On Nov 12, 2020, at 12:31 PM, John Hardin <jhar...@impsec.org> wrote:
>
> On Thu, 12 Nov 2020, Darrell Budic wrote:
>
>> On Nov 12, 2020, at 11:54 AM, John Hardin <jhar...@impsec.org> wrote:
>>>
>>> On Thu, 12 Nov 2020, Darrell Budic wrote:
>>>
>>>> Got a few of these 411 google form spams recently and was wondering why
>>>> they weren't getting caught by SA. Looks like the Return-Path: is
>>>> triggering a whitelist rule on google.com so the rest of the tests aren't
>>>> enough to get it tagged. Anything I can do to keep the whitelist rule from
>>>> firing when the free mail rules have been tripped?
>>>
>>> You can't keep it from firing beyond removing google.com from the
>>> whitelist, which would impact non-gmail google mails. What you *can* do is
>>> define a meta to offset the whitelist score:
>>>
>>> meta FREEM_WLIST_OFFSET USER_IN_SPF_WHITELIST && FREEMAIL_FROM
>>> score FREEM_WLIST_OFFSET 100.000 # offset whitelist score
>>> describe FREEM_WLIST_OFFSET Offset SPF whitelist on freemail From
>>>
>>> Of course, that would prevent you from auth-whitelisting any freemail
>>> provider, if you wanted to do such a thing.
>>
>> Thanks, figured it would be something like that.
>>
>> Would this make sense for something a bit more granular?
>>
>> uri GOOGLE_FORMS /docs\.google\.com\/forms\//
>> meta FREEM_WLIST_OFFSET_GOOGLE GOOGLE_FORMS && USER_IN_SPF_WHITELIST && FREEMAIL_FROM
>> score FREEM_WLIST_OFFSET_GOOGLE 100.000 # offset whitelist score
>> describe FREEM_WLIST_OFFSET_GOOGLE Offset SPF whitelist on freemail From for google forms
>
> There's already a google doc subrule in the base ruleset, try using that:
>
> meta FREEM_GDOC_WLIST_OFFSET USER_IN_SPF_WHITELIST && FREEMAIL_FROM && __URI_GOOGLE_DOC
>
> I'd have to see a spample to tell whether that would hit your particular
> case, though. Can you upload an example to pastebin for us?
Sure, it's at https://paste.centos.org/view/045312a7. The line it'd be looking for is https://docs.google.com/forms/d/e/1FAIpQLSewTcsIWucmT-BDiN5F0_25NVaNqfbTcCANvTA8ReD_MjpONw/viewform?vc=0&c=0&w=1&flr=0&usp=mail_form_link which looks like it would match if I'm reading regexps correctly today?
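The offset trick in the thread is easier to reason about when the score arithmetic is visible. The script below is an added illustration, not part of the thread and not SpamAssassin's rule engine: it evaluates a toy ruleset (the two header conditions, the `uri GOOGLE_FORMS` rule as posted, and the `FREEM_WLIST_OFFSET_GOOGLE` meta) over a constructed message and sums the scores with and without the meta. The whitelist and freemail domain sets, the -100 whitelist score and the 0.001 freemail score are assumptions; real SpamAssassin also requires an SPF pass before `USER_IN_SPF_WHITELIST` fires and evaluates `__URI_GOOGLE_DOC` with its own pattern, which is not reproduced here.

```python
"""Toy model of the whitelist-offset meta rule from the thread (added example)."""
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

# Assumed configuration. Real SpamAssassin builds USER_IN_SPF_WHITELIST from
# whitelist_from_spf entries plus an SPF pass, and FREEMAIL_FROM from the
# FreeMail plugin's domain list; both are reduced to plain domain sets here.
SPF_WHITELIST_DOMAINS = {"google.com"}
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com"}

# Assumed scores: -100/+100 mirror the offset discussed in the thread, the
# FREEMAIL_FROM value is a tiny informational score, the uri subrule scores 0.
SCORES = {
    "USER_IN_SPF_WHITELIST": -100.0,
    "FREEMAIL_FROM": 0.001,
    "GOOGLE_FORMS": 0.0,
    "FREEM_WLIST_OFFSET_GOOGLE": 100.0,
}

# The uri rule exactly as posted: uri GOOGLE_FORMS /docs\.google\.com\/forms\//
GOOGLE_FORMS_RE = re.compile(r"docs\.google\.com/forms/")
# Crude URI extractor for the text parts (SpamAssassin's own is far richer).
URI_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample message; the form id is a placeholder, not a real one.
RAW_MESSAGE = b"""Return-Path: <forms-receipts-noreply@google.com>
From: Some Body <somebody@gmail.com>
To: recipient@example.com
Subject: Your payment is pending
Content-Type: text/plain; charset=utf-8

Please confirm your details at
https://docs.google.com/forms/d/e/EXAMPLE-FORM-ID/viewform?usp=mail_form_link
"""


def domain_of(header_value):
    """Lower-cased domain of the first address in a header value ('' if none)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def extract_uris(msg):
    """Collect http(s) URIs from every text part of the parsed message."""
    uris = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            uris.extend(URI_RE.findall(part.get_content()))
    return uris


def evaluate(raw_bytes, with_offset=True):
    """Return (set of rule names hit, total score rounded to 3 decimals)."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    hits = set()

    # The whitelist keys off the envelope sender (Return-Path), not From.
    if domain_of(msg["Return-Path"]) in SPF_WHITELIST_DOMAINS:
        hits.add("USER_IN_SPF_WHITELIST")
    if domain_of(msg["From"]) in FREEMAIL_DOMAINS:
        hits.add("FREEMAIL_FROM")
    if any(GOOGLE_FORMS_RE.search(u) for u in extract_uris(msg)):
        hits.add("GOOGLE_FORMS")

    # meta FREEM_WLIST_OFFSET_GOOGLE GOOGLE_FORMS && USER_IN_SPF_WHITELIST && FREEMAIL_FROM
    needed = {"GOOGLE_FORMS", "USER_IN_SPF_WHITELIST", "FREEMAIL_FROM"}
    if with_offset and needed <= hits:
        hits.add("FREEM_WLIST_OFFSET_GOOGLE")

    return hits, round(sum(SCORES[r] for r in hits), 3)


if __name__ == "__main__":
    for flag in (False, True):
        hits, score = evaluate(RAW_MESSAGE, with_offset=flag)
        print(f"offset meta {'on ' if flag else 'off'}: score={score:>9} hits={sorted(hits)}")
```

Without the meta the whitelist's -100 swamps everything else; with it the two cancel and the remaining rules decide the verdict. A message from the same envelope domain that carries no Forms link never satisfies all three conditions, so the whitelist still applies to it, which is the granularity the thread is after.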