On 05/04/2017 06:42 PM, Axb wrote:
On 05/04/2017 06:34 PM, John Hardin wrote:
On Thu, 4 May 2017, Chip M. wrote:
John, how about a rule against the redirection parameter itself
(i.e. "redirect_uri")? I suspect it'll hit too much ham, however
it would make a great meta combined with obscure/cheap TLDs,
and/or other characteristics.
I've added that to my own MassCheck queue, and will report back.
Take a look at "redirector_pattern" use in 20_uri_tests.cf and
hstern/20_uri_tests.cf.
It looks like several google redirector patterns are present, but not a
redirect via accounts.google.com, that's new.
FWIW: Using stock redirector_pattern pattern my SA detected them nicely
OH!
I found a local version which maybe did the trick
redirector_pattern
m'^https?:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/url\?.*?(?<=[?&])q=(.*?)(?:$|[&\#])'i
.-)
