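#############################################################################################
# Redirection and URI hiding rules
#
# Version:      2.9.2
# Created:      2004-04-29
# Modified:     2004-11-16
# Changes:      See changelog
# License:      Artistic - see http://www.rulesemporium.com/license.txt
# Current Maintainer: Jesse Houwing j.houwing@rulesemporium.com
#                     with additions by Loren Wilton
# Current Home: http://www.rulesemporium.com/rules/72_sare_redirect_post3.0.0.cf
# Requirements: SpamAssassin 3.x or higher
# SA 3.0 compliant: Yes
#############################################################################################
# NOTE(review): shown commented out here as in the original; uncomment if this file should
# refuse to load on pre-3.0 installs (the rules rely on 3.0's automatic URI decoding).
# require_version 3.0
#############################################################################################
#
# CHANGELOG
#
#############################################################################################
# Changes since 2.9
#  - Changed the rules so that they should be faster with extreme redirect uri's
#  - Small change to SARE_URI_EQUALS
#  - Added more #+# to the file to prevent lint errors in SA 3.0
#  - Removed stale rules
# Changes since 2.8
#  - Small fixes
#  - Added tinyurl
#  - Made safe redirectors allowing only one hit per email to lower the abusability
#  - heavily optimized HEXOCTDWORD and the IP rules
#  - Small fixes to the yahoo rule
# Changes since 2.7
#  - Testing against both http:// and http:\\
#  - Small fixes to URI_EQUALS and HEXOCTDWORD
# Changes since 2.6
#  - added encoded IP address URI
#  - Removed obfuscation for SpamAssassin 3.0 (which deobfuscates all uris automatically)
# Changes since 2.5
#  - Two safe redirs added, disabled by default. Use with caution.
#    Enable by search and replacing "#+#" by "".
#  - disabled Lycos and web2004
#  - fixed \S*? -> \.*
#  - Copied back a couple of rules from older versions that hit more than the new ones
# Changes since 2.4
#  - Changed rules so that they match nested redirs better
#  - Added additional obfuscation checks
#  - Added more generic redirection tests (IP's, bad TLD's)
# Changes since 2.3
#  - Added double redirector check (to catch new google spam)
#  - Fixed FP's to the yahoo rule
#  - Renamed to SARE ruleset
#  - Improved MSN redirect
# Changes since 2.2
#  - Added url obfuscation checks
#  - Added a few spam domains
#  - Disabled Generic rule
# Changes since 2.1
#  - Added another MSN redir
#  - Small fix to yahoo redir (will be replaced soon)
# Changes since 2.0
#  - /xxxx/i -> m{xxxx}i
#  - Added CCBILL
# Changes since 1.6
#  - Full rewrite of most rules
#  - further improvements URI_EQUALS
# Changes since 1.5
#  - Added support for Yahoo redirect with secure token
# Changes since 1.4
#  - Added rules from testing 3.00
#  - Merged some rules to single rules
#  - Fixed bug in REDIRS_GENERIC
# Changes since 1.3
#  - (?: on all rules where needed
#  - Added generic redirect test
#  - Updated yahoo redirect test
# Changes since 1.2
#  - Added more yahoo redir variants
# Changes since 1.0
#  - Added optional port to redirect URL
#  - Added optional https to redirect url
#  - Added ip version of Yahoo redirect script
# 1.0
#  - Initial release
#
#############################################################################################

#############################################################################################
# Specific tests for redirects that are known to be abused
#############################################################################################
# Shared prefix of most rules below: optional scheme ("http", "https", with or without
# the colon), zero to two forward or back slashes, and up to five "userinfo@" segments,
# so a URI that puts a decoy host name in front of the real host is still matched on the
# real host.  The "(?=\\|/)" lookahead after the host requires a path separator, so
# "aol.com.example.net" style look-alike hosts do not match.

uri SARE_RD_AOL m{^https?:?[/\\]{0,2}(?:[^@/\?]{1,100}@){0,5}\w+\.aol\.com(?::\d+)?(?=\\|/).*https?:?[/\\]{0,2}.*$}i
describe SARE_RD_AOL Has AOL Redirect URI
score SARE_RD_AOL 1.4
#stype SARE_RD_AOL spam

# Yahoo redirects
# The negative lookahead whitelists Yahoo's own "/*http://...yahoo..." links and a list of
# first path segments that Yahoo uses for its own (non-redirecting) services.
#
# FIX: ".{,200}" -> ".{0,200}" (also applied to SARE_RD_MSN and SARE_RD_TO_IP).  Perl only
# accepts a blank minimum in "{,n}" from 5.34 on; older perls treat "{,200}" as the literal
# characters "{,200}", so the rule could never match a real URI.  "{0,200}" is accepted by
# every Perl version and keeps the intended "at most 200 characters" bound that the 2.9
# speed-up introduced.
uri SARE_RD_YAHOO m{^https?:?[/\\]{0,2}(?:[^@/\?]{1,100}@){0,5}(?:[a-z]{2,3}\.)?(?:pa|[rds]{1,3})\.yahoo\.com(?!/\*http://(?:\w+\.)+yahoo(?:\.\w{2,3}){1,2}/|/(?:sbcyahoo|DailyNews|welcome|careers|finance|launch|hosting|mail|search|slv|reg|webhosting|platinum|maps|hotjobs|mail(?:tag)?_us|O=1|(?:SIG.\w{7,9}/)?M.(?:[\d\.]{24}|[\d\.]{30,31})/D.(?:e?group(?:web|mail|s)|calrem)|evt.\d{4,6})\b).{0,200}\*-?https?:?[/\\]{0,2}.*$}i
describe SARE_RD_YAHOO Uses unsecure Yahoo redirect
score SARE_RD_YAHOO 1.4
#stype SARE_RD_YAHOO spam

# Google "url?" redirector on any google.<cc> / google.<x>.<cc> host.
# The domain-label group is now non-capturing for consistency with the other rules
# (changelog 1.3: "(?: on all rules where needed"); matching is unchanged.
uri SARE_RD_GOOGLE m{^https?:?[/\\]{0,2}(?:[^@/\?]{1,100}@){0,5}www\.google(?:\..{1,20}){1,2}\.[a-z]{2,3}(?::\d+)?(?=\\|/)url\?.*$}i
describe SARE_RD_GOOGLE Trying to hide real URL through Google redirect
score SARE_RD_GOOGLE 0.80
#stype SARE_RD_GOOGLE spam

# MSN token redirectors (r.msn.com, g.msn.com, shopping.msn.com, ads.msn.com).
# ".{,200}" -> ".{0,200}", see SARE_RD_YAHOO.
uri SARE_RD_MSN m{^https?:?[/\\]{0,2}(?:[^@/\?]{1,100}@){0,5}(?:[rg]|shopping|ads)\.msn\.com(?::\d+)?(?=\\|/).{0,200}https?:?[/\\]{0,2}.*$}i
describe SARE_RD_MSN Uses msn token redirect service
score SARE_RD_MSN 1.4
#stype SARE_RD_MSN spam

# Hotbot "director.asp" redirector; the real destination is in the ";target=" parameter.
uri SARE_RD_HOTBOT m{^https?:?[/\\]{0,2}(?:[^@/\?]{1,100}@){0,5}click\.hotbot\.com(?::\d+)?/director.asp.+?;target=https?:?[/\\]{0,2}.*$}i
describe SARE_RD_HOTBOT Uses hotbot redirect script
score SARE_RD_HOTBOT 0.80
#stype SARE_RD_HOTBOT spam

#############################################################################################
# Tests for common spam redirectors
#############################################################################################
# Both rules match on a query-string shape only, not on a host, so they are host-independent
# signatures of a particular redirector script; "&(?:amp;)?" accepts HTML-entity-encoded
# ampersands as well as raw ones.

uri SARE_RD_GEN_A m{^.*/Gt\?e=\d+&(?:amp;)?j=\d+&(?:amp;)?c=\d+&(?:amp;)?h=-\d+.+?&(?:amp;)?to=.*$}i
describe SARE_RD_GEN_A Generic redirect spam uri
score SARE_RD_GEN_A 2.0
#stype SARE_RD_GEN_A gggspam

uri SARE_RD_GEN_B /^.*\.jpegg\?.*$/i
describe SARE_RD_GEN_B Generic redirect spam uri
score SARE_RD_GEN_B 2.0
#stype SARE_RD_GEN_B gggspam

#############################################################################################
# Generic redirect tests for 'bad' types of redirects
#############################################################################################

# Any host redirecting to a .biz/.info/.cc/.ws destination; the trailing negative lookahead
# stops "info" from matching inside a longer label such as "information.com".
# NOTE(review): this rule keeps two unbounded ".+" runs where the sibling rules now use a
# bounded ".{0,200}"; on very long URIs that can backtrack heavily.  Worth measuring before
# tightening, since a bound changes what the rule matches.
uri SARE_RD_TO_BAD_TLD m{^https?:?[/\\]{0,2}(?:[^@/\?]{1,100}@){0,5}.+(?::\d+)?(?=\\|/).+https?:?[/\\]{0,2}(?:\w+\.)+(?:biz|info|cc|ws)(?!\w|\.|-).*$}i
describe SARE_RD_TO_BAD_TLD Redirect to bad TLD
score SARE_RD_TO_BAD_TLD 2.5
#stype SARE_RD_TO_BAD_TLD ggspam

# Redirect hosted on a bare dotted-quad (each octet 0-255) rather than a host name.
uri SARE_RD_FROM_IP m{^https?:?[/\\]{0,2}(?:[^@/\?]{1,100}@){0,5}(?:2[0-4][0-9]|25[0-5]|1[0-9][0-9]|[1-9]?[0-9])(?:$|\.(?:2[0-4][0-9]|25[0-5]|1[0-9][0-9]|[1-9]?[0-9])){3}(?::\d+)?(?=\\|/).*https?:?[/\\]{0,2}.*$}i
describe SARE_RD_FROM_IP Redirect from IP address
score SARE_RD_FROM_IP 2.0
#stype SARE_RD_FROM_IP ggspam

# Redirect whose destination is a bare dotted-quad.  ".{,200}" -> ".{0,200}", see SARE_RD_YAHOO.
uri SARE_RD_TO_IP m{^https?:?[/\\]{0,2}(?:[^@/\?]{1,100}@){0,5}.{10,}(?::\d+)?(?=\\|/).{0,200}https?:?[/\\]{0,2}(?:2[0-4][0-9]|25[0-5]|1[0-9][0-9]|[1-9]?[0-9])(?:$|\.(?:2[0-4][0-9]|25[0-5]|1[0-9][0-9]|[1-9]?[0-9])){3}.*$}i
describe SARE_RD_TO_IP Redirect to IP address
score SARE_RD_TO_IP 2.0
#stype SARE_RD_TO_IP ggspam

#############################################################################################
# Somewhat related URI obfuscation rules
#############################################################################################

# IE url obfuscating bug: an "=" inside the authority part of the URI.  "(?!(?:..)?$)"
# excludes URIs where the "=" is followed by at most two characters before the end.
uri SARE_URI_EQUALS m{^https?:?[/\\]{0,2}[^/\&?;]{1,100}=(?!(?:..)?$).*$}i
describe SARE_URI_EQUALS Trying to hide the real URL with IE parsing bug
score SARE_URI_EQUALS 5.0
#stype SARE_URI_EQUALS obfu

# Not decoded, as we're explicitly searching for the encoded version
# catches all versions of IP obfuscation mentioned here: http://www.pc-help.org/obscure.htm
# Each literal of "http[s]:" and each digit may appear as the raw character or its %XX
# form; octets may be decimal, "0x" hex or leading-zero octal, with one to four of them.
# The negative lookahead excludes the documentation example 123.456.789.999/012 and a
# plain, un-obfuscated dotted quad (those are SARE_RD_*_IP's job).
# NOTE(review): "(?![@\?/]|%40|)" carries a trailing empty alternative, so the lookahead
# always fails and "(?:(?!...).)*" matches zero characters; the userinfo-skipping group can
# therefore only consume a leading "@" / "%40".  That looks unintended (compare the
# "{1,100}@" prefix of the other rules) but the rule still hits in the common case, so it is
# left as-is here; confirm against a test corpus before removing the "|".
uri SARE_HEXOCTDWORD m{^(?:h|%[46]8)(?:t|%[57]4){2}(?:p|%[57]0)(?:s|%[57]3)?(?::|%3a)?(?:%5c|\\|%2f|/){0,2}(?:(?:(?![@\?/]|%40|).)*(?:\@|%40))*(?!123\.456\.789\.(?:999|012)|(?:2[0-4][0-9]|25[0-5]|1[0-9][0-9]|[1-9]?[0-9])(?:$|\.(?:2[0-4][0-9]|25[0-5]|1[0-9][0-9]|[1-9]?[0-9])){3}(?:[:\?;&/\\]|%3[abf]|%2[6f]|%5[c]|$))(?:(?:%3[0-9]|\d)+|(?:0|%30)(?:x|%[57]8)(?:%3[0-9]|%[46][1-6]|[0-9a-f])+|(?:0|%30)(?:%3[0-7]|[0-7])+)(?:(?:\.|%2e)(?:(?:%3[0-9]|\d)+|(?:0|%30)(?:x|%[57]8)(?:%3[0-9]|%[46][1-6]|[0-9a-f])+|(?:0|%30)(?:%3[0-7]|[0-7])+)){0,3}(?:[:\?;&/\\]|%3[abf]|%2[6f]|%5[c]|$)}i
describe SARE_HEXOCTDWORD Uses an encoded IP address
score SARE_HEXOCTDWORD 2.0
#stype SARE_HEXOCTDWORD obfu

#############################################################################################
# Safe redirs, use with caution as these could be abused in the future.
# Search and replace "#+#" with "" to enable these rules.
#############################################################################################
# These award a negative score for the mere presence of a shortener / translator link,
# regardless of where that link finally lands, so any sender can claim the -1.0 of
# SARE_RD_SAFE by including one.  That is why they ship disabled.  The "$" anchors keep each
# pattern to a bare shortener link without trailing redirect parameters.
#
# FIX: the SARE_RD_SAFE meta rule and its describe/score/tflags lines now carry the same
# "#+#" prefix as the three component rules.  An active meta whose dependencies are all
# commented out can never fire and, on SA versions that check meta dependencies, produces a
# lint warning about undefined rules -- the very thing the 2.9 "added more #+#" change was
# meant to prevent.  Enabling the section with the documented search-and-replace now turns
# the meta on together with its components.

#+#uri SARE_RD_SAFE_MKSHRT m{^https?://makeashorterlink\.com/\?\w+$}i
#+#describe SARE_RD_SAFE_MKSHRT SAFE Uses MakeAShorterLink redirector
#+#score SARE_RD_SAFE_MKSHRT -0.001
#+#tflags SARE_RD_SAFE_MKSHRT nice

# Google Translate with a target language ("hl") different from the source language ("sl");
# the backreference in "(?!\1)" rejects hl == sl, where translate would just pass the page
# through.
#+#uri SARE_RD_SAFE_GT m{^https?://translate\.google\.com/translate\?hl=([a-z]{2})&sl=(?!\1)[a-z]{2}&u=https?://.*$}i
#+#describe SARE_RD_SAFE_GT SAFE Uses google translator
#+#score SARE_RD_SAFE_GT -0.001
#+#tflags SARE_RD_SAFE_GT nice

#+#uri SARE_RD_SAFE_TINY m{^https?://tinyurl\.com/\w+$}i
#+#describe SARE_RD_SAFE_TINY SAFE Uses tinyURL redirector
#+#score SARE_RD_SAFE_TINY -0.001
#+#tflags SARE_RD_SAFE_TINY nice

#+#meta SARE_RD_SAFE SARE_RD_SAFE_MKSHRT || SARE_RD_SAFE_GT || SARE_RD_SAFE_TINY
#+#describe SARE_RD_SAFE Uses a safe redirector
#+#score SARE_RD_SAFE -1.0
#+#tflags SARE_RD_SAFE nice

#############################################################################################
# Testing rules: these have been spotted in the wild, they're in here to see if any FP comes
# along.  If not they will be promoted.  Please report any FP's.
#############################################################################################
# (none in this version)

# EOF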