....................................../////.===Shadow-Here===./////................................................ > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < ------------------------------------------------------------------------------------------------------------------- /////////////////////////////////////////////////////////////////////////////////////////////////////////////////// RIFF¤ WEBPVP8 ˜ ðÑ *ôô>‘HŸK¥¤"§£±¨àð enü¹%½_F‘åè¿2ºQú³íªú`N¿­3ÿƒügµJžaÿ¯ÿ°~¼ÎùnúîÞÖô•òíôÁÉß®Sm¥Ü/ ‡ó˜f£Ùà<˜„xëJ¢Ù€SO3x<ªÔ©4¿+ç¶A`q@Ì“Úñè™ÍÿJÌ´ª-˜ÆtÊÛL]Ïq*‘Ý”ì#ŸÌÏãY]@ê`¿ /ªfkØB4·®£ó z—Üw¥Pxù–ÞLШKÇN¾AkÙTf½è'‰g gÆv›Øuh~ a˜Z— ïj*á¥t d£“uÒ ¨`K˜¹ßþ]b>˜]_ÏÔ6W—è2r4x•íÖ…"ƒÖNîä!¦å Ú}ýxGøÌ —@ ;ÆÚŠ=ɾ1ý8lªË¥ô ^yf®Œ¢u&2©nÙÇ›ñÂñŒ³ aPo['½»øFùà­+4ê“$!lövlüÞ=;N®3ð‚õ›DÉKòÞ>ÄÍ ¥ˆuߤ#ˆ$6ù™¥îЇy’ÍB¼ çxÛ;X"WL£R÷͝*ó-¶Zu}º.s¸sšXqù–DþÿvªhüïwyŸ ¯é³lÀ:KCûÄ£Ëá\…­ ~—ýóî ¼ûûÜTÓüÇy…ŽÆvc»¾×U ñ¸žþоP÷¦ó:Ò¨¨5;Ð#&#ÖúñläÿÁœ GxÉ­/ñ‡áQðìYÉtÒw޼GÔ´zàÒò ð*ëzƒ•4~H]Ø‹f ñÓÈñ`NåWçs'ÆÏW^ø¹!XžµmQ5ÃËoLœÎ: ÞËÍ¥J ù…î èo£ßPÎñ¶ž8.Œ]ʵ~5›ÙË-ù*8ÙÖß±~ ©¹rÓê‚j¶d¸{^Q'˜±Crß ÚH—#¥¥QlÀ×ëã‡DÜ«èî þ&Çæžî;ŽÏºò6ÒLÃXy&ZŒ'j‚¢Ù€IßÚù+–MGi‰*jE€‘JcÜ ÓÌ EÏÚj]o˜ Þr <¾U ûŪæÍ/šÝH¥˜b”¼ ÁñßX GP›ï2›4WŠÏà×£…íÓk†¦H·ÅíMh–*nó÷à]ÁjCº€b7<ب‹¨5車bp2:Á[UªM„QŒçiNMa#<5›áËó¸HýÊ"…×Éw¹¦ì2º–x<›»a±¸3Weü®FÝ⑱ö–î–³|LPÈ~çð~Çå‡|º kD¢µÏàÆAI %1À% ¹Ò – ”ϝS¦‰4&¶£°à Öý”û_Ò Áw°A«Å€?mÇÛgHÉ/8)á¾ÛìáöŽP í¨PŸNÙµº¦‡§Ùš"ÿ«>+ªÕ`Ê÷‡‚ß Õû˜þãÇ-PÍ.¾XV‘€ dÜ"þ4¹ ±Oú‘©t¥¦FªÄÃÄ•b‚znýu½—#cDs˜ÃiÑOˆñ×QO=*IAÊ,¶ŽZƒ;‡wøXè%EÐk:F±Ú” .Ѽ+Áu&Ç`."pÈÉw o&¿dE6‘’EqTuK@Ì¥ã™À(Êk(h‰,H}RÀIXÛš3µ1©_OqÚÒJAñ$ÊÙÜ;D3çŒ[þùœh¬Ã³™ö6ç†NY".Ú‰ï[ªŸŒ '²Ð öø_¨ÂÉ9ué¶³ÒŠõTàîMØ#û¯gN‡bÙ놚X„ö …ÉeüÌ^J ‹€.œ$Æ)βÄeæW#óüßĺŸ€ ÀzwV 9oä»f4V*uB «Ë†¹ì¯žR霓æHXa=&“I4K;¯ç‹h×·"UŠ~<•╪Vêª&ÍSÃÆÅ?ÔqÎ*mTM ˜›µwêd#[C¡©§‘D<©àb†–ÁœøvH/,í:¯( ²£|4-„Æövv„Yͼ™^Á$ˆ„¢Û[6yB.åH*V¨æ?$=˜Ñ€•ñ·­(VlŸ‘ nÀt8W÷´Bûba?q9ú¶Xƒl«ÿ\ù¶’þòUÐj/õ¢Ìµ³g$ƒÎR!¸»|Oߍë’BhîÚÑ¢ñåŒJ„®„£2Ð3•ô02Nt…!£Í]Ïc½Qÿ?ˆ<&ÃA¾Ú,JˆijÌ#5yz„‰Î|ÊŽ5QÏ:‹ÐaóVÔxW—CpeÏzÐïíçôÿÅ_[hãsÐ_/ŽTÝ?BîˆííV$<¿i>²F¬_Eß¿ †bÊŒº­ÿ®Z H“C}”¬,Mp 
ý/Bá£w>˜YV°aƒúh+cŠ- r/[%|üUMHäQ°X»|û/@|°¥Ð !BÔ Ç¢Ä©š+Õì D«7ìN¶ŽðÔ " ƶ’ÖçtA‰Û×}{tþz­¾GÍ›k¹OEJR$ Â׃ «ëÁ"oÉôž$oUK(Ä)Ãz³Ê-‹êN[Ò3Œñbï8P 4ƒ×q¢bo|?<ÛX¬òÄͰL–±›(™ûG?ýË©ÚÄ–ÂDØÐ_Ç¡ô ¾–ÄÏø ×e8Ë©$ÄF¹Å‹ì[©óìl:F¾f´‹‹Xì²ï®\¬ôùƒ ÿat¥óèÒùHß0äe‚;ü×h:ÆWðHž=Ã8骣"kœ'Y?³}Tûè€>?0l›e1Lòñ„aæKÆw…hÖŠùW…ÈÆÄ0ši·›[pcwËþñiêíY/~-Á5˜!¿†A›™Mÿþ(±“t@â“ö2­´TG5yé]çå僳 .·ÍïçÝ7UÚ±Ð/Nè»,_Ï ùdj7\ï Wì4›„»c¸àešg#ÒÊ⥭áØo5‘?ÌdÝô¯ ¹kzsƒ=´#ëÉK›Ø´±-¥eW?‡çßtòTã…$Ý+qÿ±ƒ÷_3Ô¥í÷:æ–ž<·Ö‡‰Å¢ š‡%Ô—utÌÈìðžgÖÀz²À—ï÷Óîäõ{K'´È÷³yaÏÁjƒô}ž§®æÊydÕÈë5¯èˆõvÕ©ã*çD„ “z„Ó‡^^xÂ3M§A´JG‚öï 3W'ˆ.OvXè¡ÊÕª?5º7†˜(˜Ç¶#çê’¶!ÌdZK§æ 0fãaN]òY³RV ™î$®K2R¨`W!1Ôó\;Ý ýB%qæK•&ÓÈe9È0êI±žeŸß -ú@žQr¦ ö4»M¼Áè¹µmw 9 EÆE_°2ó„ŸXKWÁ×Hóì^´²GѝF©óäR†¦‰ç"V»eØ<3ùd3ÿÚ¤Žú“Gi" —‘_ÙËÎ~Üö¯¥½Î»üŸEÚŽåmÞþí ;ÞólËΦMzA"Âf(´òá;Éï(/7½ûñÌ­cïÕçлþÝz¾-ÍvÑ“pH­–ðÓj$¸Äû¤‚‘ãUBË-n“2åPkS5&‹Â|+g^œ®Ì͆d!OïäîU«c;{Û!ÅŽ«ëZ9Ókóˆ]¯ƒ›né `ÇÒ+tÆš (ØKá¾—=3œ®•vuMñg²\ï Ec€ 05±d™‡×iÇ×›UúvÌ¢£Èþ¡ÕØô¶ßÎA"ß±#Ö²ˆÊŸ¦*Ä~ij|àø.-¼'»Ú¥£h ofº¦‡VsR=N½„Î v˜Z*SÌ{=jÑB‹tê…;’HžH¯8–îDù8ñ¢|Q•bÛçš–‹m³“ê¨ åÏ^m¬Žãþ©ïêO‡½6] µÆ„Ooòü ²x}N¦Ë3ïé¿»€›HA˜m%çÞ/¿í7Fø“‹léUk)É°Œµ8Q8›:ÀŠeT*šõ~ôڝG6 ¢}`ùH­–”¡k ‰P1>š†®9z11!X wKfmÁ¦xÑ,N1Q”–æB¶M…ÒÃv6SMˆhU¬ÊPŽï‘öj=·CŒ¯u¹ƒVIЃsx4’ömÛýcå¡¶7ßŠß 57^\wÒÐÆ k§h,Œý î«q^R½3]J¸ÇðN ‚çU¬ôº^Áì} ³f©Õœ§ˆã:FÄÈ‚é(€™?àýÓüè1Gô£¼éj‚OÅñ  #>×—ßtà 0G¥Åa뀐kßhc™À_ÉñÞ#±)GD" YîäË-ÿÙ̪ ¹™a¯´¢E\ÝÒö‚;™„ë]_ p8‰o¡ñ+^÷ 3‘'dT4œŽ ðVë½° :¬víÑ«£tßÚS-3¶“þ2 †üüʨòrš¹M{É_¤`Û¨0ìjœøJ‡:÷ÃáZ˜†@GP&œÑDGÏs¡þ¦þDGú‘1Yá9Ôþ¼ ûø…§÷8&–ÜÑnÄ_m®^üÆ`;ÉVÁJ£?â€-ßê}suÍ2sõA NÌúA磸‘îÿÚ»ƒìö·á¿±tÑÐ"Tÿü˜[@/äj¬€uüªìù¥Ý˜á8Ý´sõj 8@rˆð äþZÇD®ÿUÏ2ùôõrBzÆÏÞž>Ì™xœ“ wiÎ×7_… ¸ \#€MɁV¶¥üÕÿPÔ9Z‡ø§É8#H:ƒ5ÀÝå9ÍIŒ5åKÙŠ÷qÄ>1AÈøžj"µÂд/ªnÀ qªã}"iŸBå˜ÓÛŽ¦…&ݧ;G@—³b¯“•"´4í¨ôM¨åñC‹ïùÉó¯ÓsSH2Ý@ßáM‡ˆKÀªÛUeø/4\gnm¥‹ŸŒ qÄ b9ÞwÒNÏ_4Ég³ú=܆‚´ •â¥õeíþkjz>éÚyU«Íӝ݃6"8/ø{=Ô¢»G¥ äUw°W«,ô—¿ãㆅү¢³xŠUû™yŒ (øSópÐ 9\åTâ»—*oG$/×ÍT†Y¿1¤Þ¢_‡ ¼ „±ÍçèSaÓ 3ÛMÁBkxs‰’R/¡¤ˆÙçª(*õ„üXÌ´ƒ E§´¬EF"Ù”R/ÐNyÆÂ^°?™6¡œïJ·±$§?º>ÖüœcNÌù¯G ‹ñ2ЁBB„^·úìaz¨k:#¨Æ¨8LÎõލ£^§S&cŒÐU€ü(‡F±Š¼&P>8ÙÁ ‰ p5?0ÊÆƒZl¸aô š¼¡}gÿ¶zÆC²¹¬ÎÖG*HB¡O<º2#ñŒAƒ–¡B˜´É$¥›É:FÀÔx¾u?XÜÏÓvN©RS{2ʈãk9rmP¼Qq̳ è¼ÐFׄ^¡Öì 
fE“F4A…!ì/…¦Lƒ… … $%´¾yã@CI¬ á—3PþBÏNÿ<ý°4Ü ËÃ#ØÍ~âW«rEñw‹eùMMHß²`¬Öó½íf³:‹k˜¯÷}Z!ã¿<¥,\#öµÀ¯aÒNÆIé,Ћ–lŽ#Àæ9ÀÒS·I’½-Ïp Äz¤Š Â* ­íÄ9­< h>׍3ZkËU¹§˜ŒŠ±f­’¤º³Q ÏB?‹#µíÃ¥®@(Gs«†vI¥Mµ‹Á©e~2ú³ÁP4ìÕi‚²Ê^ö@-DþÓàlÜOÍ]n"µã:žpsŽ¢:! Aõ.ç~ÓBûH÷JCÌ]õVƒd «ú´QÙEA–¯¯Œ!.ˆˆëQ±ù œ·Ì!Õâ )ùL„ÅÀlÚè5@B…o´Æ¸XÓ&Û…O«˜”_#‡ƒ„ûÈt!¤ÁÏ›ÎÝŠ?c9 â\>lÓÁVÄÑ™£eØY]:fÝ–—ù+p{™ðè û³”g±OƒÚSù£áÁÊ„ä,ï7š²G ÕÌBk)~ÑiCµ|h#u¤¶îK¨² #²vݯGãeÖ϶ú…¾múÀ¶þÔñ‚Š9'^($¤§ò “š½{éúp÷J›ušS¹áªCÂubÃH9™D™/ZöØÁ‡¦ÝÙŸ·kð*_”.C‹{áXó€‡c¡c€§/šò/&éš÷,àéJþ‰X›fµ“C¨œ®r¬"kL‰Â_q…Z–.ÉL~O µ›zn‚¹À¦Öª7\àHµšÖ %»ÇníV[¥*Õ;ƒ#½¾HK-ÖIÊdÏEÚ#=o÷Óò³´Š: Ç?{¾+9›–‘OEáU·S€˜j"ÄaÜ ŒÛWt› á–c#a»pÔZÞdŽtWê=9éöÊ¢µ~ ë ;Öe‡Œ®:bî3±ýê¢wà¼îpêñ¹¾4 zc¾ðÖÿzdêŒÑÒŝÀ‰s6¤í³ÎÙB¿OZ”+F¤á‡3@Ñëäg©·Ž ˆèª<ù@É{&S„œÕúÀA)‰h:YÀ5^ÂÓŒ°õäU\ ùËÍû#²?Xe¬tu‰^zÒÔãë¼ÛWtEtû …‚g¶Úüâî*moGè¨7%u!]PhÏd™Ý%Îx: VÒ¦ôÊD3ÀŽKÛËãvÆî…N¯ä>Eró–ð`5 Œ%u5XkñÌ*NU%¶áœÊ:Qÿú»“úzyÏ6å-၇¾ ´ ÒÊ]y žO‘w2Äøæ…H’²f±ÎÇ.ª|¥'gîV•Ü .̘¯€šòü¤U~Ù†*¢!?ò wý,}´°ÔÞnïoKq5µb!áÓ3"vAßH¡³¡·G(ÐÎ0Îò¼MG!/ài®@—¬04*`…«é8ªøøló“ˆÊ”èù¤…ßÊoÿé'ËuÌÖ5×È¡§ˆˆfŽë9}hìâ_!!¯  B&Ëö¶‰ÀAÙNVŸ Wh›¸®XÑJì¨ú“¿÷3uj²˜¨ÍÎìë±aúŠÝå¯ð*Ó¨ôJ“yºØ)m°WýOè68†ŸÏ2—‰Ïüꪫٚ¥‹l1 ø ÏÄFjêµvÌbü¦èÝx:X±¢H=MÐß—,ˆÉÇ´(9ú¾^ÅÚ4¿m‡$âX‘å%(AlZo@½¨UOÌÕ”1ø¸jÎÀÃÃ_ µ‘Ü.œº¦Ut: Æï’!=¯uwû#,“pþÇúŒø(é@?³ü¥‘Mo §—s@Œ#)§ŒùkL}NOÆêA›¸~r½¼ÙA—HJ«eˆÖ´*¡ÓpÌŸö.m<-"³ûÈ$¬_6­åf£ïÚâj1y§ÕJ½@dÞÁr&Í\Z%D£Íñ·AZ Û³øüd/ªAi†/Й~  ‡âĮҮÏh§°b—›Û«mJžòG'[ÈYýŒ¦9psl ýÁ ®±f¦x,‰½tN ‚Xª9 ÙÖH.«Lo0×?͹m¡å†Ѽ+›2ƒF ±Ê8 7Hցϓ²Æ–m9…òŸï]Â1äN†VLâCˆU .ÿ‰Ts +ÅÎx(%¦u]6AF Š ØF鈄‘ |¢¶c±soŒ/t[a¾–û:s·`i햍ê›ËchÈ…8ßÀUÜewŒðNOƒõD%q#éû\9¤x¹&UE×G¥ Í—™$ð E6-‡¼!ýpãÔM˜ Âsìe¯ñµK¢Ç¡ùôléœ4Ö£”À Š®Ðc ^¨À}ÙËŸ§›ºê{ÊuÉC ×Sr€¤’fÉ*j!úÓ’Gsùìoîßîn%ò· àc Wp÷$¨˜)û»H ×8ŽÒ€Zj¤3ÀÙºY'Ql¦py{-6íÔCeiØp‘‡XÊîÆUߢ܂ž£Xé¼Y8þ©ëgñß}é.ÎógÒ„ÃØËø¯»™§Xýy M%@NŠ À(~áÐvu7&•,Ù˜ó€uP‡^^®=_E„jt’ 403WebShell
Current File : /etc/mail/spamassassin//KAM_redirectors.cf
#KAM GOOGLE SPAM
# Sub-rule (double-underscore name, referenced by meta rules further down):
# the URI is a Google link of the form google.<tld>/url?q=... or
# google.<tld>/amp/[s/]...
# NOTE(review): ".{2,6}" accepts any 2-6 characters after "google.", not only
# a TLD, so the host part is matched loosely - confirm this is intended.
uri           __KAM_GOOGLE_REDIR      /^https?:\/\/(?:www\.)?google\..{2,6}\/(?:url\?q=|amp\/(?:s\/)?)/i

# Sub-rule: Facebook "sharer" link. The GB_GEN_REDIR_URL metas in this file
# negate it so that share links are not counted as redirectors.
uri           __FACEBOOK_SHARER      m;https?://(?:www\.)?facebook\.com/sharer/sharer\.php;i

if (version >= 4.000000)
  ifplugin Mail::SpamAssassin::Plugin::Redirectors
    # Settings read by the Redirectors plugin (this branch is only active when
    # the plugin is loaded).
    # NOTE(review): the timeout unit is not stated here - presumably seconds.
    # NOTE(review): presumably the plugin contacts the redirector hosts listed
    # below to find out where a link leads. If so, scanning a message makes the
    # filter issue outbound requests to URLs chosen by the sender: restrict the
    # scanner's egress, and check that the lookup cannot be used to confirm
    # delivery through per-recipient tracking links. Confirm against the plugin
    # documentation.
    url_redirector_timeout 2
    # Parameter names whose value is captured by "(.*)" - presumably taken as
    # the redirect target.
    # NOTE(review): the capture is greedy and the names are not anchored to
    # "?" or "&", so short names (h, l, r, u) can also match the tail of a
    # longer parameter name - verify how the plugin applies this pattern.
    url_redirector_params (?:adurl|af_web_dp|cm_destination|continue|destination|destURL|goto|h|l|login|location|p1|pval|r|redir|redirect|redirectTo|ret_url|return|returnUrl|referer|service|target|tid|u|url)=(.*)

    url_redirector .allaincemh.com
    url_redirector .australia4wdrentals.com
    url_redirector .awstrack.me
    url_redirector .benchurl.com
    url_redirector .blob.core.windows.net
    url_redirector .cc.rs6.net
    url_redirector .exactag.com
    url_redirector .hosted.phplist.com
    url_redirector .href.li
    url_redirector .maverickcrm.com
    url_redirector .msn.com
    url_redirector .msn.com.br
    url_redirector .protection.sophos.com
    url_redirector .yandex.net
    url_redirector .yandex.ru
    url_redirector auctiva.com
    url_redirector bing.com
    url_redirector cdn.dragon.cere.network
    url_redirector channelchief.varindia.com
    url_redirector clickeu.crmact.com
    url_redirector email.mail.bloom.io
    url_redirector email.mg.evista.hu
    url_redirector flac24bitsearch.com
    url_redirector iplogger.com
    url_redirector link.sowl.to
    url_redirector links.e.shopmyexchange.com
    url_redirector linklock.titanhq.com
    url_redirector mccarthysearch.com
    url_redirector post.spmailtechnolo.com
    url_redirector_get .pstmrk.it
    url_redirector_get docsend.com
    url_redirector_get email.idxhome.co
    url_redirector_get followup.cc
    url_redirector_get google.ae
    url_redirector_get google.al
    url_redirector_get google.be
    url_redirector_get google.ca
    url_redirector_get google.co.ls
    url_redirector_get google.co.uk
    url_redirector_get google.com
    url_redirector_get google.com.af
    url_redirector_get google.com.ag
    url_redirector_get google.com.cu
    url_redirector_get google.cz
    url_redirector_get google.de
    url_redirector_get google.es
    url_redirector_get google.it
    url_redirector_get googleadservices.com
    url_redirector_get hdaud.io
    url_redirector_get linksmail.geosolinc.com
    url_redirector_get t.nypost.com

    # Rules backed by eval functions (presumably provided by the Redirectors
    # plugin, since they sit inside its ifplugin block).
    # Generic hit: a redirected URL was found; the meta excludes Facebook
    # sharer links.
    body __GEN_REDIR_URLB          eval:redir_url()
    meta GB_GEN_REDIR_URL          __GEN_REDIR_URLB && !__FACEBOOK_SHARER
    describe GB_GEN_REDIR_URL      Message has one or more redirected URLs
    score GB_GEN_REDIR_URL         0.5

    # A redirector that points at another redirector.
    body GB_REDIR_URL_CHAINED      eval:redir_url_chained()
    describe GB_REDIR_URL_CHAINED  Message has redirected URL chained to other redirectors
    score GB_REDIR_URL_CHAINED     0.5

    # Scored 0.001: the hit is recorded but adds almost nothing to the total.
    body GB_REDIR_URL_MAXCHAIN     eval:redir_url_maxchain()
    describe GB_REDIR_URL_MAXCHAIN Message has redirected URL that causes too many redirections
    score GB_REDIR_URL_MAXCHAIN    0.001

    # Scored 0.001, same as the max-chain rule above.
    body GB_REDIR_URL_LOOP         eval:redir_url_loop()
    describe GB_REDIR_URL_LOOP     Message has redirected URL that loops back to itself
    score GB_REDIR_URL_LOOP        0.001

    # meta rule for generic redirector
    # In this branch "any redirector" is only the generic hit; the chained,
    # max-chain and loop rules are not part of it.
    meta            __GB_ANY_REDIR          GB_GEN_REDIR_URL
    describe        __GB_ANY_REDIR          Redirector found
else
    # Fallback used when the Redirectors plugin is not loaded: static patterns.
    # A Google redirect link scores unless the message looks like a Google
    # Calendar notification (From address, or a mailto: link to that address).
    # NOTE(review): both exemptions are satisfied by content the sender
    # controls (the From header and a link in the message), and neither
    # pattern is anchored. Consider also requiring a passing authentication
    # result for google.com (for example the stock DKIM_VALID_AU rule) before
    # exempting - confirm that rule is enabled on this install.
    header          __GB_FROM_GCAL0         From:addr =~ /calendar\-notification\@google\.com/
    uri             __GB_FROM_GCAL1         /mailto\:calendar\-notification\@google\.com/
    meta            KAM_GOOGLE_REDIR        ( __KAM_GOOGLE_REDIR && !__GB_FROM_GCAL0 && !__GB_FROM_GCAL1 )
    # meta          KAM_GOOGLE_REDIR        __KAM_GOOGLE_REDIR 
    describe        KAM_GOOGLE_REDIR        Use of Google redir
    score           KAM_GOOGLE_REDIR        1.5

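    # In the six rules below every "." that belongs to a host name or file
    # name is escaped. An unescaped "." matches any character, so the previous
    # patterns also matched look-alike hosts (one different character in place
    # of a dot). Escaping only narrows each rule to the literal name.

    #MSN Brasil REDIRECTOR - Known exploit since at least 2007!! http://www.xssed.com/mirror/14129/
    # Not anchored: matches the path anywhere in the URI.
    uri             KAM_MSNBR_REDIR         /g\.msn\.com\.br\/BR9\/1369\.0/i
    describe        KAM_MSNBR_REDIR         Use of MSN Brasil Redirector for Spam seen in 2011
    score           KAM_MSNBR_REDIR         5.0

    # Adobe redirector
    # Adobe Campaign tracking host with an id of 8-24 characters followed by p1=.
    uri             GB_ADOBE_REDIR          m|^https?://\w+\-rt\-prod\d+\-t\.campaign\.adobe\.com/r/\?id=.{8,24}&p1=|i
    describe        GB_ADOBE_REDIR          Adobe redirector
    score           GB_ADOBE_REDIR          1.5

    # Bing redirector
    # bing.com/ck/a click link with a p= token of 32-128 characters.
    uri             GB_BING_REDIR           m|^https?://(?:www\.)?bing\.com/ck/a\?!&&p=.{32,128}&ptn=\d+&|i
    describe        GB_BING_REDIR           Microsoft Bing redirector
    score           GB_BING_REDIR           1.5

    # Bizzabo redirector
    # Token-verification endpoint that carries a redirectUrl= parameter.
    uri             GB_BIZZABO_REDIR        m|^https?://events\.bizzabo\.com/auth/emailAssociatedLogin/verifyTokenAndRedirect\?token=.{10,128}&redirectUrl=|i
    describe        GB_BIZZABO_REDIR        Bizzabo redirector
    score           GB_BIZZABO_REDIR        1.5

    # Windows redirector
    # HTML page on a *.blob.core.windows.net host with a fragment of the
    # form #xx/12345_md/<digits>/. "\#" is escaped so the rest of the line is
    # not read as a comment.
    uri             GB_WINDOWS_REDIR        m|^https?://\w+\.blob\.core\.windows\.net/\w+/\w+\.html?\#\w{2}/\d{5}_md/\d+/|i
    describe        GB_WINDOWS_REDIR        Windows redirector
    score           GB_WINDOWS_REDIR        4.5

    # Disq.us redirector
    # disq.us link whose url= parameter is itself an http(s) URL.
    uri             GB_DISQUS_REDIR         m|^https?://(?:www\.)?disq\.us/?\?url=https?:|i
    describe        GB_DISQUS_REDIR         Disq.us redirector
    score           GB_DISQUS_REDIR         1.5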

    # Yandex redirector
    uri             GB_YANDEX_REDIR         m;^https?://[^/]*sba\.yandex\.(?:net|ru)/redirect\?;i
    describe        GB_YANDEX_REDIR         Yandex redirect used to obscure spamvertised website
    score           GB_YANDEX_REDIR         1.5

    # Flashtalking redirector
    uri             GB_FLASHTALK_REDIR      m;^https?://servedby\.flashtalking\.com/click/.{16,256}&url=https?://;i
    describe        GB_FLASHTALK_REDIR      Flashtalking redirector
    score           GB_FLASHTALK_REDIR      1.5

    # RetailRocket redirector
    uri             GB_RETAILROCKET_REDIR   m;^https?://clickproxy\.retailrocket\.net/\?url\.aspx.{1,32}url=http;i
    describe        GB_RETAILROCKET_REDIR   RetailRocket redirector
    score           GB_RETAILROCKET_REDIR   1.5

    # ShopMyExchange redirector
    uri             GB_SHOPMYEXC_REDIR      m;^https?://links\.e\.shopmyexchange\.com/.{4,128}&kd=;i
    describe        GB_SHOPMYEXC_REDIR      ShopMyExchange redirector
    score           GB_SHOPMYEXC_REDIR      1.5

    # Allaincemh redirector
    uri             GB_ALLAINCEMH_REDIR     m;^https?://url\d+\.allaincemh\.com/ls/click\?;i
    describe        GB_ALLAINCEMH_REDIR     Allaincemh redirector
    score           GB_ALLAINCEMH_REDIR     1.5

    # Bloom.io redirector
    uri             GB_BLOOMIO_REDIR        m;^https?://email\.mail\.bloom\.io/c/.{256,512};i
    describe        GB_BLOOMIO_REDIR        bloom.io redirector
    score           GB_BLOOMIO_REDIR        1.5

    # Dell redirector
    uri             GB_DELL_REDIR           m;^https?://\w\.\w{2}\.home\.dell\.com/r/\?.{8,128}\&p1=;i
    describe        GB_DELL_REDIR           Dell redirector
    score           GB_DELL_REDIR           1.5

    # Oneclick redirector
    uri             GB_ONECLICK_REDIR       m;^https?://go\.onelink\.me/\d+\?pid=InProduct.{16,128}&af_web_dp=https?://;i
    describe        GB_ONECLICK_REDIR       Oneclick redirector
    score           GB_ONECLICK_REDIR       1.5

    # Powerobjects redirector
    uri             GB_POWEROBJECTS_REDIR   m;^https?://pocloudcentral\.crm\.powerobjects\.net/PowerEmailWebsite/GetUrl\d+\.aspx\?.{16,128}\&pval=https?://;i
    describe        GB_POWEROBJECTS_REDIR   Powerobjects redirector
    score           GB_POWEROBJECTS_REDIR   1.5

    # Kmail-lists redirector
    uri             GB_KMAIL_LISTS_REDIR    m;^https?://manage\.kmail\-lists\.com/subscriptions/subscribe/update\?.{16,128}&r=https?;i
    describe        GB_KMAIL_LISTS_REDIR    Kmail-lists redirector
    score           GB_KMAIL_LISTS_REDIR    1.5

    # Emlnk redirector
    uri		GB_EMLNK_REDIR		m;^https?://\w+\.\w+\.emlnk\.com/Prod/link\-tracker\?.{4,64}&redirectUrl=;i
    describe	GB_EMLNK_REDIR		Emlnk redirector
    score		GB_EMLNK_REDIR		1.5

    # Benchurl redirector
    uri		GB_BENCH_REDIR		m;^https?://clt\d{4,16}\.benchurl\.com/c/l\?.{8,64}&email\=;i
    describe	GB_BENCH_REDIR		Benchurl redirector
    score		GB_BENCH_REDIR		1.5

    # Originsmarket redirector
    uri             GB_ORIGINSMARKET_REDIR  m;https?://sp\-track\.originsmarket\.com\.au/api/v1/track/click/\d+/\d+/.{32,64}\?redirecturl=https?://;i
    describe        GB_ORIGINSMARKET_REDIR  Originsmarket redirector
    score           GB_ORIGINSMARKET_REDIR  1.5

    # Contactmonkey redirector
    uri		GB_CONTACTMONKEY_REDIR		m;^https?://contactmonkey\.com/api/v1/tracker.{32,256}\&cm_destination=https?://;i
    describe	GB_CONTACTMONKEY_REDIR		Contactmonkey redirector
    score		GB_CONTACTMONKEY_REDIR		1.5

    # Turkmenportal redirector
    uri		GB_TURKMEN_REDIR	m;^https?://turkmenportal\.com/\w{2}/banner/\w/leave\?url=(?:https?:)?//;i
    describe	GB_TURKMEN_REDIR	Turkmenportal redirector
    score		GB_TURKMEN_REDIR	1.5

    # Zafos redirector
    uri		GB_ZAFOS_REDIR		m;^https?://zafos\.com/app/newsletter/tracklink\?.{8,32}\&tid=https?://;i
    describe	GB_ZAFOS_REDIR		Zafos redirector
    score		GB_ZAFOS_REDIR		1.5

    # SleadTrack redirector
    uri		GB_SLEAD_REDIR		m;^https?://click\.sleadtrack\.com/link\?.{32,128}\&url=https?;i
    describe	GB_SLEAD_REDIR		SleadTrack redirector
    score		GB_SLEAD_REDIR		1.5

    # editions-legislatives.fr redirector
    uri		GB_EDLEG_REDIR		m;^https?://\w{2}\.\w{1}\.editions\-legislatives\.fr/r/\?.{16,64}\&p1=\w+\.\w+;i
    describe	GB_EDLEG_REDIR		editions-legislatives.fr redirector
    score		GB_EDLEG_REDIR		1.5

    # Exactag redirector
    uri		GB_EXACTAG_REDIR	m;^https?://(?:m\.|www\.)?exactag\.com/ai\.aspx\?.{8,64}&url=;i
    describe	GB_EXACTAG_REDIR	Exactag redirector
    score		GB_EXACTAG_REDIR	1.5

    # Awstrack redirector
    uri		GB_AWSTRACK_REDIR	m;^https?://\w+\.\w\.[a-z0-9-]+\.awstrack\.me/\w{2}/https?:;i
    describe	GB_AWSTRACK_REDIR	Awstrack redirector
    score		GB_AWSTRACK_REDIR	1.5

    # Vnuspa redirector
    uri		GB_VNUSPA_REDIR		m;^https?://(?:www\.)?vnuspa\.org/\w{2}/go\.php\?url=https?://;i
    describe	GB_VNUSPA_REDIR		Vnuspa redirector
    score		GB_VNUSPA_REDIR		1.5

    # Lnks redirector
    uri		GB_LNKS_REDIR		m;^https?://lnks\.io/r\.php\?.{16,128}\&destURL=https?;i
    describe	GB_LNKS_REDIR		Lnks redirector
    score		GB_LNKS_REDIR		1.5

    # 3D Model Space redirector
    # ad.jsp link whose l= parameter starts with "https".
    # NOTE(review): "(?:www\.)" has no "?" here, so only the www. host matches;
    # the neighbouring rules use "(?:www\.)?". Confirm whether the bare domain
    # should match as well.
    uri		GB_3DMODEL_REDIR	m;^https?://(?:www\.)3dmodelspace\.com/ad\.jsp\?.{4,16}\&l=https;i
    describe	GB_3DMODEL_REDIR	3D Model Space redirector
    score		GB_3DMODEL_REDIR	1.5

    # Generic Php redirector
    uri             GB_PHP_REDIR            /\.php\?.{0,128}url=https?\:\/\//
    describe        GB_PHP_REDIR            Php redirector
    score           GB_PHP_REDIR            1.0

    # href.li abused redirector
    uri             GB_HREF_LI_REDIR        m;https?://href\.li/\??https?://;i
    describe        GB_HREF_LI_REDIR        Href.li abused redirector
    score           GB_HREF_LI_REDIR        2.5

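    # Reputation lookups for the host behind Google redirect links. Needs
    # named-capture support in rules plus the AskDNS plugin.
    # The version test repeats the enclosing one; it is kept so the block stays
    # guarded if it is ever moved out of that scope.
    #
    # Operational notes:
    #  - each hit sends <captured host>.wild.pccc.com to DNS, which discloses
    #    the linked host names to the resolvers used and to the zone operator;
    #  - one 127.0.0.4 answer is worth 9.0 points, so the outcome depends on
    #    the accuracy and availability of that single list.
    # NOTE(review): GB_GEN_REDIR elsewhere in this file carries "tflags net";
    # these two DNS-backed rules do not. Confirm whether AskDNS marks its rules
    # as network tests implicitly.
    if (version >= 4.000000)
      if can(Mail::SpamAssassin::Conf::feature_capture_rules)
        ifplugin Mail::SpamAssassin::Plugin::AskDNS
          # Google Ads click URL: capture the host named in adurl=.
          # Changes from the previous pattern:
          #  - "https?//" had no colon, so a normal "https://" target never
          #    matched; ":?" accepts the colon and keeps the old form matching;
          #  - the capture was a greedy ".*" up to the last "/", which put path
          #    text into the DNS query; it now takes host characters only, the
          #    same class __G_REDIR_URL uses;
          #  - "i" added, because host names are case-insensitive.
          uri           __GAD_REDIR_URL         m;(?:adclick\.\w\.doubleclick\.net/pcs/click|(?:www)?\.googleadservices\.com/pagead/aclk)\?.{64,1024}\&adurl=https?:?//(?<GAD_REDIR_URL>[a-z0-9\-_\.]+)(?:/|\?|$);i
          askdns        GB_GAD_REDIR            _GAD_REDIR_URL_.wild.pccc.com A 127.0.0.4
          describe      GB_GAD_REDIR            Abused Google Ads redirector
          score         GB_GAD_REDIR            9.0

          # Google search/AMP redirect: capture the host that follows
          # "url?q=" or "amp/[s/]".
          uri           __G_REDIR_URL           m;https?://(?:www\.)?google\..{2,6}/(?:amp/(?:s/)?|url\?q=)(?:https://)?(?<G_REDIR_URL>[a-z0-9\-_\.]+)(?:/|\?|$);i
          askdns        GB_G_REDIR              _G_REDIR_URL_.wild.pccc.com A 127.0.0.4
          describe      GB_G_REDIR              Abused Google search redirector
          score         GB_G_REDIR              9.0
        endif
      endif
    endif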

    # meta rule for non generic redirector
    meta            __GB_NOTGEN_REDIR          ( KAM_GOOGLE_REDIR || KAM_MSNBR_REDIR || GB_ADOBE_REDIR || GB_BING_REDIR || GB_BIZZABO_REDIR || GB_WINDOWS_REDIR || GB_DISQUS_REDIR || GB_YANDEX_REDIR || GB_FLASHTALK_REDIR || GB_RETAILROCKET_REDIR || GB_SHOPMYEXC_REDIR || GB_ALLAINCEMH_REDIR || GB_BLOOMIO_REDIR || GB_DELL_REDIR || GB_ONECLICK_REDIR || GB_POWEROBJECTS_REDIR || GB_KMAIL_LISTS_REDIR || GB_EMLNK_REDIR || GB_BENCH_REDIR || GB_ORIGINSMARKET_REDIR || GB_CONTACTMONKEY_REDIR || GB_TURKMEN_REDIR || GB_ZAFOS_REDIR || GB_SLEAD_REDIR || GB_EDLEG_REDIR || GB_EXACTAG_REDIR || GB_AWSTRACK_REDIR || GB_VNUSPA_REDIR || GB_LNKS_REDIR || GB_3DMODEL_REDIR || GB_PHP_REDIR || GB_HREF_LI_REDIR )
    describe        __GB_NOTGEN_REDIR          Non generic redirector found

    # Generic redirector detection for installs without the Redirectors plugin.
    # Needs named-capture support in rules plus the AskDNS plugin.
    if can(Mail::SpamAssassin::Conf::feature_capture_rules)
      ifplugin Mail::SpamAssassin::Plugin::AskDNS
        # Any http(s) URL with a redirect-style parameter whose value begins
        # with something shaped like a host name; that host is captured as
        # GEN_REDIR_URL. The scheme in the value is optional and may be
        # percent-encoded.
        # NOTE(review): the parameter list includes one-letter names (l, r, u)
        # and the group carries a "+" quantifier, so this is a broad match;
        # the low 0.5 score below reflects that.
        uri           __GEN_REDIR_URL        m;https?://.{8,512}(?:\?|\&)(?:adurl|af_web_dp|cm_destination|destination|destURL|l|location|p1|pval|r|_?(?:redir(?:ect)?(?:to)?|return)(?:Url)?|ret_url|referer|scl_url|service|tid|u|url)+\=(?:https?)?(?:\:?//)?(?:\%3A\%2F\%2F|\%253A)?(?:www\.)?(?<GEN_REDIR_URL>[a-z0-9\-_]+\.[a-z0-9\-_\.]+);i
        meta          GB_GEN_REDIR_URL       __GEN_REDIR_URL && !__FACEBOOK_SHARER
        describe      GB_GEN_REDIR_URL       Redirector found in href link
        score         GB_GEN_REDIR_URL       0.5

        # XXX only generic rule should hit
        # The captured host is looked up under wild.pccc.com; the scored meta
        # fires only when none of the per-service rules matched. The lookup
        # discloses the captured host name to the resolvers used and to the
        # zone operator.
        askdns        __GB_GEN_REDIR         _GEN_REDIR_URL_.wild.pccc.com A 127.0.0.4
        meta          GB_GEN_REDIR           ( __GB_GEN_REDIR && !__GB_NOTGEN_REDIR )
        describe      GB_GEN_REDIR           Abused redirected uri found on Wild RBL
        score         GB_GEN_REDIR           1.5 # limit 9.0
        tflags        GB_GEN_REDIR           net
      endif
    endif

    # Umbrella sub-rule for this fallback branch: true when any of the
    # per-service redirector rules above hit.
    # NOTE(review): the list appears identical to __GB_NOTGEN_REDIR, so the two
    # must be kept in sync when a rule is added. It does not include
    # GB_GEN_REDIR_URL, GB_GAD_REDIR or GB_G_REDIR, so the metas that build on
    # __GB_ANY_REDIR do not see those hits in this branch.
    meta            __GB_ANY_REDIR          ( KAM_GOOGLE_REDIR || KAM_MSNBR_REDIR || GB_ADOBE_REDIR || GB_BING_REDIR || GB_BIZZABO_REDIR || GB_WINDOWS_REDIR || GB_DISQUS_REDIR || GB_YANDEX_REDIR || GB_FLASHTALK_REDIR || GB_RETAILROCKET_REDIR || GB_SHOPMYEXC_REDIR || GB_ALLAINCEMH_REDIR || GB_BLOOMIO_REDIR || GB_DELL_REDIR || GB_ONECLICK_REDIR || GB_POWEROBJECTS_REDIR || GB_KMAIL_LISTS_REDIR || GB_EMLNK_REDIR || GB_BENCH_REDIR || GB_ORIGINSMARKET_REDIR || GB_CONTACTMONKEY_REDIR || GB_TURKMEN_REDIR || GB_ZAFOS_REDIR || GB_SLEAD_REDIR || GB_EDLEG_REDIR || GB_EXACTAG_REDIR || GB_AWSTRACK_REDIR || GB_VNUSPA_REDIR || GB_LNKS_REDIR || GB_3DMODEL_REDIR || GB_PHP_REDIR || GB_HREF_LI_REDIR )
    describe        __GB_ANY_REDIR          Redirector found
  endif
endif

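# Counts Google AMP redirect links (https://google.<tld>/amp/s/...).
# "multiple maxhits=2" lets the sub-rule register up to two hits so that the
# meta can compare the count against 2.
# NOTE(review): unlike __KAM_GOOGLE_REDIR this pattern is case-sensitive and
# accepts neither "http://" nor a "www." prefix - confirm that is intended.
uri             __GB_DOUBLE_GREDIR      /https:\/\/google\..{2,6}\/amp\/s\/.{3,64}/
tflags          __GB_DOUBLE_GREDIR      multiple maxhits=2
meta            GB_DOUBLE_GREDIR        ( __GB_DOUBLE_GREDIR >= 2 )
# The description now states the condition actually tested (>= 2); it
# previously read "more then two".
describe        GB_DOUBLE_GREDIR        Email with two or more Google redirectors
score           GB_DOUBLE_GREDIR        5.0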

# Combination rules built on __GB_ANY_REDIR.
# FROM_FMBLA_NEWDOM, SEM_FRESH and KAM_EXEURI are not defined in this file.
# NOTE(review): __GB_ANY_REDIR is only defined inside the
# "if (version >= 4.000000)" block above, so on older versions both metas
# refer to a rule that does not exist - confirm how that is handled there.

# Any redirector in a message that also hits one of the two new-domain rules.
meta            KAM_GOOGLE_FRESH_REDIR  __GB_ANY_REDIR && ( FROM_FMBLA_NEWDOM || SEM_FRESH )
describe        KAM_GOOGLE_FRESH_REDIR  Redirector found on email sent by a new domain
score           KAM_GOOGLE_FRESH_REDIR  2.0
tflags          KAM_GOOGLE_FRESH_REDIR  net

# Any redirector together with a link to a .exe file.
meta		GB_REDIR_EXEURI		( __GB_ANY_REDIR && KAM_EXEURI )
describe	GB_REDIR_EXEURI		Redirector and uri to a .exe file
score		GB_REDIR_EXEURI		1.5
