On Sun, Sep 12, 2021 at 08:34:28PM -0500, Dave Funk wrote: > On Sun, 12 Sep 2021, Loren Wilton wrote: > > > I found this little wonder in a bunch of spams I've been getting for the > > last few days: > > > > <a amzon-work to=http://"; http://"; http://"; http://"; http://"; http://"; > > href="http:/mi.wey.vandalized655bccemetries -dot- cleaning/<tracking > > id>">unsubscribe here</a> > > > > I have no idea if that actually works, since I'm not about to try it. > > The base hostname in that URL (I bowdlerized it in this message) is listed > in a couple different URIBLs. > > SA 3.4.1 is able to spot/extract that name from the garbage and trigger > URIBL rules. > In debug mode for this message its 'URIDOMAINS' contains: ARY:[...] > > SA 3.4.6 not so much. it doesn't seem to "see" that href/URL at all. > Its 'URIDOMAINS' contains: value: avg.com > > So why is SA 3.4.6 much less sensitive about picking up hosts in URLs?
Because newer works more sensibly if you feed it crap? As we don't have an original pastebin to test, we can simply assume to fake it as a text/html message: printf 'Content-Type: text/html\n\n<a amzon-work to=http://"; http://"; http://"; http://"; http://"; http://"; href="http:/mi.wey.vandalized655bccemetries -dot- cleaning/foo"> unsubscribe here</a>' | spamassassin -D -L 2>&1 | grep uri: You will find it parses it fine. (replace -dot-)
