############################################################################################# # Redirection and URI hiding rules # # # # Version: 2.9.1 # # Created: 2004-04-29 # # Modified: 2004-08-17 # # Changes: See changelog # # License: Artistic - see http://www.rulesemporium.com/license.txt # # Current Maintainer: Jesse Houwing j.houwing@rulesemporium.com # # /w additions by Loren Wilton # # Current Home: http://www.rulesemporium.com/rules/71_sare_redirect_pre3.0.0.cf # # Requirements: SpamAssassin 2.x or higher # # SA 3.0 compliant: Yes # # # # This version is meant for users of SpamAssassin 2.x. SpamAssassin 3.0 decodes all uris # # automatically so the bulk of obfuscation code that is in here is not needed. This saves # # a lot of processor power and thus time. Also, because not all domain names have been en- # # coded this set will hit less spam than the 3.0.0 set, but as this version of this ruleset # # will be phased out when SpamAssassin 3.0 appears I'm not going to make it even harder to # # work on this set ;) ############################################################################################# ############################################################################################# # # # CHANGELOG # # # ############################################################################################# # Changes since 2.9 # # - Small fix to SARE_URI_EQUALS # # - Added more #+# to the file to prevent lint errors in SA 3.0 # # - Removed stale rules # # Changes since 2.8 # # - Fixed error in the additional http:// and http:\\ # # - finally found the problem for the Hotbot, JRoad en CCBill rules # # - Added tinyurl # # - Made safe redirectors allowing only one hit per email to lower the abusability # # - heavily optimized HEXOCTDWORD and the IP rules # # - Small fixes to the yahoo rule # # Changes since 2.7 # # - Testing against both http:// and http:\\ # # - Small fixes to URI_EQUALS and HEXOCTDWORD # # Changes since 2.6 # # - added encoded IP 
address URI # # - re-obfuscated the hotbot, ccbill and jroad rules # # Changes since 2.5 # # - Two safe redirs added, disabled by default. Use with caution. # # Enable by search and replacing "#+#" by "". # # - disabled Lycos and web2004 # # - fixed \S*? -> \.* # # - Copied back a couple of rules from older versions that hit more than the new ones # # Changes since 2.4 # # - Changed rules so that they match nested redirs better # # - Added additional obfuscation checks # # - Added more generic redirection tests (IP's, bad TLD's) # # Changes since 2.3 # # - Added double redirector check (to catch new google spam) # # - Fixed FP's to the yahoo rule # # - Renamed to SARE ruleset # # - Improved MSN redirect # # Changes since 2.2 # # - Added url obfuscation checks # # - Added a few spam domains # # - Disabled Generic rule # # Changes since 2.1 # # - Added another MSN redir # # - Small fix to yahoo redir (will be replaced soon) # # Changes since 2.0 # # - /xxxx/i -> m{xxxx}i # # - Added CCBILL # # Changes since 1.6 # # - Full rewrite of most rules # # - further improvements URI_EQUALS # # Changes since 1.5 # # - Added support for Yahoo redirect with secure token # # Changes since 1.4 # # - Added rules from testing 3.00 # # - Merged some rules to single rules # # - Fixed bug in REDIRS_GENERIC # # Changes since 1.3 # # - (?: on all rules where needed # # - Added generic redirect test # # - Updated yahoo redirect test # # Changes since 1.2 # # - Added more yahoo redir variants # # Changes since 1.0 # # - Added optional port to redirect URL # # - Added optional https to redirect url # # - Added ip version of Yahoo redirect script # # 1.0 # # - Initial release # # # ############################################################################################# ############################################################################################# # Specific tests for redirects that are known to be abused # 
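#############################################################################################
#
# Building blocks shared by most rules below (kept inline because SpamAssassin .cf files
# have no macro facility):
#
#   scheme    (?:(?:h|%[46]8)(?:t|%[57]4){2}(?:p|%[57]0)(?:s|%[57]3)?(?::|%3a)?(?:%5c|\\|%2f|/){0,2})
#             "http"/"https", each letter optionally %-encoded, with an optional ":" and
#             0-2 forward or back slashes (plain or %-encoded).
#   userinfo  (?:(?:(?![@\?/]|%40).)*(?:\@|%40))*
#             zero or more "anything@" segments, used to step over the classic
#             "http://www.trusted.example@evil.example/" trick.  Each segment may not
#             contain "@", "?", "/" or "%40", so it can never run past the host part.
#             NOTE: earlier versions wrote the lookahead as (?![@\?/]|%40|) - the trailing
#             empty alternative made the negative lookahead fail on every character, so
#             the segment could never consume anything and every rule silently missed
#             the user@host obfuscation it was meant to cover.  Fixed in this revision.
#   port      (?:(?::|%3a)(?:\d|%3[0-9])+)?
#   slash     (?:%5c|\\|%2f|/)
#   dot       (?:\.|%2e)
#   octet     (?:2[0-4][0-9]|25[0-5]|1[0-9][0-9]|[1-9]?[0-9])   0-255 in decimal
#
# Every rule is a "uri" rule: SpamAssassin matches it against each URI extracted from the
# message body, one URI at a time, so ^ and $ refer to a single URI.
#
#############################################################################################

# AOL: http://<anything>.aol.com/<path containing another http(s) URI>
uri SARE_RD_AOL m{(?:(?:h|%[46]8)(?:t|%[57]4){2}(?:p|%[57]0)(?:s|%[57]3)?(?::|%3a)?(?:%5c|\\|%2f|/){0,2})(?:(?:(?![@\?/]|%40).)*(?:\@|%40))*\w+(?:\.|%2e)aol(?:\.|%2e)com(?:(?::|%3a)(?:\d|%3[0-9])+)?(?:%5c|\\|%2f|/).*(?:(?:h|%[46]8)(?:t|%[57]4){2}(?:p|%[57]0)(?:s|%[57]3)?(?::|%3a)?(?:%5c|\\|%2f|/){0,2}).*}i
describe SARE_RD_AOL Has AOL Redirect URI
score SARE_RD_AOL 1.4

# Yahoo redirects: rd/srd/pa/... .yahoo.com followed by "*http" (the un-tokenised form).
# The negative lookahead after "com" carves out Yahoo's own properties (groups, mail, the
# "/*http://x.yahoo.tld/" self-redirect, M./D. tokenised paths, ...) so those do not fire.
uri SARE_RD_YAHOO m{(?:(?:h|%[46]8)(?:t|%[57]4){2}(?:p|%[57]0)(?:s|%[57]3)?(?::|%3a)?(?:%5c|\\|%2f|/){0,2})(?:(?:(?![@\?/]|%40).)*(?:\@|%40))*(?:[a-z]{2,3}(?:\.|%2e))?(?:pa|[rds]{1,3})(?:\.|%2e)yahoo(?:\.|%2e)com(?!/\*http://(?:\w+\.)+yahoo(?:\.\w{2,3}){1,2}/|/(?:sbcyahoo|DailyNews|welcome|careers|finance|launch|hosting|mail|search|slv|reg|webhosting|platinum|maps|hotjobs|mail(?:tag)?_us|O=1|(?:SIG.\w{7,9}/)?M.(?:[\d\.]{24}|[\d\.]{30,31})/D.(?:e?group(?:web|mail|s)|calrem)|evt.\d{4,6})\b).*\*-?(?:(?:h|%[46]8)(?:t|%[57]4){2}(?:p|%[57]0)(?:s|%[57]3)?(?::|%3a)?(?:%5c|\\|%2f|/){0,2}).*}i
describe SARE_RD_YAHOO Uses unsecure Yahoo redirect
score SARE_RD_YAHOO 1.4

# Google: www.google.<tld>/url?...  Legitimate search-result links use the same endpoint,
# hence the low score.  (The optional middle label used to be a capturing group; it is now
# non-capturing like everything else - no behavioural change.)
uri SARE_RD_GOOGLE m{(?:(?:h|%[46]8)(?:t|%[57]4){2}(?:p|%[57]0)(?:s|%[57]3)?(?::|%3a)?(?:%5c|\\|%2f|/){0,2})(?:(?:(?![@\?/]|%40).)*(?:\@|%40))*www(?:\.|%2e)google(?:(?:\.|%2e).+)?(?:\.|%2e)[a-z]{2,3}(?:(?::|%3a)(?:\d|%3[0-9])+)?/url\?.*}i
describe SARE_RD_GOOGLE Trying to hide real URL through Google redirect
score SARE_RD_GOOGLE 0.80

# MSN: r./g./shopping./ads. msn.com followed by another http(s) URI in the path/query.
uri SARE_RD_MSN m{(?:(?:h|%[46]8)(?:t|%[57]4){2}(?:p|%[57]0)(?:s|%[57]3)?(?::|%3a)?(?:%5c|\\|%2f|/){0,2})(?:(?:(?![@\?/]|%40).)*(?:\@|%40))*(?:[rg]|shopping|ads)(?:\.|%2e)msn(?:\.|%2e)com(?:(?::|%3a)(?:\d|%3[0-9])+)?(?:%5c|\\|%2f|/).*(?:(?:h|%[46]8)(?:t|%[57]4){2}(?:p|%[57]0)(?:s|%[57]3)?(?::|%3a)?(?:%5c|\\|%2f|/){0,2}).*}i
describe SARE_RD_MSN Uses msn token redirect service
score SARE_RD_MSN 1.4

# JRoad counter script: www.jroad.com/supercounter/count.cgi?mail==http...
uri SARE_RD_JROAD m{(?:(?:h|%[46]8)(?:t|%[57]4){2}(?:p|%[57]0)(?:s|%[57]3)?(?::|%3a)?(?:%5c|\\|%2f|/){0,2})(?:(?:(?![@\?/]|%40).)*(?:\@|%40))*www(?:\.|%2e)jroad(?:\.|%2e)com(?:(?::|%3a)(?:\d|%3[0-9])+)?(?:%5c|\\|%2f|/)supercounter(?:%5c|\\|%2f|/)count(?:\.|%2e)cgi\?mail==(?:(?:h|%[46]8)(?:t|%[57]4){2}(?:p|%[57]0)(?:s|%[57]3)?(?::|%3a)?(?:%5c|\\|%2f|/){0,2}).*}i
describe SARE_RD_JROAD Uses jroad redirect script
score SARE_RD_JROAD 1.4

# HotBot: click.hotbot.com/director.asp?...;target=http...
uri SARE_RD_HOTBOT m{(?:(?:h|%[46]8)(?:t|%[57]4){2}(?:p|%[57]0)(?:s|%[57]3)?(?::|%3a)?(?:%5c|\\|%2f|/){0,2})(?:(?:(?![@\?/]|%40).)*(?:\@|%40))*click(?:\.|%2e)hotbot(?:\.|%2e)com(?:(?::|%3a)(?:\d|%3[0-9])+)?(?:%5c|\\|%2f|/)director(?:\.|%2e)asp.+?;target=(?:(?:h|%[46]8)(?:t|%[57]4){2}(?:p|%[57]0)(?:s|%[57]3)?(?::|%3a)?(?:%5c|\\|%2f|/){0,2}).*}i
describe SARE_RD_HOTBOT Uses hotbot redirect script
score SARE_RD_HOTBOT 0.80

# CCBill: refer.ccbill.com/<anything>http...
uri SARE_RD_CCBILL m{(?:(?:h|%[46]8)(?:t|%[57]4){2}(?:p|%[57]0)(?:s|%[57]3)?(?::|%3a)?(?:%5c|\\|%2f|/){0,2})(?:(?:(?![@\?/]|%40).)*(?:\@|%40))*refer(?:\.|%2e)ccbill(?:\.|%2e)com(?:(?::|%3a)(?:\d|%3[0-9])+)?(?:%5c|\\|%2f|/).*(?:(?:h|%[46]8)(?:t|%[57]4){2}(?:p|%[57]0)(?:s|%[57]3)?(?::|%3a)?(?:%5c|\\|%2f|/){0,2}).*}i
describe SARE_RD_CCBILL Spam redirect service
score SARE_RD_CCBILL 2.5

#############################################################################################
# Tests for common spam redirectors                                                         #
#############################################################################################

# Tracker-style query string: /Gt?e=NN&j=NN&c=NN&h=-NN...&to=  ("&amp;" tolerated because
# the URI may come straight out of HTML).
uri SARE_RD_GEN_A m{.*/Gt\?e=\d+&(?:amp;)?j=\d+&(?:amp;)?c=\d+&(?:amp;)?h=-\d+.+?&(?:amp;)?to=.*}i
describe SARE_RD_GEN_A Generic redirect spam uri
score SARE_RD_GEN_A 2.0

# A ".jpegg?" pseudo-image with a query string.
uri SARE_RD_GEN_B /.*(?:\.|%2e)jpegg\?.*/i
describe SARE_RD_GEN_B Generic redirect spam uri
score SARE_RD_GEN_B 2.0

#############################################################################################
# Generic redirect tests for 'bad' types of redirects                                       #
#############################################################################################

# Outer URI whose path contains an inner http(s) URI ending in .biz/.info/.cc/.ws (each
# TLD letter optionally %-encoded).  The lookahead requires the TLD to be followed by a
# slash, "?", "%3f"/"%2f" or the end of the URI so that e.g. ".cc.example" does not count.
uri SARE_RD_TO_BAD_TLD m{(?:(?:h|%[46]8)(?:t|%[57]4){2}(?:p|%[57]0)(?:s|%[57]3)?(?::|%3a)?(?:%5c|\\|%2f|/){0,2})(?:(?:(?![@\?/]|%40).)*(?:\@|%40))*.+(?:(?::|%3a)(?:\d|%3[0-9])+)?(?:%5c|\\|%2f|/).+(?:(?:h|%[46]8)(?:t|%[57]4){2}(?:p|%[57]0)(?:s|%[57]3)?(?::|%3a)?(?:%5c|\\|%2f|/){0,2})(?:[\w_\-]+(?:\.|%2e))+(?:(?:b|%[46]2)(?:i|%[46]9)(?:z|%[75]a)|(?:i|%[46]9)(?:n|%[46]e)(?:f|%[46]6)(?:o|%[46]f)|(?:c|%[46]3){2}|(?:w|%[75]7)(?:s|%[75]3))(?=%5c|\\|%[23]f|/|\?|$).*}i
describe SARE_RD_TO_BAD_TLD Redirect to bad TLD (info|cc|ws|biz)
score SARE_RD_TO_BAD_TLD 2.5

# Outer URI hosted on a dotted-decimal IPv4 address that redirects to another http(s) URI.
# A full four-octet address is required.  (Earlier versions used (?:$|\.octet){3}; the "$"
# branch could never lead to a match here because a slash must follow, so dropping it
# changes nothing except readability.)
uri SARE_RD_FROM_IP m{(?:(?:h|%[46]8)(?:t|%[57]4){2}(?:p|%[57]0)(?:s|%[57]3)?(?::|%3a)?(?:%5c|\\|%2f|/){0,2})(?:(?:(?![@\?/]|%40).)*(?:\@|%40))*(?:2[0-4][0-9]|25[0-5]|1[0-9][0-9]|[1-9]?[0-9])(?:\.(?:2[0-4][0-9]|25[0-5]|1[0-9][0-9]|[1-9]?[0-9])){3}(?:(?::|%3a)(?:\d|%3[0-9])+)?(?:%5c|\\|%2f|/).*(?:(?:h|%[46]8)(?:t|%[57]4){2}(?:p|%[57]0)(?:s|%[57]3)?(?::|%3a)?(?:%5c|\\|%2f|/){0,2}).*}i
describe SARE_RD_FROM_IP Redirect from IP address
score SARE_RD_FROM_IP 2.0

# Outer URI (host part at least 10 chars) whose path contains an inner http(s) URI that
# points at a dotted-decimal IPv4 address.  A full four-octet address is required:
# the previous (?:$|\.octet){3} form let a "$" iteration stand in for missing octets, so a
# trailing "http://7" or "http://12.34" at the end of a URI also fired this rule even
# though it is not an IP address.
uri SARE_RD_TO_IP m{(?:(?:h|%[46]8)(?:t|%[57]4){2}(?:p|%[57]0)(?:s|%[57]3)?(?::|%3a)?(?:%5c|\\|%2f|/){0,2})(?:(?:(?![@\?/]|%40).)*(?:\@|%40))*.{10,}(?:(?::|%3a)(?:\d|%3[0-9])+)?(?:%5c|\\|%2f|/).*(?:(?:h|%[46]8)(?:t|%[57]4){2}(?:p|%[57]0)(?:s|%[57]3)?(?::|%3a)?(?:%5c|\\|%2f|/){0,2})(?:2[0-4][0-9]|25[0-5]|1[0-9][0-9]|[1-9]?[0-9])(?:\.(?:2[0-4][0-9]|25[0-5]|1[0-9][0-9]|[1-9]?[0-9])){3}.*}i
describe SARE_RD_TO_IP Redirect to IP address
score SARE_RD_TO_IP 2.0

#############################################################################################
# Somewhat related URI obfuscation rules                                                    #
#############################################################################################

# IE URL-parsing bug: "http://<host-looking-text>=<...>" where the part before "=" contains
# no "/", "?", "&" or ";".  Anchored at the start of the URI.  The lookahead skips URIs
# that end within two characters of the "=".
uri SARE_URI_EQUALS m{^(?:(?:h|%[46]8)(?:t|%[57]4){2}(?:p|%[57]0)(?:s|%[57]3)?(?::|%3a)?(?:%5c|\\|%2f|/){0,2})[^/\?&;]+=(?!(?:..)?$).*}i
describe SARE_URI_EQUALS Trying to hide the real URL with IE parsing bug
score SARE_URI_EQUALS 5.0

# Catches all versions of IP obfuscation mentioned here: http://www.pc-help.org/obscure.htm
# i.e. a host written as a plain dword, or as 1-4 components that are decimal, 0x-hex or
# 0-octal, digits optionally %-encoded.  The negative lookahead excludes an ordinary
# dotted-decimal address (and the placeholder 123.456.789.999/012) so those do not fire
# here; SARE_RD_FROM_IP / SARE_RD_TO_IP cover the plain-IP cases.
uri SARE_HEXOCTDWORD m{(?:h|%[46]8)(?:t|%[57]4){2}(?:p|%[57]0)(?:s|%[57]3)?(?::|%3a)?(?:%5c|\\|%2f|/){0,2}(?:(?:(?![@\?/]|%40).)*(?:\@|%40))*(?!123\.456\.789\.(?:999|012)|(?:2[0-4][0-9]|25[0-5]|1[0-9][0-9]|[1-9]?[0-9])(?:$|\.(?:2[0-4][0-9]|25[0-5]|1[0-9][0-9]|[1-9]?[0-9])){3}(?:[:\?;&/\\]|%3[abf]|%2[6f]|%5[c]|$))(?:(?:%3[0-9]|\d)+|(?:0|%30)(?:x|%[57]8)(?:%3[0-9]|%[46][1-6]|[0-9a-f])+|(?:0|%30)(?:%3[0-7]|[0-7])+)(?:(?:\.|%2e)(?:(?:%3[0-9]|\d)+|(?:0|%30)(?:x|%[57]8)(?:%3[0-9]|%[46][1-6]|[0-9a-f])+|(?:0|%30)(?:%3[0-7]|[0-7])+)){0,3}(?:[:\?;&/\\]|%3[abf]|%2[6f]|%5[c]|$)}i
describe SARE_HEXOCTDWORD Uses an encoded IP address
score SARE_HEXOCTDWORD 2.0
#stype SARE_HEXOCTDWORD obfu

#############################################################################################
# Safe redirs, use with caution as these could be abused in the future.                     #
# Search and replace "#+#" with "" to enable these rules.                                   #
#                                                                                           #
# SECURITY NOTE: these are negative-score ("nice") rules, i.e. a whitelist.  Any URL        #
# shortener or translation proxy lets a sender hide the real destination behind a host     #
# these patterns trust, so enabling them hands spammers/phishers a way to *lower* their    #
# score.  The per-rule -0.001 scores are placeholders; the weight that matters is the       #
# SARE_RD_SAFE meta below, which is therefore disabled together with its components so     #
# that enabling via the "#+#" replacement turns the whole set on or off consistently       #
# (a meta whose component rules are undefined is reported by "spamassassin --lint").       #
#############################################################################################

#+#uri SARE_RD_SAFE_MKSHRT m{^https?://makeashorterlink\.com/\?\w+$}i
#+#describe SARE_RD_SAFE_MKSHRT SAFE Uses MakeAShorterLink redirector
#+#score SARE_RD_SAFE_MKSHRT -0.001
#+#tflags SARE_RD_SAFE_MKSHRT nice

# Only fires when the source and target languages differ (sl must not equal hl); even so,
# translate.google.com will fetch and frame an arbitrary "u=" page.
#+#uri SARE_RD_SAFE_GT m{^https?://translate\.google\.com/translate\?hl=([a-z]{2})&sl=(?!\1)[a-z]{2}&u=https?://.*}i
#+#describe SARE_RD_SAFE_GT SAFE Uses google translator
#+#score SARE_RD_SAFE_GT -0.001
#+#tflags SARE_RD_SAFE_GT nice

#+#uri SARE_RD_SAFE_TINY m{^https?://tinyurl\.com/\w+$}i
#+#describe SARE_RD_SAFE_TINY SAFE Uses tinyURL redirector
#+#score SARE_RD_SAFE_TINY -0.001
#+#tflags SARE_RD_SAFE_TINY nice

#+#meta SARE_RD_SAFE SARE_RD_SAFE_MKSHRT || SARE_RD_SAFE_GT || SARE_RD_SAFE_TINY
#+#describe SARE_RD_SAFE Uses a safe redirector
#+#score SARE_RD_SAFE -1.0
#+#tflags SARE_RD_SAFE nice

#############################################################################################
# Testing rules: these have been spotted in the wild, they're in here to see if any FP      #
# comes along. If not they will be promoted. Please report any FP's.                        #
#############################################################################################

# imageusa.com banner-click redirector.  NOTE(review): unlike the rules above, this one
# requires a "user@" part before the host ((?:[^@/\?]+@) is not optional) - presumably that
# matches the samples seen, but confirm it is intended before promoting the rule.
uri SARE_RD_REPORT_IUSA m{(?:(?:h|%[46]8)(?:t|%[57]4){2}(?:p|%[57]0)(?:s|%[57]3)?(?::|%3a)?(?:%5c|\\|%2f|/){0,2})(?:[^@/\?]+@)www(?:\.|%2e)imageusa(?:\.|%2e)com(?:(?::|%3a)(?:\d|%3[0-9])+)?(?:%5c|\\|%2f|/)bannerclick(?:\.|%2e)asp.*$}i
score SARE_RD_REPORT_IUSA 0.001
describe SARE_RD_REPORT_IUSA PLEASE REPORT! - Possibly abused redirector.

# EOF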