you're looking to use a redirector_pattern rule - weird that this hasn't
been yet been added in SA's default ruleset
Please submit a bug with a sample message
On 11/2/21 9:52 AM, Benoit Panizzon wrote:
Hi SA Community
In the last couple of weeks, I see a massive increase of spam mails
which make use of google site redirection and dodge all our attempts at
filtering.
That is google redirector is about the only common thing in those
emails. Source IP, text content etc. is quite random.
Such an example URI looks like (two spaces added to prevent this
triggering other filters)
https://www.goo gle.com/url?q=https%3A%2F%2Fkissch
icksrr.com%2F%3Futm_source%3DbDukb6xHEYDF2%26amp%3Butm_campaign%3DKirka2&sa=D&sntz=1&usg=AFQjCNGkpnVKLl8I1IP9aQXtTha-jCnt3A
google.com of course is whitelisted.
Creating a rule to match the string "google.com/url?q=" also is a no go
as this would create way to many false positives.
So if I could somehow extract the domain "kissch icksrr.com"
and ckeck it against URI blacklists, we would probably solve that issue.
Has anyone already come up with a way how to do that?
Mit freundlichen Grüssen
-Benoît Panizzon-
