Quoting Karsten Bräckelmann:


>> >
>> > describe SILLYDOTSDOMAINURI Includes a multiple dots domain name
>> > body SILLYDOTSDOMAINURI /^https?\:\/\/([a-z0-9_\-A-Z]+\.)+\./

>>

> Have you ever seen these? Would it work, does any MUA or browser
> silently collapse multiple dots?
>


I saw one of these in a phishing email. I didn't know if it was
supposed to be that way or not, but I was quite curious. Firefox
tries to connect to http://www..google.com . (click it and see)

Firefox will also try to connect to http://www.*.google.com . On the
blackhole DNS discussion boards, there were users reporting seeing
wildcard (*) DNS entries in phishing emails. Additionally, Yahoo and
Flash both use wildcard DNS entries in their generated URLs. Is this
SA evasion?

So as I pondered it, it seemed plausible that a phisher could create a
zero-length subdomain which would evade scanning by regex processors
(like SA) because it would not parse out as a valid URL. But the
browser will still try to connect. Is this SA evasion? Seems quite
plausible.

Next up: a SA rule to detect "http://" followed by an invalid URL!

jp



-- 
Framework? I don't need no steenking framework!

----------------------------------------------------------------
@fferent Security Labs: Isolate/Insulate/Innovate
http://www.afferentsecurity.com
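The "http:// followed by an invalid URL" check jp proposes, written up as an added Python example rather than a SpamAssassin rule (this is not code from the thread or from SpamAssassin). It deliberately extracts URLs permissively, then validates each host label against DNS naming rules, so the empty label in www..google.com and the wildcard label in www.*.google.com are reported instead of being silently skipped; the sample message body is constructed.

```python
import re

# Constructed sample message body (not from the original thread).
SAMPLE_BODY = """Please verify your account at http://www..google.com now.
Our CDN lives at http://www.*.google.com/assets/ and the real site is
https://www.example.com/login. Also see ftp://files.example.org."""

# Scheme plus everything up to whitespace, a quote or an angle bracket.
# Deliberately permissive so malformed hosts are captured, not skipped.
URL_RE = re.compile(r'https?://[^\s<>"\']+', re.IGNORECASE)

# A well-formed DNS label: 1-63 alphanumerics/hyphens, no edge hyphen.
LABEL_RE = re.compile(r'^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$')


def host_of(url):
    """Return the host part of a URL, stripping userinfo, port and path."""
    rest = url.split('://', 1)[1]
    authority = re.split(r'[/?#]', rest, maxsplit=1)[0]
    authority = authority.rsplit('@', 1)[-1]   # drop user:pass@
    host = authority.split(':', 1)[0]          # drop :port
    if host.endswith('.'):
        host = host[:-1]   # one trailing dot is the FQDN form, not an empty label
    return host


def host_problems(host):
    """List the reasons a host name is not a well-formed DNS name."""
    if host == '':
        return ['empty host']
    problems = []
    for label in host.split('.'):
        if label == '':
            problems.append('empty label (consecutive dots)')
        elif not LABEL_RE.match(label):
            problems.append('invalid label %r' % label)
    return problems


def find_suspicious_urls(text):
    """Return [(url, [reasons])] for each http(s) URL whose host is malformed."""
    findings = []
    for match in URL_RE.finditer(text):
        url = match.group(0).rstrip('.,;:)')   # trailing punctuation is not the URL
        problems = host_problems(host_of(url))
        if problems:
            findings.append((url, problems))
    return findings


if __name__ == '__main__':
    for url, reasons in find_suspicious_urls(SAMPLE_BODY):
        print(url, '->', '; '.join(reasons))
```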