Note the redirect of this image:
[code]
ramon@devbak01:~$ curl -v http://farms.fplqb.us/Zyyrxyhbb/bejqhq300ezqbcj/.jpg
* Trying 104.244.210.126...
* Connected to farms.fplqb.us (104.244.210.126) port 80 (#0)
> GET /Zyyrxyhbb/bejqhq300ezqbcj/.jpg HTTP/1.1
> Host: farms.fplqb.us
> User-Agent: curl/7.47.0
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Server: nginx/1.10.2
< Date: Sun, 04 Dec 2016 13:06:29 GMT
< Content-Type: text/html
< Transfer-Encoding: chunked
< Connection: keep-alive
< X-Powered-By: PHP/5.3.3
< Location: http://i.imgsafe.org/0a1f9c334b.jpg
<
* Connection #0 to host farms.fplqb.us left intact
[/code]
So if you want your SpamAssassin rule to deny the message, match on a subset of farms.fplqb.us and/or the “/.jpg” ‘extension’.
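One way to write that as SpamAssassin rules, as an added example that is not from the original post. The rule names and scores are assumptions to tune against your own threshold, and the patterns are built only from the URL in the curl output above.

```conf
# local.cf fragment (added example; rule names and scores are assumptions)

# Host is fplqb.us or any subdomain of it, e.g. farms.fplqb.us.
# Anchored on the host part so "fplqb.us" elsewhere in a URL does not match.
uri       LOCAL_URI_FPLQB       m{^https?://(?:[^/?]+\.)?fplqb\.us(?::\d+)?(?:[/?]|$)}i
describe  LOCAL_URI_FPLQB       URI host is under fplqb.us
score     LOCAL_URI_FPLQB       2.5

# Last path segment is exactly ".jpg": an image extension with no file name.
# A normal image link such as /img/photo.jpg does not match.
uri       LOCAL_URI_BARE_JPG    m{^https?://[^/?]+/(?:[^?]*/)?\.jpg(?:\?|$)}i
describe  LOCAL_URI_BARE_JPG    URI path ends in /.jpg (empty basename)
score     LOCAL_URI_BARE_JPG    1.5

# Both conditions together, as in the captured URL.
meta      LOCAL_URI_FPLQB_JPG   (LOCAL_URI_FPLQB && LOCAL_URI_BARE_JPG)
describe  LOCAL_URI_FPLQB_JPG   fplqb.us link with a /.jpg path
score     LOCAL_URI_FPLQB_JPG   3.0
```

Run `spamassassin --lint` after adding the rules to confirm they parse. The host rule only catches this one domain, while the bare `/.jpg` rule keeps matching if the sender moves the same URL layout to a new host.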