Slashdot Mirror

I'm the developer of SQLIer (the first tool listed on the site), and I've also developed a (VERY PRE ALPHA STAGE) tool that scans for SQL Injection and XSS.

http://bcable.net/project.php?vulndetector

I use two methods, one which is an integer field scan and another which is a string scan.

The integer scan works like so. Four pages are requested from the server:

Page 1: http://www.example.com/asd.php?id=1
Page 2: http://www.example.com/asd.php?id=2
Page 3: http://www.example.com/asd.php?id=1%2B1
Page 4: http://www.example.com/asd.php?id=1'

Page 3's variable of course decoding to "1+1". If page 3 is equal to page 2, and not equal to page 1 or 4, then it's vulnerable. The idea there is that the extra crap "+1" hasn't been stripped off returning the same as Page 1, and it's not causing a MySQL error like Page 4 does.

SQLIer also has a modified form of that integer scan to ensure a real SQL Injection vulnerable site has been entered in by the user. Since there are pages that when requested display different things each time (like if it has a time on the page or has a new forum post on a side menu), instead of comparing if two pages are equal, two pages are diff'd, then a percentage of how much of the pages are the same are calculated. So if 98% (I think, I can't remember what I have this set at) of the page is the same, it's considered "equal".

The string scan works as follows. (this function is done for both ' and ", in the example I'm using ')

Page 1: http://www.example.com/asd.php?id=qwe
Page 2: http://www.example.com/asd.php?id=qwe' /*
Page 3: http://www.example.com/asd.php?id=qwe' /*{randstring}

If Page 2 and 3 are different, then {randstring} is not needed since it's clear that an error (and/or URL) is being output to the screen. {randstring} is set to null if that is the case.

Then, Page 1 and 3 are compared, if they are different, then obviously an error is being thrown for the quote.

Page 3: http://www.example.com/asd.php?id=qwe' and 1=1 /*
Page 4: http://www.example.com/asd.php?id=qwe' order by 1 /*
Page 5: http://www.example.com/asd.php?id=qwe' and '1'='1

Page 5 is not requested if the quote does not throw an error. This is because the quote is obviously not causing a problem, and can't be closed.

Page 1 is compared against Pages 3 & 4. If Page 1 & 3 and Page 1 & 4 are different, then it continues to Page 5 if necessary. If Page 5 is different than Page 1, then it fails (they should be the same). This step is skipped if Page 5 isn't checked due to quotes not causing an error immediately.

Page 6: http://www.example.com/asd.php?id=qwe'"
Page 7: http://www.example.com/asd.php?id=qwe' order by 999 /*

If both Page 6 & 7 are both the same, then finally it's deemed an SQL Injection hole.

Granted, the string check is incredibly complex and also potentially destructive, which is why it's disabled by default. The integer scanner is very quick and gets most vulnerabilities, and is incredibly accurate as well.

As for XSS, that is incredibly easy. It just throws random strings into the query variables and sees if the resulting page contains that string.

Hope this helps some people when trying to auto

I'm the developer of SQLIer (the first tool listed on the site), and I've also developed a (VERY PRE ALPHA STAGE) tool that scans for SQL Injection and XSS.

http://bcable.net/project.php?vulndetector

I use two methods, one which is an integer field scan and another which is a string scan.

The integer scan works like so. Four pages are requested from the server:

Page 1: http://www.example.com/asd.php?id=1
Page 2: http://www.example.com/asd.php?id=2
Page 3: http://www.example.com/asd.php?id=1%2B1
Page 4: http://www.example.com/asd.php?id=1'

Page 3's variable of course decoding to "1+1". If page 3 is equal to page 2, and not equal to page 1 or 4, then it's vulnerable. The idea there is that the extra crap "+1" hasn't been stripped off returning the same as Page 1, and it's not causing a MySQL error like Page 4 does.

SQLIer also has a modified form of that integer scan to ensure a real SQL Injection vulnerable site has been entered in by the user. Since there are pages that when requested display different things each time (like if it has a time on the page or has a new forum post on a side menu), instead of comparing if two pages are equal, two pages are diff'd, then a percentage of how much of the pages are the same are calculated. So if 98% (I think, I can't remember what I have this set at) of the page is the same, it's considered "equal".

The string scan works as follows. (this function is done for both ' and ", in the example I'm using ')

Page 1: http://www.example.com/asd.php?id=qwe
Page 2: http://www.example.com/asd.php?id=qwe' /*
Page 3: http://www.example.com/asd.php?id=qwe' /*{randstring}

If Page 2 and 3 are different, then {randstring} is not needed since it's clear that an error (and/or URL) is being output to the screen. {randstring} is set to null if that is the case.

Then, Page 1 and 3 are compared, if they are different, then obviously an error is being thrown for the quote.

Page 3: http://www.example.com/asd.php?id=qwe' and 1=1 /*
Page 4: http://www.example.com/asd.php?id=qwe' order by 1 /*
Page 5: http://www.example.com/asd.php?id=qwe' and '1'='1

Page 5 is not requested if the quote does not throw an error. This is because the quote is obviously not causing a problem, and can't be closed.

Page 1 is compared against Pages 3 & 4. If Page 1 & 3 and Page 1 & 4 are different, then it continues to Page 5 if necessary. If Page 5 is different than Page 1, then it fails (they should be the same). This step is skipped if Page 5 isn't checked due to quotes not causing an error immediately.

Page 6: http://www.example.com/asd.php?id=qwe'"
Page 7: http://www.example.com/asd.php?id=qwe' order by 999 /*

If both Page 6 & 7 are both the same, then finally it's deemed an SQL Injection hole.

Granted, the string check is incredibly complex and also potentially destructive, which is why it's disabled by default. The integer scanner is very quick and gets most vulnerabilities, and is incredibly accurate as well.

As for XSS, that is incredibly easy. It just throws random strings into the query variables and sees if the resulting page contains that string.

Hope this helps some people when trying to auto

I'm the developer of SQLIer (the first tool listed on the site), and I've also developed a (VERY PRE ALPHA STAGE) tool that scans for SQL Injection and XSS.

http://bcable.net/project.php?vulndetector

I use two methods, one which is an integer field scan and another which is a string scan.

The integer scan works like so. Four pages are requested from the server:

Page 1: http://www.example.com/asd.php?id=1
Page 2: http://www.example.com/asd.php?id=2
Page 3: http://www.example.com/asd.php?id=1%2B1
Page 4: http://www.example.com/asd.php?id=1'

Page 3's variable of course decoding to "1+1". If page 3 is equal to page 2, and not equal to page 1 or 4, then it's vulnerable. The idea there is that the extra crap "+1" hasn't been stripped off returning the same as Page 1, and it's not causing a MySQL error like Page 4 does.

SQLIer also has a modified form of that integer scan to ensure a real SQL Injection vulnerable site has been entered in by the user. Since there are pages that when requested display different things each time (like if it has a time on the page or has a new forum post on a side menu), instead of comparing if two pages are equal, two pages are diff'd, then a percentage of how much of the pages are the same are calculated. So if 98% (I think, I can't remember what I have this set at) of the page is the same, it's considered "equal".

The string scan works as follows. (this function is done for both ' and ", in the example I'm using ')

Page 1: http://www.example.com/asd.php?id=qwe
Page 2: http://www.example.com/asd.php?id=qwe' /*
Page 3: http://www.example.com/asd.php?id=qwe' /*{randstring}

If Page 2 and 3 are different, then {randstring} is not needed since it's clear that an error (and/or URL) is being output to the screen. {randstring} is set to null if that is the case.

Then, Page 1 and 3 are compared, if they are different, then obviously an error is being thrown for the quote.

Page 3: http://www.example.com/asd.php?id=qwe' and 1=1 /*
Page 4: http://www.example.com/asd.php?id=qwe' order by 1 /*
Page 5: http://www.example.com/asd.php?id=qwe' and '1'='1

Page 5 is not requested if the quote does not throw an error. This is because the quote is obviously not causing a problem, and can't be closed.

Page 1 is compared against Pages 3 & 4. If Page 1 & 3 and Page 1 & 4 are different, then it continues to Page 5 if necessary. If Page 5 is different than Page 1, then it fails (they should be the same). This step is skipped if Page 5 isn't checked due to quotes not causing an error immediately.

Page 6: http://www.example.com/asd.php?id=qwe'"
Page 7: http://www.example.com/asd.php?id=qwe' order by 999 /*

If both Page 6 & 7 are both the same, then finally it's deemed an SQL Injection hole.

Granted, the string check is incredibly complex and also potentially destructive, which is why it's disabled by default. The integer scanner is very quick and gets most vulnerabilities, and is incredibly accurate as well.

As for XSS, that is incredibly easy. It just throws random strings into the query variables and sees if the resulting page contains that string.

Hope this helps some people when trying to auto

I'm the developer of SQLIer (the first tool listed on the site), and I've also developed a (VERY PRE ALPHA STAGE) tool that scans for SQL Injection and XSS.

http://bcable.net/project.php?vulndetector

I use two methods, one which is an integer field scan and another which is a string scan.

The integer scan works like so. Four pages are requested from the server:

Page 1: http://www.example.com/asd.php?id=1
Page 2: http://www.example.com/asd.php?id=2
Page 3: http://www.example.com/asd.php?id=1%2B1
Page 4: http://www.example.com/asd.php?id=1'

Page 3's variable of course decoding to "1+1". If page 3 is equal to page 2, and not equal to page 1 or 4, then it's vulnerable. The idea there is that the extra crap "+1" hasn't been stripped off returning the same as Page 1, and it's not causing a MySQL error like Page 4 does.

SQLIer also has a modified form of that integer scan to ensure a real SQL Injection vulnerable site has been entered in by the user. Since there are pages that when requested display different things each time (like if it has a time on the page or has a new forum post on a side menu), instead of comparing if two pages are equal, two pages are diff'd, then a percentage of how much of the pages are the same are calculated. So if 98% (I think, I can't remember what I have this set at) of the page is the same, it's considered "equal".

The string scan works as follows. (this function is done for both ' and ", in the example I'm using ')

Page 1: http://www.example.com/asd.php?id=qwe
Page 2: http://www.example.com/asd.php?id=qwe' /*
Page 3: http://www.example.com/asd.php?id=qwe' /*{randstring}

If Page 2 and 3 are different, then {randstring} is not needed since it's clear that an error (and/or URL) is being output to the screen. {randstring} is set to null if that is the case.

Then, Page 1 and 3 are compared, if they are different, then obviously an error is being thrown for the quote.

Page 3: http://www.example.com/asd.php?id=qwe' and 1=1 /*
Page 4: http://www.example.com/asd.php?id=qwe' order by 1 /*
Page 5: http://www.example.com/asd.php?id=qwe' and '1'='1

Page 5 is not requested if the quote does not throw an error. This is because the quote is obviously not causing a problem, and can't be closed.

Page 1 is compared against Pages 3 & 4. If Page 1 & 3 and Page 1 & 4 are different, then it continues to Page 5 if necessary. If Page 5 is different than Page 1, then it fails (they should be the same). This step is skipped if Page 5 isn't checked due to quotes not causing an error immediately.

Page 6: http://www.example.com/asd.php?id=qwe'"
Page 7: http://www.example.com/asd.php?id=qwe' order by 999 /*

If both Page 6 & 7 are both the same, then finally it's deemed an SQL Injection hole.

Granted, the string check is incredibly complex and also potentially destructive, which is why it's disabled by default. The integer scanner is very quick and gets most vulnerabilities, and is incredibly accurate as well.

As for XSS, that is incredibly easy. It just throws random strings into the query variables and sees if the resulting page contains that string.

Hope this helps some people when trying to auto

I'm the developer of SQLIer (the first tool listed on the site), and I've also developed a (VERY PRE ALPHA STAGE) tool that scans for SQL Injection and XSS.

http://bcable.net/project.php?vulndetector

I use two methods, one which is an integer field scan and another which is a string scan.

The integer scan works like so. Four pages are requested from the server:

Page 1: http://www.example.com/asd.php?id=1
Page 2: http://www.example.com/asd.php?id=2
Page 3: http://www.example.com/asd.php?id=1%2B1
Page 4: http://www.example.com/asd.php?id=1'

Page 3's variable of course decoding to "1+1". If page 3 is equal to page 2, and not equal to page 1 or 4, then it's vulnerable. The idea there is that the extra crap "+1" hasn't been stripped off returning the same as Page 1, and it's not causing a MySQL error like Page 4 does.

SQLIer also has a modified form of that integer scan to ensure a real SQL Injection vulnerable site has been entered in by the user. Since there are pages that when requested display different things each time (like if it has a time on the page or has a new forum post on a side menu), instead of comparing if two pages are equal, two pages are diff'd, then a percentage of how much of the pages are the same are calculated. So if 98% (I think, I can't remember what I have this set at) of the page is the same, it's considered "equal".

The string scan works as follows. (this function is done for both ' and ", in the example I'm using ')

Page 1: http://www.example.com/asd.php?id=qwe
Page 2: http://www.example.com/asd.php?id=qwe' /*
Page 3: http://www.example.com/asd.php?id=qwe' /*{randstring}

If Page 2 and 3 are different, then {randstring} is not needed since it's clear that an error (and/or URL) is being output to the screen. {randstring} is set to null if that is the case.

Then, Page 1 and 3 are compared, if they are different, then obviously an error is being thrown for the quote.

Page 3: http://www.example.com/asd.php?id=qwe' and 1=1 /*
Page 4: http://www.example.com/asd.php?id=qwe' order by 1 /*
Page 5: http://www.example.com/asd.php?id=qwe' and '1'='1

Page 5 is not requested if the quote does not throw an error. This is because the quote is obviously not causing a problem, and can't be closed.

Page 1 is compared against Pages 3 & 4. If Page 1 & 3 and Page 1 & 4 are different, then it continues to Page 5 if necessary. If Page 5 is different than Page 1, then it fails (they should be the same). This step is skipped if Page 5 isn't checked due to quotes not causing an error immediately.

Page 6: http://www.example.com/asd.php?id=qwe'"
Page 7: http://www.example.com/asd.php?id=qwe' order by 999 /*

If both Page 6 & 7 are both the same, then finally it's deemed an SQL Injection hole.

Granted, the string check is incredibly complex and also potentially destructive, which is why it's disabled by default. The integer scanner is very quick and gets most vulnerabilities, and is incredibly accurate as well.

As for XSS, that is incredibly easy. It just throws random strings into the query variables and sees if the resulting page contains that string.

Hope this helps some people when trying to auto

I'm the developer of SQLIer (the first tool listed on the site), and I've also developed a (VERY PRE ALPHA STAGE) tool that scans for SQL Injection and XSS.

http://bcable.net/project.php?vulndetector

I use two methods, one which is an integer field scan and another which is a string scan.

The integer scan works like so. Four pages are requested from the server:

Page 1: http://www.example.com/asd.php?id=1
Page 2: http://www.example.com/asd.php?id=2
Page 3: http://www.example.com/asd.php?id=1%2B1
Page 4: http://www.example.com/asd.php?id=1'

Page 3's variable of course decoding to "1+1". If page 3 is equal to page 2, and not equal to page 1 or 4, then it's vulnerable. The idea there is that the extra crap "+1" hasn't been stripped off returning the same as Page 1, and it's not causing a MySQL error like Page 4 does.

SQLIer also has a modified form of that integer scan to ensure a real SQL Injection vulnerable site has been entered in by the user. Since there are pages that when requested display different things each time (like if it has a time on the page or has a new forum post on a side menu), instead of comparing if two pages are equal, two pages are diff'd, then a percentage of how much of the pages are the same are calculated. So if 98% (I think, I can't remember what I have this set at) of the page is the same, it's considered "equal".

The string scan works as follows. (this function is done for both ' and ", in the example I'm using ')

Page 1: http://www.example.com/asd.php?id=qwe
Page 2: http://www.example.com/asd.php?id=qwe' /*
Page 3: http://www.example.com/asd.php?id=qwe' /*{randstring}

If Page 2 and 3 are different, then {randstring} is not needed since it's clear that an error (and/or URL) is being output to the screen. {randstring} is set to null if that is the case.

Then, Page 1 and 3 are compared, if they are different, then obviously an error is being thrown for the quote.

Page 3: http://www.example.com/asd.php?id=qwe' and 1=1 /*
Page 4: http://www.example.com/asd.php?id=qwe' order by 1 /*
Page 5: http://www.example.com/asd.php?id=qwe' and '1'='1

Page 5 is not requested if the quote does not throw an error. This is because the quote is obviously not causing a problem, and can't be closed.

Page 1 is compared against Pages 3 & 4. If Page 1 & 3 and Page 1 & 4 are different, then it continues to Page 5 if necessary. If Page 5 is different than Page 1, then it fails (they should be the same). This step is skipped if Page 5 isn't checked due to quotes not causing an error immediately.

Page 6: http://www.example.com/asd.php?id=qwe'"
Page 7: http://www.example.com/asd.php?id=qwe' order by 999 /*

If both Page 6 & 7 are both the same, then finally it's deemed an SQL Injection hole.

Granted, the string check is incredibly complex and also potentially destructive, which is why it's disabled by default. The integer scanner is very quick and gets most vulnerabilities, and is incredibly accurate as well.

As for XSS, that is incredibly easy. It just throws random strings into the query variables and sees if the resulting page contains that string.

Hope this helps some people when trying to auto

I'm the developer of SQLIer (the first tool listed on the site), and I've also developed a (VERY PRE ALPHA STAGE) tool that scans for SQL Injection and XSS.

http://bcable.net/project.php?vulndetector

I use two methods, one which is an integer field scan and another which is a string scan.

The integer scan works like so. Four pages are requested from the server:

Page 1: http://www.example.com/asd.php?id=1
Page 2: http://www.example.com/asd.php?id=2
Page 3: http://www.example.com/asd.php?id=1%2B1
Page 4: http://www.example.com/asd.php?id=1'

Page 3's variable of course decoding to "1+1". If page 3 is equal to page 2, and not equal to page 1 or 4, then it's vulnerable. The idea there is that the extra crap "+1" hasn't been stripped off returning the same as Page 1, and it's not causing a MySQL error like Page 4 does.

SQLIer also has a modified form of that integer scan to ensure a real SQL Injection vulnerable site has been entered in by the user. Since there are pages that when requested display different things each time (like if it has a time on the page or has a new forum post on a side menu), instead of comparing if two pages are equal, two pages are diff'd, then a percentage of how much of the pages are the same are calculated. So if 98% (I think, I can't remember what I have this set at) of the page is the same, it's considered "equal".

The string scan works as follows. (this function is done for both ' and ", in the example I'm using ')

Page 1: http://www.example.com/asd.php?id=qwe
Page 2: http://www.example.com/asd.php?id=qwe' /*
Page 3: http://www.example.com/asd.php?id=qwe' /*{randstring}

If Page 2 and 3 are different, then {randstring} is not needed since it's clear that an error (and/or URL) is being output to the screen. {randstring} is set to null if that is the case.

Then, Page 1 and 3 are compared, if they are different, then obviously an error is being thrown for the quote.

Page 3: http://www.example.com/asd.php?id=qwe' and 1=1 /*
Page 4: http://www.example.com/asd.php?id=qwe' order by 1 /*
Page 5: http://www.example.com/asd.php?id=qwe' and '1'='1

Page 5 is not requested if the quote does not throw an error. This is because the quote is obviously not causing a problem, and can't be closed.

Page 1 is compared against Pages 3 & 4. If Page 1 & 3 and Page 1 & 4 are different, then it continues to Page 5 if necessary. If Page 5 is different than Page 1, then it fails (they should be the same). This step is skipped if Page 5 isn't checked due to quotes not causing an error immediately.

Page 6: http://www.example.com/asd.php?id=qwe'"
Page 7: http://www.example.com/asd.php?id=qwe' order by 999 /*

If both Page 6 & 7 are both the same, then finally it's deemed an SQL Injection hole.

Granted, the string check is incredibly complex and also potentially destructive, which is why it's disabled by default. The integer scanner is very quick and gets most vulnerabilities, and is incredibly accurate as well.

As for XSS, that is incredibly easy. It just throws random strings into the query variables and sees if the resulting page contains that string.

Hope this helps some people when trying to auto

I'm the developer of SQLIer (the first tool listed on the site), and I've also developed a (VERY PRE ALPHA STAGE) tool that scans for SQL Injection and XSS.

http://bcable.net/project.php?vulndetector

I use two methods, one which is an integer field scan and another which is a string scan.

The integer scan works like so. Four pages are requested from the server:

Page 1: http://www.example.com/asd.php?id=1
Page 2: http://www.example.com/asd.php?id=2
Page 3: http://www.example.com/asd.php?id=1%2B1
Page 4: http://www.example.com/asd.php?id=1'

Page 3's variable of course decoding to "1+1". If page 3 is equal to page 2, and not equal to page 1 or 4, then it's vulnerable. The idea there is that the extra crap "+1" hasn't been stripped off returning the same as Page 1, and it's not causing a MySQL error like Page 4 does.

SQLIer also has a modified form of that integer scan to ensure a real SQL Injection vulnerable site has been entered in by the user. Since there are pages that when requested display different things each time (like if it has a time on the page or has a new forum post on a side menu), instead of comparing if two pages are equal, two pages are diff'd, then a percentage of how much of the pages are the same are calculated. So if 98% (I think, I can't remember what I have this set at) of the page is the same, it's considered "equal".

The string scan works as follows. (this function is done for both ' and ", in the example I'm using ')

Page 1: http://www.example.com/asd.php?id=qwe
Page 2: http://www.example.com/asd.php?id=qwe' /*
Page 3: http://www.example.com/asd.php?id=qwe' /*{randstring}

If Page 2 and 3 are different, then {randstring} is not needed since it's clear that an error (and/or URL) is being output to the screen. {randstring} is set to null if that is the case.

Then, Page 1 and 3 are compared, if they are different, then obviously an error is being thrown for the quote.

Page 3: http://www.example.com/asd.php?id=qwe' and 1=1 /*
Page 4: http://www.example.com/asd.php?id=qwe' order by 1 /*
Page 5: http://www.example.com/asd.php?id=qwe' and '1'='1

Page 5 is not requested if the quote does not throw an error. This is because the quote is obviously not causing a problem, and can't be closed.

Page 1 is compared against Pages 3 & 4. If Page 1 & 3 and Page 1 & 4 are different, then it continues to Page 5 if necessary. If Page 5 is different than Page 1, then it fails (they should be the same). This step is skipped if Page 5 isn't checked due to quotes not causing an error immediately.

Page 6: http://www.example.com/asd.php?id=qwe'"
Page 7: http://www.example.com/asd.php?id=qwe' order by 999 /*

If both Page 6 & 7 are both the same, then finally it's deemed an SQL Injection hole.

Granted, the string check is incredibly complex and also potentially destructive, which is why it's disabled by default. The integer scanner is very quick and gets most vulnerabilities, and is incredibly accurate as well.

As for XSS, that is incredibly easy. It just throws random strings into the query variables and sees if the resulting page contains that string.

Hope this helps some people when trying to auto

You're right about the "real.bank.example.com" problem, and there are lots of other approaches,
like

• http://real.bank@example.com/
• real.bank.obfuscating-non-ASCII-characters
• real.bank.3242134832143214.com
• link text that doesn't match href like real.bank
• links that display an image of "real.bank"
• Javascript/ActiveX/Flash attacks that does pretty much the same thing, displaying "real.bank" so it looks like a link but making it go to the attacker's site.

There's another class of n00b phishing attacks that use the real.bank name as social engineering - "Dear subscriber, we're changing the name of our website to EXAMPLEBANK.BANK to improve security! Please verify your information on the old website, EXAAMPLEBAANK.com, to make sure your access continues to work!"

You're doing something wrong if Gallery2 can't handle that. I admin a sports photography site using G2 with 130,000+ pictures and it's sharp and responsive, even with 50+ concurrent users.

There's a little trick with G1 to keep it quick, force caching. By default it scans the whole gallery tree every time someone visits the front page, but if you throw in an hourly cron job (or longer, depending on frequency of updates) to do something like this:
wget -O /var/www/html/gallery/cache.html.new http://gallery.example.com/gallery?gallery_nocache =yes; mv /var/www/html/gallery/cache.html.new /var/www/html/gallery/cache.html; chmod a+rx /var/www/html/gallery/cache.html .. you'll find it remains sharp and responsive all the time.

1. • URLs
     http://example.com/ will auto-link a URL
     Important Stuff
     
             * Please try to keep posts on topic.
             * Try to reply to other people's comments instead of starting new threads.
             * Read other people's messages before posting your own to avoid simply duplicating what has already been said.
             * Use a clear subject that describes what your message is about.
             * Offtopic, Inflammatory, Inappropriate, Illegal, or Offensive comments might be moderated. (You can read everything, even moderated posts, by adjusting your threshold on the User Preferences Page)
             * If you want replies to your comments sent to you, consider logging in or creating an account.
     
     Problems regarding accounts or comment posting should be sent to CowboyNeal.
     Search
     Always do right. This will gratify some people and astonish the rest. -- Mark Twain
     
     All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2007 OSTG.
     
             * home
             * awards
             * contribute story
             * older articles
             * OSTG
             * advertise
             * about
             * terms of service
             * privacy
             * faq
             * rss
     
     

I'm a fan of RESTful systems and, while I introduced the XRI folk to SAML, I've also been helping to show how all that SOAP bloat isn't necessary.

And I'm also not a big fan of global name spaces, which @, + and = are used for. They can be a useful shorthand, but =bob and http://xri.neustar.net/bob could be defined to mean the same thing - and there are proposals for this on the table.

The real win comes when you want to do things that just can't be done with URLs such as alternate resolution protocols (say, use Freenet-style DHTs instead of DNS), provide for symbolic links and back-references, and - most importantly - enable trusted, negotiated resolution and access to services according to source and destination without disclosing any unnecessary information about either party.

Yeah, it looks complicated, but http://example.com:8008?q=43&foo\0e=72 looks kinda foreboding too. But we're used to the "://" syntax and we have browsers that make it easier for us. Don't throw away the tech because you don't understand it - there's some very real benefits to XRI, and you can bet that if it catches on, the most useful applications will quickly be sheathed in Web 2.0 GUIs that hide the complexity as they realize the power.

Finally, one can always delegate XRI resolution to a proxy resolver, so apps that need to stay lightweight can remain so.

URLs
http://example.com/ will auto-link a URL
Important Stuff

        * Please try to keep posts on topic.
        * Try to reply to other people's comments instead of starting new threads.
        * Read other people's messages before posting your own to avoid simply duplicating what has already been said.
        * Use a clear subject that describes what your message is about.
        * Offtopic, Inflammatory, Inappropriate, Illegal, or Offensive comments might be moderated. (You can read everything, even moderated posts, by adjusting your threshold on the User Preferences Page)

1. Slashdot will autolink any valid URL format, whether it ends with a slash or not. It does not verify that the target exists on the web (if it did, you probably wouldn't be able to post links that are currently down but will be up later).
2. In this case, Wikipedia has a URL format that ends with an identifier (not a directory). Wikipedia does not handle slashes after the identifier. Note that they may do this because they have another URL format that uses the trailing slash to indicate different processing (possibly at the mod_rewrite level).

1. Slashdot will autolink any valid URL format, whether it ends with a slash or not. It does not verify that the target exists on the web (if it did, you probably wouldn't be able to post links that are currently down but will be up later).
2. In this case, Wikipedia has a URL format that ends with an identifier (not a directory). Wikipedia does not handle slashes after the identifier. Note that they may do this because they have another URL format that uses the trailing slash to indicate different processing (possibly at the mod_rewrite level).

1. Slashdot will autolink any valid URL format, whether it ends with a slash or not. It does not verify that the target exists on the web (if it did, you probably wouldn't be able to post links that are currently down but will be up later).
2. In this case, Wikipedia has a URL format that ends with an identifier (not a directory). Wikipedia does not handle slashes after the identifier. Note that they may do this because they have another URL format that uses the trailing slash to indicate different processing (possibly at the mod_rewrite level).

URLs http://example.com/ will auto-link a URL

Kind of like Example.com. That was set up in RFC-2606.

1 isn't a prime

Yes, it is.

A few years ago, I applied for a job at a well known company using their online application site. When I finished filling in the form, the site redirected to a page with a URL like https://www.example.com/viewapplication.asp?applic antid=12345 that displayed all of my details.

I wondered what would happen if I changed the number in the URL and found that the site would happily show me the details for all the other applicants (including quite sensitive information).

Was changing the URL "trying to discover a vulnerability" or "discovering a vulnerability"?
What if the values had been sent using a HTTP POST (so I couldn't see them or edit them by just changing a URL)? What if they had been lightly encrypted or included a check-digit?

Note: The following comments are legitimate information, designed to help people help themselves. I am not an Acer fanboy (I reserve that for SanDisk), but I like my laptop. YMMV.
Actually, I have an Acer Aspire 1640. It's a nice machine for the $799 I got it for about 6 months ago. And Acer doesn't load a bunch of AOL/WildTangent/EarthLink/etc useless "applications" that are bundled because they can't stand on their own, like certain other manufacturers *cough*Dell*cough*HP*cough*. The few things that were bundled (counted on *maybe* 2 hands) were actually useful.
Once I got to college (where I have access to $10 Win XP Pro discs) I wiped it, reinstalled Windows (gasp!) *and* Ubuntu Linux. Works great, and with 120GB HD, plenty of space for both OS's. The Windows works great, since it's very light (only Windows-only stuff, everything else is on Ubuntu+Wine).
Hardware support on Linux is pretty decent. After some elbow grease, wireless, ethernet, widescreen, CPU power stepping, Sansa m250, even hardware buttons are working. Sound is the only thing I'm not sure about, output works fine, input seems finicky. I could probably fix it, but I don't care that much yet.

So...I'm not that concerned. Besides, who uses Internet Explorer anyway?
(That was sarcasm. I know the correct answer is "98% of everyone, luser!")
(That was sarcasm too. I know the correct answer is really "No, it's 89%, n00b!!11!!BBQ!! Look at my fancy link!!")
(Other appropriate comments include "I for one welcome our new Acer-invited overlords", "In soviet russia, computers bug Acer!", "I use lynx, you insensitive clod", "Ubuntu sux. [Insert Distro Name Here] is sooo, like, better because [insert unsubtantiated claim here].", etc., ad infinitum.)

There is a simple fix, rather than making a request to a remote site which tests only your logged in cookie it should instead send a "random" value with the request.

The way it works is:

• Google sends the a form to you with a hidden "auth string".
• When you make a request back you send the same auth-string/token with the request.
• If the login cookie is invalid then the request is denied.
• If the login cookie is valid and the auth-string was correct the results are sent back.
• If the auth-string was missing then you know the request was forged.

This is the difference between http://example.com/logout and http://example.com/logout/124rkjfldf for example - The former is insecure since example.net could include that link in an image source; whereas the latter example uses a token appended to the URL - if the submission doesn't have the correct token then it can be denied.

I wrote about this here, when I updated my site to work like this.

There is a simple fix, rather than making a request to a remote site which tests only your logged in cookie it should instead send a "random" value with the request.

The way it works is:

• Google sends the a form to you with a hidden "auth string".
• When you make a request back you send the same auth-string/token with the request.
• If the login cookie is invalid then the request is denied.
• If the login cookie is valid and the auth-string was correct the results are sent back.
• If the auth-string was missing then you know the request was forged.

This is the difference between http://example.com/logout and http://example.com/logout/124rkjfldf for example - The former is insecure since example.net could include that link in an image source; whereas the latter example uses a token appended to the URL - if the submission doesn't have the correct token then it can be denied.

I wrote about this here, when I updated my site to work like this.

gagagagabooom
saksljdf
adfae
adURLs
http://example.com/ will auto-link a URL
Important Stuff

        * Please try to keep posts on topic.
        * Try to reply to other people's comments instead of starting new threads.
        * Read other people's messages before posting your own to avoid simply duplicating what has already been said.
        * Use a clear subject that describes what your message is about.
        * Offtopic, Inflammatory, Inappropriate, Illegal, or Offensive comments might be moderated. (You can read everything, even moderated posts, by adjusting your threshold on the User Preferences Page)
        * If you want replies to your comments sent to you, consider logging in or creating an account.

Problems regarding accounts or comment posting should be sent to CowboyNeal.

It is trivial to defeat referrers. Especially if you're determined, as this peson proved he is.

It is trivial for surfers to defeat referers. (Note the correct incorrect spelling.) There are lots of anonymizing proxies that will serve http://example.com/ as the referer for any item on example.com, thus passing almost all referer checks. (1)

However, it's completely impossible for another web site to defeat referer checks, without getting all their end users to download said proxies and install them.

Referers are stupid to use for security. Anything the web browser hands you is stupid to use for security. However, they are fine to use to stop people at other web sites from leeching your site's content. (And by 'content', I mostly mean images and stuff. Web site operates who block deep linking to web pages are, well, fairly dumb and not quite following how the internet works. But they can if they want to, although even there a better solution is to use cookies and session ids.)

1) Of course, you can break the proxies in all circumstances, even when they are legitimately on your site, by putting all your web pages on example.com, with no referer checks, and images and everything else on, say, images.example.com, with a referer block of everything but example.com. The proxy will always use images.example.com when getting stuff from the image server, and hence it will never work. If people with referer blocking start annoying you, go ahead.

As an added bonus, it's probably easier to set up than actually trying to figure out how to tell the web server which content you want people to be able to link to and which you don't. PDFs? flash? With my method, you just stick them on different virtual server. The only rule is that nothing on the image server can link to or include anything else on the image server.

I'm collecting donations to buy reiserfs so I can release it under the GPL. Paypal me at mailto:slash@example.com!

Yes, but escape sequences in English look barbarous! May I suggest either avoiding the problem, by using square brackets:
    "[that was funny:)]"
or at least regaining clarity by inserting an extra space:
    "(that was funny:) )"
It's a similar problem in English to ending a sentence with a URL. I usually insert spaces:
    "Please visit http://www.example.com/ ."

All the above are, of course, quote-delimited. Actually, it would be nice if we had separate ASCII for all 5 of:
  {open,close}{single,double}-quote,apostrophe.

1. • URLs
     http://example.com/ will auto-link a URL
     Important Stuff
     
             * Please try to keep posts on topic.
             * Try to reply to other people's comments instead of starting new threads.
             * Read other people's messages before posting your own to avoid simply duplicating what has already been said.
             * Use a clear subject that describes what your message is about.
             * Offtopic, Inflammatory, Inappropriate, Illegal, or Offensive comments might be moderated. (You can read everything, even moderated posts, by adjusting your threshold on the User Preferences Page)
     
     Problems regarding accounts or comment posting should be sent to CowboyNeal.
     

1. • URLs
     http://example.com/ will auto-link a URL
     Important Stuff
     
             * Please try to keep posts on topic.
             * Try to reply to other people's comments instead of starting new threads.
             * Read other people's messages before posting your own to avoid simply duplicating what has already been said.
             * Use a clear subject that describes what your message is about.
             * Offtopic, Inflammatory, Inappropriate, Illegal, or Offensive comments might be moderated. (You can read everything, even moderated posts, by adjusting your threshold on the User Preferences Page)
             * If you want replies to your comments sent to you, consider logging in or creating an account.
     
     Problems regarding accounts or comment posting should be sent to CowboyNeal.

1. • 
     URLs
     http://example.com/ will auto-link a URL
     Important Stuff
     
             * Please try to keep posts on topic.
             * Try to reply to other people's comments instead of starting new threads.
             * Read other people's messages before posting your own to avoid simply duplicating what has already been said.
             * Use a clear subject that describes what your message is about.
             * Offtopic, Inflammatory, Inappropriate, Illegal, or Offensive comments might be moderated. (You can read everything, even moderated posts, by adjusting your threshold on the User Preferences Page)
             * If you want replies to your comments sent to you, consider logging in or creating an account
     
     Problems regarding accounts or comment posting should be sent to CowboyNeal.
     

I have found that using SPAM as your username works wonders

just post it right there on the webpage or leave it as a mailto:spam@example.com

So many people use NOSPAMjohn@NOSPAMexample.com (remove the NOSPAM to reply)
or some variation of that, I tried using spam@example.com as my email address on Google Groups and previously on Usenet.

I got pretty much nothing. No spam. Not then, not now.

Since the email harvesters apparently filter out variations of addresses with SPAM, NOSPAM, DIESPAMMERS etc in them, once they filter out the "SPAM" part of spam@example.com they are left with @example.com which is not a valid email address.

Needless to say, I get a lot of spam in the queue. I check the contents of the spam to set up filters to detect and autonuke frequently occuring phrases or website addresses.

In the last month, I have noticed a serious rise in spam that is a list of URLs that are hosted on wikis and forums that obviously have nothing to do with the content of the spam (usually it's technical-related wikis and pr0n- and drug-related spam). Here's an edited sample:

http://example.com/wiki/lib/exe/fetch.php?w=120&h= 120&media=8-somedumbchick-nude.html

I've been notifying admins of the sites being abused when I have time (and when there is a contact address on the site). Some respond and some don't. One interesting response - "I'm surprised at how sophisticated the bot was - it arrived, appeared to look around, tried to edit, failed because it wasn't logged in, created a user, then proceeded to post things. I'll have to set up some kind of CAPTCHA."

Keep an eye on activity on your wikis and forums. And please don't require creating an account to get access to your contact info!

Very well SAID. I couldn't agree more.

1. • 
     URLs
     http://example.com/ will auto-link a URL
     Important Stuff
     Please try to keep posts on topic.
     Try to reply to other people's comments instead of starting new threads.
     Read other people'sAllowed HTML
     

     
     

     
     URLs
     http://example.com/ will auto-link a URL
     Important Stuff
     Please try to keep posts on topic.
     Try to reply to other people's comments instead of starting new threads.
     Read other people'sAllowed HTML
     

     
     

     
     URLs
     http://example.com/ will auto-link a URL
     Important Stuff
     Please try to keep posts on topic.
     Try to reply to other people's comments instead of starting new threads.
     Read other people'sAllowed HTML
     

     
     

     
     URLs
     http://example.com/ will auto-link a URL
     Important Stuff
     Please try to keep posts on topic.
     Try to reply to other people's comments instead of starting new threads.
     Read other people's messages before posting your own to avoid simply duplicating what has already been said.
     Use a clear subject that describes what your message is about.
     Offtopic, Inflammatory, Inappropriate, Illegal, or Offensive comments might be moderated. (You can read everything, even moderated posts, by adjusting your threshold on the User Preferences Page)
     If you want replies to your comments sent to you, consider logging in or creating an account
     
     Problems regarding accounts or comment posting should be sent to CowboyNeal. messages before posting your own to avoid simply duplicating what has already been said.
     Use a clear subject that describes what your message is about.
     Offtopic, Inflammatory, Inappropriate, Illegal, or Offensive comments might be moderated. (You can read everything, even moderated posts, by adjusting your threshold on the User Preferences Page)
     If you want replies to your comments sent to you, consider logging in or creating an account
     
     Problems regarding accounts or comment posting should be sent to CowboyNeal. messages before posting your own t

1. • 
     URLs
     http://example.com/ will auto-link a URL
     Important Stuff
     Please try to keep posts on topic.
     Try to reply to other people's comments instead of starting new threads.
     Read other people'sAllowed HTML
     

     
     

     
     URLs
     http://example.com/ will auto-link a URL
     Important Stuff
     Please try to keep posts on topic.
     Try to reply to other people's comments instead of starting new threads.
     Read other people'sAllowed HTML
     

     
     

     
     URLs
     http://example.com/ will auto-link a URL
     Important Stuff
     Please try to keep posts on topic.
     Try to reply to other people's comments instead of starting new threads.
     Read other people'sAllowed HTML
     

     
     

     
     URLs
     http://example.com/ will auto-link a URL
     Important Stuff
     Please try to keep posts on topic.
     Try to reply to other people's comments instead of starting new threads.
     Read other people's messages before posting your own to avoid simply duplicating what has already been said.
     Use a clear subject that describes what your message is about.
     Offtopic, Inflammatory, Inappropriate, Illegal, or Offensive comments might be moderated. (You can read everything, even moderated posts, by adjusting your threshold on the User Preferences Page)
     If you want replies to your comments sent to you, consider logging in or creating an account
     
     Problems regarding accounts or comment posting should be sent to CowboyNeal. messages before posting your own to avoid simply duplicating what has already been said.
     Use a clear subject that describes what your message is about.
     Offtopic, Inflammatory, Inappropriate, Illegal, or Offensive comments might be moderated. (You can read everything, even moderated posts, by adjusting your threshold on the User Preferences Page)
     If you want replies to your comments sent to you, consider logging in or creating an account
     
     Problems regarding accounts or comment posting should be sent to CowboyNeal. messages before posting your own t

1. • 
     URLs
     http://example.com/ will auto-link a URL
     Important Stuff
     Please try to keep posts on topic.
     Try to reply to other people's comments instead of starting new threads.
     Read other people'sAllowed HTML
     

     
     

     
     URLs
     http://example.com/ will auto-link a URL
     Important Stuff
     Please try to keep posts on topic.
     Try to reply to other people's comments instead of starting new threads.
     Read other people'sAllowed HTML
     

     
     

     
     URLs
     http://example.com/ will auto-link a URL
     Important Stuff
     Please try to keep posts on topic.
     Try to reply to other people's comments instead of starting new threads.
     Read other people'sAllowed HTML
     

     
     

     
     URLs
     http://example.com/ will auto-link a URL
     Important Stuff
     Please try to keep posts on topic.
     Try to reply to other people's comments instead of starting new threads.
     Read other people's messages before posting your own to avoid simply duplicating what has already been said.
     Use a clear subject that describes what your message is about.
     Offtopic, Inflammatory, Inappropriate, Illegal, or Offensive comments might be moderated. (You can read everything, even moderated posts, by adjusting your threshold on the User Preferences Page)
     If you want replies to your comments sent to you, consider logging in or creating an account
     
     Problems regarding accounts or comment posting should be sent to CowboyNeal. messages before posting your own to avoid simply duplicating what has already been said.
     Use a clear subject that describes what your message is about.
     Offtopic, Inflammatory, Inappropriate, Illegal, or Offensive comments might be moderated. (You can read everything, even moderated posts, by adjusting your threshold on the User Preferences Page)
     If you want replies to your comments sent to you, consider logging in or creating an account
     
     Problems regarding accounts or comment posting should be sent to CowboyNeal. messages before posting your own t

1. • 
     URLs
     http://example.com/ will auto-link a URL
     Important Stuff
     Please try to keep posts on topic.
     Try to reply to other people's comments instead of starting new threads.
     Read other people'sAllowed HTML
     

     
     

     
     URLs
     http://example.com/ will auto-link a URL
     Important Stuff
     Please try to keep posts on topic.
     Try to reply to other people's comments instead of starting new threads.
     Read other people'sAllowed HTML
     

     
     

     
     URLs
     http://example.com/ will auto-link a URL
     Important Stuff
     Please try to keep posts on topic.
     Try to reply to other people's comments instead of starting new threads.
     Read other people'sAllowed HTML
     

     
     

     
     URLs
     http://example.com/ will auto-link a URL
     Important Stuff
     Please try to keep posts on topic.
     Try to reply to other people's comments instead of starting new threads.
     Read other people's messages before posting your own to avoid simply duplicating what has already been said.
     Use a clear subject that describes what your message is about.
     Offtopic, Inflammatory, Inappropriate, Illegal, or Offensive comments might be moderated. (You can read everything, even moderated posts, by adjusting your threshold on the User Preferences Page)
     If you want replies to your comments sent to you, consider logging in or creating an account
     
     Problems regarding accounts or comment posting should be sent to CowboyNeal. messages before posting your own to avoid simply duplicating what has already been said.
     Use a clear subject that describes what your message is about.
     Offtopic, Inflammatory, Inappropriate, Illegal, or Offensive comments might be moderated. (You can read everything, even moderated posts, by adjusting your threshold on the User Preferences Page)
     If you want replies to your comments sent to you, consider logging in or creating an account
     
     Problems regarding accounts or comment posting should be sent to CowboyNeal. messages before posting your own t

You know that there are a number of products that automatically strip HTTP Referers, right? Nortons Antivirus is one - it thinks that this adds some privacy value for the user. Or what happens if I bookmark your comment page to come write an insightful comment later?

Whilst I agree that checking for referers is a good thing (90% of the spam I've seen doesn't have them - they find the comment page, work out the form structure then hammer it using some app.), automatically DENY'ing users without refererers may be a bit harsh :-)

Aside: one thing I have noticed is that my spam requests generally look for http://www.example.com/comment.php (i.e. GET http://www.example.com/comment.php) whilst regular users who've browsed there have a relative URL (i.e. GET /comment.php). I've been toying with the idea of filtering on that.

You know that there are a number of products that automatically strip HTTP Referers, right? Nortons Antivirus is one - it thinks that this adds some privacy value for the user. Or what happens if I bookmark your comment page to come write an insightful comment later?

Whilst I agree that checking for referers is a good thing (90% of the spam I've seen doesn't have them - they find the comment page, work out the form structure then hammer it using some app.), automatically DENY'ing users without refererers may be a bit harsh :-)

Aside: one thing I have noticed is that my spam requests generally look for http://www.example.com/comment.php (i.e. GET http://www.example.com/comment.php) whilst regular users who've browsed there have a relative URL (i.e. GET /comment.php). I've been toying with the idea of filtering on that.

You don't need an autopilot effect. You just need the user to believe that they are protected. (My son said he'd turned on antiphishing, so this message from paypal must be genuine.)

Wouldn't it be hard to make enough reasonable looking URLs?

Phishers don't seem to rely on reasonable-looking URLs. I've been getting variations on the same "paypal suspension notice" scam for the last three or four months. In every case the URL is obfuscated in the HTML, sometimes by trying to hack the statusbar in javascript, sometimes by throwing gibberish before the real URL. But the actual URL the browser goes to is not reasonable looking: it's either an IP address or a domain name of some poorly secured site (eg, http://www.example.com/php-admin/examples/%20/www. paypal.com/complaints.php). Now, I can read a URL and figure out that doesn't below to Paypal, but I doubt my Dad could. At the moment it's actual webhosts that are used, but move to blacklisting and you'll find all those spambots suddenly start responding on port 80.

Phishing, like spamming, is a numbers game. They can send out millions of these things and even if they only get a handful of usernames and passwords still turn a profit. If innovations like Firefox's antiphishing scheme can reduce that to a loss then we can put these people out of business. But given the lag between a phishing site going live and being blacklisted, all you'll do is reduce the profit a little bit.

The only way to defeat phishing is through education and law enforcement. Educate users to verify a site themselves and never submit a password if requested to do so: always go to the site by typing in the address of your bank, paypal, yourself. And law enforcement authorities need to treat this as what it is: a particularly nasty form of automated fraud. Phishing (like spamming) has to have a payoff: follow the money and you'll find the perpetrator.

2. FF fails CSS rendering because it uses an antique CSS engine. http://www.webstandards.org/action/acid2/

Um, acid2 represents one faction's idea on what an ideal, future-proof CSS implementation should do. It's not be-all end-all test of absolute must-have features of CSS. Gecko doesn't fall too far from the goal, and rest assured they're working on the issues.

Those are my FF issues. What are yours?

I'm not using the beta yet. Um... I would terribly appreciate it if middle-click would do nothing. Currently, on Linux, middle-clicking goes into the URL that I have on selection buffer. Middle click gets clicked by accident awfully often when scrolling and I end up staring at http://www.whateverthecrapihadonclipboardwhenmymou seslipped.com/ (see below).

Um... seems like this can be fixed in about:config. middlemouse.contentLoadURL = false. I think. Didn't know this. Very cool.

Another beef is the automatic expansion of example => http://www.example.com/ which just gives me bunch of false alarms. If I find myself looking at http://www.whateverthecrapihadonclipboardwhenmymou seslipped.com/, I'm going to scream. While I'm at it, it shouldn't even assume I want http:/// there; it should demand full URLs. And above the heck all, if I want to use this as a search engine, I type "g (keywords)", not the plain address - I don't want a search bar, I don't want an intelligent search bar;I just want an ordinary address bar that also has this keyword support thing. Is it too much to ask?

I think this is at least the latter is somehow fixable through about:config, but I forgot the instructions (didn't try it at first because it appeared to have side effects). Setting keyword.url = about:blank, keyword.enabled = false has little effect...

So all the spammer has to do is set up wildcard DNS so *.phishing.example.com all points to the same place, then send e-mails with unique URLs:

http://001.phishing.example.com/clickme.php
http://002.phishing.example.com/clickme.php
http://003.phishing.example.com/clickme.php

Or, without using DNS at all, just use unique paths:

http://172.16.255.42/001/clickme.php
http://172.16.255.42/002/clickme.php
http://172.16.255.42/003/clickme.php

As an added bonus, if the spammer keeps a database of which unique URLs were sent to which e-mail addresses, then if they receive a hit at a particular URL (even if you submit bogus information, or don't submit anything at all), they can check off the corresponding e-mail address as "verified".

I really can't see URL hashes working out too well, once everyone starts using them (all four major browsers will soon support anti-phishing, as do a plethora of toolbars for IE6; I'll assume they all work the same way until I hear otherwise). Spammers will adapt - some of them probably already have. If you send the full URL, then you've got a chance, because the server can do pattern matching on it, but of course then you've got (even worse) privacy issues.

Downloading a list (which may include wildcards) instead of sending URLs sounds like a good idea, especially if you can use something like rsync to only download the modifications instead of re-downloading the list all the time. The problem here is speed: if you only update your list once every 24 hours, then if a new round of spam is sent out at 9am and gets caught by the anti-phishing team at noon, even if you don't check your mail until 5pm you still won't get any warning if your definitions don't update until midnight. Of course, there's still that 9am to noon window either way...

So all the spammer has to do is set up wildcard DNS so *.phishing.example.com all points to the same place, then send e-mails with unique URLs:

http://001.phishing.example.com/clickme.php
http://002.phishing.example.com/clickme.php
http://003.phishing.example.com/clickme.php

Or, without using DNS at all, just use unique paths:

http://172.16.255.42/001/clickme.php
http://172.16.255.42/002/clickme.php
http://172.16.255.42/003/clickme.php

As an added bonus, if the spammer keeps a database of which unique URLs were sent to which e-mail addresses, then if they receive a hit at a particular URL (even if you submit bogus information, or don't submit anything at all), they can check off the corresponding e-mail address as "verified".

I really can't see URL hashes working out too well, once everyone starts using them (all four major browsers will soon support anti-phishing, as do a plethora of toolbars for IE6; I'll assume they all work the same way until I hear otherwise). Spammers will adapt - some of them probably already have. If you send the full URL, then you've got a chance, because the server can do pattern matching on it, but of course then you've got (even worse) privacy issues.

Downloading a list (which may include wildcards) instead of sending URLs sounds like a good idea, especially if you can use something like rsync to only download the modifications instead of re-downloading the list all the time. The problem here is speed: if you only update your list once every 24 hours, then if a new round of spam is sent out at 9am and gets caught by the anti-phishing team at noon, even if you don't check your mail until 5pm you still won't get any warning if your definitions don't update until midnight. Of course, there's still that 9am to noon window either way...

So all the spammer has to do is set up wildcard DNS so *.phishing.example.com all points to the same place, then send e-mails with unique URLs:

http://001.phishing.example.com/clickme.php
http://002.phishing.example.com/clickme.php
http://003.phishing.example.com/clickme.php

Or, without using DNS at all, just use unique paths:

http://172.16.255.42/001/clickme.php
http://172.16.255.42/002/clickme.php
http://172.16.255.42/003/clickme.php

As an added bonus, if the spammer keeps a database of which unique URLs were sent to which e-mail addresses, then if they receive a hit at a particular URL (even if you submit bogus information, or don't submit anything at all), they can check off the corresponding e-mail address as "verified".

I really can't see URL hashes working out too well, once everyone starts using them (all four major browsers will soon support anti-phishing, as do a plethora of toolbars for IE6; I'll assume they all work the same way until I hear otherwise). Spammers will adapt - some of them probably already have. If you send the full URL, then you've got a chance, because the server can do pattern matching on it, but of course then you've got (even worse) privacy issues.

Downloading a list (which may include wildcards) instead of sending URLs sounds like a good idea, especially if you can use something like rsync to only download the modifications instead of re-downloading the list all the time. The problem here is speed: if you only update your list once every 24 hours, then if a new round of spam is sent out at 9am and gets caught by the anti-phishing team at noon, even if you don't check your mail until 5pm you still won't get any warning if your definitions don't update until midnight. Of course, there's still that 9am to noon window either way...

1. • 
     URLs
     http://example.com/ will auto-link a URL
     Important Stuff
     
             * Please try to keep posts on topic.
             * Try to reply to other people's comments in

BOTNETS R TEH

      1.
                    *

                                URLs
                                http://example.com/ will auto-link a URL
                                Important Stuff

                                                * Please try to keep posts on topic.

1. • 
     URLs
     http://example.com/ will auto-link a URL
     Important Stuff
     
             * Please try to keep posts on topic.

1. • URLs http://example.com/ will auto-link a URL Important Stuff * Please try to keep posts on topic. * Try to reply to other people's comments instead of starting new threads. * Read other people's messages before posting your own to avoid simply duplicating what has already been said. * Use a clear subject that describes what your message is about. * Offtopic, Inflammatory, Inappropriate, Illegal, or Offensive comments might be moderated. (You can read everything, even moderated posts, by adjusting your threshold on the User Preferences Page) Problems regarding accounts or comment posting should be sent to CowboyNeal.