On Thu, 12 Apr 2018, Alex wrote:

> We received an email to undisclosed-recipients that contained a Google
> redirect to an owl.ly site
>
> amavisd knew this single email was delivered to more than 40
> recipients. Is there any way to benefit from that in SpamAssassin?
> This seems to be a common denominator with a lot of these.

How did it know that? Was it bcc'd to 40+ local users and there's some side channel communicating that to Amavis? Or are you referring to 40+ separate deliveries of the same message, which would point at Razor et al. as the solution?

> How much of a spam indicator are the Google redirects?

I'd say a Google redirect to bit.ly or ow.ly is pretty suspicious, potentially poison-pill suspicious...

> Can someone look at this redirect as part of the redirector_pattern along with __GOOG_REDIR?

I'll take a look and see about adding it to my sandbox.

 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
  Vista is at best mildly annoying and at worst makes you want to
  rush to Redmond, Wash. and rip somebody's liver out.      -- Forbes
 Tomorrow: Thomas Jefferson's 275th Birthday
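
The check discussed in this thread, as an added Python example that is not part of the original messages and is not SpamAssassin's own rule code: it extracts the target carried by a Google `/url` redirect and flags targets hosted on bit.ly or ow.ly. The `/url?q=` form, the host lists, the function names and the sample text are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: redirector hosts and shortener hosts of interest.
GOOGLE_HOSTS = {"google.com", "www.google.com"}
SHORTENERS = {"bit.ly", "ow.ly"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

# Constructed sample body, not taken from a real message.
SAMPLE = (
    "Invoice: https://www.google.com/url?q=http%3A%2F%2Fow.ly%2FAbC123&sa=D\n"
    "Search: https://www.google.com/search?q=ow.ly\n"
    "Docs: https://www.google.com/url?q=https://example.org/report\n"
)


def redirect_target(url):
    """Return the target URL carried by a Google /url redirect, else None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host not in GOOGLE_HOSTS or parts.path.rstrip("/") != "/url":
        return None
    # parse_qs percent-decodes values, so encoded targets are handled too.
    params = parse_qs(parts.query)
    for key in ("q", "url"):
        for value in params.get(key, []):
            if value.lower().startswith(("http://", "https://")):
                return value
    return None


def score_body(body):
    """List (redirect_url, target_host) pairs that redirect to a shortener."""
    hits = []
    for raw in URL_RE.findall(body):
        url = raw.rstrip(".,)")  # drop trailing sentence punctuation
        target = redirect_target(url)
        if target is None:
            continue
        target_host = (urlsplit(target).hostname or "").lower()
        if target_host in SHORTENERS:
            hits.append((url, target_host))
    return hits


if __name__ == "__main__":
    for url, host in score_body(SAMPLE):
        print(f"Google redirect to shortener {host}: {url}")
```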
