Thanks from a Seamonkey user

General discussion about the NoScript extension for Firefox
Post Reply
User avatar
AlphaCentauri
Posts: 13
Joined: Fri Mar 27, 2009 12:09 am
Contact:

Thanks from a Seamonkey user

Post by AlphaCentauri »

Hi, I'm new on this forum. I just wanted to say thanks for making NoScript available for Seamonkey, even including the nighly builds. I do a lot of spam investigation, and I am a lot more at ease checking out a spammed domain if I've got some control over scripts that may be hiding there.

I've installed a lot of copies of NoScript on computers of friends and relatives who were previously unaware there was any alternative to IE or Outlook Express, and hopefully I've made the internet a little safer for them and for anyone their computers might have impacted if they became zombified.

If you're looking for new functions for NoScript, there was just a discussion on our antispam forum about how to adjust FF to prevent it from automatically following page redirections -- useful for preventing page refreshes that go to .exe files, but also for us, to allow us to see which marketing firms' sites are inserted in between a spammed URL and the target site, so we can report spamming affiliates. Currently, the process is a bit cumbersome, and some type of add-on that permitted toggling the status would be useful. But I guess that wouldn't have a lot of widespread demand, though.

Also, if you ever get a wild hair and want to include the functionality of UserAgentSwitcher in NoScript for SeaMonkey 2.0, that would be lovely! Apparently, there is no plan to have a UserAgentSwitcher for SM.
Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.9.1b4pre) Gecko/20090323 SeaMonkey/2.0b1pre
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Thanks from a Seamonkey user

Post by Tom T. »

Note my disclaimer in reply to your welcome post that I'm not an uber-cyber-geek, but doesn't the NS Options > Advanced > Untrusted > "Forbid META redirections inside <NOSCRIPT> elements" accomplish this? Right now, if I go to http://www.wunderground.com (weather site -- OK to visit, scripts disabled), I get a notice that NS blocked a redirection. I get them frequently, and often when I *want* to go somewhere, I have to click "If your browser is not automatically redirected within X seconds, click here". So I assume that NS is doing what you are seeking. If I'm wrong and it's something else you're looking for, sorry.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20
User avatar
GµårÐïåñ
Lieutenant Colonel
Posts: 3365
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA
Contact:

Re: Thanks from a Seamonkey user

Post by GµårÐïåñ »

AlphaCentauri wrote:If you're looking for new functions for NoScript, there was just a discussion on our antispam forum about how to adjust FF to prevent it from automatically following page redirections -- useful for preventing page refreshes that go to .exe files, but also for us, to allow us to see which marketing firms' sites are inserted in between a spammed URL and the target site, so we can report spamming affiliates. Currently, the process is a bit cumbersome, and some type of add-on that permitted toggling the status would be useful. But I guess that wouldn't have a lot of widespread demand, though.
Well I have to agree with Tom, unless we misunderstood your statement above but not only can you block redirections using NoScript already but even Firefox itself has an option to block redirections. If you want to go even further and create whitelist/blacklists for redirections, you can use RefreshBlocker. Hope that helps.
Last edited by GµårÐïåñ on Fri Mar 27, 2009 5:23 am, edited 1 time in total.
Reason: bbcode malfunction
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7
Alan Baxter
Ambassador
Posts: 1586
Joined: Fri Mar 20, 2009 4:47 am
Location: Colorado, USA

Re: Thanks from a Seamonkey user

Post by Alan Baxter »

AlphaCentauri wrote:some type of add-on that permitted toggling the status would be useful.
I see RefreshBlocker has already been mentioned. I use it to block timed redirects or reloads by default. It's not a toggle, but I find it a lot less cumbersome than toggling the Firefox Accessibility option. Have you taken a look at it already?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7
User avatar
AlphaCentauri
Posts: 13
Joined: Fri Mar 27, 2009 12:09 am
Contact:

Re: Thanks from a Seamonkey user

Post by AlphaCentauri »

Caveat up front: I'm not a programmer and don't know too much html, so I'm combining a little knowledge with numerous personal observations, and I may be off track here.

There are actually two modes of redirecting to a new page -- "refresh," which is slow enough to stop manually, and "Location:" which doesn't have to load a page in the browser before moving to another URL, it seems.

It's difficult to publicly post these, since they usually encode the recipient's email address. But as an example the spammed URL might look like this:
http://poal.mailrecipientcopy.com/[several long code numbers]&e=myname@mydomain.com&c=69266


The target of a URL like that might have this as the entire source code:

Code: Select all

HTTP/1.1 302 Found
Date: Sat, 28 Mar 2009 02:52:41 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Location: /dbm83/l.php?[other code numbers]e=myname@mydomain.com&c=69266
Content-Length: 0
Connection: close
Content-Type: text/html; charset=ISO-8859-1
When http://poal.mailrecipientcopy.com/dbm83/l.php?[other code numbers]e=myname@mydomain.com&c=69266 loads, the source code looks like this:

Code: Select all

HTTP/1.1 302 Found
Date: Sat, 28 Mar 2009 03:07:02 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Location: http://www.lynxtrack.com/afclick.php?o=[other code numbers]&e=myname@mydomain.com&c=69266
Content-Length: 0
Connection: close
Content-Type: text/html; charset=ISO-8859-1
and so on:

Code: Select all

HTTP/1.1 302 Found
Date: Sat, 28 Mar 2009 03:08:53 GMT
Server: Apache
P3P: policyref="/w3c/p3p.xml", CP="NOR DSP COR ADM OUR"
Set-Cookie: afclick_[other code numbers]; expires=Mon, 27-Apr-2009 03:08:53 GMT; path=/; domain=.lynxtrack.com
Location: http://affiliate.lfmtracker.com/rd/r.php?sid=[other code numbers]&EID=myname@mydomain.com
Connection: close
Content-Type: text/html

Code: Select all

HTTP/1.1 302 Found
Date: Sat, 28 Mar 2009 03:09:59 GMT
Server: Apache/2.0.52 (CentOS)
X-Powered-By: PHP/4.3.9
P3P: CP="NOI DSP COR NID CUR OUR STP COM"
Set-Cookie: uid[other code numbers]; path=/rd/
Location: http://www.gadgetreviewpanel.com/offer?CID=[other code numbers]&EID=myname@mydomain.com
Content-Length: 0
Connection: close
If you just click the link in the spam, you see a lot of rapid flashing URLs, but there is no way to freeze them midway.

In order to find these intermediate URLs/pages, you can step through them with Malzilla, but these sites often detect that and block Malzilla. I got these by using about:config in Firefox, then temporarily setting network.http.redirection-limit from the default "20" to "1" (I still needed Malzilla to get the source code for the pages.) NoScript doesn't appear to block that when it blocks meta redirections.

I'm sorry I can't post a live link so you can see how it works. You may have something similar in your own spam folders, but you'd have to be prepared to report the affiliate if you don't want the fact that you followed the links to be considered a signal that you want more spam.
Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.9.1b4pre) Gecko/20090323 SeaMonkey/2.0b1pre
User avatar
GµårÐïåñ
Lieutenant Colonel
Posts: 3365
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA
Contact:

Re: Thanks from a Seamonkey user

Post by GµårÐïåñ »

I know what you are referring to and regardless of whether the refresh is accomplished using HTML or JS the process is relatively the same. Now some refreshes occur server side and that is usually out of the user's control.

However, if you set the Firefox's option to block refresh or use RefreshBlocker mentioned before, it WILL stop most anything relevant to the user. Including what you are experiencing. I have used it in the past and it was successful sometimes to the point of making life very miserable. So use with that in mind.

However, when you find a site you don't care refreshing, whitelist it and you won't have to deal with it again.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.0.8) Gecko/2009032609 Firefox/3.0.8
User avatar
AlphaCentauri
Posts: 13
Joined: Fri Mar 27, 2009 12:09 am
Contact:

Re: Thanks from a Seamonkey user

Post by AlphaCentauri »

I had posted that example because the NoScript option to block meta refresh didn't stop it, and I just tried with RefreshBlocker, and that didn't stop it either. It doesn't use the "refresh" tag at any point.
Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.9.1b4pre) Gecko/20090323 SeaMonkey/2.0b1pre
User avatar
AlphaCentauri
Posts: 13
Joined: Fri Mar 27, 2009 12:09 am
Contact:

Re: Thanks from a Seamonkey user

Post by AlphaCentauri »

I found an example on NANAS (news.admin.net-abuse.sightings, where other people's spam is often posted)

https://www.bestwhole.com/NTIxNHwxMTg0fDEyMzIxO ... 1184%27%5D

[blocks Malzilla from obtaining source code]

redirects to

https://www.btracker.com/r?u=aHR0cDovL3d3dy5jcG ... est_flag=0

Code: Select all

HTTP/1.1 301 Moved Permanently
Date: Sat, 28 Mar 2009 16:34:54 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Set-Cookie: btracker=tgmmo62fm6rv5qrc62afkths47; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: CP="IDC DSP COR CURa ADMa DEVa PSAa PSDa CONi TELi OUR DELa BUS IND PHY UNI PUR COM NAV INT DEM"
Set-Cookie: REDIRECT_TRACKER5214=2295s1o1; expires=Sun, 29-Mar-2009 16:34:54 GMT; path=/; domain=www.btracker.com
Location: http://www.cpaclicks.com/secure.asp?e=attrtoporrvo&d=0&l=0&o=&p=0&subID1=1184&subID2=1008218110
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8

redirects to

http://www.cpaclicks.com/secure.asp?e=attrtopo ... 1008218110

Code: Select all

HTTP/1.1 302 Object moved
Server: Microsoft-IIS/5.0
Date: Sat, 28 Mar 2009 16:34:07 GMT
P3P: policyref="http://www.cpaclicks.com/w3c/p3p.xml", CP="NOI COR NID ADM DEV OUR STP OTC"
X-Powered-By: ASP.NET
location: http://affiliates.copeac.com/ez/attrtoporrvo/&dp=0&l=0&p=0&subid1=1184&subid2=1008218110
Connection: Keep-Alive
Content-Length: 0
Content-Type: text/html
Cache-control: private
redirects to

http://affiliates.copeac.com/ez/attrtoporrvo/&dp=0&l=0&p=0&subid1=1184&subid2=1008218110

Code: Select all

HTTP/1.1 301 Moved Permanently
Date: Sat, 28 Mar 2009 16:36:36 GMT
Server: Apache/1.3.41 (Unix) PHP/5.2.6 with Suhosin-Patch
Vary: Host
X-Server-Name: www@dc1dtweb155
X-Powered-By: PHP/5.2.6
Cache-Control: public, max-age=0, must-revalidate
P3P: policyref="/w3c/p3p.xml", CP="NOR NOI DSP COR ADM OUR PHY"
Set-Cookie: directtrack_click_intermarkmedia=1c0c3dd07b46a78b263ae340840aae83; expires=Sun, 29-Mar-2009 16:36:36 GMT; path=/
Set-Cookie: directtrack_lead_intermarkmedia=1c0c3dd07b46a78b263ae340840aae83; expires=Mon, 30-Mar-2009 16:36:36 GMT; path=/
Set-Cookie: directtrack_lead_intermarkmedia=1c0c3dd07b46a78b263ae340840aae83; expires=Mon, 30-Mar-2009 16:36:36 GMT; path=/; domain=.directtrack.com
Location: http://www.naughtyornice.com/ping/index.asp?dtpid=2286&aid=11092&id=22123-&rid=22123
Connection: close
Content-Type: text/html
redirects to

http://www.naughtyornice.com/ping/index.asp?dt ... &rid=22123

Using about:config to change network.http.redirection-limit to "1" allowed me to step through these, but neither NoScripts's "forbid meta redirections" or RefreshBlocker had any effect.

It's useful to get these intermediate links since they are the ones actually paying the spammers who sent the email. This link on NANAS has been posted since November 2008, Yet none of these organizations is blocking this link from clicking through, meaning either they haven't suspended the spamming affiliate or else they have but wish to continue to profit from his spamming. You'd want to be able to find the entire list of domains involved in this for reporting purposes.

naughtyornice.com is registered with a US registrar (GoDaddy.com), a US proxy domain registration service (DomainsByProxy.com), and hosted by a US ISP (Invision.com, Inc. at 69.18.219.106), so according to the McCain amendment to the CAN-SPAM act, they are legally responsible for the spamming by all the links in the chain here.
Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.9.1b4pre) Gecko/20090323 SeaMonkey/2.0b1pre
User avatar
GµårÐïåñ
Lieutenant Colonel
Posts: 3365
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA
Contact:

Re: Thanks from a Seamonkey user

Post by GµårÐïåñ »

AlphaCentauri wrote:I had posted that example because the NoScript option to block meta refresh didn't stop it, and I just tried with RefreshBlocker, and that didn't stop it either. It doesn't use the "refresh" tag at any point.
Oh, my apologies, I didn't realize that the option didn't stop it. However, still consistent with original suggestion, the NS function blocks specifically inside the code and JS refreshes, it cannot control the server sides I believe. However, the FF built in block and RefreshBlocker will catch that. Now I cannot test it obviously being a private link for you, but I am fairly confident it will help you there.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.0.8) Gecko/2009032609 Firefox/3.0.8
User avatar
GµårÐïåñ
Lieutenant Colonel
Posts: 3365
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA
Contact:

Re: Thanks from a Seamonkey user

Post by GµårÐïåñ »

The first two links you posted are using Apache 2.0.52 and Apache 2.2.3 accordingly. Now I am not 100% how they handle server side refreshes that maybe out of the control of the client side but the third one is running on IIS 5.0 using ASP and that has a server.redirect function that is completely out of the control of the client side generally, I have developed on it and often used it to avoid credential interceptions, long story. And the last link is on Apache 1.3.41 which again I am not sure how they handle server side refresh. Now the option you used at 1 to step through these is the same one RefreshBlocker uses to intercept based on actual new HTTP path changes which are automatically initiated, so not sure why that didn't work for you. I will look into that and IF I find useful, I will share with everyone, ok? Hope that somehow helps you, if not then sorry. I agree with you on the CAN-SPAM interpretation and you are correct based on legal interpretation of the statute.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.0.8) Gecko/2009032609 Firefox/3.0.8
User avatar
AlphaCentauri
Posts: 13
Joined: Fri Mar 27, 2009 12:09 am
Contact:

Re: Thanks from a Seamonkey user

Post by AlphaCentauri »

Thanks, the bestwhole.com link cascade is from a posting on NANAS, so it works for anyone. I just made the link in the forum non-clickable so as not to provide a search engine boost for them. You should be able to copy and paste into your browser. (There's one reason I like Seamonkey; you can copy a link that is too long for one line on a web page and paste it in the navigator window without the part that runs to a second line sometimes being cut off.)
Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.9.1b4pre) Gecko/20090326 SeaMonkey/2.0b1pre
User avatar
GµårÐïåñ
Lieutenant Colonel
Posts: 3365
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA
Contact:

Re: Thanks from a Seamonkey user

Post by GµårÐïåñ »

AlphaCentauri wrote:Thanks, the bestwhole.com link cascade is from a posting on NANAS, so it works for anyone. I just made the link in the forum non-clickable so as not to provide a search engine boost for them. You should be able to copy and paste into your browser. (There's one reason I like Seamonkey; you can copy a link that is too long for one line on a web page and paste it in the navigator window without the part that runs to a second line sometimes being cut off.)
Understood, I didn't care about the link and thanks for not making them active, although a harvester can still grab it. I was concerned to find out if the server was employing SS refresh and I won't comment on the Apache ones since I don't know enough about it and anything I say would be a guess and possibly ignorant, so I refrained :) I figured I leave that to those who might ACTUALLY know and can make a more intelligible comment about it. But ASP I can comment :P
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.0.8) Gecko/2009032609 Firefox/3.0.8
Post Reply