There has been much discussion about open e-mail relays, but very little about open HTTP redirectors. An open redirector is hosted by foo.com, but will unintentionally send you to bar.com. This can have interesting effects on PageRank or can trick users into clicking on something that isn’t what it seems.
After many months of abuse by spammers, the rd.yahoo.com redirect server is now closed.
Yahoo! has used a redirect server for a long time for tracking clicks from one Yahoo! website to another.
http://rd.yahoo.com/example/?http://travel.yahoo.com/
Last year, spammers started using rd.yahoo.com in email messages to trick unsuspecting users into thinking that they were clicking on a Yahoo! website. They started sending out emails with links that looked like this:
http://rd.yahoo.com/example/?http://204.92.99.152/
Users saw the yahoo.com domain name and figured it must be some official Yahoo! site, not realizing that the server would redirect to another IP address. So we started blocking those types of URLs (easy to do since we’d never use a dotted-quad for anything legit). So the spammers switched to something a little more clever:
http://finance.yahoo.com:80@204.92.99.152/
The trick here was a misuse of the clear-text “username:password@server” authentication feature. It made it look like you were accessing a yahoo.com URL, but in fact were going somewhere else. These were particularly insidious, since they didn’t even go through our redirect servers, so there was nothing we could do to block them. Microsoft got rid of the problem for us with an update to Internet Explorer 5 and 6 that simply disabled the feature altogether. Mozilla followed suit by displaying a warning dialog box when this type of URL is used:
You are about to log into the site “204.92.99.152” with the username “finance.yahoo.com,” but the website does not require authentication. This may be an attempt to trick you.
Is “204.92.99.152” the site you want to visit?
So the spammers went back to abusing Yahoo!, but this time with actual hostnames:
http://rd.yahoo.com/example/?http://www.online-casino.com/
This not only tricks email users, but when used on the web can (in theory) also influence PageRank-type algorithms.
We had no choice but to either maintain a whitelist (lots of server-side state to manage) or implement a digital signature algorithm. We went with the digital signature approach. So now you can safely click through to partner sites:
http://rd.yahoo.com/example/SIG=10knc8oqv/?http://www.hp.com/
But if you try to recycle the same signature with a different URL, you’ll get a 403 Forbidden:
http://rd.yahoo.com/example/SIG=10knc8oqv/?http://www.online-casino.com/
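An added example, not Yahoo!'s code (the post does not say how SIG is computed): a redirector that only honours links it signed itself, assuming a truncated HMAC-SHA256 over the tracking tag and the target URL. The host `rd.example`, the key and the function names are hypothetical; the handler also applies the dotted-quad and `user:pass@` rejections discussed earlier.

```python
import hashlib
import hmac
import ipaddress
from urllib.parse import urlsplit

# Assumptions: constructed key and tag length; the page does not document SIG.
SECRET = b"constructed-demo-key"   # stays on the server, never sent to clients
SIG_LEN = 16                       # hex characters kept from the HMAC

def sign(tag, target):
    """Bind the signature to the tracking tag and the exact target URL."""
    msg = tag.encode() + b"\x00" + target.encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:SIG_LEN]

def make_link(tag, target):
    """What the site itself emits when it links out through the redirector."""
    return f"http://rd.example/{tag}/SIG={sign(tag, target)}/?{target}"

def target_is_sane(target):
    """Reject the dotted-quad and user:pass@host forms described in the post."""
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    if parts.username is not None or parts.password is not None:
        return False
    try:
        ipaddress.ip_address(parts.hostname)
    except ValueError:
        return True    # hostname is a name, not an IP literal
    return False

def handle(url):
    """Return (status, location) for an incoming redirector request."""
    parts = urlsplit(url)
    segments = [s for s in parts.path.split("/") if s]
    target = parts.query
    if len(segments) != 2 or not segments[1].startswith("SIG="):
        return 403, None                       # unsigned link
    tag, sig = segments[0], segments[1][4:]
    if not target_is_sane(target):
        return 403, None
    expected = sign(tag, target)
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return 403, None                       # signature recycled or forged
    return 302, target
```

Because the tag covers the whole target string, changing any character of the URL after the `?` invalidates the signature, and the comparison is constant-time so the tag cannot be recovered byte by byte from response timing.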
Finally, rd.yahoo.com does what it’s supposed to do and nothing else. Frustrated spammers out there have probably already started to abuse someone else.
http://www.google.com/url?q=http://204.92.99.152/
http://www.google.com/url?q=http://www.online-casino.com/
🙂
a nice primer on http redirectors:))
For the record, it wasn’t “last year”. It was nearly four years ago that I tried to convince the Paranoid Yahoo Who Sat Near You and I that “fixing rd.yahoo.com was something that needed to be done”, to which I was scoffed at, etc.
I think it had more to do with people simply starting to block mail that contained “rd.yahoo.com” which probably had a detrimental impact on yahoo-originated official spam.
I know you yahoos like to pick on google, but don’t forget about the g.msn.com redirector as well…
Let’s hope they don’t find Yahoo!’s other open redirect servers in India, Taiwan, Japan, Australia…
http://in.rd.yahoo.com/*http://www.radwin.org/
http://au.rd.yahoo.com/*http://www.radwin.org/
http://tw.rd.yahoo.com/*http://www.radwin.org/
http://jp.rd.yahoo.com/*http://www.radwin.org/
Note that links going through the Google redirector do not affect the target site’s Google ranking in any way.
I think it would make more sense for the big search engine sites to document their redirectors publicly and ignore links going through any of them altogether, much like Google do for their own redirector.
Another solution is to use URI blacklists such as our SURBL lists, which list spammer web sites and are commonly used to block spam using message body aware programs. Redirection and shortening services such as metamark.net are using SURBLs to deny redirection services to spammers.
http://www.surbl.org/
(One) Yahoo open HTTP redirector gets fixed
The devious spammer trick of duping you into clicking on a Yahoo link, which then redirects you to the spammer’s…
Wait, but then in your example, if the spammer’s website is in fact indexed by yahoo’s search engine, then they can trivially find the appropriate digital signature to include in their URLs so that the redirect will work…
Is the premise supposed to be that URLs which appear in spam are probably not indexed? That seems unlikely to be a safe assumption.