Thursday, December 30, 2010

CACHEREDIR Rule: Prevent Google cache redirector abuse

UPDATE: 2/2/2011 
Masscheck results indicate spammers have stopped abusing Google cache as a redirector about 3 weeks ago.  It appears that previous redirects already in the cache still work, but perhaps Google changed their system to prevent future redirects from getting into their cache.  We'll continue to keep an eye on this.

UPDATE: 1/6/2011 - now catches more variations

For the past month or more, spammers have been abusing Google's cache as a link redirector.  Normally, if a spammer includes links in the message body, it is easy to identify that message as spam because the domain of the URI is listed in the numerous URIBLs.  But by using Google cache as a redirector, the URI that appears in the message is a Google domain, so the message often sneaks past the URIBLs with a low overall score.  Read more for the custom rule syntax and analysis.

uri      CACHEREDIR m;^http://google\..{2,7}/search\?q=cache:[-\w]{12}:google;
describe CACHEREDIR URI pointing at Google cache
score    CACHEREDIR 2.00

Add this custom rule to your local.cf, then restart the spamd daemon.  On Fedora/RHEL, local.cf is located at /etc/mail/spamassassin/local.cf and spamd is restarted with service spamassassin restart.

http://ruleqa.spamassassin.org/20110101-r1054209-n/T_CACHEREDIR/detail
This rule has been tested in SpamAssassin's nightly masscheck and it seems to be very precise.  I do not believe any ham will hit this rule, as the spammers have been exclusively abusing what seem to be non-standard ccTLD Google domain names as cache redirectors instead of the usual webcache.googleusercontent.com URI.  Currently it appears that somewhere between 1% and 4% of spam is hitting this rule.  Roughly 30% of the messages hitting CACHEREDIR would otherwise score below 5 points, which is what makes this rule particularly effective.
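To see what the rule does and does not match, here is the same regex run as a small Python checker over two constructed message bodies (a spam-like one using ccTLD Google domains and a ham-like one using the ordinary webcache.googleusercontent.com form).  This is an added illustration, not code from the post or from SpamAssassin; the URI extractor and the sample cache IDs are made up for the demo.

```python
import re

# The CACHEREDIR "uri" rule from the post, translated to Python.  SpamAssassin
# applies a uri rule to every URI it extracts from the message body and adds
# the rule's score once if any URI matches.
CACHEREDIR = re.compile(r"^http://google\..{2,7}/search\?q=cache:[-\w]{12}:google")
CACHEREDIR_SCORE = 2.00

# Deliberately simple URI extractor (SpamAssassin's own is far more thorough);
# it stops at whitespace, quotes and angle brackets.
URI_RE = re.compile(r"""https?://[^\s<>"']+""")


def extract_uris(body):
    """Return every http(s) URI found in the message body, in order."""
    return URI_RE.findall(body)


def cacheredir_hits(body):
    """Return the URIs in the body that the CACHEREDIR rule matches."""
    return [uri for uri in extract_uris(body) if CACHEREDIR.search(uri)]


def cacheredir_score(body):
    """Score contribution of the rule: 2.00 if any URI hits, else 0."""
    return CACHEREDIR_SCORE if cacheredir_hits(body) else 0.0


# Constructed sample bodies (not real messages); the cache IDs are invented.
SAMPLE_SPAM = """Hi,
see http://google.com.vn/search?q=cache:Ab-CdEf_hIjK:google for details
or http://google.co.uk/search?q=cache:ZzYyXxWwVvUu:google instead
"""

# Ham-like body: the ordinary webcache host, a www.google.com search, and a
# cache link whose ID is the wrong length; none of these should hit.
SAMPLE_HAM = """Cached copy: http://webcache.googleusercontent.com/search?q=cache:AbCdEfGhIjKl:www.example.com/
Search: http://www.google.com/search?q=spamassassin+rules
Short ID: http://google.com/search?q=cache:tooshort:google
"""

if __name__ == "__main__":
    for name, body in (("spam", SAMPLE_SPAM), ("ham", SAMPLE_HAM)):
        print(name, cacheredir_score(body), cacheredir_hits(body))
```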

I suspect that Google will eventually do something to prevent spammers from taking advantage of their cache in this abusive manner.  But until then this rule should be effective in your local.cf.  This blog will notify users when it is time to remove this rule from your local SA config.
