On Fri, 5 May 2017 22:02:56 -0400
Alex wrote:
> Am I understanding correctly that redirector_pattern breaks up the one
> encoded URI into multiple URIs that are available for rules to be
> written using them, instead of ?
>
> In other words, if I were to write a uri rule that includes
> www.goog
Hi,
>> >>> I found a local version which maybe did the trick
>> >>>
>> >>> redirector_pattern
>> >>>
>> >>> m'^https?:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/url\?.*?(?<=[?&])q=(.*?)(?:$|[&\#])'i
>> >>
>
>> Yes, but I don't understand how that equates to an eventual score.
>
> I haven't used these, b
On Thursday 04 May 2017 17:07:31 John Hardin wrote:
> I expect a basic accounts.google.com URI rule would be a good idea even if
> a redirector pattern for this was added - is there any legitimate reason
> for a "log in to your google account" URL to be in an email?
>
Not from anyone who isn't wh
On Thu, 4 May 2017, Alex wrote:
Hi,
I found a local version which maybe did the trick
redirector_pattern
m'^https?:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/url\?.*?(?<=[?&])q=(.*?)(?:$|[&\#])'i
Can you explain how to use that? Does it get scored?
see samples in 20_uri_tests.cf
Yes, but I
On Thu, 4 May 2017 18:26:42 -0400
Alex wrote:
> Hi,
>
> >>> I found a local version which maybe did the trick
> >>>
> >>> redirector_pattern
> >>>
> >>> m'^https?:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/url\?.*?(?<=[?&])q=(.*?)(?:$|[&\#])'i
> >>>
> >>
> Yes, but I don't understand how that equat
Hi,
>>> I found a local version which maybe did the trick
>>>
>>> redirector_pattern
>>>
>>> m'^https?:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/url\?.*?(?<=[?&])q=(.*?)(?:$|[&\#])'i
>>
>>
>> Can you explain how to use that? Does it get scored?
>
> see samples in 20_uri_tests.cf
Yes, but I don't under
On Thu, 04 May 2017 12:03:42 +0200
Benny Pedersen wrote:
> Alex wrote on 2017-05-04 03:37:
>
> > https://pastebin.com/aWVaMMni
>
> Content-Type: text/plain; charset=UTF-8
> Content-Transfer-Encoding: quoted-printable
>
> this is imho a spam indicator
>
> double encoding, makes utf-8 see 7
On 05/04/2017 06:57 PM, Alex wrote:
Hi,
Take a look at "redirector_pattern" use in 20_uri_tests.cf and
hstern/20_uri_tests.cf.
It looks like several google redirector patterns are present, but not a
redirect via accounts.google.com, that's new.
FWIW: Using stock redirector_pattern pattern my
Hi,
>>> Take a look at "redirector_pattern" use in 20_uri_tests.cf and
>>> hstern/20_uri_tests.cf.
>>>
>>> It looks like several google redirector patterns are present, but not a
>>> redirect via accounts.google.com, that's new.
>>
>> FWIW: Using stock redirector_pattern pattern my SA detected the
On 05/04/2017 06:42 PM, Axb wrote:
On 05/04/2017 06:34 PM, John Hardin wrote:
On Thu, 4 May 2017, Chip M. wrote:
John, how about a rule against the redirection parameter itself
(i.e. "redirect_uri")? I suspect it'll hit too much ham, however
it would make a great meta combined with obscure/ch
On 05/04/2017 06:34 PM, John Hardin wrote:
On Thu, 4 May 2017, Chip M. wrote:
John, how about a rule against the redirection parameter itself
(i.e. "redirect_uri")? I suspect it'll hit too much ham, however
it would make a great meta combined with obscure/cheap TLDs,
and/or other characteristi
On Thu, 4 May 2017, Chip M. wrote:
John, how about a rule against the redirection parameter itself
(i.e. "redirect_uri")? I suspect it'll hit too much ham, however
it would make a great meta combined with obscure/cheap TLDs,
and/or other characteristics.
I've added that to my own MassCheck que
Hi,
On Thu, May 4, 2017 at 11:54 AM, Chip M. wrote:
> Alex, thanks for the spample!
Gladly.
> I've only received one (so far), containing the same base domain
> with the ".win" TLD, also freshly registered at NameCheap with
> privacy protection and CloudFlare.
Which rules show that? Sounds lik
Alex, thanks for the spample!
I've only received one (so far), containing the same base domain
with the ".win" TLD, also freshly registered at NameCheap with
privacy protection and CloudFlare.
On Thu, 04 May 2017, Axb wrote:
>SA's redirect patterns detected these domains and my logs show
>most
Hi,
On Thu, May 4, 2017 at 3:12 AM, Vincent Fox wrote:
> Sendmail access.src:
>
> From:pro    REJECT
>
> Guess that's why I haven't heard about this on our campus.
We actually get legitimate mail from at least a few of these.
> I block dozens of these apparently lawless domains.
Dozens? Can yo
Noel Butler wrote on 2017-05-04 12:45:
The SEM fresh* uri lists I dare say.
it could be core part of spamassassin, why ?, since spammers avoid
sending it to sem, and not all new domains come to sem before its
deprecated spam campaigns :/
who will make it to sa core ?
sad to see your mail
On 04/05/2017 17:38, Merijn van den Kroonenberg wrote:
>> On Wed, 3 May 2017, Alex wrote:
>> That target domain "g-docs . pro" was registered 12 days ago via
>> namecheap.com
>> which was enough to earn it a few extra points at our site.
>
> How do you detect the domain age in SA? I am really int
Alex wrote on 2017-05-04 03:37:
https://pastebin.com/aWVaMMni
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
this is imho a spam indicator
double encoding, makes utf-8 see 7 bit, no go
its the same with idn phishing domains in other threads
can sa tes
> On Wed, 3 May 2017, Alex wrote:
>
>> Hi,
>>
>> If you haven't heard, there was a huge Google Docs phishing attack
>> today.
[snip]
>> Have you received any of these? Have you done anything to prevent them
>> next time or from being received this time?
>
> That target domain "g-docs . pro" was reg
FTR:
Google closed this hole real fast.
SA's redirect patterns detected these domains and my logs show most were
listed by the domain lists within a few minutes.
On 05/04/2017 03:37 AM, Alex wrote:
Hi,
If you haven't heard, there was a huge Google Docs phishing attack
today. Several hundred
Sendmail access.src:
From:pro    REJECT
Guess that's why I haven't heard about this on our campus.
I block dozens of these apparently lawless domains.
From: Alex
Sent: Wednesday, May 3, 2017 6:37:49 PM
To: SA Mailing list
Subject: Today's Go
On Wed, 3 May 2017, Alex wrote:
Hi,
If you haven't heard, there was a huge Google Docs phishing attack
today. Several hundred bypassed our filters in the hour or so before
we were able to identify them. The To address is always
"h...@mailinator.com" and the subject is always " has s
On Wed, 3 May 2017, Alex wrote:
If you haven't heard, there was a huge Google Docs phishing attack
today.
Our IT department actually warned us of this one...
I wanted to provide an example in case it helps, even though chances
are the campaign is dead. We've seen Google proxy and redirect at
Hi,
If you haven't heard, there was a huge Google Docs phishing attack
today. Several hundred bypassed our filters in the hour or so before
we were able to identify them. The To address is always
"h...@mailinator.com" and the subject is always " has shared a document on Google Docs wit
24 matches