Michael Davidson | 16 Jun 2012 20:45

Re: UnsafeRedirectUnknown

Thanks, Luke, for taking it out of the realm of the hypothetical.

I wonder if a simple warning like I proposed ("The destination is not owned by this institution, exercise
caution before continuing") would be enough of a deterrent so phishers would pass over EZ Proxy.  URL
shorteners seem more of an "attack vector" anyhow.

Mike

On 16 Jun 2012, at 08:50, "Rosenberger, Luke E" <rosenberger <at> uthscsa.edu> wrote:

> I can speak to that, at least anecdotally, for the part of my library.  I'm going to use bit.ly bundles in this
> message to hopefully prevent it from landing in spam purgatory for most of you; if you go to the bundles,
> you'll be able to inspect any URLs there before going to them.
> 
> Like many of you, I do an occasional websearch for the domain name of our ezproxy server just to make sure
> there isn't some joker out there posting usernames and passwords for our server on blogs or forums, like
> those shown in the following bundle: http://bit.ly/M9KHOF
> 
> In doing so, I have found plenty of instances in the wild of our ezproxy prefix being prepended to all sorts
> of unsavory-looking URLs, purveying everything from pharmaceuticals to phone cards to porn.  In the
> bundle at http://bit.ly/LOBHNW you can find just a few examples of blog/forum comment spam that include
> URLs that redirect not just through _our_ ezproxy but through _others_ as well.
> 
> Fortunately, as you'll notice, those posts/comments attempting to redirect spam via ezproxy
installations all appear to date from 2008 or earlier.  The RedirectSafe and UnsafeRedirectUnknown
directives were introduced in EZproxy 5.1c, released on 19 January 2009.  It seems the spammers figured
out pretty quickly that they'd have to move on to a different trick.
> 
> Thanks,
> 
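
One way to model the decision the thread is about, as an added example that is neither EZproxy's code nor anything posted in the thread: a proxy prefix of the form http://ezproxy.example.edu/login?url=<target> is an open redirect if the proxy will send a browser to any <target>, which is what the comment spam Luke describes was exploiting. The model classifies the target as a known host, an unknown host, or something that is not a plain http(s) URL at all, and then applies a policy to the unknown case. The allow-list, the way url= is parsed, the policy names and the hostnames are all assumptions standing in for a real configuration; the unknown_policy values are meant to mirror the spirit of RedirectSafe/UnsafeRedirectUnknown, not their actual syntax, and the 'warn' branch is the interstitial Michael proposes above.

```python
from urllib.parse import urlsplit, unquote

# Constructed allow-list standing in for the hosts a real configuration
# knows about (in EZproxy those come from the database stanzas; this is
# not EZproxy's code).
SAFE_HOSTS = {"www.sciencedirect.com", "link.springer.com"}
# Constructed: the institution's own domain; any subdomain counts as "owned".
OWN_DOMAINS = {"example.edu"}

WARNING_TEXT = ("The destination is not owned by this institution, "
                "exercise caution before continuing")


def classify_target(target: str) -> str:
    """Return 'safe', 'unknown' or 'reject' for a redirect target.

    'reject' covers targets that are not plain absolute http(s) URLs
    (javascript:, data:, scheme-relative //host, bare paths) and URLs
    carrying userinfo, the classic http://trusted-host@evil-host trick.
    """
    try:
        parts = urlsplit(target)
    except ValueError:          # e.g. a malformed IPv6 literal
        return "reject"
    if parts.scheme not in ("http", "https"):
        return "reject"
    if parts.username is not None or parts.password is not None:
        return "reject"
    host = parts.hostname       # lowercased, port and userinfo stripped
    if not host:
        return "reject"
    host = host.rstrip(".")     # "evil.example." is the same host as "evil.example"
    if host in SAFE_HOSTS:
        return "safe"
    # Suffix match only on a label boundary, so "evil-example.edu" and
    # "example.edu.attacker.example" do not pass as the institution's own.
    for domain in OWN_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return "safe"
    return "unknown"


def handle_login(request_url: str, unknown_policy: str = "warn"):
    """Model of a proxy's /login?url=<target> endpoint (an assumption, not
    EZproxy's real handler).

    unknown_policy plays the role of an UnsafeRedirectUnknown-style setting:
      'redirect' - the open-redirect behaviour the spam in the thread used,
      'deny'     - refuse redirects to hosts the proxy does not know,
      'warn'     - show the interstitial proposed in the thread.
    Returns (action, target, message).
    """
    query = urlsplit(request_url).query
    if not query.startswith("url="):
        return ("deny", "", "no url= parameter")
    # Assumption: everything after url= is the target, so an unencoded
    # target that itself contains '?' or '&' survives intact.
    target = unquote(query[len("url="):])
    verdict = classify_target(target)
    if verdict == "reject":
        return ("deny", target, "target is not a plain http(s) URL")
    if verdict == "safe" or unknown_policy == "redirect":
        return ("redirect", target, "")
    if unknown_policy == "deny":
        return ("deny", target, "unknown host")
    return ("warn", target, WARNING_TEXT)


if __name__ == "__main__":
    prefix = "http://ezproxy.example.edu/login?url="   # constructed prefix
    for t in ["http://www.sciencedirect.com/science/article/pii/X?via=ihub",
              "http://www.sciencedirect.com@evil.example/pills",
              "http://cheap-pills.example/",
              "//evil.example/",
              "http://example.edu.attacker.example/"]:
        print(t, "->", handle_login(prefix + t))
```

The checks a practitioner would look for when reviewing an open-redirect fix are the ones the sample targets exercise: userinfo in front of the real host, scheme-relative and non-http targets, a trailing dot on the hostname, and suffix matching that respects label boundaries. Note that a warning interstitial still leaves the institution's hostname in the spam links; whether that alone deters spammers is exactly the question Michael raises above, and 'deny' is the stricter choice.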