Alex, thanks for the spample!
I've only received one (so far), containing the same base domain
with the ".win" TLD, also freshly registered at NameCheap with
privacy protection and CloudFlare.
On Thu, 04 May 2017, Axb wrote:
>SA's redirect patterns detected these domains and my logs show
>most were listed by the domain lists within a few minutes.
URIBL caught mine, in real-time. :)
Good job, ninjas!
I did a very quick (three months, one diverse domain) check on
UNPARSEABLE_RELAY hits, and it had an 18:1 ham to spam ratio. :(
Fortunately, ALL the ham was from Facebook/Instagram, so that
rule has potential for tweakage.
John, how about a rule against the redirection parameter itself
(i.e. "redirect_uri")? I suspect it'll hit too much ham, however
it would make a great meta combined with obscure/cheap TLDs,
and/or other characteristics.
I've added that to my own MassCheck queue, and will report back.
- "Chip"
