On Fri, 18 Dec 2015, Alex wrote:
I suggested converting the rawbody rule John was working on into a
redirector_pattern
Note that the following rule as posted by John:
uri __GOOG_MALWARE_DNLD
m;^https?://[^/]*\.google\.com/[^?]*url\?.*[\?&]download=1;i
would not currently work as a redirector_pattern due to the problem
I posted in today's reply (Re: redirector_pattern question);
i.e. where the redirector target contains "http:", followed
by other URI arguments (like "&download=1" here).
Right, and I would take that into account when composing the
redirector_pattern. That extra bit is there to avoid treating *all* google
redirects as malware downloads.
Question: has anyone ever seen a *legit* (non-spam, non-phishing,
non-malware) google redirect like that in an email? Maybe this rule is too
restrictive and we should be suspicious of *all* google redirects?
I've forwarded you a few samples.
Thanks.
I'm not entirely sure I've kept up with the pieces of this. Has a rule
yet been developed?
I've relaxed my google malware redirect rule (above) to match your sample.
It will go out the next time rules pass masscheck. The corpus looks
well-fed today so that *should* occur overnight.
Are both a rule and Marc's patch required?
I re-ran a test against your original sample after the other Alex edited
the existing google redirect patterns to also match https but before the
pattern order patch was committed and it did pull out the malware download
URL, so that should allow URIBL to see the download hostname (again,
pending rules being published from masscheck) and I don't think the patch
matters in this case.
However, that only helps if the download is being hosted by a site that
hits URIBL et al. (or some other rule) and I don't think
www.mediafire.com will be listed, so yes, a scored rule that matches that
pattern is necessary in addition to the patch.
As soon as masscheck publishes an update, that redirect will get at least
one point; possibly more after your spamples are in the corpus and that
rule starts getting some fresh spam hits.
After the patch was posted, there was a comment about the
redirector_pattern not being necessary...
Yeah, the existing google redirect pattern for "url=" did work when it was
broadened to include https, so my rule doesn't need to be used as the
basis for another new redirect pattern.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
[email protected] FALaholic #11174 pgpk -a [email protected]
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
"Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
does quite what I want. I wish Christopher Robin was here."
-- Peter da Silva in a.s.r
-----------------------------------------------------------------------
7 days until Christmas
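As an added illustration (not part of the thread above and not SpamAssassin's own code), the following Python script applies the __GOOG_MALWARE_DNLD regex exactly as John posted it to a few constructed URLs, and separately extracts the redirect target the way a redirector_pattern would need to, stopping at the next "&" so that trailing arguments such as "&download=1" are not swallowed into the target hostname that URIBL would look up. The extraction regex, the helper names and the sample URLs are assumptions made for this example; the only thing taken from the thread is the uri rule itself.

```python
import re
from urllib.parse import unquote

# The rule regex as posted in the thread (uri __GOOG_MALWARE_DNLD), only
# moved from SpamAssassin's m;...;i delimiters into Python syntax.
GOOG_MALWARE_DNLD = re.compile(
    r"^https?://[^/]*\.google\.com/[^?]*url\?.*[\?&]download=1",
    re.IGNORECASE,
)

# Illustrative redirect-target extraction (an assumption for this example,
# NOT SpamAssassin's real google redirector_pattern): capture the value of
# the q= or url= argument and stop at the next '&' or '#', so that other
# arguments following an "http:" target (e.g. "&download=1") stay out of
# the captured target.
GOOG_REDIRECT_TARGET = re.compile(
    r"^https?://[^/]*\.google\.com/url\?.*?(?<=[?&])(?:q|url)=([^&#]+)",
    re.IGNORECASE,
)


def matches_malware_dnld(uri: str) -> bool:
    """True if the URI hits the posted __GOOG_MALWARE_DNLD rule."""
    return bool(GOOG_MALWARE_DNLD.search(uri))


def redirect_target(uri: str):
    """Return the redirect target URL embedded in a google /url? link, or None."""
    m = GOOG_REDIRECT_TARGET.search(uri)
    if not m:
        return None
    # Targets are often percent-encoded; decode so the host is usable.
    return unquote(m.group(1))


def target_host(uri: str):
    """Hostname of the redirect target, i.e. what a URIBL lookup would see."""
    target = redirect_target(uri)
    if target is None:
        return None
    m = re.match(r"^https?://([^/?#]+)", target, re.IGNORECASE)
    return m.group(1).lower() if m else None


# Constructed sample URIs (hostnames and paths are made up for this example).
SAMPLES = [
    # Redirect to a hosted file with download=1: should hit the rule.
    "https://www.google.com/url?q=http://www.mediafire.com/file/abc123/invoice.zip&download=1",
    # Plain google redirect with no download argument: should not hit.
    "http://www.google.com/url?q=https://example.org/newsletter&sa=D",
    # Not a redirect at all (a Gmail link): neither rule nor extraction applies.
    "https://mail.google.com/mail/u/0/?tab=wm",
]


def classify(uris):
    """Return (uri, rule_hit, target_host) for each URI, for a quick report."""
    return [(u, matches_malware_dnld(u), target_host(u)) for u in uris]


if __name__ == "__main__":
    for uri, hit, host in classify(SAMPLES):
        print(f"{'HIT ' if hit else 'miss'}  target_host={host!s:20}  {uri}")
```

Running the script shows that only the first sample hits the rule, while the extraction still yields a target host for both real redirects (www.mediafire.com and example.org), which is what lets URIBL score the hosted-download hostname independently of the rule.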