It seems that this isn’t a new thing (see others noticing it here and here), however I’ve just been hit by a couple of these today, so I blog about it 🙂
Google offers a service which creates redirects with arbitrary targets. Just enter
http://www.google.com/url?q=<an-url-of-your-wish> and it will issue a 302 (permanently moved) header and redirect your browser to the site of your choice. What’s the big deal, you ask? The big deal is that (a) people trust Google and (b) there might be white-lists in anti-spam filters which contain links to Google, so a redirect through Google gets a malicious link past both the user and the filter.
How this should be fixed (IMHO): links should be encrypted before being sent as the parameter. For example, instead of
http://www.google.com/url?q=http://www.example.com, one should use
http://www.google.com/url?q=e86d9f95ad063cf36eb8e7, where e86d9f95ad063cf36eb8e7 is the encrypted version of
http://www.example.com. For added security the encryption key should depend on the current time (the day of the year, for example), and the redirector should check both the current and the previous key (so that if it was Nov 19 when the user clicked the link but already Nov 20 when the request arrived at the Google server, s/he shouldn’t receive an error).
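The proposal above, as an added example (not Google’s code and not from the original post): the target is sealed with a per-day key derived from a master secret, and the redirector accepts a token under today’s key or yesterday’s. It uses a keyed MAC rather than encryption, which is the property that actually stops a third party from minting a redirect to a target of their choice; the master key and the 16-byte tag length are assumptions.

```python
import base64
import hashlib
import hmac
from datetime import date, timedelta

# Constructed secret for this example only; a real redirector keeps it out of source.
MASTER_KEY = b"example-master-key-not-for-production"
MAC_LEN = 16  # truncated HMAC-SHA256 tag, in bytes (assumed length)


def day_key(day: date) -> bytes:
    """Derive the per-day key from the master key (the post's 'key depends on the day' idea)."""
    return hmac.new(MASTER_KEY, day.isoformat().encode(), hashlib.sha256).digest()


def seal(url: str, day: date) -> str:
    """Build the opaque token that goes into /url?q=... for a link created on `day`."""
    body = url.encode()
    tag = hmac.new(day_key(day), body, hashlib.sha256).digest()[:MAC_LEN]
    return base64.urlsafe_b64encode(body + tag).decode().rstrip("=")


def unseal(token: str, today: date):
    """Return the target URL if the token verifies under today's or yesterday's key, else None.

    A token that was not produced by seal() (a forged or tampered target) yields None,
    so the redirector refuses to send the browser anywhere it did not itself sign.
    """
    try:
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    except ValueError:  # covers binascii.Error (bad base64)
        return None
    if len(raw) <= MAC_LEN:
        return None
    body, tag = raw[:-MAC_LEN], raw[-MAC_LEN:]
    # Check the current key and the previous one, so a click that straddles
    # midnight (clicked Nov 19, received Nov 20) is still honoured.
    for day in (today, today - timedelta(days=1)):
        expected = hmac.new(day_key(day), body, hashlib.sha256).digest()[:MAC_LEN]
        if hmac.compare_digest(tag, expected):
            return body.decode()
    return None


if __name__ == "__main__":
    clicked = date(2006, 11, 19)
    token = seal("http://www.example.com", clicked)
    print("token:", token)
    print("same day:", unseal(token, clicked))
    print("next day:", unseal(token, clicked + timedelta(days=1)))
    print("two days later:", unseal(token, clicked + timedelta(days=2)))
```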