Hi,

On Thu, May 4, 2017 at 11:54 AM, Chip M. <sa_c...@iowahoneypot.com> wrote:
> Alex, thanks for the spample!

Gladly.

> I've only received one (so far), containing the same base domain
> with the ".win" TLD, also freshly registered at NameCheap with
> privacy protection and CloudFlare.

Which rules show that? Sounds like a meta in the making.

> On Thu, 04 May 2017, Axb wrote:
>>SA's redirect patterns detected these domains and my logs show
>>most were listed by the domain lists within a few minutes.
>
> URIBL caught mine, in real-time. :)
> Good job, ninjas!

We got hit at around 2:30pm EDT and it went on for at least an hour,
with some being tagged. I'm curious about your times, where the first
RBL was blocking them? I believe the first zen was closer to 3pm.

> I did a very quick (three months, one diverse domain) check on
> UNPARSEABLE_RELAY hits, and it had an 18:1 ham to spam ratio. :(
> Fortunately, ALL the ham was from Facebook/Instagram, so that
> rule has potential for tweakage.
>
> John, how about a rule against the redirection parameter itself
> (i.e. "redirect_uri")? I suspect it'll hit too much ham, however
> it would make a great meta combined with obscure/cheap TLDs,
> and/or other characteristics.

That's what I've done as well, by just adapting the basic
accounts.google.com uri rule.

> I've added that to my own MassCheck queue, and will report back.

Mail me separately if you want the rest, although I suppose there's
very little variation.
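
The meta idea discussed in this message (a "redirect_uri" parameter combined with an obscure/cheap TLD), sketched as stand-alone Python. This is an added example, not a SpamAssassin rule and not code from anyone in the thread. The TLD list (other than ".win"), the function names and both sample messages are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: illustrative list; only ".win" is mentioned in the thread.
CHEAP_TLDS = {"win", "top", "bid"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

def redirect_values(url):
    """Return the percent-decoded values of every redirect_uri parameter."""
    try:
        pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    except ValueError:
        return []
    return [v for k, v in pairs if k.lower() == "redirect_uri"]

def target_host(value):
    """Hostname the redirect points at, or '' if it cannot be parsed."""
    try:
        return (urlsplit(value).hostname or "").lower()
    except ValueError:
        return ""

def score_message(body):
    """Evaluate both sub-rules and the meta (parameter AND cheap TLD)."""
    has_param, cheap_hosts = False, []
    for url in URL_RE.findall(body):
        for value in redirect_values(url):
            has_param = True  # sub-rule 1: parameter present (hits ham too)
            host = target_host(value)
            if host.rsplit(".", 1)[-1] in CHEAP_TLDS:
                cheap_hosts.append(host)  # sub-rule 2: cheap-TLD target
    return {"redirect_param": has_param,
            "cheap_tld_hosts": cheap_hosts,
            "meta": bool(cheap_hosts)}

# Constructed samples, not real traffic.
SPAM = ("Open the shared document:\n"
        "https://accounts.google.com/o/oauth2/auth?client_id=0000&scope=mail"
        "&redirect_uri=https%3A%2F%2Fdocs.constructed-example.win%2Fg.php\n")
HAM = ("Finish signing in:\n"
       "https://www.facebook.com/dialog/oauth?client_id=1"
       "&redirect_uri=https%3A%2F%2Fwww.instagram.com%2Faccounts%2Fsignup%2F\n")

if __name__ == "__main__":
    for name, msg in (("spam", SPAM), ("ham", HAM)):
        print(name, score_message(msg))
```

The parameter-only sub-rule fires on both samples, which matches the concern that it would hit too much ham on its own; only the combination separates them.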