On Mon, Apr 21, 2008 at 10:26:02PM -0500, Jack Pepper wrote:
> I saw one of these in a phishing email. I didn't know if it was
> supposed to be that way or not, but I was quite curious. Firefox
> tries to connect to http://www..google.com . (click it and see)


"Firefox can't find the server at www..google.com."

Doesn't seem like a good tactic.

> Firefox will also try to connect to http://www.*.google.com .


"Firefox can't find the server at www.*.google.com."

> So as I pondered it, it seemed plausible that a phisher could create a
> zero-length subdomain which would evade scanning by regex processors
> (like SA) because it would not parse out as a valid URL. But the
> browser will still try to connect. Is this SA evasion? Seems quite
> plausible.


Doesn't work. I put "http://www..google.com" in both text/plain and
text/html, SA finds it and parses out "google.com".

SA found "http://www.*.google.com", domain of google.com, as a text/html href.
It doesn't find it as a parsed URL.

--
Randomly Selected Tagline:
Zoidberg: So many memories, so many strange fluids gushing out
of patients' bodies....
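
An added example, not part of the original message and not SpamAssassin's code: a strict hostname regex of the kind the question worries about skips both URLs from the thread, while a tolerant extractor still recovers google.com and flags the malformed labels. All function names and the last-two-labels domain heuristic are assumptions made for illustration.

```python
import re

# Strict matcher: every label must be non-empty and alphanumeric/hyphen.
STRICT_RE = re.compile(
    r"https?://(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}", re.I)
# Tolerant matcher: also accepts empty labels ("..") and "*" labels.
LOOSE_RE = re.compile(r"https?://([a-z0-9.*-]+)", re.I)
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def strict_finds(text):
    """True if the strict pattern sees any URL in text."""
    return STRICT_RE.search(text) is not None


def scan(text):
    """Return (raw_host, domain, anomalies) for each http(s) URL in text."""
    findings = []
    for match in LOOSE_RE.finditer(text):
        raw = match.group(1).rstrip(".").lower()
        labels = raw.split(".")
        anomalies = []
        if "" in labels:
            anomalies.append("empty-label")
        if any("*" in label for label in labels):
            anomalies.append("wildcard-label")
        valid = [label for label in labels if LABEL_RE.match(label)]
        # Assumption: the last two valid labels stand in for the registered
        # domain; a production scanner would consult a public suffix list.
        domain = ".".join(valid[-2:]) if len(valid) >= 2 else None
        findings.append((raw, domain, anomalies))
    return findings


# Constructed sample bodies using the two URLs quoted in the thread.
SAMPLES = [
    "Please verify at http://www..google.com .",
    '<a href="http://www.*.google.com">log in</a>',
    "Normal link: http://www.google.com/",
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(strict_finds(body), scan(body))
```

A host that carries an anomaly is worth scoring on its own, since a legitimate sender has no reason to emit an empty or wildcard label in a link.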
