%77e%62l%6fg%73.%61s%70.%6ee%74/%6fl%64n%65w%74h%69n%67/

What does this mean for you, the redirector?

  • It creates additional load on your server.
  • It makes Bayesian filters think that your site is spam, since your site's name appears in spam URLs. This can cause problems if you intend to send legitimate mail to your customers.
  • It can fool people into thinking that your site is the source of the spam.

The two examples I gave above are the big guys who are being attacked by spammers on all sides. In fact, their names are co-opted by spammers so much that some spam redirection URLs probably don't affect their Bayesian rating significantly. But if you're a small site that also has unchecked redirection, you may want to take a closer look.
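To see what a redirector is really handing out, here is an added example (not code from the original post) that pulls the embedded target out of redirector URLs of the two shapes shown above, percent-decodes it until it stops changing, and reports whether the target leaves the redirecting host. The request list is constructed; the `/*-` path form and the `url=` query parameter are taken from the examples above, and the double-encoded entry is an assumption about how such links are stacked, not something the post shows.

```python
# Added example, not code from the original post: audit redirector URLs and
# recover the destination they will actually send a visitor to.
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample requests modelled on the two redirectors named in the post.
SAMPLE_REQUESTS = [
    "http://rds.yahoo.com/*-http://weblogs.asp.net/oldnewthing/",
    "http://rds.yahoo.com/*-http://%77e%62l%6fg%73.%61s%70.%6ee%74/%6fl%64n%65w%74h%69n%67/",
    "http://ads.msn.com/ads/adredir.asp?url=/oldnewthing/",
    "http://ads.msn.com/ads/adredir.asp?url=http://%77e%62l%6fg%73.%61s%70.%6ee%74/%6fl%64n%65w%74h%69n%67/",
    # constructed: target percent-encoded twice, so one decode pass is not enough
    "http://ads.msn.com/ads/adredir.asp?url=http%253A%252F%252Fexample.net%252F",
]
PATH_MARKER = "/*-"      # rds.yahoo.com style: target follows "*-" in the path
QUERY_PARAM = "url"      # adredir.asp style: target is a query parameter


def fully_unquote(s, limit=5):
    """Percent-decode until the string stops changing (bounded, so a
    pathological input cannot keep us looping)."""
    for _ in range(limit):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def extract_target(url):
    """Return the redirect target embedded in a redirector URL, or None if
    the URL carries no target in either of the two shapes handled here."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)          # parse_qs already decodes once
    if QUERY_PARAM in query:
        return fully_unquote(query[QUERY_PARAM][0])
    if PATH_MARKER in parts.path:
        return fully_unquote(parts.path.split(PATH_MARKER, 1)[1])
    return None


def classify(url):
    """Return (decoded_target, verdict) where verdict is one of:
    'none'     - no redirect target present
    'relative' - path-only target, stays on the redirecting host
    'local'    - absolute target on the same host
    'offsite'  - absolute target on another host (the open-relay case)"""
    target = extract_target(url)
    if target is None:
        return None, "none"
    tparts = urlsplit(target)
    if not tparts.scheme and not tparts.netloc:
        return target, "relative"
    if tparts.hostname == urlsplit(url).hostname:
        return target, "local"
    return target, "offsite"


def audit(urls):
    """Return the (url, decoded_target) pairs that relay off-site, i.e. the
    requests that make this server vouch for someone else's link."""
    return [(url, classify(url)[0]) for url in urls if classify(url)[1] == "offsite"]


if __name__ == "__main__":
    for url, target in audit(SAMPLE_REQUESTS):
        print(f"relays off-site: {url}\n    -> {target}")
```

Run over a server log, the `offsite` verdicts are the requests worth counting: they are the load, the spam-filter exposure and the reputation problem in one list.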

Comments (20)
  1. Henk Devos says:

    This seems like a good place to report the problems i had with internet connection sharing.

    I turned this on on Windows 2000, and because of that i had an open SMTP relay. Of course very soon spammers found and used it.

    I have until today not found any way to disable the open relay without turning the internet connection sharing off completely. Which is the solution i have chosen.

  2. Chetan says:

    SpamAssassin gives a high spammy score to a mail with a Yahoo redirect URI. None of the non-spam mails have a Yahoo redirection (almost).

    <http://www.google.co.in/search?q=YAHOO_REDIR+inurl%3Arules>

  3. Doug says:

    Yet another feature that webservers have that shouldn’t be there in the first place.

    I’m sure someone, somewhere, can come up with some legitimate sounding reason/excuse of why a webserver would want to support redirection. But I can’t think of any reason why it should be turned on by default.

    Click tracking for search engines. Click tracking for Ads.

    The advertising model for the web creates such stupid problems.

  4. Henk,

    how about configuring the smtp relay in the smtp servers properties (which can be found in the iis admin console?)

    works just fine. :)

    WM_CHEERS

    thomas woelfer

  5. Marc Wallace says:

    If you really want to obfuscate your URL, use hex, octal, or binary encodings, rather than just URL-encoding the letters. Binary looks really cool. ;-)

    Another great one is the ‘@’ trick:

    http://www.wallace.net@weblogs.asp.net/oldnewthing/archive/2004/05/12/130454.aspx#FeedBack

    If you extend the URL part way way out (400 characters), the user may not be able to see it, even if the URL is tooltipped or in the status bar)

    This link has lots of fun tricks:

    http://www.searchlores.org/obscure.htm

    (the rest of the site is amazing as well)

  6. Henk Devos says:

    Thomas:

    are you sure it works?

    I had disabled SMTP completely, but still had an open SMTP relay.

    Reminds me of a company where i used to work, where we had a proxy server installed.

    There was a whole load of hackers (mostly from Pakistan) using our server for spoofing.

    They were using the socks proxy.

    The permissions on the proxy were set correctly, but they could still get in.

    We disabled the socks proxy service, but this service was in the same executable as the other proxies, and even with socks proxy disabled, they could still use it.

  7. Alex Bishop says:

    In reply to Mark Wallace:

    The problem with the @ trick is that it doesn’t work in IE if you have the latest patches applied (a hotfix from a couple of months ago completely removed support for usernames and passwords encoded in URLs).

    In my recent Mozilla nightly, going to http://www.wallace.net@weblogs.asp.net/oldnewthing/archive/2004/05/12/130454.aspx#FeedBack presents the following dialogue:

    You are about to log into the site "weblogs.asp.net" with the user "www%2Ewallace%2Enet," but the website does not require authentication. This may be an attempt to trick you.

    Is "weblogs.asp.net" the site you want to visit?

    [Yes] [No]
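As an added example (not part of the thread), here is the check a browser or link scanner has to make before it can show the kind of warning quoted above: split the link's authority into userinfo and the real host, and flag the things that make the visible text misleading. The 400-character figure comes from comment 5; the function name, the warning wording and the non-ASCII check are my own.

```python
# Added example, not code from the thread: report the host a link really
# points at and the tricks that might hide it from the user.
from urllib.parse import urlsplit, unquote

MAX_VISIBLE = 400   # comment 5's figure for a URL too long to see in a tooltip/status bar


def inspect_link(url):
    """Return (real_host, warnings). real_host is the host the request will be
    sent to; warnings lists anything that makes the visible text misleading."""
    parts = urlsplit(url)
    warnings = []
    real_host = parts.hostname or ""
    # The '@' trick: everything before '@' is userinfo, not the destination.
    if parts.username is not None:
        warnings.append(
            f'text before "@" ({parts.username!r}) is a username, not the site; '
            f'the site is "{real_host}"')
    # Percent-encoded host labels (%77e%62...) decode to an ordinary name.
    if "%" in real_host:
        real_host = unquote(real_host)
        warnings.append(f'host is percent-encoded and decodes to "{real_host}"')
    # Assumption beyond the thread: non-ASCII labels deserve a second look too.
    if not real_host.isascii():
        warnings.append("host contains non-ASCII characters; check for look-alike letters")
    if len(url) > MAX_VISIBLE:
        warnings.append(f"URL is {len(url)} characters long; the end may be cut off in the status bar")
    return real_host, warnings


if __name__ == "__main__":
    for link in (
        "http://www.wallace.net@weblogs.asp.net/oldnewthing/archive/2004/05/12/130454.aspx#FeedBack",
        "http://%77e%62l%6fg%73.%61s%70.%6ee%74/%6fl%64n%65w%74h%69n%67/",
    ):
        host, notes = inspect_link(link)
        print(host, notes)
```

The first check is the one Mozilla and Opera act on: the URL parser already knows that `www.wallace.net` is a username, so the question is only whether the UI tells the user.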

  8. Marc Wallace says:

    Ayup, Opera does the same thing, prompting you about the @ thing. Of course, your average clueless user might just say "yes".

    What happens if the web site does send back an authentication request (but a bogus one which allows any username/password in, as long as you provide one)?

  9. Marc Wallace says:

    I hated it when sites started redirecting through themselves (mostly search engines) in order to determine what links were "best"… because every redirection was another two seconds on my slow connection… so I started coding Proxomitron filters to explicitly remove those.

    But not to remove all: Yahoo self-links are removed only for content that came from *.yahoo.com.

    Here’s the Yahoo filter:

    Name = "Remove self-links: Yahoo"
    Active = TRUE
    URL = "*.yahoo.com"
    Bounds = "<as*>"
    Limit = 512
    Match = "\1 href="*yahoo.com/*(*|?)([a-zA-Z]+://*)\2"\3"
    Replace = "\1 href="\2"\3"

    Perfect? No. But it’s picky enough it shouldn’t have false positives. And it means when I look at the URL a link is about to take me to, I can see the real URL — unless it’s something like the relay, in which case I’ll see a really long thing and think twice.

    But really, it’s just like not opening email from random people. Think before you click. (*shudder* that sounds way too clicheesque)

  10. Catatonic says:

    I’d have to say that IE does the right thing by not even giving you a choice. Too many people would just say yes. Very few users can really make an informed decision when any kind of security dialog comes up.

  11. Raymond (and many others) have already written a LOT about people who blindly click yes to dialog boxes.

    We’ve actually done usability studies on this: When a dialog like this comes up, people don’t actually read the words in the dialog box. Instead, they either dismiss the dialog box without even reading it, or their mind sees "Do you want get your work done?".

    The answer to that question is always "Yes".

    So they make the wrong choice.

    It’s become distressingly clear that any interaction that involves security is too important to involve user choice.

  12. Norman Diamond says:

    Microsoft and Yahoo are not merely victims of spammers using Microsoft’s and Yahoo’s redirectors. Microsoft replies to complaints by saying that the spam doesn’t reference an MSN account, so Microsoft will not take any action. Yahoo replies with different garbage. Microsoft and Yahoo then become active cooperators with the spammers, continuing to provide redirection service instead of excluding those sites even when they have been informed of it.

    (Also Microsoft and Yahoo have hosted spammers’ web sites on their own servers and have sent replies stating their refusal to stop. But someone will probably say the base note is about redirection not spamming…)

  13. Norman Diamond says:

    Microsoft replies to complaints by saying

    > that the spam doesn’t reference an MSN

    > account, so Microsoft will not take any

    > action.

    And it didn’t take long for them to do it again. Yup I have two in a row in Mr. Chen’s blog, but in between these two, there was yet another Microsoft reply saying that they will not do anything to discourage their spamming partners and Microsoft will not disable the redirection service to their spamming partners.

    (By the way ads.msn.com was only used this way by Microsoft and spamming partners for a short time, but g.msn.com was in use before and continues in use now.)

  14. Henk,

    i’m pretty sure it works over here cause i verified this multiple times.

    however, i am not using this with internet connection sharing but with rras/nat (on 2003 server) – which does the same thing, but (imo) has more flexibility in how the beast is set up.

    i did have a 2k box /w smtp services running and relaying disabled which also worked reliably.

    WM_FYI

    thomas woelfer

  15. Doug,

    It’s not "another feature that webservers have that shouldn’t be there in the first place", since it’s not specifically a "feature" of the webserver.

    Sure, you can cause a redirect by returning a 3xx HTTP result code from the server, but there are other ways to do it, for example META REFRESH in your HTML page.

    As for legitimate reasons: disallowing transparent redirections (via 3xx codes) would discourage a website from periodically reorganising its pages.

    I’ll agree that using a redirection script for click-tracking is hard to justify, but the real problem here is that the redirection script doesn’t validate the destination. A potentially more sensible redirection script would take a unique ID and map it to the URL using a database. This would prevent abuse by third parties.

  16. Raymond Chen says:

    You don’t even need to generate IDs. Just keep a list of valid redirection targets. The redirection script can check whether the target is on the list (or, if you want to save space, use hashes). This is not unreasonable for smaller sites which may have only a few thousand redirection targets.

    Norman: I’m not sure why you’re complaining to me.
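Here is an added example (not from the thread, and not how either redirector above actually works) of a redirection script built the way comments 15 and 16 suggest: an `id` parameter is looked up in a table and never carries a URL, and a `url` parameter is only honoured when the normalised target is on an allow-list, stored either as the full string or as a SHA-256 digest to save space. The allow-list, the id table and the shape of `respond` are constructed; `respond` returns the HTTP status and `Location` value the script would send.

```python
# Added example, not code from the thread: a redirection script that refuses
# to relay for targets it does not know about.
import hashlib
from urllib.parse import urlsplit

# Constructed allow-list for a hypothetical small site (a few thousand entries
# would be fine; these two stand in for the list).
ALLOWED_TARGETS = {
    "http://weblogs.asp.net/oldnewthing/",
    "http://example.com/partner/",
}
# Comment 16's space-saving variant: keep only a digest of each allowed target.
ALLOWED_DIGESTS = {hashlib.sha256(t.encode()).hexdigest() for t in ALLOWED_TARGETS}
# Comment 15's variant: the link carries an opaque id that maps to a URL.
ID_TABLE = {"a1": "http://weblogs.asp.net/oldnewthing/", "b2": "http://example.com/partner/"}


def canonical(url):
    """Normalise an absolute http(s) URL so equivalent spellings compare
    equal, or return None for anything that should never be relayed
    (other schemes, userinfo, missing host, non-numeric port)."""
    try:
        parts = urlsplit(url)
        port = parts.port            # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.username is not None or parts.password is not None:
        return None                  # the '@' trick never gets through
    host = parts.hostname if port is None else f"{parts.hostname}:{port}"
    path = parts.path or "/"
    query = f"?{parts.query}" if parts.query else ""
    return f"{parts.scheme}://{host}{path}{query}"   # fragment dropped


def is_local_path(target):
    """A same-site relative path is fine; '//host' and '/\\host' are not,
    because browsers treat both as protocol-relative absolute URLs."""
    return target.startswith("/") and target[1:2] not in ("/", "\\")


def allowed_by_list(target):
    c = canonical(target)
    return c if c in ALLOWED_TARGETS else None


def allowed_by_digest(target):
    c = canonical(target)
    if c is None:
        return None
    return c if hashlib.sha256(c.encode()).hexdigest() in ALLOWED_DIGESTS else None


def allowed_by_id(link_id):
    return ID_TABLE.get(link_id)


def respond(params, use_digests=False):
    """Decide the response for one redirect request. params is the parsed
    query string, e.g. {'url': '...'} or {'id': 'a1'}. Returns
    (status, location); a 404 means 'not on the list', never 'relay anyway'."""
    if "id" in params:
        location = allowed_by_id(params["id"])
    elif "url" in params:
        target = params["url"]
        if is_local_path(target):
            location = target
        else:
            location = (allowed_by_digest if use_digests else allowed_by_list)(target)
    else:
        return 400, None
    return (302, location) if location else (404, None)


if __name__ == "__main__":
    for query in ({"id": "a1"}, {"url": "http://weblogs.asp.net@evil.example/"}, {"url": "/oldnewthing/"}):
        print(query, "->", respond(query))
```

Because the list holds canonical strings, a percent-encoded spelling of an allowed host is refused rather than decoded; if you want those to work, decode before calling `canonical`, but then the same decoding must be applied when the list is built.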

  17. Henk Devos says:

    Thomas:

    Are you really sure it works?

    Because the situation i had was like this:

    Utilities that list open ports said the port was not open.

    I could connect to the port with telnet, but then the connection was closed instantaneously.

    But running a port scanner did indicate the port as open, and i got a complaint from my ISP that i had an open relay. On my request they sent me a copy of an email that had actually been relayed through my computer (because at first i didn’t believe them).

    Of course if you have Windows 2003, it could very well be fixed by now.

  18. Ricky Dhatt says:

    About a year or so ago, Slashdot made a change whereby a link within a comment would automatically have the domain printed next to it, like so:

    <a>link</a> [microsoft.com].

    This was to protect people from the trolls who would trick people into visiting distasteful sites, a la goatse.cx (no longer).

    Nowadays, the trolls are using the redirectors from a trusted domain to fool people all over again.

  19. Please check whether we are an open relay

    Thanks,

  20. Please check whether we are an open relay

Comments are closed.