On 5/20/26 10:15 AM, Kent Oyer wrote:
Hi Giovanni,You make a fair point about this being an unexpected change for users running 4.0.2 pre-1934332. After a bit of pondering, I have two responses/concerns (both IMHO): 1. Probing URLs we haven't vetted is risky and equally unexpected. If SA's probe ends up unsubscribing a user from a list, or approving/denying a request on their behalf, that's a far worse surprise than a missing redirector match. An argument could even be made that a lenient allowlist is itself an attack surface. A crafted spam message can direct SA to fire HTTP requests at attacker-chosen URLs on any allowlisted host, from the recipient's mail-server IP. The narrower the allowlist, the smaller the risk. 2. The .cf file is a curated allowlist, not part of the API. I think users expect us to maintain it as we learn more about which hosts are abusable and how they operate. Pruning entries that don't meet the standard for inclusion is part of that maintenance. For instance, the documentation in the .cf file states: # Please only add entries that you manually verified as actual working # redirectors that can have abusable custom URLs. Adding non-abusable # services only generates unnecessary HTTP requests. So the criteria for inclusion are: (1) actual working redirector and (2) from an abusable service. Including hosts that may-or-may-not be working redirectors seems contrary to that advice. Here are a few examples for discussion: 1. google[.]com/search It may be abused, but it's not a redirector. It returns a 200 response along with a search results page. There's no Location header to follow or a meta refresh tag in the returned HTML. Probing it from this plugin is wasted network traffic.
"I'feeling lucky" has been abused until ~1 month ago afaik
2. msn[.]com Thus far no evidence to suggest this domain hosts a redirector or is abusable. 3. Actual email from MailChimp Click tracking link (302 redirect): https://redacted[.]us21[.]list-manage[.]com/track/click?u=... Tracking pixel (200, harmless but wasted): https://us[.]list-manage[.]com/... Unsubscribe link (200, wasted with potential side-effects) https://redacted.us21[.]list-manage[.]com/unsubscribe?u=... All three URLs match a bare .list-manage[.]com entry. So without the path element, it's impossible to probe the redirect without probing the other two. You could say that the risk of side-effects is small because it's a HEAD request, but if someone enables url_redirector_use_selenium, every probe turns into a full GET with JavaScript execution. Happy to revisit any of these specific points if you have further ideas. Perhaps we could add back some but not all?
perhaps we could re-enable some of them while improving the list, I will check what I have on my spam corpus. Thanks Giovanni
Thanks Kent On Tue, May 19, 2026 at 04:07 PM, [email protected] wrote: On 5/19/26 6:24 PM, Kent Oyer wrote: That was sort of intentional. I feel that probing every URL from bing.com, msn.com, and google.com just to see if it's a redirector is wasteful and potentially dangerous. at least google[.]com/search is abused and other urls as well, listing all of them might be a very long task. The other domains (list-manage.com, etc.) are less dangerous, but you still run the risk of hitting unsubscribe links and tracking pixels. The only "safe" way to probe them is if the path matches a known redirector pattern. I'm happy to discuss it further if there is a better solution. no real solution for the moment, disabling most redirector's rules for many users is unexpected from a user's pov IMHO. P.S. I couldn't find any examples of a redirector URL from msn.com. Are you aware of any? I cannot find any atm but I bet to have seen one. Thanks Giovanni Thanks Kent On Tue, May 19, 2026 at 02:53 AM, [email protected] <mailto:[email protected]> wrote: On 5/19/26 8:16 AM, [email protected] <mailto:[email protected]> <mailto:[email protected] <mailto:[email protected]>> wrote: Author: fkento Date: Tue May 19 06:16:49 2026 New Revision: 1934386 Log: Prevent wasted HTTP traffic to non-redirect URLs I think this commit will disable redirector checks for some domains for all users that are not running trunk. We need a `if !can(Mail::SpamAssassin::Plugin::Redirectors::has_url_redirector_path)` to cover previous versions IMHO. Cheers Giovanni * awstrack.me * exactag.com * cc.rs6.net * mandrillapp.com * list-manage.com * bing.com * msn.com * msn.com.br Modified: spamassassin/trunk/rules/25_url_redirectors.cf Modified: spamassassin/trunk/rules/25_url_redirectors.cf ============================================================================== --- spamassassin/trunk/rules/25_url_redirectors.cf Tue May 19 06:12:45 2026 (r1934385) +++ spamassassin/trunk/rules/25_url_redirectors.cf Tue May 19 06:16:49 2026 (r1934386) @@ -52,22 +52,16 @@ score REDIR_URL_LOOP 0.01 url_redirector .allaincemh.com url_redirector .australia4wdrentals.com -url_redirector .awstrack.me url_redirector .benchurl.com url_redirector .blob.core.windows.net -url_redirector .cc.rs6.net url_redirector .ct.sendgrid.net -url_redirector .exactag.com url_redirector .hosted.phplist.com url_redirector .href.li url_redirector .maverickcrm.com -url_redirector .msn.com -url_redirector .msn.com.br url_redirector .yandex.net url_redirector .yandex.ru url_redirector auctiva.com url_redirector awin1.com -url_redirector bing.com url_redirector cqbbs.cc url_redirector cdn.dragon.cere.network url_redirector channelchief.varindia.com @@ -81,7 +75,6 @@ url_redirector link.sowl.to url_redirector linklock.titanhq.com url_redirector links.e.shopmyexchange.com url_redirector mccarthysearch.com -url_redirector mandrillapp.com url_redirector notifications.googleapis.com url_redirector post.spmailtechnolo.com url_redirector secure-web.cisco.com @@ -111,19 +104,12 @@ url_redirector_get t.nypost.com url_redirector_get track.pstmrk.it if can(Mail::SpamAssassin::Plugin::Redirectors::has_url_redirector_path) - clear_url_redirector .awstrack.me url_redirector .awstrack.me/L0/ - - clear_url_redirector .exactag.com url_redirector .exactag.com/cl.aspx - - clear_url_redirector .cc.rs6.net url_redirector .cc.rs6.net/tn.jsp - - clear_url_redirector mandrillapp.com url_redirector mandrillapp.com/track/click - url_redirector .list-manage.com/track/click + url_redirector bing.com/ck/a url_redirector substack.com/redirect/ url_redirector go.pardot.com/e/
OpenPGP_signature.asc
Description: OpenPGP digital signature
