On Thu, 17 Dec 2015, Axb wrote:
On 12/17/2015 10:38 PM, John Hardin wrote:
On Thu, 17 Dec 2015, Axb wrote:
> On 12/17/2015 09:15 PM, John Hardin wrote:
> > On Thu, 17 Dec 2015, Alex wrote:
> >
> > > Hi,
> > > > Can someone explain why spamassassin is allowing apparent google
> > > redirects? Cryptolocker :-( This one's blocked now.
> > > > <td align="left" style="font-family: 'merriweather sans', tahoma,
> > > arial, sans-serif; color: rgb(54, 54, 54); font-size: 14px;"><a
> > >
> > href="https://www.google.com/url?q=http://www.mediafire.com/download/{snip}"
> >
> > > > style="color: rgb(89, 143, 222);
> > > outline: 0px;" target="_blank">1Z4566W50378875...</a></td>
> > > > #
> > >
> > href="https://www.google.com/url?q=http://www.mediafire.com/download/izdqjzml6
> >
> > > > rawbody GOOG_VIEW1
> > > m;https?://www\.google\.com/url\?(q=http(s)?|sa=t\&\;url=http);
> > > describe GOOG_VIEW1 Using google url
> > > score GOOG_VIEW1 6.0
> > > > Ideas for improving the rule or making it more flexible would be
> > > appreciated.
> >
> > There are google rules. I'll take a look at why this wasn't scored
> > when
> > I get a chance later today or tomorrow.
>
> there's a bunch of Henry Stern's google redirector_pattern rules but
> they're all made for http only.
> Adding and commiting s? now
And this in my sandbox, with a different pattern:
uri __GOOG_MALWARE_DNLD
m;^https?://[^/]*\.google\.com/[^?]*url\?.*[\?&]download=1;i
I will broaden that a bit.
could you make a version using redirector_pattern so the redirected target
can be looked up via URIBL plugin?
Sadly, there's nothing in the corpus that matches that rule. I think it'll
be published, but with a low score.
http://ruleqa.spamassassin.org/20151218-r1720729-n/GOOG_MALWARE_DNLD/detail
Alex, if you still have some of those around, send them to me as RFC822
attachments and I'll add them to my masscheck spam corpora.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
"Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
does quite what I want. I wish Christopher Robin was here."
-- Peter da Silva in a.s.r
-----------------------------------------------------------------------
7 days until Christmas