I have a private website that every week sends e-mails with two different HTTP links to a group of around 30 people. When a link is clicked, the answer is registered in a database. Starting last week, one of the recipient's links is automatically followed by either a network sniffer or some malware on the recipient's computer.
Each e-mail is sent individually since the links contain each recipient's e-mail address:
Yes, I will attend:
http://mywebsite.com/[email protected]&answer=yes
No, I can't attend:
http://mywebsite.com/[email protected]&answer=no
Around 20 minutes after the e-mail has been sent, I get the following request to my website:
UserHostName: 209.133.77.166
UserHostAddress: 209.133.77.166
UserAgent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2; MS-RTC LM 8)
Browser: IE 7.0
Platform: WinXP
HttpMethod: GET
Path: /default.aspx
Url: http://mywebsite.com/default.aspx?answer=ab&[email protected]
UrlReferrer:
There are some strange things to observe here:
- The e-mail address and answer are both ROT13-encoded (but not the parameter names).
- The order of the parameters is reversed.
- Only the second link, with answer=no, is followed.
Also:
- The IP address, UserAgent, Browser and Platform fields do not match those of the recipient's computer (but they might be spoofed, of course).
- The IP address used last week was 209.133.77.167. Both addresses seem to be dynamically allocated in the above.net domain; performing a tracert yields the hostname 209.133.77.166.T01713-01.above.net.
- Checking the e-mail headers, the e-mail was sent from my web hotel binero.net via messagelabs.com to the recipient's mail server.
- It is only this single recipient that has these problems.
Does anyone recognize the pattern of following e-mail links and encoding the parameters with ROT13?
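One way the site could tell the two kinds of hit apart, as an added example that is not part of the original post or the site's own code: parse the request's query string, and if the `answer` value is not one of the expected words but its ROT13 decoding is (as with `answer=ab` above), treat the hit as a rewritten, automated fetch rather than the recipient's click and do not record it. The sample URLs, the `default.aspx?email=...&answer=...` layout and the `alice@example.org` address are constructed for the example.

```python
import codecs
from urllib.parse import urlsplit, parse_qs

VALID_ANSWERS = {"yes", "no"}

# Constructed sample requests in the shape described in the question:
# the recipient's genuine click, and the ROT13-rewritten, parameter-reversed
# request that arrived about 20 minutes after the mail went out.
SAMPLE_CLICK = "http://mywebsite.com/default.aspx?email=alice%40example.org&answer=no"
SAMPLE_REWRITTEN = "http://mywebsite.com/default.aspx?answer=ab&email=nyvpr%40rknzcyr.bet"


def rot13(text: str) -> str:
    """ROT13 is its own inverse, so one call both encodes and decodes."""
    return codecs.decode(text, "rot_13")


def classify_hit(url: str) -> dict:
    """Classify one answer-link request.

    Returns the recipient and answer as the site should interpret them,
    whether the values arrived ROT13-rewritten, whether the parameter order
    was reversed, and whether the hit should be recorded as the
    recipient's answer.
    """
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    email = qs.get("email", [""])[0]
    answer = qs.get("answer", [""])[0]
    reversed_order = list(qs.keys()) == ["answer", "email"]

    # Plain click: parameters exactly as they were put into the e-mail.
    if answer in VALID_ANSWERS and "@" in email:
        return {"email": email, "answer": answer, "rewritten": False,
                "reversed_order": reversed_order, "record": True}

    # Rewritten hit: the values only make sense after ROT13 decoding.
    # Decode for logging, but do not count it as the recipient's answer.
    decoded_answer, decoded_email = rot13(answer), rot13(email)
    if decoded_answer in VALID_ANSWERS and "@" in decoded_email:
        return {"email": decoded_email, "answer": decoded_answer,
                "rewritten": True, "reversed_order": reversed_order,
                "record": False}

    # Anything else is malformed; ignore it.
    return {"email": email, "answer": answer, "rewritten": False,
            "reversed_order": reversed_order, "record": False}
```

The `record` flag only stops this particular rewritten form from being counted; the more robust fix is to make the link land on a page and record the answer only on an explicit POST, so that any automated GET of the link has no side effect.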
Hah, 5 minutes after posting the question I found the answer myself. Ever had that happen to you? :-)
https://security.stackexchange.com/questions/48684/help-investigating-potential-website-attack-url-rewriting-and-rot-13-obfuscatio
Essentially: