Would it be an idea to warn user about redirect-URLs?
For many years the Notes client has protected users from showing images in incoming mail, like this;
The purpose is probably twofold - first to save some space if you don’t want the mail in the first place, and second to prevent the user to reveal to the originator that the mail has been seen.
- “How can the originator know that the mail has been seen by me, simply by showing the images?”, you ask
Some sites use clever naming conventions on their images, meaning that the image to are about to see, has a file name tailored specifically for you. For example can the file name be “Masthead_5666776544.jpg” where the number actually identifies you. Yes, every mail they send out, has special file names in every mail. So when the originator’s web server delivers that image, it also knows that you have seen the mail - and that the mail address they used, actually is a live mail address.
Could we do something similar to certain redirect URL-styles in the mail?
For years we have been training users to hover over the URL and to see if the URL points to somewhere trustworthy. For example, if you get a mail from IBM Connect 2016 and hover over the Download-link, you see the following;
Note how the URL in the statusbar points to an URL that somewhat seems IBM’ish to me. By the way, it would be nice to copy the URL to the clipboard here so I for example could run the URL through a validating service such as Sucuri.
Well, the URL above is https://portal.ibmeventconnect.com/connect?cmp=ec&cn=thxemailfeb4. I will use this as the base for some URL-hacking soon.
The URL-style I am concerned about is the following:
http://<some user info>@<The real URL>
Note at at-sign. It separates the user info in front of the real URL, and the intention of such URLs is to transport for example user name and password to the real URL like this;
http://myusername:mypassword@www.somewhere.com
However, the real URL may or may not use the user info, and spammers can use this cunningly by making the URL to appear real, and then redirecting to another site. For example
http://portal.ibmeventconnect.com@www.vg.no
The link above is live, and while it look somewhat like it is the IBM link as above, it will go to one of the major Norwegian newspapers, www.vg.no.
It can be worse. According to the URL standard (RFC 3986) , the url address can be encoded in different formats. At the base we can use the IP-address instead of the “www.vg.no”. By simply pinging www.vg.no, we get the URL 195.88.55.16. This means that http://195.88.55.16 is the same as http://www.vg.no . Further the IP-address can be converted to different number formats, such as integers, hexadecimals or octals. By using an ipconverter (such as this one) we can eaily convert any IP. For example 195.88.55.16 converts to:
http://0xC3583610 (hexadecimal)
http://3277338128 (integer)
http://0303.0130.0066.0020 (octal)
All the above links points to the same page http://www.vg.no
Spammers use this knowledge to obfuscate the real URL so we get URLs like this:
http://portal.ibmeventconnect.com@3277338128
Now - that doesn’t look too harmful to an ordinary user, does it? The only way a user can know where the URL above goes, is to decode the number and run the IP address through a DNS-checker. Or use an online tool like the Maxa-Tools Redirection Solver. 
My point is - while URLs with user info (still) has their usage, they also put the user at huge risk. Wouldn’t it be nice it the user was warned about the URL-style in the above link?
IBM could even throw in a redirection solver of their own, to inform the user where the URL goes 
For example;
Update Feb. 9th: Also posted the idea to IDEAJam, click here to open directly. Would also be cool if the dialog box could be controlled via Notes.ini parameters, so the admin could decide what to do
| Permalink | 
Comments
Posted by Lars Olufsen At 13:03:43 On 09.02.2016 | - Website - |