[SURBL-Discuss] RE: Google search as spam URI

Martin Hepworth martinh at solid-state-logic.com
Wed Jan 4 17:36:18 CET 2006


Dallas

Small change required for mine to lint cleanly...

redirector_pattern /^https?:\/\/(?:www\.)?google\.com\/search\?q=site:([A-Za-z0-9\-\.]+)$/i

(lower case letter I at the end, not uppercase/capital I)

--
Martin Hepworth 
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300
> -----Original Message-----
> From: Dallas L. Engelken [mailto:dallase at nmgi.com]
> Sent: 04 January 2006 14:30
> To: Jeff Chan; SpamAssassin Users; SURBL Discuss
> Subject: RE: Google search as spam URI
> 
> adding a redirector_pattern will catch this.
> 
> redirector_pattern /^https?:\/\/(?:www\.)?google\.com\/search\?q=site:([A-Za-z0-9\-\.]+)$/I
> 
>  dbg: uri: parsed uri found,
> http://www.google.com/search?q=site:bluevallet.com
>  dbg: uri: cleaned parsed uri, http://bluevallet.com
>  dbg: uri: cleaned parsed uri,
> http://www.google.com/search?q=site:bluevallet.com
>  dbg: uri: cleaned parsed uri, bluevallet.com
>  dbg: uri: parsed domain, google.com
>  dbg: uri: parsed domain, bluevallet.com
>  dbg: uridnsbl: domain google.com in skip list
>  dbg: uridnsbl: domains to query: bluevallet.com
>  dbg: uri: running uri tests; score so far=-0.001
>  dbg: rules: ran uri rule __LOCAL_PP_NONPPURL ======> got hit:
> "http://bluevallet.com"
>  dbg: uridnsbl: select found 1 socks ready
>  dbg: uridnsbl: domain "bluevallet.com" listed (URIBL_BLACK): 127.0.0.2
>  dbg: uridnsbl: query for bluevallet.com took 1 seconds to look up
> (multi.uribl.com.:bluevallet.com)
>  dbg: uridnsbl: queries completed: 1 started: 0
>  dbg: uridnsbl: queries active: DNSBL=1 NS=1 at Wed Jan  4 08:26:42 2006
>  dbg: uridnsbl: select found 1 socks ready
>  dbg: uridnsbl: domain "bluevallet.com" listed (URIBL_SC_SURBL):
> 127.0.0.2
>  dbg: uridnsbl: query for bluevallet.com took 1 seconds to look up
> (multi.surbl.org.:bluevallet.com)
>  dbg: uridnsbl: queries completed: 1 started: 0
>  dbg: uridnsbl: queries active: NS=1 at Wed Jan  4 08:26:42 2006
>  dbg: uridnsbl: waiting 2 seconds for URIDNSBL lookups to complete
>  dbg: uridnsbl: select found 1 socks ready
>  dbg: uridnsbl: queries completed: 1 started: 2
>  dbg: uridnsbl: queries active:  at Wed Jan  4 08:26:42 2006
>  dbg: uridnsbl: select found 1 socks ready
>  dbg: uridnsbl: queries completed: 1 started: 1
>  dbg: uridnsbl: queries active: A=1 at Wed Jan  4 08:26:42 2006
>  dbg: uridnsbl: select found 1 socks ready
>  dbg: uridnsbl: queries completed: 1 started: 1
>  dbg: uridnsbl: queries active: DNSBL=1 at Wed Jan  4 08:26:42 2006
>  dbg: uridnsbl: select found 1 socks ready
>  dbg: uridnsbl: domain "bluevallet.com" listed (URIBL_SBL):
> "http://www.spamhaus.org/SBL/sbl.lasso?query=SBL36468"
>  dbg: uridnsbl: domain "bluevallet.com" listed (URIBL_SBL):
> "http://www.spamhaus.org/SBL/sbl.lasso?query=SBL36335"
>  dbg: uridnsbl: query for bluevallet.com took 1 seconds to look up
> (sbl.spamhaus.org.:17.160.20.58)
>  dbg: uridnsbl: queries completed: 1 started: 0
>  dbg: uridnsbl: queries active: DNSBL=1 at Wed Jan  4 08:26:42 2006
>  dbg: uridnsbl: select found 1 socks ready
>  dbg: uridnsbl: domain "bluevallet.com" listed (URIBL_SBL):
> "http://www.spamhaus.org/SBL/sbl.lasso?query=SBL36470"
>  dbg: uridnsbl: query for bluevallet.com took 1 seconds to look up
> (sbl.spamhaus.org.:7.134.11.221)
>  dbg: uridnsbl: queries completed: 1 started: 0
>  dbg: uridnsbl: queries active:  at Wed Jan  4 08:26:42 2006
>  dbg: uridnsbl: done waiting for URIDNSBL lookups to complete
>  dbg: uri: running uri tests; score so far=9.972
>  dbg: uri: running uri tests; score so far=7.11254545454546
> 
> Thanks,
> Dallas
> 
> 
> > -----Original Message-----
> > From: Jeff Chan [mailto:jeffc at surbl.org]
> > Sent: Wednesday, January 04, 2006 3:56 AM
> > To: SpamAssassin Users; SURBL Discuss
> > Subject: Google search as spam URI
> >
> > This drug spam message body seems problematic, since the URI is
> > google, being used to search for the spammer's.   Naturally the
> > actual spammer domain  bluevallet.com  is blacklisted.  This
> > showed up  Tue, 03 Jan 2006 14:45:48 +0100
> >
> > __
> >
> >
> > Proecia
> > Xana
> > Pail
> > VALIM from $1.21
> > IAGRA from $3.33
> > IALIS from $3.75
> > eridia
> > Abien
> > Soa
> > Levtra
> > =20
> > http://www.google.com/search?q=3Dsite:bluevallet.com
> > <http://www.google.com/search?q=3Dsite:bluevallet.com>=20
> > <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0
> > Transitional//EN"> <HTML><HEAD> <META
> > http-equiv=3DContent-Type content=3D"text/html; =
> > charset=3Dus-ascii"> <META content=3D"MSHTML 6.00.2800.1106"
> > name=3DGENERATOR> <STYLE></STYLE> </HEAD> <BODY
> > bgColor=3D#ffffff> <DIV><FONT face=3DArial size=3D3>Pro<IMG =
> > src=3D"cid:000101c6106b$c54633bd$66c5a8c0 at printingmachine">eci
> a</FONT></DIV>
> > <DIV><FONT face=3DArial size=3D3>Xana<IMG =
> > src=3D"cid:000201c6106b$c54633bd$66c5a8c0 at printingmachine"></F
> ONT></DIV>
> > <DIV><FONT face=3DArial size=3D3>Pa<IMG =
> > src=3D"cid:000201c6106b$c54633bd$66c5a8c0 at printingmachine">il<
> /FONT></DIV>
> > <DIV><FONT face=3DArial size=3D3>VALI<IMG =
> > src=3D"cid:000301c6106b$c54633bd$66c5a8c0 at printingmachine">M
> > <STRONG>from = $1.21</STRONG></FONT></DIV> <DIV><FONT
> > face=3DArial size=3D3><IMG =
> > src=3D"cid:000401c6106b$c54633bd$66c5a8c0 at printingmachine">IAG
> RA <STRONG>from = $3.33</STRONG></FONT></DIV> <DIV><FONT face=> 3DArial
> size=3D3><IMG =
> > src=3D"cid:000501c6106b$c54633bd$66c5a8c0 at printingmachine">IAL
> IS <STRONG>from = $3.75</STRONG></FONT></DIV> <DIV><FONT face=> 3DArial
> size=3D3><IMG =
> > src=3D"cid:000601c6106b$c54633bd$66c5a8c0 at printingmachine">eri
> dia</FONT></DIV>
> > <DIV><FONT face=3DArial size=3D3>A<IMG =
> > src=3D"cid:000701c6106b$c54633bd$66c5a8c0 at printingmachine">bie
> n</FONT></DIV>
> > <DIV><FONT face=3DArial size=3D3>So<IMG =
> > src=3D"cid:000701c6106b$c54633bd$66c5a8c0 at printingmachine">a</
> FONT></DIV>
> > <DIV><FONT face=3DArial size=3D3>Lev<IMG =
> > src=3D"cid:000801c6106b$c54633bd$66c5a8c0 at printingmachine">tra
> </FONT></DIV>
> > <DIV><FONT face=3DArial size=3D3></FONT>&nbsp;</DIV>
> > <DIV><FONT face=3DArial size=3D3><A =
> > href=3D"http://www.google.com/search?q=3Dsite:bluevallet.com">
> <FONT = face=3DArial = size=3D3>http://www.google.com/search?q=>
> 3Dsite:bluevallet.com</FONT></A><=
> > /FONT></DIV></BODY></HTML>
> >
> > __
> >
> > SpamAssassin 3.0.1 did not catch this one, though the sender
> > IP was on the SpamCop BL (that was all it caught).
> >
> > Jeff C.
> > --
> > Don't harm innocent bystanders.
> >
> >
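
An added example, not code from the thread or from SpamAssassin: a Python sketch of what the corrected redirector_pattern does with the URI from the sample message, including the quoted-printable decoding that turns "q=3Dsite:" into "q=site:" before the pattern can match. The function names, the simplified host extraction and the one-entry skip list are assumptions that mirror the debug output quoted above.

```python
import quopri
import re

# Python translation of the corrected pattern from the thread (lowercase /i flag).
REDIRECTOR = re.compile(
    r"^https?://(?:www\.)?google\.com/search\?q=site:([A-Za-z0-9\-.]+)$",
    re.IGNORECASE,
)

# Raw body line as it appears in the quoted sample (quoted-printable encoded).
RAW_LINE = "http://www.google.com/search?q=3Dsite:bluevallet.com=20"


def decode_qp(raw: str) -> str:
    """Undo quoted-printable encoding ('=3D' -> '=', '=20' -> ' ')."""
    return quopri.decodestring(raw.encode("ascii")).decode("ascii")


def redirect_target(uri: str):
    """Return the domain captured by the redirector pattern, or None."""
    m = REDIRECTOR.match(uri.strip())
    return m.group(1).lower() if m else None


def domains_to_query(uri: str, skip=frozenset({"google.com"})):
    """Domains a URIBL lookup would see for this URI: its own host plus any
    redirect target, minus skip-listed domains.
    Simplified (assumption): only a leading 'www.' is stripped from the host."""
    host = re.sub(r"^https?://(?:www\.)?", "", uri.strip(), flags=re.I)
    host = host.split("/")[0].lower()
    found = [host]
    target = redirect_target(uri)
    if target:
        found.append(target)
    return [d for d in found if d not in skip]


if __name__ == "__main__":
    decoded = decode_qp(RAW_LINE)
    print("decoded uri      :", decoded.strip())
    print("redirect target  :", redirect_target(decoded))
    print("domains to query :", domains_to_query(decoded))
    # Without decoding, 'q=3Dsite:' does not match and nothing is extracted.
    print("undecoded target :", redirect_target(RAW_LINE))
```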

