On Fri, 16 Oct 2020, Ricky Boone wrote:

Good afternoon.

I'm seeing an increase in spam/phishing that is utilizing Google Docs.  I
see a rule that seems to be intended to flag certain Google Docs related
URLs, but not the ones I'm seeing.

72_active.cf:uri         __URI_GOOGLE_DOC m,^https?://docs\.google\.com/(?:[^/]+/)*view(?:form)?\?(?:id|formkey)=,i

The URLs I'm seeing don't match that regex.  They all appear to have the
following prefix:

https://docs.google.com/document/d/e/

I think it might be useful to update the pattern to something like the
following, so it could be used by other meta rules, but thought I'd check
with the community first:

m,^https?://docs\.google\.com/(?:[^/]+/)*(?:view(?:form)?\?(?:id|formkey)=|document),i

Thoughts or opinions?


I'll put something into my sandbox to see how the new pattern performs in masscheck. If you can upload some spamples to pastebin and post their URIs here so that we can see what they look like, that would be very helpful.


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org                         pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  Justice is justice, whereas "social justice" is code for one set
  of rules for the rich, another for the poor; one set for whites,
  another set for minorities; one set for straight men, another for
  women and gays. In short, it's the opposite of actual justice.
                                                    -- Burt Prelutsky
-----------------------------------------------------------------------
 18 days until the Presidential Election
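
Added example, not part of the thread: a Python check of the current __URI_GOOGLE_DOC pattern and the proposed replacement against constructed URIs with placeholder IDs. NARROW is a hypothetical tighter variant limited to the /document/d/e/ prefix reported in the message, an assumption that neither poster proposed.

```python
import re

# Patterns from the thread; Perl's m,...,i becomes re.IGNORECASE.
CURRENT = re.compile(
    r"^https?://docs\.google\.com/(?:[^/]+/)*view(?:form)?\?(?:id|formkey)=",
    re.IGNORECASE)
PROPOSED = re.compile(
    r"^https?://docs\.google\.com/(?:[^/]+/)*"
    r"(?:view(?:form)?\?(?:id|formkey)=|document)",
    re.IGNORECASE)
# Hypothetical narrower variant (an assumption, not proposed in the thread):
# only the published-document prefix reported in the message.
NARROW = re.compile(
    r"^https?://docs\.google\.com/document/d/e/", re.IGNORECASE)

# Constructed sample URIs; the IDs are placeholders, not real documents.
SAMPLES = {
    "old_viewform": "https://docs.google.com/forms/viewform?formkey=EXAMPLEKEY",
    "published_doc": "https://docs.google.com/document/d/e/EXAMPLE-ID/pub",
    "editor_doc": "https://docs.google.com/document/d/EXAMPLE-ID/edit",
    "spreadsheet": "https://docs.google.com/spreadsheets/d/EXAMPLE-ID/edit",
    "lookalike_host": "https://docs.google.com.example.net/document/d/e/X/pub",
}

def classify(uri):
    """Return which of the three patterns hit the given URI."""
    return {name: bool(rx.search(uri))
            for name, rx in (("current", CURRENT),
                             ("proposed", PROPOSED),
                             ("narrow", NARROW))}

def report():
    """Classify every constructed sample, keyed by its label."""
    return {label: classify(uri) for label, uri in SAMPLES.items()}

if __name__ == "__main__":
    for label, hits in report().items():
        print(f"{label:15} {hits}")
```

PROPOSED also matches ordinary /document/d/<id>/edit links, which is worth keeping in mind when a meta rule builds on it.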
