On Thu, 17 Dec 2015, Axb wrote:
On 12/17/2015 09:15 PM, John Hardin wrote:
On Thu, 17 Dec 2015, Alex wrote:
> Hi,
>
> Can someone explain why spamassassin is allowing apparent google
> redirects? Cryptolocker :-( This one's blocked now.
>
> <td align="left" style="font-family: 'merriweather sans', tahoma,
> arial, sans-serif; color: rgb(54, 54, 54); font-size: 14px;"><a
> href="https://www.google.com/url?q=http://www.mediafire.com/download/{snip}"
>
> style="color: rgb(89, 143, 222);
> outline: 0px;" target="_blank">1Z4566W50378875...</a></td>
>
> # href="https://www.google.com/url?q=http://www.mediafire.com/download/izdqjzml6
>
> rawbody GOOG_VIEW1 m;https?://www\.google\.com/url\?(q=http(s)?|sa=t\&\;url=http);
> describe GOOG_VIEW1 Using google url
> score GOOG_VIEW1 6.0
>
> Ideas for improving the rule or making it more flexible would be
> appreciated.
There are google rules. I'll take a look at why this wasn't scored when
I get a chance later today or tomorrow.
There's a bunch of Henry Stern's google redirector_pattern rules but they're
all made for http only.
Adding and committing s? now
And this in my sandbox, with a different pattern:
uri __GOOG_MALWARE_DNLD m;^https?://[^/]*\.google\.com/[^?]*url\?.*[\?&]download=1;i
I will broaden that a bit.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
"Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
does quite what I want. I wish Christopher Robin was here."
-- Peter da Silva in a.s.r
-----------------------------------------------------------------------
8 days until Christmas
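
An added example, not part of the thread and not SpamAssassin code: it runs the two patterns posted above through Python's `re` against constructed URLs and pulls out the destination wrapped in a `google.com/url` link, which is the value a filter would then check against URI blocklists. The helper names `redirect_target` and `check` and all sample URLs are assumptions made for illustration; both rules are treated as plain regexes over the URL string.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Patterns as posted in the thread, with the m;...; delimiters removed.
GOOG_VIEW1 = re.compile(
    r"https?://www\.google\.com/url\?(q=http(s)?|sa=t\&\;url=http)")
GOOG_MALWARE_DNLD = re.compile(
    r"^https?://[^/]*\.google\.com/[^?]*url\?.*[\?&]download=1", re.I)

def redirect_target(url):
    """Hypothetical helper: destination wrapped by a google.com/url link, or None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https"):
        return None
    # Exact host or a true subdomain only, so google.com.example.test fails.
    if host != "google.com" and not host.endswith(".google.com"):
        return None
    if not parts.path.endswith("/url"):
        return None
    params = parse_qs(parts.query)  # also percent-decodes the values
    for key in ("q", "url"):
        for value in params.get(key, []):
            if value.lower().startswith(("http://", "https://")):
                return value
    return None

def check(url):
    """Return (GOOG_VIEW1 hit, __GOOG_MALWARE_DNLD hit, wrapped destination)."""
    return (bool(GOOG_VIEW1.search(url)),
            bool(GOOG_MALWARE_DNLD.search(url)),
            redirect_target(url))

# Constructed sample URLs (placeholders, not taken from real mail).
SAMPLES = [
    "https://www.google.com/url?q=http://www.mediafire.com/download/PLACEHOLDER",
    "http://www.google.com/url?q=https%3A%2F%2Fexample.test%2Ffile.zip",
    "https://www.google.com/url?sa=t&url=http://example.test/a&download=1",
    "https://www.google.com/search?q=http+status+codes",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(check(u), u)
```

The first sample has the same shape as the reported link: GOOG_VIEW1 hits it, while the `download=1` pattern as posted does not, because that parameter is absent.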