On 9/12/2017 9:28 AM, Chip M. wrote:
There's a new campaign that uses Bitly shorteners to some sort of
Google forwarder ("appengine").
Here are some sample Locations returned by HEADing the shorteners:
appengine.google.com/_ah/logout?continue=https://appengine.google.com/_ah/logout?continue=http://bbbcomplianceglobal.com/report.php?mn=######################
appengine.google.com/_ah/logout?continue=https://appengine.google.com/_ah/logout?continue=http://bbbtax.com/getreport.php?ne=########################
appengine.google.com/_ah/logout?continue=http://bbbwork.com/abuse.php?number=#####################
appengine.google.com/_ah/logout?continue=https://appengine.google.com/_ah/logout?continue=http://bbbcompliancenetwork.com/compliance.php?ne=######################
appengine.google.com/_ah/logout?continue=https://appengine.google.com/_ah/logout?continue=http://bbb-compliance.com/abuse.php?rt=###################
I've hashed out the parts that look like tracking IDs, all of
which have been pure numeric chars.
Here are the corresponding Subjects:
752566913589:407
8260420930:36
Incident:062881374904:149
Incident:22677610925:290
Incident:5858851682625:543
The message text is a fake BBB complaint.
I'll put a sample online tonight, if practical.
The SA scores have ranged from -2.2 to 1.5, with no useful
patterns.
Does anyone have a contact at Bitly? These would be trivially
easy for them to block.
- "Chip"
I added a rule called FAKEBBB to KAM.cf yesterday for these issues. If
you have variants not caught, please let me know. I haven't seen one
since. Good idea to contact bit.ly as well as Google. I'll see if I can
backchannel to Google about the appengine misuse.
Regards,
KAM
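
One way to unwrap the nested "continue=" wrappers seen in the Locations above and recover the landing host for blocklist lookups. This is an added example, not part of the original thread and not the FAKEBBB rule; the function names are hypothetical, the numeric tracking IDs in the samples are constructed, and the percent-encoded sample goes beyond the forms shown in the thread.

```python
from urllib.parse import urlsplit, parse_qs

REDIRECTOR_HOST = "appengine.google.com"
REDIRECTOR_PATH = "/_ah/logout"
MAX_DEPTH = 5  # stop peeling after this many nested wrappers


def unwrap_logout_redirect(location):
    """Peel nested logout?continue= wrappers; return (final_url, depth)."""
    url = location.strip()
    # The Locations in the thread are shown without a scheme; add one to parse.
    if not url.lower().startswith(("http://", "https://")):
        url = "https://" + url
    depth = 0
    while depth < MAX_DEPTH:
        parts = urlsplit(url)
        if parts.hostname != REDIRECTOR_HOST or parts.path != REDIRECTOR_PATH:
            break
        # parse_qs splits each pair on the first "=", so an unencoded inner URL
        # that itself contains "?continue=" survives; it also percent-decodes.
        targets = parse_qs(parts.query).get("continue")
        if not targets:
            break
        url = targets[0]
        depth += 1
    return url, depth


def landing_host(location):
    """Host the wrapper finally points at, or None if nothing leaves Google."""
    final_url, depth = unwrap_logout_redirect(location)
    host = urlsplit(final_url).hostname
    if depth == 0 or host is None or host == REDIRECTOR_HOST:
        return None
    return host


# Constructed samples: domains are from the thread, numeric IDs are made up.
SAMPLES = [
    "appengine.google.com/_ah/logout?continue=https://appengine.google.com/_ah/logout?continue=http://bbbcomplianceglobal.com/report.php?mn=1234567890",
    "appengine.google.com/_ah/logout?continue=http://bbbwork.com/abuse.php?number=1234567890",
    "https://appengine.google.com/_ah/logout?continue=http%3A%2F%2Fbbbtax.com%2Fgetreport.php%3Fne%3D1234567890",
    "https://appengine.google.com/_ah/logout?continue=https://appengine.google.com/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(landing_host(sample), unwrap_logout_redirect(sample)[1])
```

The returned host is what a URI blocklist lookup would need to see, since the message body itself only carries the shortener link.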