[Dshield] New Paypal scam

John Hardin johnh at aproposretail.com
Tue Sep 23 00:17:48 GMT 2003


On Mon, 2003-09-22 at 15:42, John Dalton wrote:
> John, Interestingly enough, this is from the source on the original (which I
> think I attached to the original post). Did the person get mixed up in
> obfuscating the address and do it wrong?
> 
> 
> href="http://www.paypal.com%2f@%32%31%31%2E%31%31%33%2E%31%38%36%2E%34%32/%7
> 0%70/%70%72%6F%63%65%73%73%69%6E%67%2E%68%74%6D">click

That's probably an attack on a URL-canonicalization bug, where the URL
parser does not convert %xx to printable characters before parsing the
URL. Note that in the uncanonicalized form the @... *is* before the
first forward slash.

I would wager that the reason I didn't see it as an attack is that the
original email was HTML format, and my email sanitizer decodes printable
characters in HTML mail to prevent just this sort of attack.

Unfortunately I didn't keep a copy of the original message...

--
John Hardin  KA7OHZ                           
Internal Systems Administrator                    voice: (425) 672-1304
Apropos Retail Management Systems, Inc.             fax: (425) 672-0192
-----------------------------------------------------------------------
  There is no problem that cannot be solved by the appropriate
  application of high explosives.
-----------------------------------------------------------------------
 44 days until Matrix Revolutions
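Added here as an illustration, not from the original post or thread: the quoted href reassembled from its two wrapped lines and parsed both ways in Python (split first, then decode; decode first, then split), plus a small defensive check that flags the userinfo trick. The decoded hostname is simply what the %xx sequences in the href spell out.

```python
import re
from urllib.parse import urlsplit, unquote

# The href from the quoted message, joined across the mail wrap.
SCAM_URL = ("http://www.paypal.com%2f@%32%31%31%2E%31%31%33%2E%31%38%36%2E%34%32"
            "/%70%70/%70%72%6F%63%65%73%73%69%6E%67%2E%68%74%6D")


def parse_then_decode(url):
    """Split the raw URL first (what a browser does), then decode each piece.
    The '@' sits before the first '/', so everything up to it is userinfo
    and the real host is the percent-encoded IP address after it."""
    parts = urlsplit(url)
    user = unquote(parts.username or "")
    host = unquote(parts.hostname or "")
    path = unquote(parts.path)
    return user, host, path


def decode_then_parse(url):
    """Decode %xx first (what the sanitizer did), then split.
    '%2f' becomes a real '/', so the '@' now lands in the path and the
    host becomes www.paypal.com: the link looks benign."""
    parts = urlsplit(unquote(url))
    return parts.username or "", parts.hostname or "", parts.path


def spoof_indicators(url):
    """Defensive check run on the raw (undecoded) href: list the reasons
    its authority looks deceptive. Empty list means nothing suspicious."""
    parts = urlsplit(url)
    reasons = []
    if parts.username is not None:
        reasons.append("userinfo before host: %r" % parts.username)
    if re.search(r"%2f", parts.netloc, re.I):
        reasons.append("encoded slash inside authority")
    if re.search(r"%[0-9a-f]{2}", parts.hostname or "", re.I):
        reasons.append("percent-encoded hostname")
    return reasons


if __name__ == "__main__":
    print("browser view   :", parse_then_decode(SCAM_URL))
    print("sanitizer view :", decode_then_parse(SCAM_URL))
    print("indicators     :", spoof_indicators(SCAM_URL))
```

The two views disagree on the host, which is exactly the canonicalization mismatch described above; a link checker has to split before it decodes, or flag any authority that carries userinfo or encoded characters.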