On Fri, 19 Feb 2021, Giovanni Bechis wrote:

> On 2/19/21 1:09 AM, John Hardin wrote:
>> On Thu, 18 Feb 2021, Giovanni Bechis wrote:
>>> On 2/18/21 6:37 PM, Ricky Boone wrote:
>>>> Just wanted to forward an example of an interesting URL obfuscation
>>>> tactic observed yesterday.
>>>>
>>>> https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=15&url=https%3A%2F%2Fwww.google.com%2Furl%3Fq%3Dhttps%253A%252F%252Fwww.tehminadurranifoundation.org%252F1%252F1%252Findex.php%26sa%3DD%26sntz%3D1%26usg%3DAFQjCNEa27A724-wMQik8STZvuisHK2G4g
>>>
>>> I just committed a new variation of GB_GOOGLE_OBFUR that should match this spam
>>> as well.
>>> If you can send me a spample I could tweak it a bit more.
>>
>> We may need to coordinate a little here - there's also a google.com/url redir
>> rule in my sandbox, and they may be overlapping.
>
> I proposed a shared sandbox for that reason when we developed bitcoin rules
> (and we had similar problems with overlapping rules).

Perhaps it's time we pursued that. :)
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
The promise of nuclear power: electricity too cheap to meter
The reality of nuclear power: FUD too cheap to meter
-----------------------------------------------------------------------
3 days until George Washington's 289th Birthday
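
The nested google.com/url wrapping discussed in this thread can be unwrapped one percent-decoding level per hop. The following is an added example, not part of the original messages and not the GB_GOOGLE_OBFUR rule; the function names, the hop limit and the constructed `landing.example` URL are assumptions for illustration.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Only the google.com/url redirector form seen in the thread is covered (assumption).
REDIRECT_HOSTS = {"www.google.com", "google.com"}
REDIRECT_PATH = "/url"
TARGET_PARAMS = ("url", "q")   # query parameters that can carry the next hop
MAX_HOPS = 10                  # bound the work done on deeply nested input


def unwrap_google_redirects(url):
    """Return the redirect chain, outermost URL first, final target last."""
    chain = [url]
    for _ in range(MAX_HOPS):
        parts = urlsplit(chain[-1])
        if (parts.hostname or "").lower() not in REDIRECT_HOSTS:
            break
        if parts.path != REDIRECT_PATH:
            break
        # parse_qs removes exactly one level of percent-encoding, so a
        # doubly encoded inner target (%253A) survives as %3A until its own hop.
        params = parse_qs(parts.query)
        nxt = None
        for name in TARGET_PARAMS:
            value = params.get(name, [""])[0]
            if value.lower().startswith(("http://", "https://")):
                nxt = value
                break
        if nxt is None:
            break
        chain.append(nxt)
    return chain


def redirect_depth(url):
    """Number of redirector layers wrapped around the final target."""
    return len(unwrap_google_redirects(url)) - 1


# Constructed sample with the same shape as the URL in the thread:
# redirector -> redirector -> landing page, the innermost URL encoded twice.
INNER = "https://landing.example/1/1/index.php"
MID = "https://www.google.com/url?" + urlencode({"q": INNER, "sa": "D", "sntz": "1"})
SAMPLE = "https://www.google.com/url?" + urlencode(
    {"sa": "t", "rct": "j", "q": "", "esrc": "s", "url": MID})

if __name__ == "__main__":
    for hop, link in enumerate(unwrap_google_redirects(SAMPLE)):
        print(hop, link)
```

A depth of two or more means a redirector pointing at another redirector, which is the pattern the overlapping rules in this thread are trying to catch.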