http://bugzilla.spamassassin.org/show_bug.cgi?id=3156

           Summary: More redirect rules
           Product: Spamassassin
           Version: SVN Trunk (Latest Devel Version)
          Platform: Other
               URL: http://www.exit0.us/index.php/ToAoMsRedirectRules
        OS/Version: other
            Status: NEW
          Severity: normal
          Priority: P5
         Component: Rules
        AssignedTo: [EMAIL PROTECTED]
        ReportedBy: [EMAIL PROTECTED]


I saw that in the current testing.cf file a lot of redirect rules were
added. I've written a few myself that have caught quite some spam in the past
few days; maybe they can be added as well:

# AOL has a redirect script that accepts any referrer
# Spammers use this in conjunction with illegal url formatting (backslash
# instead of forward slash)
uri      TM2_MISC_ILLEGAL_AOL_REDIR            /https?\:\/\/[a-z0-9-_]+\.aol\.com(\:\d+)?(((\\|%5C)cgi(\\|%5C))|((\\|%5C|\/)cgi(\\|%5C))|((\\|%5C)cgi(\\|%5C|\/)))redir-complex/i
describe TM2_MISC_ILLEGAL_AOL_REDIR            Illegal format for AOL redirect
score    TM2_MISC_ILLEGAL_AOL_REDIR            4.5

# Normal use isn't really nice either.
uri      TM2_MISC_AOL_REDIR                    /https?\:\/\/[a-z0-9-_]+\.aol\.com(\:\d+)?\/cgi\/redir-complex/i
describe TM2_MISC_AOL_REDIR                    Uses AOL redirect
score    TM2_MISC_AOL_REDIR                    0.75

uri      TM2_MISC_YAHOO_REDIR                  /https?\:\/\/(rds|srd)\.yahoo\.com(\:\d+)?\/\*-http\:\/\//i
describe TM2_MISC_YAHOO_REDIR                  Uses Yahoo redirect
score    TM2_MISC_YAHOO_REDIR                  0.75

# Recently they're using the IP address of the server instead of its name...
# *sigh*
# upped the score a whole lot, I don't see Yahoo using their own redirector
# with its IP addy.
uri      TM2_MISC_YAHOO_REDIR_IP               /https?\:\/\/(2[0-4][0-9]|25[0-5]|[01]?[0-9][0-9]?)\.(2[0-4][0-9]|25[0-5]|[01]?[0-9][0-9]?)\.(2[0-4][0-9]|25[0-5]|[01]?[0-9][0-9]?)\.(2[0-4][0-9]|25[0-5]|[01]?[0-9][0-9]?)(\:\d+)?\/\*-http\:\/\//i
describe TM2_MISC_YAHOO_REDIR_IP               Uses Yahoo redirect with IP address
score    TM2_MISC_YAHOO_REDIR_IP               4.5

# MSN seems to have a redir too, even though you need a valid token, this is
# being abused
uri      TM2_MISC_MSN_REDIR                    /https?\:\/\/r\.msn\.com\/[^?]+?\?https?\:\/\//i
describe TM2_MISC_MSN_REDIR                    Uses msn token redirect service
score    TM2_MISC_MSN_REDIR                    0.75

There are a few rules from others on my wiki page too, but these are the ones
I've written and seen in my own SPAM tests.

Maybe a general rule like:

uri /https?:\/\/.+?https?:\/\//i

could be added as well for URLs that contain URLs themselves.
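
An added regression check, not part of the bug report: it runs the five rules and the proposed general rule over constructed URIs through Python's re module, which accepts the same pattern syntax used here. Assumptions: the AOL pattern's "||" is written as "|", the MSN pattern is closed with its dots escaped, and every sample URI, including the a.aol.com host label and the MSN token, is a placeholder.

```python
import re

# Rules transcribed from the report as (name, score, pattern). Assumed intent:
# the AOL "||" is written "|"; the MSN pattern is closed and its dots escaped.
OCTET = r"(2[0-4][0-9]|25[0-5]|[01]?[0-9][0-9]?)"
RULES = [
    ("TM2_MISC_ILLEGAL_AOL_REDIR", 4.5,
     r"https?\:\/\/[a-z0-9-_]+\.aol\.com(\:\d+)?(((\\|%5C)cgi(\\|%5C))|((\\|%5C|\/)cgi(\\|%5C))|((\\|%5C)cgi(\\|%5C|\/)))redir-complex"),
    ("TM2_MISC_AOL_REDIR", 0.75,
     r"https?\:\/\/[a-z0-9-_]+\.aol\.com(\:\d+)?\/cgi\/redir-complex"),
    ("TM2_MISC_YAHOO_REDIR", 0.75,
     r"https?\:\/\/(rds|srd)\.yahoo\.com(\:\d+)?\/\*-http\:\/\/"),
    ("TM2_MISC_YAHOO_REDIR_IP", 4.5,
     r"https?\:\/\/" + r"\.".join([OCTET] * 4) + r"(\:\d+)?\/\*-http\:\/\/"),
    ("TM2_MISC_MSN_REDIR", 0.75,
     r"https?\:\/\/r\.msn\.com\/[^?]+?\?https?\:\/\/"),
]
COMPILED = [(n, s, re.compile(p, re.I)) for n, s, p in RULES]
# The unnamed general rule proposed at the end of the report.
NESTED = re.compile(r"https?:\/\/.+?https?:\/\/", re.I)

def hits(uri):
    """Names of the rules that fire on one URI (unanchored search, like a uri rule)."""
    return [n for n, _, rx in COMPILED if rx.search(uri)]

def score(uri):
    """Sum of the scores of the rules that fire on one URI."""
    return sum(s for _, s, rx in COMPILED if rx.search(uri))

# Constructed sample URIs; hosts under .example and the token are placeholders.
SAMPLES = [
    "http://a.aol.com\\cgi\\redir-complex?url=http://shop.example/",
    "http://a.aol.com/cgi%5Credir-complex?url=http://shop.example/",
    "http://a.aol.com/cgi/redir-complex?url=http://shop.example/",
    "http://rds.yahoo.com/*-http://shop.example/",
    "http://192.0.2.10/*-http://shop.example/",
    "http://r.msn.com/token?http://shop.example/",
    "http://archive.example/save/http://news.example/story",
    "http://www.example.com/index.html",
]

if __name__ == "__main__":
    for uri in SAMPLES:
        print(f"{score(uri):5.2f} nested={bool(NESTED.search(uri))} {hits(uri)} {uri}")
```

The seventh sample is an ordinary URL that embeds another URL: none of the named rules fire on it, but the general rule does, which is the trade-off to weigh when scoring it.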


