Benoit had already confirmed that the redirector_pattern worked as expected.
On 11/2/21 6:07 PM, Bill Cole wrote:
On 2021-11-02 at 04:52:17 UTC-0400 (Tue, 2 Nov 2021 09:52:17 +0100)
Benoit Panizzon <benoit.paniz...@imp.ch>
is rumored to have said:
Hi SA Community
In the last couple of weeks, I see a massive increase of spam mails
which make use of google site redirection and dodge all our attempts at
filtering.
That is, the google redirector is about the only common thing in those
emails. Source IP, text content etc. are quite random.
Such an example URI looks like (two spaces added to prevent this
triggering other filters)
https://www.goo gle.com/url?q=https%3A%2F%2Fkissch
icksrr.com%2F%3Futm_source%3DbDukb6xHEYDF2%26amp%3Butm_campaign%3DKirka2&sa=D&sntz=1&usg=AFQjCNGkpnVKLl8I1IP9aQXtTha-jCnt3A
google.com of course is whitelisted.
Why "of course"?
Have you tested what happens if you add "clear_uridnsbl_skip_domain
google.com" to your config?
Creating a rule to match the string "google.com/url?q=" also is a no go
as this would create way too many false positives.
Do not be scared by SA rules matching non-spam. That is a design
feature, not an inadvertent bug. All of the most useful rules match some
ham.
It's only really a "false positive" if the total score for a non-spam
message goes over your local threshold. The fact that the automated
re-scorer assigns scores well below the default threshold is a clue.
So if I could somehow extract the domain "kissch icksrr.com"
and check it against URI blacklists, we would probably solve that issue.
Has anyone already come up with a way how to do that?
I do not believe there's a means of doing that currently. It may be
possible to work something up using the existing internal blocklisting
tools (HashBL, enlist*, etc) but I think it will require new code.
It would be an interesting addition to have a way to define arbitrary
extractor patterns to pull elements out of a string to check against
hostname blocklists or other specific classes of patterns.
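An added example, not from the thread and not SpamAssassin's own code, of the extraction Benoit asks for, written in Python rather than SA's Perl: it pulls the hostname out of a google.com/url?q= redirector, copes with the percent-encoded "&amp;" mangling visible in the quoted URI, and checks the result against a constructed local stand-in for a URI blocklist. The domains, the usg value and the sample body are placeholders I made up.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Hosts whose /url?q= endpoint forwards to an arbitrary URL (assumption: Google's only).
REDIRECTOR_HOSTS = {"google.com", "www.google.com"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def redirect_target_host(uri):
    """Hostname of the URL wrapped in a google.com/url?q=... redirector, else None."""
    outer = urlsplit(uri)
    if (outer.hostname or "").lower() not in REDIRECTOR_HOSTS or outer.path != "/url":
        return None
    # parse_qs splits on the outer '&' before percent-decoding, so the %26-encoded
    # separators inside q= (including the '%26amp%3B' mangling) stay with the inner URL.
    q = parse_qs(outer.query).get("q")
    if not q:
        return None
    inner = urlsplit(q[0])
    if inner.scheme not in ("http", "https") or not inner.hostname:
        return None
    return inner.hostname.lower().rstrip(".")


def redirect_targets_in(text):
    """Distinct hostnames hidden behind redirector URIs in a message body, in order found."""
    hosts = []
    for m in URL_RE.finditer(text):
        host = redirect_target_host(m.group(0).rstrip(".,;)"))
        if host and host not in hosts:
            hosts.append(host)
    return hosts


# Constructed stand-in for a URI blocklist; a real deployment would query a URIBL over DNS.
LOCAL_URIBL = {"bad-example.invalid"}


def redirector_hits_blocklist(text, blocklist=LOCAL_URIBL):
    """Redirect targets in `text` that are listed, i.e. what a URIBL rule should fire on."""
    return [h for h in redirect_targets_in(text) if h in blocklist]


# Constructed sample body shaped like the thread's example (placeholder domains and usg value).
SAMPLE_BODY = """Your account needs attention, click
https://www.google.com/url?q=https%3A%2F%2Fbad-example.invalid%2F%3Futm_source%3Dabc%26amp%3Butm_campaign%3Dxyz&sa=D&sntz=1&usg=PLACEHOLDER_SIG
or see https://www.google.com/search?q=spamassassin and
https://www.google.com/url?q=http%3A%2F%2Fham-example.invalid%2Fdocs&sa=D&sntz=1&usg=PLACEHOLDER_SIG.
"""
```

Calling `redirector_hits_blocklist(SAMPLE_BODY)` returns only the listed target; the plain Google search link and the unlisted redirect target are ignored, which is the behaviour a rule built on this would need to avoid the false positives discussed above.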