On Thu, 17 Dec 2015, Axb wrote:

> On 12/17/2015 10:38 PM, John Hardin wrote:
> > On Thu, 17 Dec 2015, Axb wrote:
> >
> > > On 12/17/2015 09:15 PM, John Hardin wrote:
> > > > On Thu, 17 Dec 2015, Alex wrote:
> > > >
> > > > > Hi,
> > > > >
> > > > > Can someone explain why spamassassin is allowing apparent google
> > > > > redirects? Cryptolocker :-( This one's blocked now.
> > > > >
> > > > > <td align="left" style="font-family: 'merriweather sans', tahoma,
> > > > > arial, sans-serif; color: rgb(54, 54, 54); font-size: 14px;"><a
> > > > > href="https://www.google.com/url?q=http://www.mediafire.com/download/{snip}"
> > > > > style="color: rgb(89, 143, 222);
> > > > > outline: 0px;" target="_blank">1Z4566W50378875...</a></td>
> > > > >
> > > > > #
> > > > > href="https://www.google.com/url?q=http://www.mediafire.com/download/izdqjzml6
> > > > > rawbody GOOG_VIEW1
> > > > > m;https?://www\.google\.com/url\?(q=http(s)?|sa=t\&amp\;url=http);
> > > > > describe    GOOG_VIEW1            Using google url
> > > > > score       GOOG_VIEW1            6.0
> > > > >
> > > > > Ideas for improving the rule or making it more flexible would be
> > > > > appreciated.
> > > >
> > > > There are google rules. I'll take a look at why this wasn't scored when
> > > > I get a chance later today or tomorrow.
> > >
> > > there's a bunch of Henry Stern's google redirector_pattern rules but
> > > they're all made for http only.
> > > Adding and committing s? now
> >
> > And this in my sandbox, with a different pattern:
> >
> > uri __GOOG_MALWARE_DNLD
> > m;^https?://[^/]*\.google\.com/[^?]*url\?.*[\?&]download=1;i
> >
> > I will broaden that a bit.
>
> could you make a version using redirector_pattern so the redirected
> target can be looked up via URIBL plugin?

Sadly, there's nothing in the corpus that matches that rule. I think it'll be published, but with a low score.

http://ruleqa.spamassassin.org/20151218-r1720729-n/GOOG_MALWARE_DNLD/detail

Alex, if you still have some of those around, send them to me as RFC822 attachments and I'll add them to my masscheck spam corpora.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  "Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
  does quite what I want. I wish Christopher Robin was here."
                                           -- Peter da Silva in a.s.r
-----------------------------------------------------------------------
 7 days until Christmas
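
The redirect unwrapping asked for in the thread (pulling the redirected target out of a Google `/url` link, over http or https, so its host can be checked against a URIBL), sketched in Python as an added example. It is not code from the thread or from SpamAssassin; the function names and the sample links are constructed, and `GOOG_MALWARE_DNLD` is a port of the `uri` pattern quoted above.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Python port of the uri rule quoted in the thread (m;...;i form).
GOOG_MALWARE_DNLD = re.compile(
    r"^https?://[^/]*\.google\.com/[^?]*url\?.*[\?&]download=1", re.I)

def is_google_host(host):
    # Exact domain or a true subdomain; "google.com.example.org" must not pass.
    host = (host or "").lower().rstrip(".")
    return host == "google.com" or host.endswith(".google.com")

def redirect_target(url, max_depth=5):
    """Unwrap (possibly nested) Google /url redirects.

    Returns the innermost target URL, or None if url is not such a redirect.
    Accepts http and https wrappers and both the q= and url= parameters.
    """
    target = None
    for _ in range(max_depth):          # bound the loop against deep nesting
        parts = urlsplit(url)
        if parts.scheme.lower() not in ("http", "https"):
            break
        if not is_google_host(parts.hostname) or not parts.path.endswith("/url"):
            break
        qs = parse_qs(parts.query)      # also percent-decodes the values
        nxt = (qs.get("q") or qs.get("url") or [""])[0]
        if not nxt.lower().startswith(("http://", "https://")):
            break
        target = url = nxt
    return target

def uribl_host(url):
    """Hostname a URIBL lookup should see for this link (None if no redirect)."""
    target = redirect_target(url)
    return urlsplit(target).hostname if target else None

# Constructed sample links (example.net stands in for the real download host).
SAMPLES = [
    "https://www.google.com/url?q=http://files.example.net/download/abc",
    "http://www.google.com/url?sa=t&url=http%3A%2F%2Ffiles.example.net%2Fx",
    "https://www.google.com/url?q=http://files.example.net/f&download=1",
    "https://www.google.com.example.org/url?q=http://files.example.net/",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(uribl_host(s), bool(GOOG_MALWARE_DNLD.search(s)), s)
```

The fourth sample is a lookalike host that only contains `google.com` as a prefix; it is not unwrapped, which is why the host check compares the domain suffix rather than searching for a substring.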
