On Mon, Jul 24, 2017, at 15:00, Alex wrote: > Hi, > > We're currently experiencing a new spam campaign that involves some > text pertaining to invoicing then a link that immediately downloads a > Word macro file. > > http://sdeflores.com/PHJC579907/ > > What would be involved in following these links in SA to determine if > they immediately download a file (other than a web page)? Would that > even be a reliable indicator?
You want to be very careful with your implementation, many "Verify this account" or Subscribe/Unsubscribe links act on a single GET rather than following standards and using a POST, so this type of activity can trigger an action. It is possible that a HEAD would be safer and still provide the needed information, but i'm not clear if this will trigger any actions, but noting how terrible many implementations are, it wouldn't shock me if there are a few home-brewed beasts that take action on a HEAD request.
