On 5/2/23 14:34, Abuse Department - Advision via mailop wrote: > I'm starting to think that this is not a malicious activity but some > kind of anonymization/url checking action from some Microsoft or anti > Malware system. > > Those are some example of the encoded parameters > > [...] > > uggcf://jjj.vafgbtebz.dbz/zbeffduv_fey/?uy=vg > applying rot13 twice give > https://www.instagram.com/moreschi_srl/?nl=vg
Surely, rot13 was only applied once... :) except for the 'vg' part. There are many strange things happening on line, and only the originator can answer as to intent. We once came across a distant cousin of who you describe here, rot13 applied to HTTP requests. So, instead of sending: GET /url HTTP/1.1 they sent us: TRG /hey UGGC/1.1 This failed, of course, but someone suggested handling the TRG verb, and wrapping the response in rot13, to see what would happen. We never did. Daniel K. _______________________________________________ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop