Posted to users@spamassassin.apache.org by Justin Mason <jm...@jmason.org> on 2008/09/01 11:29:56 UTC

Re: google analytics and spam

Michael Scheidell writes:
> looks like (despite GA's TOS forbidding using GA to track personal 
> information and email), spammers are starting to use GA to track their spam.
> 
> Not unlike all the other WEB bugs that SA knows how to track.
> 
> given a GA like this in an email:
> 
> <script type="text/javascript">
> var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
> document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
> </script>
> <script type="text/javascript">
> var pageTracker = _gat._getTracker("UA-XXXXXXXX-X");
> pageTracker._initData();
> pageTracker._trackPageview();
> </script>
> 
> would a SA rule like this help? anything FASTER (uses less cpu?)  body 
> or rawbody rule?  anyone run this against a non-spam corpus?
> 
> body GA_TRACKING eval:html_text_match('script', 'google-analytics\.com')
> score GA_TRACKING 1.7
> 
> (a quick run on my corpus only shows it on the 'spam that got away')..  
> scored 3.339 ...  looks like '_getTracker' might be a good keyword also.
> 
> on a client, ('false alarms' already), I see things like this in 
> 'legitimate' email (Bulk emails, that clients reported as false positives)
> anyone know the difference between these two?
> 
> <SCRIPT src=3D"http://www.google-analytics.com/urchin.js" =
> type=3Dtext/javascript>
> </SCRIPT>
> 
> <SCRIPT type=3Dtext/javascript>
> _uacct =3D "UA-xxxxxxx";
> urchinTracker();
> </SCRIPT>

I'd say there'll be a lot of FPs; legit senders tend to design emails as
webpages (with analytics etc.) then send those individual pages as HTML
email.

However, the UA-xxxxxxx-x code may be trackable.

--j.
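
Added example, not part of the original posts: one way to act on the suggestion that the UA code may be trackable is to pull the account ID out of each message's HTML and group messages that share it. The function names, senders and UA numbers below are constructed for illustration; the regex covers only the two tracker styles quoted in this thread.

```python
import email
import re
from collections import defaultdict
from email import policy

# Both tracker styles quoted in the thread:
#   _gat._getTracker("UA-...")  (ga.js)   and   _uacct = "UA-..."  (urchin.js)
UA_RE = re.compile(r"""(?:_getTracker\s*\(|_uacct\s*=)\s*["'](UA-\d+(?:-\d+)?)["']""")

def ga_ids(raw: bytes) -> set:
    """Return the GA account IDs found in the HTML parts of one message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    ids = set()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            # get_content() undoes quoted-printable, so "=3D" is "=" again
            ids.update(UA_RE.findall(part.get_content()))
    return ids

def group_by_id(corpus: dict) -> dict:
    """Map each account ID to the sorted names of the messages carrying it."""
    groups = defaultdict(list)
    for name in sorted(corpus):
        for ua in ga_ids(corpus[name]):
            groups[ua].append(name)
    return dict(groups)

def _mail(sender: str, cte: str, html: str) -> bytes:
    """Build a minimal single-part HTML message (helper for the sample data)."""
    head = (f"From: {sender}\nContent-Type: text/html; charset=us-ascii\n"
            f"Content-Transfer-Encoding: {cte}\n\n")
    return (head + html).encode("ascii")

# Constructed sample corpus; the senders and UA numbers are made up.
CORPUS = {
    "a.eml": _mail("one@example.com", "7bit",
                   '<script>var pageTracker = _gat._getTracker("UA-1234567-1");</script>'),
    "b.eml": _mail("two@example.net", "quoted-printable",
                   '<SCRIPT type=3Dtext/javascript>\n_uacct =3D "UA-1234567-1";\n</SCRIPT>'),
    "c.eml": _mail("news@example.org", "quoted-printable",
                   '<SCRIPT type=3Dtext/javascript>\n_uacct =3D "UA-7654321";\n</SCRIPT>'),
}

if __name__ == "__main__":
    for ua, names in sorted(group_by_id(CORPUS).items()):
        print(ua, names)
```

An ID seen only in the spam corpus is a candidate for a targeted rule, while one that also appears in ham is the false-positive case described above.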

Re: google analytics and spam

Posted by Michael Scheidell <sc...@secnap.net>.
Justin Mason wrote:
>
> email.
>
> However, the UA-xxxxxxx-x code may be trackable.
>   

Would JM_THOUGHT code find it?

-- 
Michael Scheidell, President
Main: 561-999-5000, Office: 561-939-7259
SECNAP Network Security Corporation

    * Certified SNORT Integrator
    * Everything Channel Hot Product of 2008
    * Shaping Information Security Award 2008
    * CRN Magazine Top 40 Emerging Security Vendors

