Brian Wilson wrote:
On Wed, 14 Mar 2007, Daryl C. W. O'Shea wrote:
Brian Wilson wrote:
Ok, I've got one; apparently from a gmail user to my gmail account,
then forwarded to an external account. The html links go to a
blogspot.com site, then redirect to some Pharmacy Express site.
Raw Message: http://bubba.org/spam/spam_lowscore.txt
Message renders like this: http://bubba.org/spam/spam_lowscore.jpg
X-Spam-Status: No, score=-0.5 required=4.5 tests=BAYES_50,HTML_MESSAGE,
SPF_PASS autolearn=no version=3.1.8
X-Spam-Report:
* -0.5 SPF_PASS SPF: sender matches SPF record
* 0.0 HTML_MESSAGE BODY: HTML included in message
* 0.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
* [score: 0.4641]
Any ideas for detecting these?
The WebRedirect plugin will help (if you add *.blogspot.com to the
list of domains it's supposed to check).
Daryl
I installed the plugin, added *.blogspot.com to the list, and the plugin
didn't flag anything for this particular message.
[13718] dbg: rules: hostname: osmmehaaranrev.blogspot.com matches check
pattern: *.blogspot.com
[13718] dbg: rules: checking uri: http://osmmehaaranrev.blogspot.com/
[13718] dbg: rules: request status: 200 OK
[13718] dbg: rules: got response to request in 0.813493 seconds
[13718] dbg: rules: _decode_page() iteration 0
[13718] dbg: rules: WebRedirect page text: start>>
<data from page>
[13718] dbg: rules: WebRedirect decoded text: start>><<end
Did this work for you?
Looking at this particular web page for now, you'll need a rule to hit
on how they're doing the redirect. Previous Blogspot redirect pages
used redirect code that matched rules written two years ago for
Geocities spam.
Anyway... this is the redirect code they're using:
<div class='widget-content'>
<script>yvxj = "ef=";kacm = "ttp://";apgy = "fe";ioo = "'h";usf = "ershikin";
uos = ".";iaswx = "inj";bdj = "com'";rpul = "l";fgbww = "nhu";wnx = "ocation.hr";
jftrg = rpul + wnx + yvxj + ioo + kacm + apgy + fgbww + iaswx + usf + uos + bdj; eval(jftrg); </script>
</div>
Quick and dirty, a regex that would work for a Web-Redirect header rule:
/( \+ [a-z]{1,6}){4}; eval\([a-z]{1,6}\); <\/script>/
Daryl
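Added example, not part of the thread: a small Python script that runs Daryl's pattern over the quoted redirect snippet and, rather than calling eval, resolves the string concatenation statically to expose the URL the page would send a visitor to. The sample page text is constructed from the snippet above (re-joined onto one line as the fetched page would carry it); the function names are assumptions of this example.

```python
import re

# Constructed sample: the obfuscated Blogspot redirect quoted in the thread,
# re-joined onto one line as it would appear in the fetched page.
SAMPLE_PAGE = (
    "<div class='widget-content'>\n"
    '<script>yvxj = "ef=";kacm = "ttp://";apgy = "fe";ioo = "\'h";usf = '
    '"ershikin";uos = ".";iaswx = "inj";bdj = "com\'";rpul = "l";fgbww = '
    '"nhu";wnx = "ocation.hr";jftrg = rpul + wnx + yvxj + ioo + kacm + apgy '
    "+ fgbww + iaswx + usf + uos + bdj; eval(jftrg); </script>\n"
    "</div>\n"
)

# Daryl's quick-and-dirty rule, transcribed from Perl to Python re syntax:
# four or more "+ name" terms, a statement end, then eval() of a short name.
REDIRECT_RULE = re.compile(r"( \+ [a-z]{1,6}){4}; eval\([a-z]{1,6}\); </script>")

# name = "literal"  assignments, and  name = a + b + c; eval(name)
ASSIGN_RE = re.compile(r'([a-z]+)\s*=\s*"([^"]*)"')
CONCAT_RE = re.compile(r"([a-z]+)\s*=\s*([a-z]+(?:\s*\+\s*[a-z]+)+)\s*;\s*eval\(\1\)")


def rule_hits(page):
    """True when the concatenate-then-eval signature is present in the page text."""
    return REDIRECT_RULE.search(page) is not None


def decode_redirect(page):
    """Resolve the concatenation statically; return the JS that eval() would run."""
    strings = dict(ASSIGN_RE.findall(page))
    m = CONCAT_RE.search(page)
    if m is None:
        return None
    parts = [p.strip() for p in m.group(2).split("+")]
    if any(p not in strings for p in parts):
        return None  # a term we cannot resolve without executing the script
    return "".join(strings[p] for p in parts)


def redirect_target(page):
    """Pull the destination URL out of the decoded location.href assignment, if any."""
    code = decode_redirect(page)
    if code is None:
        return None
    m = re.search(r"location\.href\s*=\s*['\"]([^'\"]+)['\"]", code)
    return m.group(1) if m else None


if __name__ == "__main__":
    print("rule hit:", rule_hits(SAMPLE_PAGE))
    print("decoded :", decode_redirect(SAMPLE_PAGE))
    print("target  :", redirect_target(SAMPLE_PAGE))
```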