adding a redirector_pattern will catch this.
redirector_pattern /^https?:\/\/(?:www\.)?google\.com\/search\?q=site:([A-Za-z0-9-.]+)$/I
dbg: uri: parsed uri found, http://www.google.com/search?q=site:bluevallet.com
dbg: uri: cleaned parsed uri, http://bluevallet.com
dbg: uri: cleaned parsed uri, http://www.google.com/search?q=site:bluevallet.com
dbg: uri: cleaned parsed uri, bluevallet.com
dbg: uri: parsed domain, google.com
dbg: uri: parsed domain, bluevallet.com
dbg: uridnsbl: domain google.com in skip list
dbg: uridnsbl: domains to query: bluevallet.com
dbg: uri: running uri tests; score so far=-0.001
dbg: rules: ran uri rule __LOCAL_PP_NONPPURL ======> got hit: "http://bluevallet.com"
dbg: uridnsbl: select found 1 socks ready
dbg: uridnsbl: domain "bluevallet.com" listed (URIBL_BLACK): 127.0.0.2
dbg: uridnsbl: query for bluevallet.com took 1 seconds to look up (multi.uribl.com.:bluevallet.com)
dbg: uridnsbl: queries completed: 1 started: 0
dbg: uridnsbl: queries active: DNSBL=1 NS=1 at Wed Jan 4 08:26:42 2006
dbg: uridnsbl: select found 1 socks ready
dbg: uridnsbl: domain "bluevallet.com" listed (URIBL_SC_SURBL): 127.0.0.2
dbg: uridnsbl: query for bluevallet.com took 1 seconds to look up (multi.surbl.org.:bluevallet.com)
dbg: uridnsbl: queries completed: 1 started: 0
dbg: uridnsbl: queries active: NS=1 at Wed Jan 4 08:26:42 2006
dbg: uridnsbl: waiting 2 seconds for URIDNSBL lookups to complete
dbg: uridnsbl: select found 1 socks ready
dbg: uridnsbl: queries completed: 1 started: 2
dbg: uridnsbl: queries active: at Wed Jan 4 08:26:42 2006
dbg: uridnsbl: select found 1 socks ready
dbg: uridnsbl: queries completed: 1 started: 1
dbg: uridnsbl: queries active: A=1 at Wed Jan 4 08:26:42 2006
dbg: uridnsbl: select found 1 socks ready
dbg: uridnsbl: queries completed: 1 started: 1
dbg: uridnsbl: queries active: DNSBL=1 at Wed Jan 4 08:26:42 2006
dbg: uridnsbl: select found 1 socks ready
dbg: uridnsbl: domain "bluevallet.com" listed (URIBL_SBL): "http://www.spamhaus.org/SBL/sbl.lasso?query=SBL36468"
dbg: uridnsbl: domain "bluevallet.com" listed (URIBL_SBL): "http://www.spamhaus.org/SBL/sbl.lasso?query=SBL36335"
dbg: uridnsbl: query for bluevallet.com took 1 seconds to look up (sbl.spamhaus.org.:17.160.20.58)
dbg: uridnsbl: queries completed: 1 started: 0
dbg: uridnsbl: queries active: DNSBL=1 at Wed Jan 4 08:26:42 2006
dbg: uridnsbl: select found 1 socks ready
dbg: uridnsbl: domain "bluevallet.com" listed (URIBL_SBL): "http://www.spamhaus.org/SBL/sbl.lasso?query=SBL36470"
dbg: uridnsbl: query for bluevallet.com took 1 seconds to look up (sbl.spamhaus.org.:7.134.11.221)
dbg: uridnsbl: queries completed: 1 started: 0
dbg: uridnsbl: queries active: at Wed Jan 4 08:26:42 2006
dbg: uridnsbl: done waiting for URIDNSBL lookups to complete
dbg: uri: running uri tests; score so far=9.972
dbg: uri: running uri tests; score so far=7.11254545454546
Thanks, Dallas
-----Original Message-----
From: Jeff Chan [mailto:jeffc@surbl.org]
Sent: Wednesday, January 04, 2006 3:56 AM
To: SpamAssassin Users; SURBL Discuss
Subject: Google search as spam URI
This drug spam message body seems problematic, since the URI is google, being used to search for the spammer's. Naturally the actual spammer domain bluevallet.com is blacklisted. This showed up Tue, 03 Jan 2006 14:45:48 +0100
__
Proecia Xana Pail VALIM from $1.21 IAGRA from $3.33 IALIS from $3.75 eridia Abien Soa Levtra =20 http://www.google.com/search?q=3Dsite:bluevallet.com http://www.google.com/search?q=3Dsite:bluevallet.com=20
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD> <META
http-equiv=3DContent-Type content=3D"text/html; = charset=3Dus-ascii"> <META content=3D"MSHTML 6.00.2800.1106" name=3DGENERATOR> <STYLE></STYLE> </HEAD> <BODY bgColor=3D#ffffff> <DIV><FONT face=3DArial size=3D3>Pro<IMG = src=3D"cid:000101c6106b$c54633bd$66c5a8c0@printingmachine">eci
a</FONT></DIV>
<DIV><FONT face=3DArial size=3D3>Xana<IMG = src=3D"cid:000201c6106b$c54633bd$66c5a8c0@printingmachine"></F
ONT></DIV>
<DIV><FONT face=3DArial size=3D3>Pa<IMG = src=3D"cid:000201c6106b$c54633bd$66c5a8c0@printingmachine">il<
/FONT></DIV>
<DIV><FONT face=3DArial size=3D3>VALI<IMG = src=3D"cid:000301c6106b$c54633bd$66c5a8c0@printingmachine">M <STRONG>from = $1.21</STRONG></FONT></DIV> <DIV><FONT face=3DArial size=3D3><IMG = src=3D"cid:000401c6106b$c54633bd$66c5a8c0@printingmachine">IAG
RA <STRONG>from = $3.33</STRONG></FONT></DIV> <DIV><FONT face=> 3DArial size=3D3><IMG =
src=3D"cid:000501c6106b$c54633bd$66c5a8c0@printingmachine">IAL
IS <STRONG>from = $3.75</STRONG></FONT></DIV> <DIV><FONT face=> 3DArial size=3D3><IMG =
src=3D"cid:000601c6106b$c54633bd$66c5a8c0@printingmachine">eri
dia</FONT></DIV>
<DIV><FONT face=3DArial size=3D3>A<IMG = src=3D"cid:000701c6106b$c54633bd$66c5a8c0@printingmachine">bie
n</FONT></DIV>
<DIV><FONT face=3DArial size=3D3>So<IMG = src=3D"cid:000701c6106b$c54633bd$66c5a8c0@printingmachine">a</
FONT></DIV>
<DIV><FONT face=3DArial size=3D3>Lev<IMG = src=3D"cid:000801c6106b$c54633bd$66c5a8c0@printingmachine">tra
</FONT></DIV>
<DIV><FONT face=3DArial size=3D3></FONT> </DIV> <DIV><FONT face=3DArial size=3D3><A = href=3D"http://www.google.com/search?q=3Dsite:bluevallet.com">
<FONT = face=3DArial = size=3D3>http://www.google.com/search?q=%3E 3Dsite:bluevallet.com</FONT></A><=
/FONT></DIV></BODY></HTML>
__
SpamAssassin 3.0.1 did not catch this one, though the sender IP was on the SpamCop BL (that was all it caught).
Jeff C.
Don't harm innocent bystanders.
Dallas
Small change required for my to lint cleanly...
redirector_pattern /^https?:\/\/(?:www\.)?google\.com\/search\?q=site:([A-Za-z0-9-.]+)$/i
(lower case letter I at the end, not uppercase/capital I)
-- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300
-----Original Message-----
From: Dallas L. Engelken [mailto:dallase@nmgi.com]
Sent: 04 January 2006 14:30
To: Jeff Chan; SpamAssassin Users; SURBL Discuss
Subject: RE: Google search as spam URI
adding a redirector_pattern will catch this.
redirector_pattern /^https?:\/\/(?:www\.)?google\.com\/search\?q=site:([A-Za-z0-9-.]+)$/I
Dallas L. Engelken writes:
adding a redirector_pattern will catch this.
redirector_pattern /^https?:\/\/(?:www\.)?google\.com\/search\?q=site:([A-Za-z0-9-.]+)$/I
better write a rule for google translate as well.. i see it being abused soon.
http://translate.google.com/translate?u=www.domain.tld&langpair=en%7Cen&... n
- dhawal
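
Added example, not part of the original thread and not SpamAssassin code: a Python sketch of what the redirector_pattern above does (capture the embedded host so it, not google.com, is sent to the URI blocklists), extended to the Google Translate URL shape raised in the last post. The translate pattern, the function names and the two-label domain reduction are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# GOOGLE_SITE mirrors the redirector_pattern posted in the thread.
# GOOGLE_TRANSLATE is a hypothetical pattern for the translate URL shape
# quoted in the last post; it is not a SpamAssassin default.
GOOGLE_SITE = re.compile(
    r"^https?://(?:www\.)?google\.com/search\?q=site:([A-Za-z0-9.-]+)$", re.I)
GOOGLE_TRANSLATE = re.compile(
    r"^https?://translate\.google\.com/translate\?(?:[^#]*&)?u="
    r"(?:https?://)?([A-Za-z0-9.-]+)", re.I)
REDIRECTOR_PATTERNS = [GOOGLE_SITE, GOOGLE_TRANSLATE]

SKIP_DOMAINS = {"google.com"}  # assumed skip list, as in the debug output

def uris_to_check(uri):
    """Return the URI itself plus any target a redirector pattern captures."""
    uri = unquote(uri.strip())  # undo %3A, %2F and similar escapes first
    found = [uri]
    for pattern in REDIRECTOR_PATTERNS:
        m = pattern.match(uri)
        if m:
            found.append("http://" + m.group(1))
    return found

def registered_domain(uri):
    """Naive reduction to the last two host labels (fine for these samples)."""
    host = re.match(r"^(?:https?://)?([^/?#:]*)", uri, re.I).group(1)
    return ".".join(host.lower().strip(".").split(".")[-2:])

def domains_to_query(uri):
    """Domains a URI blocklist lookup would be issued for, skip list removed."""
    domains = []
    for candidate in uris_to_check(uri):
        domain = registered_domain(candidate)
        if domain and domain not in SKIP_DOMAINS and domain not in domains:
            domains.append(domain)
    return domains

# Constructed samples: the URI from the thread, a case variant, the translate
# URL shape from the last post, and an ordinary search with nothing embedded.
SAMPLES = [
    "http://www.google.com/search?q=site:bluevallet.com",
    "HTTP://GOOGLE.COM/search?q=site:bluevallet.com",
    "http://translate.google.com/translate?u=www.domain.tld&langpair=en%7Cen",
    "http://www.google.com/search?q=weather",
]
RESULTS = {s: domains_to_query(s) for s in SAMPLES}
```

The `$` anchor in the search pattern means it only fires when the site: term ends the URI, so any rule of this kind is worth linting and testing against the URI forms actually seen in mail.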