I recently received a rather strange email at my personal email address: an online pharmacy spam (aka Canadian Pharmacy) which contained two parts:
- A plain-text part containing the obfuscated text “B|uepi|u|e” and a link
- A text/html part containing the plain-text part and a link to a picture hosted on a hacked website. The interesting thing here is that the image is hosted on the same website as the link, but it is addressed through the same redirect: http://de.rd.yahoo.com/SIG=11307ffem/**http%3A//sawhill209.eltlempo.es/2?lsky.jpg
This way the spammers go one level safer and prevent spam filters from blocking the email based on the URL.
At first sight it looks like a classic redirect through a Yahoo service, but when I changed the part of the link after /** I saw that this is not what I originally thought.
Apparently, the spammers somehow arranged with Yahoo to use its redirecting service. They registered the base URL http://de.rd.yahoo.com/SIG=11307ffem/**http%3A//sawhill209.eltlempo.es/c, because if I remove something from this base URL I get the error above, and when I add something after it, it is ignored and I am redirected to the online pharmacy.
I only wonder whether the link was registered by the spammers or by the Spanish weather service. Avira Antispam detects this email as spam because we consider it quite spammy to send an email from a provider other than Yahoo that contains Yahoo redirectors.
Sorin Mustaca
Data Security Expert
techblog.avira.com
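
One way to implement the heuristic described above (a Yahoo redirector in mail that was not sent from Yahoo), as an added example that is not Avira's detection logic or part of the original post. The function names, the list of Yahoo sender domains and the sample message are assumptions constructed for illustration; the URLs are the ones quoted in the post.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import unquote, urlsplit

# Redirector shape from the post: http://<cc>.rd.yahoo.com/SIG=<token>/**<encoded target>
REDIRECTOR = re.compile(
    r"https?://(?:[\w-]+\.)*rd\.yahoo\.com/[^\s\"'<>]*?\*\*([^\s\"'<>]+)", re.I)
YAHOO_SENDERS = ("yahoo.com", "yahoo.de", "ymail.com")  # assumption, not exhaustive

# Constructed sample message following the two-part structure described in the post.
SAMPLE = """From: "Pharmacy" <offers@mailer.example>
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

B|uepi|u|e http://de.rd.yahoo.com/SIG=11307ffem/**http%3A//sawhill209.eltlempo.es/c
--b1
Content-Type: text/html; charset="utf-8"

<img src="http://de.rd.yahoo.com/SIG=11307ffem/**http%3A//sawhill209.eltlempo.es/2?lsky.jpg">
--b1--
"""

def redirect_targets(text):
    """Decode the real destination host hidden after '/**' in each redirector URL."""
    hosts = set()
    for m in REDIRECTOR.finditer(text):
        target = unquote(m.group(1))  # http%3A//host/path -> http://host/path
        hosts.add(urlsplit(target).hostname or target)
    return sorted(hosts)

def is_yahoo_sender(addr):
    domain = addr.rpartition("@")[2].lower()
    return any(domain == d or domain.endswith("." + d) for d in YAHOO_SENDERS)

def check_message(raw):
    """Flag mail that uses a Yahoo redirector but was not sent from a Yahoo domain."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1]
    text = ""
    for part in msg.walk():  # scan every text part, plain and HTML alike
        if part.get_content_maintype() == "text":
            data = part.get_payload(decode=True) or b""
            text += data.decode(part.get_content_charset() or "utf-8", "replace") + "\n"
    hosts = redirect_targets(text)
    return {"sender": sender, "hidden_hosts": hosts,
            "suspicious": bool(hosts) and not is_yahoo_sender(sender)}
```

Calling `check_message(SAMPLE)` reports the decoded destination host, so a filter can score the real target instead of the `yahoo.com` hostname that appears in the visible URL.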