Koozali.org formerly Contribs.org

Block message with Google redirect trick

CmdLn

Block message with Google redirect trick
« on: July 12, 2018, 09:10:09 AM »
Some of my users are receiving phishing mails that use a clever Google redirect trick. More or less it's a message with a link to www.google.com/#btnI=blaahblaahblaah which then redirects to the site blaahblah.

I want to block any messages containing www.google.com/#btnI=, which I tried to do with a custom spamassassin filter, but it seems to be ignored and I am not sure if this is an SME thing, a spamassassin thing, or my regex is wrong.

I added this to /etc/mail/spamassassin/local.cf

Code:
# An unescaped '#' starts a comment in SpamAssassin config files, even inside a rule's
# regex, so the original line was cut off at "/www\.google\.com\/" and the rule was never
# loaded. Write it as \#. A 'uri' rule is used instead of 'body' so that the href targets
# in HTML mail are checked too ('body' only sees the rendered text).
uri BODY_REDIRECT_TRICK /www\.google\.com\/\#btnI=/
score BODY_REDIRECT_TRICK 50

but it seems this is ignored or just wrong

CmdLn

Re: Block message with Google redirect trick
« Reply #1 on: July 13, 2018, 09:12:11 AM »
It seems like this should be possible according to https://wiki.contribs.org/Email#Custom_Rule_Scores but why isn't it working for me?

mmccarn
Re: Block message with Google redirect trick
« Reply #2 on: July 13, 2018, 02:47:47 PM »
Here are some notes I found on custom body rules: https://www.askdavetaylor.com/how_do_i_add_custom_spamassassin_rules_for_content_filtering/

From that:
- you might get better results using "rawbody" instead of "body"
- you might want to add "i" at the end of your regex: /www\.google\.com\/#btnI=/i

Other thoughts:
- If you look at the raw message source, are the URLs encoded somehow? If so, you may need to match on the encoded string instead of the decoded string
- You might want to test your rule using a test string then sending yourself some test emails from an outside account. Use a regex like "/thisisateststring/i", then send yourself emails with that string in the body to see what happens.
- I am unable to get any sample URL to redirect using the root address you've specified.  That is, none of these URLs does any sort of redirecting for me (in Firefox 61.01 on a mac):
http://www.google.com/#btnI=http%3A%2F%2Fbbc.co.uk%2Fnews
http://www.google.com/#btnI=http://bbc.co.uk/news
http://www.google.com/#btnI=bbc.co.uk/news
http://www.google.com/#btnI=bbc.co.uk

[edit]
The URLs above do not redirect using Safari 11.1.1 or Chrome 67.0.3396.99, either
« Last Edit: July 13, 2018, 02:51:29 PM by mmccarn »


mmccarn
Re: Block message with Google redirect trick
« Reply #4 on: July 16, 2018, 03:17:04 PM »
...Here is a real redirect if you want to see it in action. ...

http://www.google.com/#btnI=kffrddkelrvymfdowuaeofzxvwboqaginsdzbth-pisllmjocuyfkngpilczkeycerohuxqatwinjlwietqcqguyrsvpqpcannq-vyrzcffpuunkwaebnyvsjiwdsvzdublwuwyvqalexvmshvfqhpssvcwnfrumvwmtkvamlxwcrnnytdmxvgawqqo&q=nkmauwugoq&koo=qwwyvpnzttztnxyivsrxnmrhdgwgfgjzzpvxdl-kqczhsixheudfwbybeehpwaeqrqnazlqrgmppkwpmecmqvtesq-gtrepxhdjekajuygztkfqxiwnsjwdqxprhagzamrlwlyardeeaczpypgdrslwhpintxorpwipnkyajavssddmuielez

or this one I created myself

http://www.google.com/#btnI=0&q=wsl&koo=balito

I didn't touch the first one, but I tested your example and read up on the World Surf League. Wow. 

I also found Spam that bypasses the Google spam filter using a bug/feature in Google Search talking about the same thing.

For anyone else who has never seen this before - google's "#btnI" directive uses google's "I'm feeling lucky" to automatically select the top result returned by the specified query (&q=). I get the same behavior with or without "&koo=".

The google forum discussion linked above describes a scenario where a malicious actor created a unique domain name, then used that to serve malicious content once the new domain had been added to google's index.

- "#btnI" appears to be case sensitive; these don't work: "#btni", "#BtnI", "#BTNI"
- "btnI" does not need to be specified first, or as an anchor
- The "=0" appears to be optional

These URLs all return the Koozali wiki homepage for me:
http://www.google.com/#btnI&q=contribs.org&koo=idontknowwhatkoodoes
http://www.google.com/#btnI=&q=contribs.org
http://www.google.com/#btnI=0&q=contribs.org
http://www.google.com/#btnI=1&q=contribs.org
http://www.google.com/#btnI&q=contribs.org
http://www.google.com/search?q=contribs.org&btnI
http://www.google.com/search?btnI&q=contribs.org

Finding these with spamassassin will require matching on "#btnI", "?btnI" and "&btnI"... or I suppose "google.*btnI" if spamassassin regexes are confined to a single line and not the entire message body.

There is an existing spamassassin rule that appears to be related  -
Quote from: /usr/share/spamassassin/72_active.cf
##{ JM_I_FEEL_LUCKY

uri JM_I_FEEL_LUCKY         /(?:\&|\?)btnI=ec(?:$|\&)/
tflags JM_I_FEEL_LUCKY  publish     # low hitrate, but always a good sign
##} JM_I_FEEL_LUCKY

Checking existing emails now...
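The URL variants enumerated in the reply above can be turned into a small detector that is easy to test before touching local.cf. The following is an added example, not code from this thread or from SpamAssassin: it matches "btnI" as a parameter name after '#', '?' or '&' (case-sensitive, as the reply's tests suggest), decodes a quoted-printable text part the way a 'body' rule would see it, and also shows what SpamAssassin's comment handling does to a rule line containing an unescaped '#'. The message body, the hostname pattern and the function names are all assumptions made for the example.

```python
"""Detection logic for Google "I'm feeling lucky" (btnI) redirect URLs.

Added example, not code from the forum thread or from SpamAssassin.
The message body and all URLs below are constructed for the example.
"""
import base64
import quopri
import re
from typing import List

# Any URL-like token; quotes and angle brackets end it so an href="..."
# target inside HTML is captured on its own.
URL_RE = re.compile(r'https?://[^\s"\'<>]+')

# Host must be google.<tld> or google.<cc>.<tld>, with any subdomain.
GOOGLE_HOST_RE = re.compile(
    r'^https?://(?:[a-z0-9-]+\.)*google\.[a-z]{2,}(?:\.[a-z]{2})?(?:[/?#]|$)', re.I)

# "btnI" as a parameter name introduced by '#', '?' or '&', with or without
# a value.  No re.I flag: the thread's tests show "btni"/"BtnI" do not redirect.
LUCKY_PARAM_RE = re.compile(r'[#?&]btnI(?!\w)')

# Models SpamAssassin's config parsing: an unescaped '#' starts a comment,
# the likely reason the thread's original rule was ignored.  "\#" survives.
SA_COMMENT_RE = re.compile(r'(?<!\\)#.*$')


def is_lucky_redirect(url: str) -> bool:
    """True if url is a Google search URL carrying a btnI parameter."""
    return bool(GOOGLE_HOST_RE.match(url) and LUCKY_PARAM_RE.search(url))


def sa_strip_comment(line: str) -> str:
    """Return the part of a local.cf line that the config parser would keep."""
    return SA_COMMENT_RE.sub("", line).rstrip()


def decode_text_part(raw: bytes, transfer_encoding: str) -> str:
    """Decode a MIME text part as a SpamAssassin 'body' rule sees it.

    A 'rawbody' rule sees the still-encoded bytes instead, so with
    quoted-printable every '=' in a URL shows up as '=3D'.
    """
    enc = transfer_encoding.lower()
    if enc == "quoted-printable":
        data = quopri.decodestring(raw)
    elif enc == "base64":
        data = base64.b64decode(raw)
    else:
        data = raw
    return data.decode("utf-8", "replace")


def find_lucky_urls(raw: bytes, transfer_encoding: str = "quoted-printable") -> List[str]:
    """Return every btnI redirect URL found in a raw text part."""
    text = decode_text_part(raw, transfer_encoding)
    return [u for u in URL_RE.findall(text) if is_lucky_redirect(u)]


# Constructed quoted-printable body: one redirect link, one ordinary search
# link, and a lower-case "btni" variant that does not redirect.
SAMPLE_RAW_BODY = (
    b"Your account needs verification, open the link below:=0A=0A"
    b"http://www.google.com/#btnI=3D0&q=3Dwsl&koo=3Dbalito=0A=0A"
    b"Unrelated search: http://www.google.com/search?q=3Dcontribs.org=0A"
    b"Not a redirect: http://www.google.com/#btni=3D0&q=3Dwsl=0A"
)

if __name__ == "__main__":
    for url in find_lucky_urls(SAMPLE_RAW_BODY):
        print("btnI redirect:", url)
    print("parser keeps:", sa_strip_comment(r"body BODY_REDIRECT_TRICK /www\.google\.com\/#btnI=/"))
```

The parameter pattern carries over to a SpamAssassin 'uri' rule almost unchanged, with the one difference that the '#' inside the character class has to be written as '\#' so the config parser does not treat the rest of the line as a comment; the existing JM_I_FEEL_LUCKY rule quoted above avoids the problem by only matching the '?' and '&' forms.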