On 2/19/21 1:09 AM, John Hardin wrote:
> On Thu, 18 Feb 2021, Giovanni Bechis wrote:
>
>> On 2/18/21 6:37 PM, Ricky Boone wrote:
>>> Just wanted to forward an example of an interesting URL obfuscation
>>> tactic observed yesterday.
>>>
>>> https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=15&url=https%3A%2F%2Fwww.google.com%2Furl%3Fq%3Dhttps%253A%252F%252Fwww.tehminadurranifoundation.org%252F1%252F1%252Findex.php%26sa%3DD%26sntz%3D1%26usg%3DAFQjCNEa27A724-wMQik8STZvuisHK2G4g
>>
>> I just committed a new variation of GB_GOOGLE_OBFUR that should match this
>> spam as well.
>> If you can send me a spample I could tweak it a bit more.
>
> We may need to coordinate a little here - there's also a google.com/url redir
> rule in my sandbox, and they may be overlapping.
>

I proposed a shared sandbox for that reason when we developed bitcoin rules (and we had similar problems with overlapping rules).
Giovanni
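
Added example, not part of the original thread and not the GB_GOOGLE_OBFUR rule: a Python sketch that peels nested google.com/url redirector layers like the one in the reported link, so the final destination can be inspected or matched. The host check, the parameter order (`url`, then `q`), `MAX_HOPS` and the example.org sample are assumptions of this example.

```python
from urllib.parse import urlsplit, parse_qs, urlencode

REDIRECT_PARAMS = ("url", "q")  # assumed: parameters that carry the target, as in the reported link
MAX_HOPS = 5                    # assumed bound so a self-referencing chain terminates


def is_google_redirector(url):
    """True for http(s)://[*.]google.com/url links."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    return (parts.scheme in ("http", "https")
            and (host == "google.com" or host.endswith(".google.com"))
            and parts.path == "/url")


def unwrap(url):
    """Return the chain of URLs from the outer link to the final target."""
    chain = [url]
    while is_google_redirector(chain[-1]) and len(chain) <= MAX_HOPS:
        # parse_qs removes exactly one layer of percent-encoding per hop
        # and drops blank parameters such as the empty "q=" in the outer link.
        query = parse_qs(urlsplit(chain[-1]).query)
        target = next((query[p][0] for p in REDIRECT_PARAMS if p in query), None)
        if target is None:
            break
        chain.append(target)
    return chain


def nesting_depth(url):
    """Number of redirector layers wrapped around the final target."""
    return len(unwrap(url)) - 1


# Constructed sample with the same shape as the reported link (example.org target).
_inner = "https://www.google.com/url?" + urlencode(
    {"q": "https://www.example.org/1/1/index.php", "sa": "D", "sntz": "1"})
SAMPLE = "https://www.google.com/url?" + urlencode(
    {"sa": "t", "rct": "j", "q": "", "source": "web", "url": _inner})

if __name__ == "__main__":
    for depth, hop in enumerate(unwrap(SAMPLE)):
        print(depth, hop)
```

A nesting depth of 2 or more (a redirector pointing at another redirector) is the property that distinguishes this pattern from an ordinary single-hop link.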