https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6676
Bug #: 6676
Summary: Add SPOOFED_URL_HOST to Darxus' sandbox
Product: Spamassassin
Version: 3.4.0
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: Rules
AssignedTo: [email protected]
ReportedBy: [email protected]
Classification: Unclassified
Created attachment 4980
--> https://issues.apache.org/SpamAssassin/attachment.cgi?id=4980
SPOOFED_URL_HOST patch
Khopesh has a SPOOFED_URL rule in his sandbox which matches cases like:
<a href="http://www.spammerdomain.com">http://www.youtube.com</a>
But it also hits cases like:
<a href="http://www.legitdomain.com/?variable=ILikeToTrackAllKindsOfRandomJunk">http://www.legitdomain.com</a>
SPOOFED_URL_HOST, in the attached patch, is a small modification of the rule
that only matches where the host part of the URL is different.
I believe this doesn't require any voting, just a commit, since I don't have
commit access.
Of the 10,923 hams in my ham corpora, SPOOFED_URL hits 48, and
__SPOOFED_URL_HOST hits 10 of those, 4 of which are Google Calendar "legit"
marketing tracker cases.
Can't just ignore all cases going through Google's redirector, because spammers
can then just route all their links through it. But we could add a check for
DKIM_VALID_AU and "From: Google Calendar <[email protected]>".
SPOOFED_URL hits 184 of my spams, __SPOOFED_URL_HOST hits 139 of those (of
5,256 spams).
All the hams hit by __SPOOFED_URL_HOST in my corpus:
Google Calendar:
<a href=3D"http://www.google.com/url?q=3Dhttp%3A%2F%2Fwww.templecon.=
org%2F&usd=3D2&usg=3DAFQjCNHGQtanthD0JfX4FmbFcyr2L_dqMw" target=3D"=
_blank">http://www.templecon.org/</a>
<a href=3D"http://www.google.com/url?q=3Dhttp%3A%2F%2Fwww.3rdcome.or=
g&usd=3D2&usg=3DAFQjCNGLyz4TL3lsRogAtJheCpPEHswi7Q" target=3D"_blan=
k">http://www.3rdcome.org</a>
<a href=3D"http://www.goo=
gle.com/url?q=3Dhttp%3A%2F%2Fwww.somervilleopenstudios.org%2F&usd=3D2&a=
mp;usg=3DAFQjCNED0k2VJve6M8pLRNRFcUnekaSCKg" target=3D"_blank">http://www.s=
omervilleopenstudios.org/</a>
<a href=3D"http://www.google.com/url?q=3Dhttp%3A%2F%2Fwww.=
wmos.org%2F&usd=3D2&usg=3DAFQjCNEicUtvxpcEJ8V5Nem2RTycomPYMQ" targe=
t=3D"_blank">http://www.wmos.org/</a>
MobileMe Mail htmlification flaw (dropped a "."):
<a href="http://www.youtube.com/watch?v=ywBwUiq6v4o"
_mce_href="http://www.youtube.com/watch?v=ywBwUiq5v4o">http://www.youtubecom/watch?v=ywBwUiq5v4o</a>
Botched htmlization from jockeycomfort.com:
<a href=3D"http://e=
mail.jockeycomfort.com/a/hBN2$afB8ardYB8bVlZAAAfkY4S/mobile?t_params=3DEMAI=
L%3D[redacted]%2540chaosreigns.com">http:///mobile</a>
(username replaced with "[redacted]")
Can't find the problem in an email from nhliberty.
Can't find problem in metalshapers yahoo groups email from [email protected].
TurboTax:
<A HREF=3D"http://inf=
o1.turbotax.com/[redacted]">http://privacy.intuit.com</A>
(Both domains, turbotax.com and intuit.com, owned by the same organization.)
A private list:
<a href=3D"http://www.=
nramedia.org/t/193719/4743427/6880/0/" target=3D"_blank">http://www.nraila.=
org/Legislation/Read.aspx?ID=3D7061</a>
(Both domains owned by the same organization.)
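The host-only comparison this report describes, as an added Python example (not the attached patch and not SpamAssassin's rule code): an anchor is flagged only when the URL shown as link text names a different host than the `href`. The names `AnchorCollector`, `host_of` and `spoofed_host_anchors` are hypothetical, and skipping anchors where either side has no parseable host is an assumption of this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Added example (not SpamAssassin code); constructed anchors shaped like the report's.
SAMPLE = (
    '<a href="http://www.spammerdomain.com">http://www.youtube.com</a>\n'
    '<a href="http://www.legitdomain.com/?variable=x">http://www.legitdomain.com</a>\n'
    '<a href="http://email.example.com/a/mobile">http:///mobile</a>\n'
)

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.anchors = []                   # finished (href, text) pairs
        self._href, self._text = None, []   # state of the <a> currently open

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text)))
            self._href = None

def host_of(url):
    """Hostname of an http(s) URL (lower-cased, no port), else None."""
    try:
        parts = urlsplit((url.split() or [""])[0])  # first token only
    except ValueError:                              # e.g. malformed IPv6 literal
        return None
    return parts.hostname if parts.scheme in ("http", "https") else None

def spoofed_host_anchors(html):
    """Return (href_host, text_host) where the visible URL names another host."""
    collector = AnchorCollector()
    collector.feed(html)
    hits = []
    for href, text in collector.anchors:
        href_host, text_host = host_of(href), host_of(text)
        # Hostless sides (text "http:///mobile", plain words) are skipped.
        if href_host and text_host and href_host != text_host:
            hits.append((href_host, text_host))
    return hits
```

Run over anchors like the report's ham samples, this check still flags the Google redirector links and the `youtubecom` anchor, because their hosts really do differ.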