On Mon, 24 Jul 2017 23:00:33 +0100, Alex <mysqlstud...@gmail.com> wrote:
Link to malicious file removed... Generally not a good idea to post direct links like that.
> What would be involved in following these links in SA to determine if they immediately download a file (other than a web page)?
Testing links in mail is fraught with issues. Aside from privacy issues, which have already been mentioned, triggering multiple requests to verify remote contents could introduce significant server load.
I just looked at one legitimate newsletter and counted 172 remote links. You can probably drop about a third as duplicates due to both plain text and html alternatives but still, that's potentially a lot of requests for both my server and theirs. URIBL lookups are light because they're using a single domain, but at ~120 link checks per message? Yikes. You'd want good caching of the results because otherwise if 10 users receive the same newsletter you're making 1,200 queries, if it's 100... Senders likely wouldn't be very happy with all that automated checking either.
There are ways to mitigate the impact, but they will also reduce the effectiveness of any testing.
> Would that even be a reliable indicator?
Not for me. I see a lot of legit traffic that has direct links to images, pdfs, zips, tarballs, even Word files. I don't see it having any real value unless you're then passing the downloaded files to a virus scanner.
Also, there are enough web pages which you likely don't want users accessing anyway https://www.sophos.com/en-us/security-news-trends/security-trends/malicious-javascript.aspx