Posted to users@spamassassin.apache.org by "Chip M." <sa...@IowaHoneypot.com> on 2012/12/10 22:03:11 UTC

new (?) Google Translate trick using URL Shorteners

There's a new (to me), overly clever campaign combining Google 
Translate with a URL shortener.  It's fairly low volume, but most
are sailing thru SA.  It's such a goofy pattern it feels like it's
worthy of an Extinction level score. :)

These started yesterday (Dec 9) at around 2am Eastern US time, and
ALL the shorteners are still active. :(

They're all coming from Yahoo, with an unusual nation of origin.
In general, MANY of the interesting new campaigns are coming from
one or more of the big Freemailers.

All the URLs have the shortener domain encoded and look like:
	http://google.com.ag/translate?u=%79%2e%61%68%6f%6f%2e%69%74/[REDACTED]?&hl=en
which translates to:
	http://google.com.ag/translate?u=y.ahoo.it/[REDACTED]?&hl=en
The REDACTED element is _NOT_ encoded (and does not contain 
brackets, it's just a regular five character shortener parameter).
All are hitting SA's "HTTP_EXCESSIVE_ESCAPES". :)

In all cases, the shortener goes to some variation of:
	http://1427762013/[REDACTED]/[REDACTED].html

ALL of my samples go to the pure numerical domain "1427762013".
Could someone sanity check that that translates to "85.25.235.93"?
That's in German light snowshoe territory. :)

I've seen that form before, and am surprised that any URL shortener
is still allowing those.

So far, there's always two subdirs, and they look like either 
year month, or month day (always numbers).
The filename is long (15 to 19 chars), and looks random, with all
mixed-case alphanumerical characters.

So far, they're all using unusual Google domains (including my old
favorite "google.co.ck").  Google tricks campaigns often have 
started with rare TLDs, and often move to Google's default domain,
so it's probably best to write rules for all Google variations.


Suggestions:
Add metas for each of:
* Google Translate
* semi-legit but often exploited URL shorteners
* any Google URL with "HTTP_EXCESSIVE_ESCAPES"
* combinations of the above, and/or from Freemailers

Personally, I've jacked up the score of "HTTP_EXCESSIVE_ESCAPES",
however I do see enough legit-but-thick senders who hit it, that I
understand why it's somewhat low.

John H:
I'll send you a couple of raw corpses so you can wave your
RE magic wand. :)
	- "Chip"
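Added example (not Chip's code, nor anything from SpamAssassin): a small Python check of the decode-and-verify steps in the post, decoding the percent-escaped `u=` target of a Google Translate link, converting a bare decimal host such as 1427762013 to dotted-quad form, and collecting the indicators a meta rule could combine. The shortener path, landing path and the escape-count threshold are constructed for the example; the escape counter is only a rough stand-in for the idea behind HTTP_EXCESSIVE_ESCAPES, not SA's implementation.

```python
import re
from ipaddress import IPv4Address
from urllib.parse import urlsplit, unquote

# Matches google.<tld> and google.<sld>.<tld>, e.g. google.com, google.com.ag, google.co.ck
GOOGLE_HOST = re.compile(r"^(?:www\.)?google\.[a-z]{2,}(?:\.[a-z]{2,})?$")
UNRESERVED = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-._~")

# Constructed samples modelled on the post; "abcde" and the landing path are placeholders
SAMPLE_URL = "http://google.com.ag/translate?u=%79%2e%61%68%6f%6f%2e%69%74/abcde?&hl=en"
SAMPLE_LANDING = "http://1427762013/2012/12/aBcDeFgHiJkLmNoP.html"

def needless_escapes(s):
    """Count %XX escapes that encode characters which never need escaping
    (rough stand-in for the HTTP_EXCESSIVE_ESCAPES idea, not SA's own test)."""
    return sum(1 for hx in re.findall(r"%([0-9A-Fa-f]{2})", s)
               if chr(int(hx, 16)) in UNRESERVED)

def translate_target(url):
    """If url is a Google Translate link, return its decoded 'u=' target, else None."""
    parts = urlsplit(url)
    if not GOOGLE_HOST.match(parts.hostname or "") or parts.path != "/translate":
        return None
    for pair in parts.query.split("&"):
        key, _, value = pair.partition("=")
        if key == "u":
            return unquote(value).rstrip("?")   # drop the stray '?' seen in the samples
    return None

def decimal_host_to_ip(host):
    """'1427762013' -> '85.25.235.93'; None if host is not a bare 32-bit decimal integer."""
    if not host.isdigit() or int(host) > 0xFFFFFFFF:
        return None
    return str(IPv4Address(int(host)))

def assess(url, landing=None):
    """Collect the indicators a filter could score on for a mail URL and where it lands."""
    hits = {}
    target = translate_target(url)
    if target is not None:
        hits["google_translate_redirect"] = target
    escapes = needless_escapes(url)
    if escapes >= 4:                      # threshold is an assumption for this example
        hits["excessive_escapes"] = escapes
    if landing:
        ip = decimal_host_to_ip(urlsplit(landing).hostname or "")
        if ip:
            hits["decimal_ip_landing"] = ip
    return hits

if __name__ == "__main__":
    print(assess(SAMPLE_URL, SAMPLE_LANDING))
```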



Re: new (?) Google Translate trick using URL Shorteners

Posted by John Hardin <jh...@impsec.org>.
On Mon, 10 Dec 2012, Chip M. wrote:

> John H:
> I'll send you a couple of raw corpses so you can wave your
> RE magic wand. :)

Sanka, but until samples start showing up in the masscheck corpus don't 
expect much good from SA...

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Activist: Someone who gets involved.
   Unregistered Lobbyist: Someone who gets involved with something
     the MSM doesn't approve of.                           -- WizardPC
-----------------------------------------------------------------------
  5 days until Bill of Rights day