Dave, thanks for this. Yet another redirector to sigh about. :( I was poking around and some variations of this apply, but don't hit your rule.
Such as:

SSL sites:
http://www.google.com/url?q=https://www.etrade.com

No www:
http://google.com/url?q=http://cardtraffic.com

Apparently any of Google's subdomains (except labs.google.com):
http://groups.google.com/url?q=http://cardtraffic.com
http://images.google.com/url?q=http://cardtraffic.com

IE will gladly take a \ and use it after the .com
http://images.google.com\url?q=http://cardtraffic.com

or after the http part
http:\\images.google.com\url?q=http://cardtraffic.com

White space after the q will be taken
<http://images.google.com/url?q= http://cardtraffic.com>

If you changed the rule to:

/http:(?:\/|\\)(?:\/|\\).{0,10}\.google\.com(?:\/|\\)url\?q=\s?https?:/i

It should match all of these variations. Also, I think your question mark that comes after url and before q needed to be escaped.

I have a question about URI tests that hopefully some could answer. Are they decoded, or is it possible to decode them? For example would:

http://images.google.com\url?%71=http://cardtraffic.com

Now will the rule above or below fail since the q is represented by its hex code in the URL? Or is the hex code translated to q for the uri test?

Mike

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On
> Behalf Of David B Funk
> Sent: Friday, January 09, 2004 1:32 AM
> To: [EMAIL PROTECTED]
> Subject: [SAtalk] Oh Joy, another abusable URI redirector
>
>
> Oh Joy, another abusable URI redirector. Saw this in a
> recent spam:
> http://www.google.com/url?q=http://cardtraffic.com
>
> Proposed rule:
>
> uri L_URI_REDIR3 /http:\/\/www\.google\.com\/url?q=http:/i
> describe L_URI_REDIR3 open URI redirector #3
> score L_URI_REDIR3 1.5
>
> Dave
>
> --
> Dave Funk                                  University of Iowa
> <dbfunk (at) engineering.uiowa.edu>        College of Engineering
> 319/335-5751   FAX: 319/384-0549           1256 Seamans Center
> Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
> #include <std_disclaimer.h>
> Better is not better, 'standard' is better.
> B{

-------------------------------------------------------
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
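Added example, not part of the thread: a Python harness that runs the two rule bodies quoted above against the URL variations listed in the message, both raw and after percent-decoding, and reports which variations each rule misses. Python's `re` stands in for SpamAssassin's Perl regex engine here, and `VARIANT`, `SAMPLES`, `hits` and `report` are hypothetical names for this illustration; nothing is assumed about whether SpamAssassin itself decodes URIs before `uri` tests.

```python
import re
from urllib.parse import unquote

# The two rule bodies quoted from the thread, as Python regexes.
DAVE_RULE = re.compile(r"http:\/\/www\.google\.com\/url?q=http:", re.I)
MIKE_RULE = re.compile(
    r"http:(?:\/|\\)(?:\/|\\).{0,10}\.google\.com(?:\/|\\)url\?q=\s?https?:", re.I)
# Hypothetical variant (not from the thread): host labels are optional, so the
# bare google.com host is covered as well as its subdomains.
VARIANT = re.compile(
    r"http:[\/\\]{2}(?:[a-z0-9-]{1,10}\.){0,2}google\.com[\/\\]url\?q=\s?https?:", re.I)

# The URL variations listed in the thread, keyed by a short label.
SAMPLES = {
    "original": "http://www.google.com/url?q=http://cardtraffic.com",
    "ssl target": "http://www.google.com/url?q=https://www.etrade.com",
    "no www": "http://google.com/url?q=http://cardtraffic.com",
    "subdomain": "http://groups.google.com/url?q=http://cardtraffic.com",
    "backslash path": r"http://images.google.com\url?q=http://cardtraffic.com",
    "backslash scheme": r"http:\\images.google.com\url?q=http://cardtraffic.com",
    "space after q=": "http://images.google.com/url?q= http://cardtraffic.com",
    "hex-encoded q": r"http://images.google.com\url?%71=http://cardtraffic.com",
}

def hits(rule, decode=False):
    """Names of the samples the rule matches, optionally after percent-decoding."""
    return {name for name, url in SAMPLES.items()
            if rule.search(unquote(url) if decode else url)}

def report():
    """Map (rule name, decoded?) to the set of matched sample names."""
    rules = {"dave": DAVE_RULE, "mike": MIKE_RULE, "variant": VARIANT}
    return {(n, d): hits(r, d) for n, r in rules.items() for d in (False, True)}

if __name__ == "__main__":
    for (name, decoded), matched in report().items():
        missed = sorted(set(SAMPLES) - matched)
        print(f"{name:8} decoded={decoded!s:5} missed: {missed}")
```

The unescaped `?` makes the first rule match none of the samples, the second rule misses the bare `google.com` host because it requires a dot before `google`, and the `%71` form is only caught when the pattern is run against the percent-decoded URL.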