spamassassin regexp for a google redirect ??

Forum for things that doesn't really have anything to do with hMailServer. Such as php.ini, beer, etc etc.
Post Reply
User avatar
johang
Senior user
Senior user
Posts: 675
Joined: 2008-09-01 09:20

spamassassin regexp for a google redirect ??

Post by johang » 2022-01-07 11:45

how would i go about to trigger spamassassin on below included "text" that i recieve in an email.. ?

https://www.google.com/url?q=https%3A%2 ... BCBCBCBxxx

my regexp capacity is non existant, i did however try: RAWBODY /href=.*\/neweverymonth.*>/i
but those email just come whooshing in anyway.. i believe the double "https" and my inability to understand how to surpass the "https google part" may cause it


i dont want to block google searches per see.. people should be able to send google searches without email being deleted




help.. :cry:
(edit added "rawbody" in text)
lets cheat darwin out of his legacy, find a cure for cancer...

User avatar
katip
Senior user
Senior user
Posts: 992
Joined: 2006-12-22 07:58
Location: Istanbul

Re: spamassassin regexp for a google redirect ??

Post by katip » 2022-01-07 11:57

how about

Code: Select all

body GGL_RDR /sexdate-neweverymonth\.com/i
Katip
--
HMS 5.7.0, MariaDB 10.4.10, SA 3.4.4, ClamAV 0.103.2

User avatar
johang
Senior user
Senior user
Posts: 675
Joined: 2008-09-01 09:20

Re: spamassassin regexp for a google redirect ??

Post by johang » 2022-01-07 13:03

katip wrote:
2022-01-07 11:57
how about

Code: Select all

body GGL_RDR /sexdate-neweverymonth\.com/i
nope
tested rawbody as well... no go..

email comes through without score on that
lets cheat darwin out of his legacy, find a cure for cancer...

palinka
Senior user
Senior user
Posts: 3174
Joined: 2017-09-12 17:57

Re: spamassassin regexp for a google redirect ??

Post by palinka » 2022-01-07 13:24

johang wrote:
2022-01-07 11:45
how would i go about to trigger spamassassin on below included "text" that i recieve in an email.. ?

https://www.google.com/url?q=https%3A%2 ... BCBCBCBxxx

my regexp capacity is non existant, i did however try: RAWBODY /href=.*\/neweverymonth.*>/i
but those email just come whooshing in anyway.. i believe the double "https" and my inability to understand how to surpass the "https google part" may cause it


i dont want to block google searches per see.. people should be able to send google searches without email being deleted




help.. :cry:
(edit added "rawbody" in text)
I came up with this regex (for use in scripting). It should catch any GET url redirect. I haven't had a single hit, though. By hit, I mean target url domain listed on spamhaus dbl or surbl. I don't count regex matches - I only count matches that are listed. So far (only 2 months) I haven't had a single hit.

Code: Select all

(?:\bhttps?:\/\/.+\?.+=https?\%3A\%2F\%2F)([a-zA-Z0-9-.]+)(?:\%2F[^\s]+\b)
Theres a short discussion here where Soren has some links to SA mailing list archives where the topic has come up.

viewtopic.php?p=234191#p234191

User avatar
RvdH
Senior user
Senior user
Posts: 1759
Joined: 2008-06-27 14:42
Location: Netherlands

Re: spamassassin regexp for a google redirect ??

Post by RvdH » 2022-01-07 13:36

Code: Select all

rawbody  /^.*(neweverymonth\..+).*$/i
https://regexr.com/6cssl

if you create a rule prefixed with "T_" , eg: T_GOOGLEREDIRECT you can test rules without actually scoring them as long as you do not assign a SCORE to the rule, could be helpful to see if the rule is triggered
CIDR to RegEx: d-fault.nl/cidrtoregex
DNS Lookup: d-fault.nl/dnstools
DKIM Generator: d-fault.nl/dkimgenerator
DNSBL Lookup: d-fault.nl/dnsbllookup
GEOIP Lookup: d-fault.nl/geoiplookup

User avatar
johang
Senior user
Senior user
Posts: 675
Joined: 2008-09-01 09:20

Re: spamassassin regexp for a google redirect ??

Post by johang » 2022-01-07 13:46

katip wrote:
2022-01-07 11:57
how about

Code: Select all

body GGL_RDR /sexdate-neweverymonth\.com/i
it actually worked ... i was wrong ....

however i had sneaked in a "-" in the describe row, and after removing that it scores perfectly.. no error produced via "spamassassin --lint" so i was merely doing trial and error writing in my custom.cf file

solution:

Code: Select all

rawbody   GGLRDRJOY   /nightjoyyz\.com/i
score     GGLRDRJOY   5
describe  GGLRDRJOY   SexDating
thank you all ( but especially katip )
lets cheat darwin out of his legacy, find a cure for cancer...

User avatar
johang
Senior user
Senior user
Posts: 675
Joined: 2008-09-01 09:20

Re: spamassassin regexp for a google redirect ??

Post by johang » 2022-01-07 13:52

RvdH wrote:
2022-01-07 13:36

Code: Select all

rawbody  /^.*(neweverymonth\..+).*$/i
https://regexr.com/6cssl

if you create a rule prefixed with "T_" , eg: T_GOOGLEREDIRECT you can test rules without actually scoring them as long as you do not assign a SCORE to the rule, could be helpful to see if the rule is triggered
i had a test rule as well; "tteestt" wih 0.1 score :) in my trials
but your approach is better ...
lets cheat darwin out of his legacy, find a cure for cancer...

User avatar
SorenR
Senior user
Senior user
Posts: 5092
Joined: 2006-08-21 15:38
Location: Denmark

Re: spamassassin regexp for a google redirect ??

Post by SorenR » 2022-01-07 15:20

johang wrote:
2022-01-07 11:45
how would i go about to trigger spamassassin on below included "text" that i recieve in an email.. ?

https://www.google.com/url?q=https%3A%2 ... BCBCBCBxxx

my regexp capacity is non existant, i did however try: RAWBODY /href=.*\/neweverymonth.*>/i
but those email just come whooshing in anyway.. i believe the double "https" and my inability to understand how to surpass the "https google part" may cause it


i dont want to block google searches per see.. people should be able to send google searches without email being deleted




help.. :cry:
(edit added "rawbody" in text)
https://stackoverflow.com/questions/365 ... rd-pattern
SørenR.

There are only two difficult problems in computer science: naming things, cache invalidation and off-by-one errors.

Post Reply