Posted to users@spamassassin.apache.org by Justin Mason <jm...@jmason.org> on 2008/09/01 11:29:56 UTC
Re: google analytics and spam
Michael Scheidell writes:
> looks like (despite GA's TOS forbidding using GA to track personal
> information and email), spammers are starting to use GA to track their spam.
>
> Not unlike all the other WEB bugs that SA knows how to track.
>
> given a GA like this in an email:
>
> <script type="text/javascript">
> var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
> document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
> </script>
> <script type="text/javascript">
> var pageTracker = _gat._getTracker("UA-XXXXXXXX-X");
> pageTracker._initData();
> pageTracker._trackPageview();
> </script>
>
> would a SA rule like this help? anything FASTER (uses less cpu?) body
> or rawbody rule? anyone run this against a non-spam corpus?
>
> body GA_TRACKING eval:html_text_match('script', 'google-analytics\.com')
> score GA_TRACKING 1.7
>
> (a quick run on my corpus only shows it on the 'spam that got away')..
> scored 3.339 ... looks like '_getTracker' might be a good keyword also.
>
> on a client, ('false alarms' already), I see things like this in
> 'legitimate' email (Bulk emails, that clients reported as false positives)
> anyone know the difference between these two?
>
> <SCRIPT src=3D"http://www.google-analytics.com/urchin.js" =
> type=3Dtext/javascript>
> </SCRIPT>
>
> <SCRIPT type=3Dtext/javascript>
> _uacct =3D "UA-xxxxxxx";
> urchinTracker();
> </SCRIPT>
I'd say there'll be a lot of FPs; legit senders tend to design emails as
webpages (with analytics etc.) then send those individual pages as HTML
email.
However, the UA-xxxxxxx-x code may be trackable.
--j.
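Added example, not part of the thread: one way to act on the suggestion that the UA-xxxxxxx-x code may be trackable is to pull the account ID out of each message's decoded HTML and group a corpus by it. The helper names and the sample messages (including their IDs) are constructed for illustration.

```python
import email
import re
from collections import defaultdict

# GA account IDs look like UA-1234567-1; the "-N" profile suffix is optional
# because older urchin.js snippets often omit it.
UA_ID = re.compile(r"\bUA-(\d{4,10})(?:-\d{1,4})?\b")

def ga_account_ids(raw_message):
    """Return the GA account IDs (profile suffix dropped) in the HTML parts."""
    found = set()
    for part in email.message_from_string(raw_message).walk():
        if part.get_content_type() != "text/html":
            continue
        # decode=True undoes quoted-printable, so "=3D" and soft line breaks
        # ("=" at end of line) cannot hide or split an ID.
        body = (part.get_payload(decode=True) or b"").decode("latin-1")
        if "google-analytics.com" in body.lower():
            found.update("UA-" + m.group(1) for m in UA_ID.finditer(body))
    return found

def group_by_account(corpus):
    """Map each GA account ID to the sorted names of messages carrying it."""
    groups = defaultdict(list)
    for name, raw in corpus.items():
        for account in ga_account_ids(raw):
            groups[account].append(name)
    return {acct: sorted(names) for acct, names in groups.items()}

def html_mail(body, cte="7bit"):
    """Build a minimal single-part HTML message (constructed test input)."""
    return ("Content-Type: text/html; charset=us-ascii\n"
            "Content-Transfer-Encoding: %s\n\n%s\n" % (cte, body))

# Constructed sample corpus (IDs are made up): two mailings share one account,
# one of them quoted-printable with the ID split by a soft line break.
SAMPLE = {
    "msg1": html_mail('<script src="http://www.google-analytics.com/ga.js">'
                      '</script><script>_gat._getTracker("UA-1234567-1");</script>'),
    "msg2": html_mail('<SCRIPT src=3D"http://www.google-analytics.com/urchin.js">'
                      '</SCRIPT>\n<SCRIPT>_uacct =3D "UA-123=\n4567";</SCRIPT>',
                      "quoted-printable"),
    "msg3": html_mail('<script src="http://www.google-analytics.com/ga.js">'
                      '</script><script>_gat._getTracker("UA-7654321-2");</script>'),
    "msg4": html_mail("<p>Order ref UA-1234567 shipped</p>"),  # no GA script
}

if __name__ == "__main__":
    for account, names in sorted(group_by_account(SAMPLE).items()):
        print(account, names)
```

Grouping by account rather than matching on the presence of the script keeps legitimate bulk mail that happens to embed analytics from being scored the same as a known spam run.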
Re: google analytics and spam
Posted by Michael Scheidell <sc...@secnap.net>.
Justin Mason wrote:
>
> email.
>
> However, the UA-xxxxxxx-x code may be trackable.
>
Would JM_THOUGHT code find it?
--
Michael Scheidell, President
Main: 561-999-5000, Office: 561-939-7259
SECNAP Network Security Corporation
* Certified SNORT Integrator
* Everything Channel Hot Product of 2008
* Shaping Information Security Award 2008
* CRN Magazine Top 40 Emerging Security Vendors