They look like this:
http://docs.google.com/doc?id=MUNGED_MUNGED
I'm not sure if the id is personally identifiable, so MUNGED both halves of
it.
I've only seen two so far, and haven't visited either (again, due to the
potential PII - both samples were from other people).
Very little else stands out about them (other than very low default SA
ruleset scores - both were caught by supplementary nation-of-origin tests).
Of potential interest is that the From and To followed this pattern:
"account" <[EMAIL PROTECTED]>
"account" <[EMAIL PROTECTED]>
Which should rarely occur in Ham, and should be easily rule-writeable.
I've added "doc" to my list of tokens that are word matched in my own
battery of anti Google Tricks tests.
Hmmm... I wonder if it would be more productive to come up with a rule that
triggers on _ANY_ "unusual" params in a Google url? In other words,
enumerate the legit ones, and score all others.
The only legit form of pre-emptive strike is the kind against spammers
(IMO). :)
- "Chip"
