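# Spam link patterns.
#
# Each rule is a single line of the form
#     /regex/flags SYMBOL:weight
#
# NOTE(review): none of the patterns is anchored with ^ or $, so they are
# assumed to be searched anywhere inside the URL -- confirm against the
# configuration that loads this file. Under that assumption the upper bound
# of a quantifier at the very end of a pattern (for example {107,128} in
# SPAM_LINK_6 or {80,999} in SPAM_LINK_7) is not enforced; only the lower
# bound limits what matches.
#
# Literal "/" and "." inside a pattern are always escaped so that the rule
# does not depend on how the loader locates the closing delimiter.

# SPAM_LINK_1
# Something like .... /plugin.php?t=147&SeBJYnc8AzD8YLd4kvf4uNR=Fqz&12i=Cwb&4f=cL4g
# The common parts are:
# - the first parameter name is one char long
# - at least two more parameters follow
# NOTE(review): this shape is generic; ordinary PHP URLs with a one-character
# first parameter and two further alphanumeric parameters match as well, so
# treat a hit as a weak signal.
/\/[a-z]+\.php\?\w=[a-zA-Z0-9]+(&[\w\d]+=[a-zA-Z0-9]+){2,}/i SPAM_LINK_1:0.4

# SPAM_LINK_3
# Something like ..../l/lt2K2240EH14R/1014LP2140G4657WU60A33287012SM1334722588
# Common parts:
# - first part is always one character
# - three parts in total
/\/\w\/\w{10,}\/\w{10,}/i SPAM_LINK_3:0.4

# SPAM_LINK_4
# /pass.php?utm_source=6900l3njtv&utm_medium=nc6600mc98&utm_campaign=a1q4sxq0wo&utm_term=tvec4xo652&utm_content=403g22e07g
# Common parts:
# - always a .php file in the root of the domain
# - only GA tracking parameters
# - values for utm_source, utm_medium and utm_campaign are always the same
#   (at least between 2017-07 and 2017-10), utm_term varies slightly and
#   utm_content is random
# - all tracking parameters have 10 chars
/\/[a-z]+\.php\?utm_source=[a-zA-Z0-9]{10}&utm_medium=[a-zA-Z0-9]{10}&utm_campaign=[a-zA-Z0-9]{10}&utm_term=[a-zA-Z0-9]{10}&utm_content=[a-zA-Z0-9]{10}/i SPAM_LINK_4:0.4

# SPAM_LINK_5
# Something like /mw/index.php/campaigns/pc118pw7p78bf/track-url/eo948g9ba3535/955e46674ff54a5792d9fa1782e483d77e4fdfc8
/\/campaigns\/[a-zA-Z0-9]{13}\/track-url\/[a-zA-Z0-9]{13}\/[a-zA-Z0-9]{40}/i SPAM_LINK_5:0.4

# SPAM_LINK_6
# Three path parts: 13-18 alphanumeric chars, exactly 43 chars, then at least
# 107 chars; the last two parts may also contain "-" and "_".
# The hyphen is written last in each character class so it cannot be read as
# a range operator.
/\/[a-zA-Z0-9]{13,18}\/[a-zA-Z0-9_-]{43}\/[a-zA-Z0-9_-]{107,128}/i SPAM_LINK_6:0.4

# SPAM_LINK_7
# Looks almost the same as SPAM_LINK_6.
# Characteristics:
# - TLD: .date or .trade
# - domain always with leading www.
# - path:
#     first part between 7 and 10 chars
#     second part between 16 and 22 chars
#     third part always(?) 43 chars
#     fourth part > 80 chars but varying in length
# The quantifiers below are deliberately wider than the observed lengths.
/www\.[a-zA-Z0-9]+\.(date|trade)\/[a-zA-Z0-9_-]{6,13}\/[a-zA-Z0-9_-]{13,24}\/[a-zA-Z0-9_-]{40,65}\/[a-zA-Z0-9_-]{80,999}/i SPAM_LINK_7:0.4

# SPAM_LINK_8
# Primarily used in bitcoin/crypto currency spam.
# Characteristics:
# - emails contain at least one link to .../?xtl=<token>&eih=<token>
# - emails contain at least one link to .../?xul=<token>&eih=<token>
# NOTE(review): each half carries 0.1; presumably both are expected to fire
# on the same message -- confirm.
/\?xtl=[a-zA-Z0-9]{100,300}&eih=[a-zA-Z0-9]{20,40}/i SPAM_LINK_8a:0.1
/\?xul=[a-zA-Z0-9]{70,120}&eih=[a-zA-Z0-9]{20,40}/i SPAM_LINK_8b:0.1

# SPAM_LINK_9
# Primarily used in bitcoin/crypto currency spam.
# - subdomain of .page.link
# - very short path (typically less than 5 chars)
# The trailing group ends the match at the first non-alphanumeric character
# or at the end of the URL. Without it {1,8} behaves like {1,} and every
# page.link URL is hit regardless of path length.
# NOTE(review): page.link short links are also sent by legitimate services;
# treat a hit as a weak signal on its own.
/\.page\.link\/[a-zA-Z0-9]{1,8}(?:[^a-zA-Z0-9]|$)/i SPAM_LINK_9:0.4

# Special rule for this persistent spammer.
# The slash after the domain is escaped like in every other rule.
/onlyone\-invest\.com\/.*/i ONLYONE_INVEST:0.4

# MY_SHOPIFY
# - subdomain of myshopify.com
# - path is /apps/<id>/indexjs.html or /apps/<id>/<id>/index_js.html
# - the first url parameter *might* always start with "sum"
# The dot before "html" is escaped so it matches a literal "." only.
/\.myshopify\.com\/apps\/[a-zA-Z0-9]+\/index_?js\.html/i MY_SHOPIFY_a:0.2
/\.myshopify\.com\/apps\/[a-zA-Z0-9]+\/[a-zA-Z0-9]+\/index_?js\.html/i MY_SHOPIFY_b:0.2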