Hi,

>>> I suggested converting the rawbody rule John was working on into a
>>> redirector_pattern
>>
>> Note that the following rule as posted by John:
>>
>> uri __GOOG_MALWARE_DNLD m;^https?://[^/]*\.google\.com/[^?]*url\?.*[\?&]download=1;i
>>
>> would not currently work as a redirector_pattern due to the problem
>> I posted in my today's reply (Re: redirector_pattern question);
>> i.e. where the redirector target contains "http:", followed
>> by other URI arguments (like "&download=1" here).
>
> Right, and I would take that into account when composing the
> redirector_pattern. That extra bit is there to avoid treating *all* google
> redirects as malware downloads.
>
> Question: has anyone ever seen a *legit* (non-spam, non-phishing,
> non-malware) google redirect like that in an email? Maybe this rule is too
> restrictive and we should be suspicious of *all* google redirects?

I've forwarded you a few samples.

I'm not entirely sure I've kept up with the pieces of this. Has a rule yet been developed? Are both a rule and Marc's patch required? After the patch was posted, there was a comment about the redirector_pattern not being necessary...

Thanks,
Alex