
I've tested a lot of websites, and I've found that many sites have a "go.example.com" subdomain that returns the following error message:

404 Not Found
The redirect url is empty

This message makes me think that you can somehow add a header/parameter to make this website redirect to any other site. If that is so, that would be an open redirect, which is a valid vulnerability.

Do these "go." subdomains have a header/parameter that they will redirect to?

schroeder
Jack

1 Answer


It really depends on the site. Good ones will have you pass an integer in, e.g. go.example.com/1234/, which redirects to support.example.com or some such. An open redirect would accept something like go.example.com/badsite.com, which would redirect to badsite.

But it is not so cut and dried; some redirect to a page that is passed in... hard to make a generalization here. The behavior I see most often is passing an int, which checks a DB for where to redirect to.

No way to know but to test or ask the site owner.

Joe M
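The two patterns the answer contrasts, written out as an added example (not code from the question or answer, and not from any real go. subdomain): a resolver that redirects to whatever path it is given, beside one that only accepts an integer key looked up in a table. The table, host names and error strings other than the quoted "The redirect url is empty" are constructed for this example.

```python
"""Added example: two redirect resolvers modelled on the answer above.

resolve_open() is the pattern the answer calls an open redirect: whatever
path the client supplies becomes the redirect target.
resolve_by_id() is the safer pattern: the path carries only an integer that
is looked up in a table of known destinations. The table and host names
are constructed for this example, not taken from any real site.
"""
from urllib.parse import urlsplit

# Constructed lookup table standing in for the DB the answer mentions.
REDIRECT_TABLE = {
    1234: "https://support.example.com/",
    5678: "https://docs.example.com/start",
}

# Hosts a resolved target is allowed to point at (constructed allowlist).
ALLOWED_HOSTS = {"support.example.com", "docs.example.com"}


def resolve_open(path):
    """Vulnerable: treats the path as a URL and redirects to it verbatim.
    /badsite.com becomes https://badsite.com, i.e. an off-site redirect.
    Returns (status, body_or_location)."""
    target = path.lstrip("/")
    if not target:
        return (404, "The redirect url is empty")
    if "://" not in target:
        target = "https://" + target
    return (302, target)


def resolve_by_id(path):
    """Safer: the path must be an integer key into REDIRECT_TABLE, and the
    stored destination is still checked against the host allowlist, so a
    bad row in the table cannot turn this into an open redirect either."""
    key = path.strip("/")
    if not key.isdigit():
        return (400, "redirect id must be an integer")
    target = REDIRECT_TABLE.get(int(key))
    if target is None:
        return (404, "The redirect url is empty")
    if urlsplit(target).hostname not in ALLOWED_HOSTS:
        return (500, "stored destination not in allowlist")
    return (302, target)
```

Feeding a hostname-shaped path to both resolvers is the quickest way to see the difference: the first one follows it, the second one rejects it with a 400.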