You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@spamassassin.apache.org by Dave Funk <db...@engineering.uiowa.edu> on 2022/08/29 07:43:01 UTC

metholdless URLs bypass DecodeShortURLs link shortner checking

Today I found some spammy messages which contained tinyurl links that were not 
checked by my DecodeShortURLs checker.

Checking the tinyurl by hand using wget, I found that the destination was a URL 
that hit some of my URIBL lists.

The issue is that if the method is omitted from the url it is not considered for 
DecodeShortURLs checking.

EG: <a href=3D"tinyurl.com/REDACTED"><B>Click here</B></a> does not get checked 
but <a href=3D"http://tinyurl.com/REDACTED"><B>Click here</B></a> does get 
checked.
This happens with SA 3.4.6

Note that this is specific to DecodeShortURLs, a methodless URL is still checked 
via direct URIBL rules.

Is this an issue with the DecodeShortURLs plugin or with SA?

Where would I find the most recent version of DecodeShortURLs plugin?

Thanks,
Dave

-- 
Dave Funk                               University of Iowa
<dbfunk (at) engineering.uiowa.edu>     College of Engineering
319/335-5751   FAX: 319/384-0549        1256 Seamans Center, 103 S Capitol St.
Sys_admin/Postmaster/cell_admin         Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{

Re: metholdless URLs bypass DecodeShortURLs link shortner checking

Posted by "Kevin A. McGrail" <km...@apache.org>.

If you can try the current RC-1 and report if the issue still exists and
open a bugzilla report ASAP that would be great too.  We are working hard
on a last handful of items for a 4.0 release. -KAM
--
Kevin A. McGrail
Member, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171


On Mon, Aug 29, 2022 at 4:10 AM Henrik K <he...@hege.li> wrote:

> On Mon, Aug 29, 2022 at 02:43:01AM -0500, Dave Funk wrote:
> >
> > Where would I find the most recent version of DecodeShortURLs plugin?
>
> It is now maintained by SA project and included in 4.0 release.  Best to
> wait for that or try the current trunk/4.0.0-rc1.
>
>

Re: metholdless URLs bypass DecodeShortURLs link shortner checking

Posted by Henrik K <he...@hege.li>.

On Mon, Aug 29, 2022 at 02:43:01AM -0500, Dave Funk wrote:
> 
> Where would I find the most recent version of DecodeShortURLs plugin?

It is now maintained by SA project and included in 4.0 release.  Best to
wait for that or try the current trunk/4.0.0-rc1.