Spotted a new exploited forwarder of some sort at LinkedIn -
full spample:
        http://puffin.net/software/spam/samples/0041_linked_forward.txt
Except for the munged "To" and "From" email addresses, that's the
pristine network image.

It came From a known friend at "swbell", who normally sends thru
Yahoo, and has previously been cracked.

At first I assumed the URL was for an actual webpage, so I ran a
raw GET on it/this:
        
https://www.linkedin.com/slink?code=ecPnYgf?152=ofobakj&2643&pjrytop==45612858

and got a zero length document with these headers (cookie redacted):

HTTP/1.0 301 Moved Permanently
Server: Apache-Coyote/1.1
Location: http://www.shopinoklahomacity.com/redirect.aspx?url=http://icynybo.freedom007.top/free/dom/?gelaxo
Content-Length: 0
Vary: Accept-Encoding
Date: Tue, 17 May 2016 20:25:17 GMT
X-Li-Fabric: prod-lva1
Connection: keep-alive
X-Li-Pop: prod-ech2
X-LI-UUID: hNLOXbN0TxQQdMWE/SoAAA==

The redirect in the Location URL should have been a red flag to
any automated security scanner. :\

I re-ran it as a HEAD with a User-Agent that should have
screamed "spam", waited a couple hours, repeated, rinsed, stewed,
then decided to post here.

*** Does anyone have a contact at LinkedIn ops? ***

Sadly, LinkedIn follows the Google/Gmail model of failing to make
core functionality (like reporting spam) useable without
disabling/lowering one's browser security settings/shields. :(
        - "Chip"
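
The check the post says an automated scanner should have made, as an added example (not code from the post or from LinkedIn): it takes the Location header of a 3xx response, unwraps any absolute URL carried in its query string, and reports the chain of hosts. The function names and MAX_DEPTH are assumptions; the request URL and header are the ones quoted above.

```python
from urllib.parse import urlsplit, parse_qsl, unquote

MAX_DEPTH = 5  # assumed cap on nested redirector layers

def _abs_http(value):
    """True if value parses as an absolute http(s) URL with a host."""
    try:
        parts = urlsplit(value)
    except ValueError:
        return False
    return parts.scheme in ("http", "https") and bool(parts.hostname)

def embedded_urls(url):
    """Absolute URLs carried as query-string values of url."""
    found = []
    for _name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        # parse_qsl decodes once; try one more pass for double-encoded targets
        for candidate in (value, unquote(value)):
            if _abs_http(candidate):
                found.append(candidate)
                break
    return found

def redirect_chain(location, depth=0):
    """Hosts reached if each nested redirector is honoured, outermost first."""
    hosts = [urlsplit(location).hostname]
    inner = embedded_urls(location) if depth < MAX_DEPTH else []
    if inner:
        hosts += redirect_chain(inner[0], depth + 1)
    return hosts

def assess(request_url, location):
    """Flag a 3xx response whose Location leaves the site or wraps another URL."""
    chain = redirect_chain(location)
    reasons = []
    if chain[0] != urlsplit(request_url).hostname:
        reasons.append("off-site redirect")
    if len(set(chain)) > 1:
        reasons.append("Location embeds a URL on another host")
    return {"chain": chain, "reasons": reasons}

# Request URL and Location header as quoted in the post above.
REQUEST = "https://www.linkedin.com/slink?code=ecPnYgf?152=ofobakj&2643&pjrytop==45612858"
LOCATION = ("http://www.shopinoklahomacity.com/redirect.aspx"
            "?url=http://icynybo.freedom007.top/free/dom/?gelaxo")

if __name__ == "__main__":
    print(assess(REQUEST, LOCATION))
```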

