Having seen a few of these, I wonder whether there's any reason not to write a
rule to catch them all at once.  That is, could someone with access to a mass
check try out the rule

uri URI_REDIRECT        /.https?:\/\//i
describe URI_REDIRECT   URI redirect
score URI_REDIRECT      1.5

(that is, if someone is pointing you to ANY redirector, what are the odds that
they're up to any good?)

On Fri, 9 Jan 2004, Mike Kuentz (2) wrote:

> Dave, thanks for this.  Yet another redirector to sigh about. :(  I was
> poking around and some variations of this apply, but don't hit your
> rule.
>
> Such as:
>
> SSL sites:
> http://www.google.com/url?q=https://www.etrade.com
>
> No www:
> http://google.com/url?q=http://cardtraffic.com
>
> Apparently any of Google's sub domains (Except labs.google.com)
> http://groups.google.com/url?q=http://cardtraffic.com
> http://images.google.com/url?q=http://cardtraffic.com
>
> IE will gladly take a \ and use it after the .com
> http://images.google.com\url?q=http://cardtraffic.com
>
> or after the http part
> http:\\images.google.com\url?q=http://cardtraffic.com
>
>
> White space after the q will be taken
> <http://images.google.com/url?q=       http://cardtraffic.com>
>
>
> If you changed the rule to:
>
> /http:(?:\/|\\)(?:\/|\\).{0,10}\.google\.com(?:\/|\\)url\?q=\s?https?:/i
>
> It should match all of these variations.  Also, I think your question
> mark that comes after url and before q needed to be escaped.
>
>
> I have a question about URI tests that hopefully some could answer.  Are
> they decoded, or is it possible to decode them?
>
> For example would:
> http://images.google.com\url?%71=http://cardtraffic.com
> Now will the rule above or below fail since the q is represented by its
> hex code in the URL?  Or is the hex code translated to q for the uri
> test?
>
> Mike
>
>
>
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On
> > Behalf Of David B Funk
> > Sent: Friday, January 09, 2004 1:32 AM
> > To: [EMAIL PROTECTED]
> > Subject: [SAtalk] Oh Joy, another abusable URI redirector
> >
> >
> > Oh Joy, another abusable URI redirector. Saw this in a
> > recent spam:
> >
> >   http://www.google.com/url?q=http://cardtraffic.com
> >
> > Proposed rule:
> >
> > uri L_URI_REDIR3        /http:\/\/www\.google\.com\/url?q=http:/i
> > describe L_URI_REDIR3   open URI redirector #3
> > score L_URI_REDIR3      1.5
> >
> > Dave
>
>

-- 
Adam Lopresto
http://cec.wustl.edu/~adam/

The box said "Requires Windows 95 or better."  I can't understand why
it won't work on my Linux computer.


_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
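
Added example, not part of the original messages: the three rule patterns from the thread run over the URL variations it lists, once as written and once after percent-decoding, to show which variations each pattern catches. Python's re stands in for the Perl regex engine, the name MIKE_VARIANT and the control URL are constructed for this example, and the decoding step is applied explicitly here rather than assumed to be what SpamAssassin does before a uri test.

```python
import re
from urllib.parse import unquote

# Rule bodies copied from the thread; MIKE_VARIANT is a made-up name for the
# unnamed widened pattern in the quoted reply.
RULES = {
    "L_URI_REDIR3": r"http:\/\/www\.google\.com\/url?q=http:",
    "MIKE_VARIANT": r"http:(?:\/|\\)(?:\/|\\).{0,10}\.google\.com(?:\/|\\)url\?q=\s?https?:",
    "URI_REDIRECT": r".https?:\/\/",
}
COMPILED = {name: re.compile(pat, re.I) for name, pat in RULES.items()}

# URLs quoted in the thread, plus one constructed non-redirect control.
SAMPLES = {
    "original": "http://www.google.com/url?q=http://cardtraffic.com",
    "ssl": "http://www.google.com/url?q=https://www.etrade.com",
    "no_www": "http://google.com/url?q=http://cardtraffic.com",
    "groups": "http://groups.google.com/url?q=http://cardtraffic.com",
    "backslash": r"http://images.google.com\url?q=http://cardtraffic.com",
    "backslash2": r"http:\\images.google.com\url?q=http://cardtraffic.com",
    "spaces": "http://images.google.com/url?q=       http://cardtraffic.com",
    "hex_q": r"http://images.google.com\url?%71=http://cardtraffic.com",
    "control": "http://www.example.com/index.html",  # constructed
}


def hits(url, decode=False):
    """Return sorted names of rules matching url.

    decode=True percent-decodes the URL first (an explicit step in this
    example, not a statement about SpamAssassin's own URI handling).
    """
    text = unquote(url) if decode else url
    return sorted(name for name, rx in COMPILED.items() if rx.search(text))


def report():
    """Map each sample label to (raw hits, hits after percent-decoding)."""
    return {label: (hits(u), hits(u, decode=True)) for label, u in SAMPLES.items()}


if __name__ == "__main__":
    for label, (raw, decoded) in report().items():
        print(f"{label:11} raw={raw} decoded={decoded}")
```

In this run the no-www and multi-space URLs are matched only by URI_REDIRECT, and the %71 URL matches the widened pattern only after decoding.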
