I think I found the problem: https://opia.illinois.edu/content/targeted-attack-protection-tuning UIUC is apparently rewriting HTML links in emails to redirect through urldefense.proofpoint.com. This is visible in my version of Rui's email. On Wed, May 27, 2015 at 9:36 AM, Rui Ueyama <ruiu at google.com> wrote:> I sent the mail from Gmail. I checked the source using the Gmail "show > original" mode (which displays a mail in plain text including headers and > all MIME sections) from a different computer, but I cannot find that URL. I > cannot check an email copy that the mailing list server sent back because > Gmail automatically de-dup emails, which is annoying, but I think it's > unlikely that my machine is infected from evidences I've seen so far. Maybe > a mail transfer agent in between Gmail to you inserted the link? I'd > appreciate if you can forward the mail including headers to me. > > On Wed, May 27, 2015 at 9:12 AM, David Chisnall < > David.Chisnall at cl.cam.ac.uk> wrote: > >> On 27 May 2015, at 16:49, Rui Ueyama <ruiu at google.com> wrote: >> > >> > David, >> > >> > The link works fine with my Mac and Android. The source of the mail >> looks okay to me (I verified that from a different machine than the one I >> sent the mail). You may want to check your browser or proxy? >> >> It’s correct in the plain-text version of the mail. The HTML MIME part >> contains this: >> >> <a href=3D"https://urldefense.proofpoint.com/v2/url?u=3Dhttp-3A__reviews>> >> .llvm.org_D10036&d=3DAwMFaQ&c=3D8hUWFZcy2Z-Za5rBPlktOQ&r=3DMfk2qtn1LTDThVkh>> >> 6-oGglNfMADXfJdty4_bhmuhMHA&m=3D8dYF1obzqNfZvfOxlk7H-g8VUfu1ZyS0GdcCWRkWxCk>> &s=3DRu6670O4y8SpAwlp17gVmI7BLz3mIY7gs1Irvo9iDRw&e=3D"> >> http://reviews.llvm. >> <https://urldefense.proofpoint.com/v2/url?u=http-3A__reviews.llvm.&d=AwMFaQ&c=8hUWFZcy2Z-Za5rBPlktOQ&r=Mfk2qtn1LTDThVkh6-oGglNfMADXfJdty4_bhmuhMHA&m=UxTA9_ALGj6dP9lASAs-vE6FoBX_s9ZbD803t-a4XQA&s=Ubr9G2mEli5qzBQAq5lmtafexJu4OZ_lw4HIpfG_QKM&e=> >> >> org/D10036</a> >> >> Apparently they’re not malicious, but I find it somewhat unnerving when >> the URL that I click on turns out not to be the one that the mouseover text >> pops up. If you feel the need to insert a redirection link, I’d very much >> appreciate it if you would post the full link in the text version, as well >> as the href. If, on the other hand, you are unaware that your computer is >> doing this, then I would encourage you to work out what it is and that it >> is not malicious. >> >> The archives only include the plain text version, not the HTML copy, so >> will not see this. >> >> David >> >> > > _______________________________________________ > LLVM Developers mailing list > LLVMdev at cs.uiuc.edu http://llvm.cs.uiuc.edu > http://lists.cs.uiuc.edu/mailman/listinfo/llvmdev > >-------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.llvm.org/pipermail/llvm-dev/attachments/20150527/3f7ac324/attachment.html>
On Wed, May 27, 2015 at 9:56 AM, Reid Kleckner <rnk at google.com> wrote:> I think I found the problem: > https://opia.illinois.edu/content/targeted-attack-protection-tuning > <https://urldefense.proofpoint.com/v2/url?u=https-3A__opia.illinois.edu_content_targeted-2Dattack-2Dprotection-2Dtuning&d=AwMFaQ&c=8hUWFZcy2Z-Za5rBPlktOQ&r=Mfk2qtn1LTDThVkh6-oGglNfMADXfJdty4_bhmuhMHA&m=pyqOZZ6H4FRzC6FoXgbrqI80GKcuvyHIFfCMdrDHDIk&s=NIkJf2Vrf1men7PeqZKFwdcO7M-9jKFpHyNop3y0eww&e=> > > UIUC is apparently rewriting HTML links in emails to redirect through > urldefense.proofpoint.com. This is visible in my version of Rui's email. >Richard Trieu filed a bug in llvm.org/bugs that emails from the bug database are getting similar treatment, FWIW. I don't think it's assuming maliciousness, just tracking everything most likely.> > On Wed, May 27, 2015 at 9:36 AM, Rui Ueyama <ruiu at google.com> wrote: > >> I sent the mail from Gmail. I checked the source using the Gmail "show >> original" mode (which displays a mail in plain text including headers and >> all MIME sections) from a different computer, but I cannot find that URL. I >> cannot check an email copy that the mailing list server sent back because >> Gmail automatically de-dup emails, which is annoying, but I think it's >> unlikely that my machine is infected from evidences I've seen so far. Maybe >> a mail transfer agent in between Gmail to you inserted the link? I'd >> appreciate if you can forward the mail including headers to me. >> >> On Wed, May 27, 2015 at 9:12 AM, David Chisnall < >> David.Chisnall at cl.cam.ac.uk> wrote: >> >>> On 27 May 2015, at 16:49, Rui Ueyama <ruiu at google.com> wrote: >>> > >>> > David, >>> > >>> > The link works fine with my Mac and Android. The source of the mail >>> looks okay to me (I verified that from a different machine than the one I >>> sent the mail). You may want to check your browser or proxy? >>> >>> It’s correct in the plain-text version of the mail. The HTML MIME part >>> contains this: >>> >>> <a href=3D" >>> https://urldefense.proofpoint.com/v2/url?u=3Dhttp-3A__reviews>>> >>> .llvm.org_D10036&d=3DAwMFaQ&c=3D8hUWFZcy2Z-Za5rBPlktOQ&r=3DMfk2qtn1LTDThVkh>>> >>> 6-oGglNfMADXfJdty4_bhmuhMHA&m=3D8dYF1obzqNfZvfOxlk7H-g8VUfu1ZyS0GdcCWRkWxCk>>> &s=3DRu6670O4y8SpAwlp17gVmI7BLz3mIY7gs1Irvo9iDRw&e=3D"> >>> http://reviews.llvm. >>> <https://urldefense.proofpoint.com/v2/url?u=http-3A__reviews.llvm.&d=AwMFaQ&c=8hUWFZcy2Z-Za5rBPlktOQ&r=Mfk2qtn1LTDThVkh6-oGglNfMADXfJdty4_bhmuhMHA&m=UxTA9_ALGj6dP9lASAs-vE6FoBX_s9ZbD803t-a4XQA&s=Ubr9G2mEli5qzBQAq5lmtafexJu4OZ_lw4HIpfG_QKM&e=> >>> >>> org/D10036</a> >>> >>> Apparently they’re not malicious, but I find it somewhat unnerving when >>> the URL that I click on turns out not to be the one that the mouseover text >>> pops up. If you feel the need to insert a redirection link, I’d very much >>> appreciate it if you would post the full link in the text version, as well >>> as the href. If, on the other hand, you are unaware that your computer is >>> doing this, then I would encourage you to work out what it is and that it >>> is not malicious. >>> >>> The archives only include the plain text version, not the HTML copy, so >>> will not see this. >>> >>> David >>> >>> >> >> _______________________________________________ >> LLVM Developers mailing list >> LLVMdev at cs.uiuc.edu http://llvm.cs.uiuc.edu >> http://lists.cs.uiuc.edu/mailman/listinfo/llvmdev >> >> > > _______________________________________________ > LLVM Developers mailing list > LLVMdev at cs.uiuc.edu http://llvm.cs.uiuc.edu > http://lists.cs.uiuc.edu/mailman/listinfo/llvmdev > >-------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.llvm.org/pipermail/llvm-dev/attachments/20150527/07f4655e/attachment.html>
On 27 May 2015, at 17:56, Reid Kleckner <rnk at google.com> wrote:> > I think I found the problem: > https://opia.illinois.edu/content/targeted-attack-protection-tuning > > UIUC is apparently rewriting HTML links in emails to redirect through urldefense.proofpoint.com. This is visible in my version of Rui's email.Thanks for the investigation. Can we turn this off? Having emails with text containing URLs that is not the same as the link target URL is a big red flag for phishing and this is an absolutely terrible idea. This would also explain why I’ve seen a number of LLVMdev emails show up in my spam folder - I hadn’t thought to check where their links were going. Rui: sorry for assuming that it was your fault, David
On Wed, May 27, 2015 at 12:24 PM, David Chisnall < David.Chisnall at cl.cam.ac.uk> wrote:> On 27 May 2015, at 17:56, Reid Kleckner <rnk at google.com> wrote: > > > > I think I found the problem: > > https://opia.illinois.edu/content/targeted-attack-protection-tuning > > > > UIUC is apparently rewriting HTML links in emails to redirect through > urldefense.proofpoint.com. This is visible in my version of Rui's email. > > Thanks for the investigation. Can we turn this off? Having emails with > text containing URLs that is not the same as the link target URL is a big > red flag for phishing and this is an absolutely terrible idea. This would > also explain why I’ve seen a number of LLVMdev emails show up in my spam > folder - I hadn’t thought to check where their links were going. > > Rui: sorry for assuming that it was your fault, > > David > > David,The bug https://llvm.org/bugs/show_bug.cgi?id=23643 is tracking this issue. The URL rewriting is happening because we use the UIUC mail servers. Tanya is contacting UIUC about getting llvm.org links whitelisted. Richard -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.llvm.org/pipermail/llvm-dev/attachments/20150527/930d7bdb/attachment.html>