On Thu, 12 Apr 2018, Alex wrote:
We received an email to undisclosed-recipients that contained a Google
redirect to an owl.ly site and another URL which appears to be a
direct download of a PDF.
https://pastebin.com/raw/DekDzifK
I ran that through my testbed and it doesn't even see the Google redirect
URI, perhaps because it's in data-saferedirecturl= rather than href= ...
Do we need to make the SA HTML parser aware of data-saferedirecturl= ?
That appears to be a Gmail-ism that SA *should* probably be aware of, if
it can be used to hide spam signs.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Maxim IX: Never turn your back on an enemy.
-----------------------------------------------------------------------
Today: the 153rd anniversary of Lincoln's assassination
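
The gap discussed in this message, as an added example that is not part of the thread and is not SpamAssassin code (it is Python, not SA's Perl): a link extractor that reads data-saferedirecturl= as well as href= and also reports the redirect's target. The `google.com/url?...q=` shape of the redirect and the sample HTML are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# href is the usual carrier; data-saferedirecturl is the Gmail-added attribute.
URI_ATTRS = ("href", "data-saferedirecturl")

class LinkCollector(HTMLParser):
    """Collect the value of every URI-bearing attribute on <a> tags."""
    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases attribute names and unescapes &amp; in values.
        if tag == "a":
            self.found += [v.strip() for k, v in attrs if k in URI_ATTRS and v]

def unwrap_google_redirect(uri):
    """Return the q= target of a google.com/url redirect, or None."""
    try:
        parts = urlsplit(uri)
    except ValueError:  # malformed URI, e.g. unbalanced IPv6 brackets
        return None
    if parts.hostname not in ("google.com", "www.google.com") or parts.path != "/url":
        return None
    return parse_qs(parts.query).get("q", [None])[0]

def extract_uris(html):
    """Raw attribute values plus any redirect targets, de-duplicated in order."""
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    uris = []
    for uri in parser.found:
        for candidate in (uri, unwrap_google_redirect(uri)):
            if candidate and candidate not in uris:
                uris.append(candidate)
    return uris

# Constructed sample (not the message from the pastebin): the second link
# carries its URI only in data-saferedirecturl, with a percent-encoded target.
SAMPLE = (
    '<a href="http://short.example/abc" data-saferedirecturl="https://www.google.com/'
    'url?hl=en&amp;q=http://short.example/abc&amp;source=gmail">one</a>'
    '<a data-saferedirecturl="https://www.google.com/url?'
    'q=http%3A%2F%2Fpdf.example%2Fa.pdf&amp;source=gmail">two</a>'
)

if __name__ == "__main__":
    print("\n".join(extract_uris(SAMPLE)))
```

A filter that only reads href= would return just the first URI from this sample; the redirect wrapper and the PDF target in the second link would never reach URI rules.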