On 26.12.24 09:27, Pierluigi Frullani wrote:
> X-Spam-Status: No, score=4.2 required=4.4 tests=FREEMAIL_FROM,
> HTML_FONT_LOW_CONTRAST,HTML_MESSAGE,HTTP_EXCESSIVE_ESCAPES,
> PDS_OTHER_BAD_TLD,T_REMOTE_IMAGE,URI_NOVOWEL shortcircuit=no
> autolearn=no autolearn_force=no version=3.4.6
> X-Spam-Report:
> * 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail
> * provider
> * [mauneypals[at]gmail.com]
> * 2.0 PDS_OTHER_BAD_TLD Untrustworthy TLDs
> * [URI: haligr.click (click)]
> * 0.5 URI_NOVOWEL URI: URI hostname has long non-vowel sequence
> * 1.0 HTTP_EXCESSIVE_ESCAPES URI: Completely unnecessary %-escapes
> * inside a URL
> * 0.7 HTML_FONT_LOW_CONTRAST BODY: HTML font color similar or
> * identical to background
> * 0.0 HTML_MESSAGE BODY: HTML included in message
> * 0.0 T_REMOTE_IMAGE Message contains an external image
> FREEMAIL_FROM,HTML_FONT_LOW_CONTRAST,HTML_MESSAGE,HTTP_EXCESSIVE_ESCAPES,PDS_OTHER_BAD_TLD,T_REMOTE_IMAGE,URI_NOVOWEL
> FREEMAIL_FROM=0.001,HTML_FONT_LOW_CONTRAST=0.713,HTML_MESSAGE=0.001,HTTP_EXCESSIVE_ESCAPES=1,PDS_OTHER_BAD_TLD=1.999,T_REMOTE_IMAGE=0.01,URI_NOVOWEL=0.5
> I can trap those because of the HTTP_EXCESSIVE_ESCAPES, to which I can give a
> bit more aggressive score, but no "GOOG*" in report.
I might have received similar spam shortly after your message:
X-Spam-Status: No, score=1.8 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
DKIM_VALID_AU,DKIM_VALID_EF,DMARC_MISSING,HREF_EMPTY_XANTIABUSE,
HREF_EMPTY_XAUTHED,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,
SPF_PASS,T_REMOTE_IMAGE,URI_GOOGLE_PROXY autolearn=disabled
version=4.0.0
meta URI_GOOGLE_PROXY __URI_GOOGLE_PROXY && !__FSL_RELAY_GOOGLE && !__TO___LOWER && !__MSGID_OK_HEX && !__HAS_CAMPAIGNID
uri __URI_GOOGLE_PROXY m;^https?://[^.]+\.googleusercontent\.com/proxy/;
and source contains this:
<img st=
yle=3D"margin:0;padding:0;box-sizing:border-box;vertical-align:middle" alt=
=3D"" src=3D"https://ci3.googleusercontent.com/proxy/X8Q_KWklntUHsnaepTZ3W9=
9TIpNz0Ne6IlWhxGdnZrBwsgTPQFav-jBNaatr-M-drsxy1xeucxFn8q528XK6Ya1slCHSJXW-H=
QDwZovedAYkr6Dg4VIyS2OIa9GsNnBJHgtGecqDwzrcXQ=3Ds0-d-e1-ft#https://www.mvmn=
ext.hu/foldgaz/contents/Ugyfelszolgalat/Ertesito/view-the-bill-icon.png"
> Obviously I think it could be dangerous to give a greater score
> to FREEMAIL_FROM as it could lead to false positives when receiving valid
> mails from gmail, or am I wrong?
> Could it be I'm missing something in config?
> For info, I'm running SpamAssassin version 3.4.6 on Perl version
> 5.22.2, just sa-updated a few minutes ago.
> I'm preparing the zip file with some the
> Do you want me to send the zip file (I have 46 mails that have failed)?
Not me, but perhaps check your source as well?
> On Wed 25 Dec 2024 at 18:42 John Hardin <jhar...@impsec.org>
> wrote:
> On Wed, 25 Dec 2024, Pierluigi Frullani wrote:
> > Hi all, I know it's not really a new subject but I would like to ask how
> > can I stop url redirects from google.*.
> > These days I'm receiving a lot of messages that are really spam, but they
> > pass through SpamAssassin, containing the following:
> > "url?q=3Dhttps%3A%2F%2F" from several google locations (I mean,
> > images.google.com, google.es and so on).
> >
> > Is there any good rule to catch them (at least to score some value to these
> > messages)?
> There are existing google redirect rules. It's possible they may not be
> hitting the variants you are seeing.
> If you run the message through SpamAssassin with these flags:
> --debug area=rules,rules-all
> you will get information about which rules and subrules hit. You can use
> that to make a meta rule that works better on such messages.
> Feel free to zip up spamples and send them to me directly for review, if
> we're missing new variants or some Google domains that would help us
> improve our coverage.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Linux - It's now safe to turn on your computer.