On 12/17/2015 1:34 PM, Alex wrote:
Hi,

Can someone explain why spamassassin is allowing apparent google
redirects? Cryptolocker :-( This one's blocked now.

<td align="left" style="font-family: 'merriweather sans', tahoma,
arial, sans-serif; color: rgb(54, 54, 54); font-size: 14px;"><a
href="https://www.google.com/url?q=http://www.mediafire.com/download/izdqjzml6dz68t3/1Z4566W50325036.ups.doc_.wsf08137322366IlRiZxJtpLvPq78WySF33Y&sa=D&usg=AFQjCNG6PWyLVrbpnrMhn12glB2txWOUgA";
style="color: rgb(89, 143, 222);
outline: 0px;" target="_blank">1Z4566W50378875...</a></td>

# href="https://www.google.com/url?q=http://www.mediafire.com/download/izdqjzml6
rawbody     GOOG_VIEW1
m;https?://www\.google\.com/url\?(q=http(s)?|sa=t\&amp\;url=http);
describe    GOOG_VIEW1            Using google url
score       GOOG_VIEW1            6.0

Ideas for improving the rule or making it more flexible would be appreciated.

http://pastebin.com/MY7mZkjs
It goes without saying, but if your mail client automatically highlights URLs, be very careful about clicking in this email.

I think your rawbody rule should probably be a URI rule, especially since it's looking for a protocol anyway. Then you can probably get a bit more aggressive in using (.*) and such to handle URLs like "https://www.google.com/url?asdhlf=laskjdhflkjasdhf&lakjsdf=laskjfhlasdf&...&q={payload}". I'm not sure about scoring it 6.0 for myself, but it's fine if it works for you. I'd also be interested to see what RuleQA thinks of it.
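As an added example (not code from the thread), a small Python checker that does what the reply suggests: take each href out of the HTML body, let the parser decode &amp;, and recognise a google.com/url redirect by its parsed host, path and query parameters instead of by where q= sits in the string, so parameter order no longer matters. The sample HTML and its destination hostnames are constructed placeholders.

```python
# Added example (not from the thread): find google.com/url redirect links in an
# HTML mail body and extract the real destination, whatever the parameter order.
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

class _HrefCollector(HTMLParser):
    """Collect every <a href>; HTMLParser decodes &amp; to & for us."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)

def google_redirect_target(url):
    """Destination of a google.com/url redirect ('q=' or 'sa=t&url=' form), else None."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if (parts.scheme not in ("http", "https")
            or (host != "google.com" and not host.endswith(".google.com"))
            or parts.path != "/url"):
        return None
    query = parse_qs(parts.query)
    for key in ("q", "url"):
        for target in query.get(key, []):
            if target.startswith(("http://", "https://")):
                return target
    return None

def find_redirects(html_body):
    """All (redirect, destination) pairs found in the anchors of html_body."""
    collector = _HrefCollector()
    collector.feed(html_body)
    found = []
    for href in collector.hrefs:
        target = google_redirect_target(href)
        if target is not None:
            found.append((href, target))
    return found

# Constructed sample: the thread's redirect form with a placeholder destination,
# a variant with the target buried after other parameters, and a plain search link.
SAMPLE_HTML = """
<td><a href="https://www.google.com/url?q=http://files.example.test/1Z4566.doc.wsf&amp;sa=D&amp;usg=AFQjCNGPLACEHOLDER" target="_blank">1Z4566...</a></td>
<a href="https://www.google.com/url?sa=t&amp;rct=j&amp;url=https://tracker.example.test/x">read more</a>
<a href="https://www.google.com/search?q=spamassassin">search</a>
"""
```

The plain search link is there to show that a host-only match would over-fire; only anchors whose path is /url and whose q= or url= value is an absolute http(s) URL are reported.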
