On Wed, 10 Jun 2015, John Hardin wrote:

> On Wed, 10 Jun 2015, Ben wrote:
>
>> Hi,
>>
>> Does SA have pre-existing tests that look for this sort of thing (so I can
>> just boost the score a little bit), or does anyone have any ideas how I
>> might counter such spam?
>>
>> Look at this fine specimen as an example:
>>
>> http://pastebin.com/raw.php?i=XjV94PMW
>>
>> See how they cunningly use "http://www.google.com/url?q=" in order to
>> obfuscate their URLs, as a DBL check countermeasure I suspect.
>
> __GOOG_REDIR and GOOG_REDIR_SHORT in my sandbox are being published. However,
> if the message is long then it probably isn't hitting GOOG_REDIR_SHORT and
> another meta using __GOOG_REDIR would be needed.
...hit SEND too quickly...

It doesn't look like anything else in that message is really usable for a
base meta. __GOOG_REDIR && RDNS_NONE might be useful locally, but it
wouldn't perform well in masschecks; there's zero overlap with current
corpora, so it wouldn't get promoted. I'll drop it in, though, in case it
starts showing up in the masscheck corpora.

The URL parser should pick out the target URL by itself as well, so it
should be checked against URIBLs. Unfortunately dsfv4.pillsforyou.ru isn't
listed in URIBL.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Maxim XI: Everything is air-droppable at least once.
-----------------------------------------------------------------------
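The two points raised in the thread, that a "http://www.google.com/url?q=" wrapper hides the real destination from a naive domain lookup, and that a URL parser which unwraps the redirect lets the destination be checked against a URI blocklist, are illustrated below in Python. This is an added example, not SpamAssassin's own Perl code and not the sandbox rules mentioned above: the rule names LOCAL_GOOG_REDIR, LOCAL_GOOG_REDIR_SHORT and LOCAL_URIBL_HIT are hypothetical, the "short message" length threshold is an assumption, and the message body, the destination domains and the local blocklist are constructed for the example. Unlike the thread's case, it also handles a wrapper nested inside a percent-encoded wrapper, so the last destination survives a double redirect.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample message body (not the pastebin specimen from the thread).
# Line 2 carries a single wrapper; line 3 carries a percent-encoded wrapper
# nested inside another wrapper; line 4 is an ordinary, unwrapped URL.
SAMPLE_BODY = (
    "Great deals today!\n"
    "Click here: http://www.google.com/url?q=http://shop.blocked.example/offer&sa=D\n"
    "Or here: http://www.google.com/url?q=http%3A%2F%2Fwww.google.com%2Furl%3Fq%3D"
    "http%3A%2F%2Fpills.blocked.example%2F\n"
    "Unrelated: http://www.example.org/about\n"
)

# Constructed stand-in for a URI blocklist (listed by registered domain).
LOCAL_URIBL = {"blocked.example"}

# Crude URL extractor; SA's own parser is far more thorough, this only
# needs to pull plain http(s) URLs out of a text body.
URL_RE = re.compile(r'https?://[^\s<>"\']+')


def unwrap_google_redirect(url, max_depth=3):
    """Return the final destination of a google.com/url?q=... wrapper.

    Nested wrappers are followed up to max_depth times; parse_qs decodes
    one layer of percent-encoding per step.  Any URL that is not such a
    wrapper is returned unchanged.  (Only google.com hosts are recognised
    here; country-code Google domains would need their own check.)
    """
    for _ in range(max_depth):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        is_google = host == "google.com" or host.endswith(".google.com")
        if not (is_google and parsed.path == "/url"):
            return url
        target = parse_qs(parsed.query).get("q") or parse_qs(parsed.query).get("url")
        if not target:
            return url
        url = target[0]
    return url


def listed_domain(host, local_uribl):
    """Return the listed domain if host or any parent domain (down to two
    labels) appears in local_uribl, else None.  SA uses a registrar-boundary
    list for this; walking the parent domains is a simplification."""
    labels = host.lower().split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in local_uribl:
            return candidate
    return None


def check_message(body, local_uribl, short_body_len=2000):
    """Unwrap every redirect in body, look the destinations up in the local
    list and report which hypothetical rules would fire."""
    redirect_count = 0
    destinations = []
    for url in URL_RE.findall(body):
        final = unwrap_google_redirect(url)
        if final != url:
            redirect_count += 1
        host = urlparse(final).hostname
        if host:
            destinations.append(host.lower())

    listed = set()
    for host in destinations:
        hit = listed_domain(host, local_uribl)
        if hit:
            listed.add(hit)

    hits = []
    if redirect_count:
        hits.append("LOCAL_GOOG_REDIR")
        # Assumed threshold: a wrapper in a short body is more suspicious
        # than one buried in a long newsletter.
        if len(body) < short_body_len:
            hits.append("LOCAL_GOOG_REDIR_SHORT")
    if listed:
        hits.append("LOCAL_URIBL_HIT")

    return {
        "redirect_count": redirect_count,
        "destinations": destinations,
        "listed": sorted(listed),
        "hits": hits,
    }


if __name__ == "__main__":
    for key, value in check_message(SAMPLE_BODY, LOCAL_URIBL).items():
        print(f"{key}: {value}")
```

In a real deployment the lookup would go to the URIBL DNS zones rather than a local set, and the unwrapping is what lets the listed domain be seen at all: a lookup on the literal URL's host only ever sees www.google.com, which is exactly the countermeasure Ben suspected.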