On Thu, 12 Apr 2018, Alex wrote:

> We received an email to undisclosed-recipients that contained a google
> redirect to an owl.ly site
>
> https://pastebin.com/raw/DekDzifK
>
> amavisd knew this single email was delivered to more than 40
> recipients. Is there any way to benefit from that in spamassassin?
> This seems to be a common denominator with a lot of these.

How did it know that? Was it bcc'd to 40+ local users and there's some
side channel communicating that to Amavis? Or are you referring to 40+
separate deliveries of the same message, which would point at Razor et
al. as the solution?

> How much of a spam indicator is the google redirects?

I'd say a google redirect to bit.ly or ow.ly is pretty suspicious,
potentially poison-pill suspicious...

> Can someone look at this redirect as part of the redirector_pattern
> along with __GOOG_REDIR?

I'll take a look and see about adding it to my sandbox.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
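
The check discussed in the reply above (a Google redirect whose target is bit.ly or ow.ly) can be sketched as a URL classifier. This is an added example, not code from the thread or from SpamAssassin; the `google.<tld>/url?q=` redirect form, the function names and the sample URLs are assumptions, since the message behind the pastebin link is not reproduced here.

```python
import re
from urllib.parse import urlsplit, parse_qs

SHORTENERS = {"bit.ly", "ow.ly"}   # the two shorteners named in the thread
# Assumption: redirect lives at /url on google.<tld> or www.google.<tld>.
GOOGLE_HOST = re.compile(r"^(?:www\.)?google\.[a-z]{2,3}(?:\.[a-z]{2})?$")
TARGET_PARAMS = ("q", "url")       # assumed parameter names carrying the target
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

def redirect_target(url):
    """Return the URL carried by a Google /url redirect, or None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    # Anchored host match rejects lookalikes such as google.com.evil.example.
    if not GOOGLE_HOST.match(host) or parts.path != "/url":
        return None
    params = parse_qs(parts.query)  # parse_qs percent-decodes the values
    for name in TARGET_PARAMS:
        for value in params.get(name, []):
            if value.lower().startswith(("http://", "https://")):
                return value
    return None

def classify(url):
    """'none', 'google_redirect', or 'google_to_shortener'."""
    target = redirect_target(url)
    if target is None:
        return "none"
    host = (urlsplit(target).hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    return "google_to_shortener" if host in SHORTENERS else "google_redirect"

def scan_body(text):
    """Return (url, verdict) for every Google redirect found in a message body."""
    hits = []
    for url in URL_RE.findall(text):
        verdict = classify(url)
        if verdict != "none":
            hits.append((url, verdict))
    return hits

# Constructed sample body; none of these URLs come from the original message.
SAMPLE_BODY = """Click: https://www.google.com/url?q=https%3A%2F%2Fow.ly%2FEXAMPLE&sa=D
Docs: https://www.google.com/url?q=https://example.org/page
Search: https://www.google.com/search?q=bit.ly
Direct: http://bit.ly/EXAMPLE
Lookalike: https://google.com.evil.example/url?q=https://bit.ly/EXAMPLE
"""

if __name__ == "__main__":
    for url, verdict in scan_body(SAMPLE_BODY):
        print(verdict, url)
```

Only the first sample line gets the stronger verdict; the plain redirect to example.org is reported separately so the two cases can be weighted differently.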