On Fri, 18 Dec 2015, Joe Quinn wrote:

> On 12/18/2015 11:32 AM, John Hardin wrote:
> > uri __GOOG_MALWARE_DNLD m;^https?://[^/]*\.google\.com/[^?]*url\?.*[\?&]download=1;i
> >
> > Question: has anyone ever seen a *legit* (non-spam, non-phishing,
> > non-malware) google redirect like that in an email? Maybe this rule is too
> > restrictive and we should be suspicious of *all* google redirects?
>
> I do it occasionally, if I am sending a link to someone and I right-click -> "copy link location" on the search results. I'd be suspicious of those sorts of links, but not too suspicious.

It's already there as a subrule for masscheck eval and use in metas:

http://ruleqa.spamassassin.org/20151218-r1720729-n/__GOOG_REDIR/detail

SPAM%   HAM%    S/O
0.3357  0.0288  0.921

~12% of spam hits are at <5 points.

It's meta'd for score in a couple of rules:

http://ruleqa.spamassassin.org/20151218-r1720729-n/GOOG_REDIR_SHORT/detail

http://ruleqa.spamassassin.org/20151218-r1720729-n/GOOG_REDIR_NORDNS/detail

...and those are hitting the bulk of the spams but they are not hitting the low-scoring spams.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  "Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
  does quite what I want. I wish Christopher Robin was here."
                                           -- Peter da Silva in a.s.r
-----------------------------------------------------------------------
 7 days until Christmas
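
The `__GOOG_MALWARE_DNLD` pattern quoted at the top of this message, run over a few URIs to show which shapes it hits and which it leaves to other rules. This is an added example, not part of the original thread: the pattern body is unchanged but compiled with Python's `re` instead of Perl, and the sample URIs and `example.test` hosts are constructed for illustration.

```python
import re

# The uri rule from the thread: m;...;i becomes re.IGNORECASE, pattern body unchanged.
GOOG_MALWARE_DNLD = re.compile(
    r"^https?://[^/]*\.google\.com/[^?]*url\?.*[\?&]download=1",
    re.IGNORECASE,
)

# Constructed sample URIs (not from real mail); example.test is a placeholder host.
SAMPLES = {
    # Redirect carrying download=1 after another parameter: the intended hit.
    "redirect_with_download":
        "https://www.google.com/url?q=http://example.test/a.zip&download=1",
    # The ;i flag makes scheme, host and path case-insensitive.
    "uppercase_host":
        "HTTP://WWW.GOOGLE.COM/url?sa=t&url=http://example.test/&download=1",
    # "Copy link location" style search redirect, no download=1: not hit.
    "plain_search_redirect":
        "https://www.google.com/url?sa=t&url=http://example.test/page",
    # download=1 as the first parameter: "url\?" consumes the "?", so the
    # following [\?&] has nothing to match. A coverage gap to know about in QA.
    "download_first_param":
        "https://www.google.com/url?download=1&q=http://example.test/a.zip",
    # No subdomain: "[^/]*\.google\.com" requires a dot before "google".
    "bare_domain":
        "https://google.com/url?q=http://example.test/a.zip&download=1",
    # Lookalike host: "\.google\.com/" must be followed directly by the path slash.
    "lookalike_host":
        "https://www.google.com.example.test/url?q=x&download=1",
}


def rule_hits(uri):
    """Return True if the uri rule would fire on this single extracted URI."""
    return GOOG_MALWARE_DNLD.search(uri) is not None


def evaluate(samples):
    """Map each sample name to whether the rule fires on its URI."""
    return {name: rule_hits(uri) for name, uri in samples.items()}


if __name__ == "__main__":
    for name, hit in evaluate(SAMPLES).items():
        print(f"{'HIT ' if hit else 'miss'}  {name}")
```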
