Problem History

We received a seemingly ordinary spam e-mail, and just before deleting it the 'odd' link address caught the eye. It looked like Yahoo, almost, but it had two URLs.

The email received was:


   Date: Sun, 26 Jan 2003 13:26:34 +0000 (GMT)
   From: Felix Fields 
   Subject: LEGAL HELP IS HERE a
   To:  ...

   Here is the website you requested:

   http://rd.yahoo.com/^Random/96691/*http://198.170.236.87
   The link to be deleted from our list is this:
   legalsys_rem88@yahoo.co.in
   jo kogojcrzz xmaqxkepqsovuwtoiwqw


To someone in Infosec this has several hallmarks of a suspicious or hostile message.

  • Never heard of Felix Fields

  • The FROM: contains an odd return

  • Not having requested a web site raises bells; the message lies

  • There is some garbage at the bottom

One can deduce that a program at the first URL uses, does something with, or goes to the second URL.

Guessing 'goes to', one can take the first part of the URL and plug a safe target after it. We tried www.wwf.org as the last half and fed it to a browser, as in:

http://rd.yahoo.com/^Random/96691/*http://www.wwf.org

Bingo, the World Wildlife Fund site appeared.

Ergo: The Yahoo yahoos had implemented a transparent URL forwarder. Sloppy.
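
A mail filter or a reviewer can make the same deduction mechanically. The following is an added example, not part of the original page: it reports when a link's visible host differs from a URL nested in its path or query, and notes when that nested host is a bare IP address. The function names and the result layout are assumptions made for this illustration; it also goes slightly beyond the page by catching percent-encoded targets.

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# scheme://authority of any URL nested inside another URL's path or query
_NESTED = re.compile(r"https?://[^\s/?#&\"'<>]+", re.IGNORECASE)


def _host(url: str) -> str:
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:  # malformed authority, e.g. an unclosed '['
        return ""


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def assess_link(url: str) -> dict:
    """Compare the host a reader sees with any host the link may forward to."""
    visible = _host(url)
    try:
        outer = urlsplit(url)
    except ValueError:  # an unparseable link is itself worth a second look
        return {"visible_host": "", "forwards_to": [], "suspicious": True}
    # Decode once so a percent-encoded target (http%3A%2F%2F...) is seen too.
    tail = unquote("?".join(p for p in (outer.path, outer.query) if p))
    forwards_to = []
    for origin in _NESTED.findall(tail):
        inner = _host(origin)
        if inner and inner != visible:
            forwards_to.append({"origin": origin, "host": inner,
                                "ip_literal": _is_ip_literal(inner)})
    return {"visible_host": visible, "forwards_to": forwards_to,
            "suspicious": bool(forwards_to)}


# The link from the e-mail on this page, and the author's harmless test link.
SPAM_LINK = "http://rd.yahoo.com/^Random/96691/*http://198.170.236.87"
TEST_LINK = "http://rd.yahoo.com/^Random/96691/*http://www.wwf.org"

if __name__ == "__main__":
    for link in (SPAM_LINK, TEST_LINK, "http://www.wwf.org/"):
        print(link, "->", assess_link(link))
```

A nested URL on the same host as the visible one is not reported, so ordinary "return to this page" links on a single site pass quietly.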





© copyright James B. Nickson, 2003