Discuss December 2005

discuss@lists.surbl.org

20 participants
11 discussions

RE: [SURBL-Discuss] The (bad) situation with Yahoo / Geocities.
by Guy Rosen 25 Dec '05

25 Dec '05

We've been compiling and reporting lists of GeoCities sites and from here too it seems GeoCities isn't handling them well. We compile lists based on spam reports from our user community, and at one point we even found around 3,500 (!) live GeoCities spam sites. Eric, do you know that GeoCities were monitoring your list specifically, or might they have just shut down a lot of sites that day, regardless of your list? Guy Rosen Lead Analyst, Operations Team Blue Security http://www.bluesecurity.com/ Tel: +972-9-9577736 x228 AIM: guyrrosen (double R) -----Original Message----- From: discuss-bounces(a)lists.surbl.org [mailto:discuss-bounces@lists.surbl.org] On Behalf Of Eric Montr?al Sent: Wednesday, December 21, 2005 23:32 To: SURBL Discussion list Subject: [SURBL-Discuss] The (bad) situation with Yahoo / Geocities. Hi, It seems like people who were not too optimistic when the number of active spamming sites on Geocities dropped from more than 300 to 14 on Friday were unfortunately right. Yahoo / Geocities did not make anything to prevent spammers from (ab)using their service and only used the list once to remove their (old and unused) spam related sites, but did nothing to prevent spammers from building new spammy sites all over again. Today, Geocities still makes the bulk of spammy sites on the list (total 368) and in the last 2 days, they only closed down 6 of them, that's below 2% ! One thing we learned last friday is that Yahoo / Geocities are not only fully aware of the situation, but they are monitoring this list. Here is the current active list: http://nospam.mailpeers.net/alive_spammy.txt I thought maybe it's difficult to detect those sites, maybe spammers are very crafty and make it hard to separate their redirection pages from other non spammy pages, so I started analyzing the pages content and here is what I found: - More than 95% of Geocities spammy sites are redirections (the balance being 'click here' manual redirections). - there is a surprisingly low number of variation in those redirection scripts - The more spammy tries to obfuscate his scripts, the more the signs are evident and easy to detect. - only 11 rules have detected *all* redirection scripts to this date. - Non redirection sites are simply detected by the URIs they contain (blacklist now, I hope to add SURBL support soon). - hometown.aol.com *DOES NOT USE ANTIVIRUS !* on their user data. As a result, they end up being a malware hosting heaven ! (even if they remove some of them when they get complaints) http://nospam.mailpeers.net/alive_spammy_malware.txt - hometown.aol.com non malware sites are *all* using the same randomized redirection script - tripod.com seems to be handling the problem perfectly (unless my sampling is severely biased, send me more) and in the rare cases where a spammer tries to use them, the spammy site is usually shutdown before I list it. Fight the spammies, and they'll move away. Why are the others not doing the same ? You'll find the complete analysis results for all alive spammy sites on this page (updated regularly): http://nospam.mailpeers.net/alive_spammy2.txt I also added http://nospam.mailpeers.net/fresh_alive_spammy.txt that lists the most recent entries (first one is the most recent). These sites are actively used in current spam runs (The ones you *really* want down !) In cases where spammy does not encrypt his redirector, extracting the real target URL behind the redirector is a piece of cake. They end up here, along with blacklisted ones, in http://nospam.mailpeers.net/spammy_targets.txt (with country code) Some of them (but not all) are already listed in SURBL. BTW, is there a script (bash, perl, whatever) that simply decodes URIs and query SURBL ? I won't distribute the rules, since their effectiveness would be immediately impaired, but if the Yahoo guy or the AOL guy want them, I'd be glad to share... however, at least for Yahoo/Geocities, I have no illusions. The very low number of variation makes me wonder. Is it because all spammers use the same spamware to generate their redirection pages, or are only a selected few of them 'allowed' to (ab)use Geocities for their redirection needs ? ------------ So, what's next ? hometown.aol.com is actually shutting down some sites, but it's too few, too late. They need to be more proactive. the worst problem with their service being the presence of malware. A list member sent me a reporting address for hometown.aol.com abuses, I'll see if it works, and if so, it will become automatic. Yahoo/Geocities is a different beast. After months of well known abuse and minimal action, I think they deserve being treated as a spam ressource provider. Just like other spam ressource providers, they can get away with it just as long as their regular customers are not aware of their activities. Their parent company being Yahoo, it's completely useless to complain to their upstream ;-) but they have to protect Yahoo's corporate image. If yahoo sees a serious risk that their name will be associated with spam support / illegal activities, a *real* change will occur. I think I've done my homework collecting enough proof of Yahoo/Geocities's refusal to stop the spam support activities taking place on their network and that it could be used as a starting point in gathering enough evidence (+insiders info?) to issue a well researched press release. Obviously, since (as you might have noticed !) English is not my main language and I'm not familiar with the press, this is a call for volunteers for the additional data collection and redaction work. Regards, Eric ------------ PS-1: If you operate Spamassassin 3.xx, you can share all the Geocities / AOL / tripod URIs in the messages going through your server in near real time. All it takes is a 4 lines patch in URIDNSBL.pm and a simple cron job. PS-2:I'd like to have independent third party daily backups of the whole nospam.mailpeers.net subdomain. It's small, and a simple wget -r -w3 would do. If you want to do it, email me so that I'm aware of it. _______________________________________________ Discuss mailing list Discuss(a)lists.surbl.org http://lists.surbl.org/mailman/listinfo/discuss

4 3

The (bad) situation with Yahoo / Geocities.
by Eric Montréal 23 Dec '05

23 Dec '05

Hi, It seems like people who were not too optimistic when the number of active spamming sites on Geocities dropped from more than 300 to 14 on Friday were unfortunately right. Yahoo / Geocities did not make anything to prevent spammers from (ab)using their service and only used the list once to remove their (old and unused) spam related sites, but did nothing to prevent spammers from building new spammy sites all over again. Today, Geocities still makes the bulk of spammy sites on the list (total 368) and in the last 2 days, they only closed down 6 of them, that's below 2% ! One thing we learned last friday is that Yahoo / Geocities are not only fully aware of the situation, but they are monitoring this list. Here is the current active list: http://nospam.mailpeers.net/alive_spammy.txt I thought maybe it's difficult to detect those sites, maybe spammers are very crafty and make it hard to separate their redirection pages from other non spammy pages, so I started analyzing the pages content and here is what I found: - More than 95% of Geocities spammy sites are redirections (the balance being 'click here' manual redirections). - there is a surprisingly low number of variation in those redirection scripts - The more spammy tries to obfuscate his scripts, the more the signs are evident and easy to detect. - only 11 rules have detected *all* redirection scripts to this date. - Non redirection sites are simply detected by the URIs they contain (blacklist now, I hope to add SURBL support soon). - hometown.aol.com *DOES NOT USE ANTIVIRUS !* on their user data. As a result, they end up being a malware hosting heaven ! (even if they remove some of them when they get complaints) http://nospam.mailpeers.net/alive_spammy_malware.txt - hometown.aol.com non malware sites are *all* using the same randomized redirection script - tripod.com seems to be handling the problem perfectly (unless my sampling is severely biased, send me more) and in the rare cases where a spammer tries to use them, the spammy site is usually shutdown before I list it. Fight the spammies, and they'll move away. Why are the others not doing the same ? You'll find the complete analysis results for all alive spammy sites on this page (updated regularly): http://nospam.mailpeers.net/alive_spammy2.txt I also added http://nospam.mailpeers.net/fresh_alive_spammy.txt that lists the most recent entries (first one is the most recent). These sites are actively used in current spam runs (The ones you *really* want down !) In cases where spammy does not encrypt his redirector, extracting the real target URL behind the redirector is a piece of cake. They end up here, along with blacklisted ones, in http://nospam.mailpeers.net/spammy_targets.txt (with country code) Some of them (but not all) are already listed in SURBL. BTW, is there a script (bash, perl, whatever) that simply decodes URIs and query SURBL ? I won't distribute the rules, since their effectiveness would be immediately impaired, but if the Yahoo guy or the AOL guy want them, I'd be glad to share... however, at least for Yahoo/Geocities, I have no illusions. The very low number of variation makes me wonder. Is it because all spammers use the same spamware to generate their redirection pages, or are only a selected few of them 'allowed' to (ab)use Geocities for their redirection needs ? ------------ So, what's next ? hometown.aol.com is actually shutting down some sites, but it's too few, too late. They need to be more proactive. the worst problem with their service being the presence of malware. A list member sent me a reporting address for hometown.aol.com abuses, I'll see if it works, and if so, it will become automatic. Yahoo/Geocities is a different beast. After months of well known abuse and minimal action, I think they deserve being treated as a spam ressource provider. Just like other spam ressource providers, they can get away with it just as long as their regular customers are not aware of their activities. Their parent company being Yahoo, it's completely useless to complain to their upstream ;-) but they have to protect Yahoo's corporate image. If yahoo sees a serious risk that their name will be associated with spam support / illegal activities, a *real* change will occur. I think I've done my homework collecting enough proof of Yahoo/Geocities's refusal to stop the spam support activities taking place on their network and that it could be used as a starting point in gathering enough evidence (+insiders info?) to issue a well researched press release. Obviously, since (as you might have noticed !) English is not my main language and I'm not familiar with the press, this is a call for volunteers for the additional data collection and redaction work. Regards, Eric ------------ PS-1: If you operate Spamassassin 3.xx, you can share all the Geocities / AOL / tripod URIs in the messages going through your server in near real time. All it takes is a 4 lines patch in URIDNSBL.pm and a simple cron job. PS-2:I'd like to have independent third party daily backups of the whole nospam.mailpeers.net subdomain. It's small, and a simple wget -r -w3 would do. If you want to do it, email me so that I'm aware of it.

4 4

Re: [SURBL-Discuss] Re: One way to handle the Geocities spam
by Joe Zitnik 19 Dec '05

19 Dec '05

I like it. While it hasn't completely nuked the geocities spam we were seeing, it has put a significant dent in it. >>> warren_ro(a)compuserve.com 12/13/2005 12:33 am >>> Hi All, Any feedback on how effective this is ? Regards Warren ----- Original Message ----- From: "Eric Montréal" <erv(a)mailpeers.net> To: "Jeff Chan" <jeffc(a)surbl.org>; "SURBL Discussion list" <discuss(a)lists.surbl.org> Sent: Sunday, December 04, 2005 11:57 AM Subject: Re: [SURBL-Discuss] Re: One way to handle the Geocities spam > > Jeff Chan wrote: > >>On Friday, December 2, 2005, 3:31:41 PM, Eric Montréal wrote: >> >>>I've >>>made my own >>>auto-generated spamassassin rules for both Geocities and Tripod spam. >>> >>>This list is similar in it's principles to the good old BigEvilList ... >>> >>>You can download and test it from there: http://nospam.mailpeers.net/ >>> >>>Feedback appreciated (good or bad, in or outside of the list) ... >>> >> >>This would work, but it could be somewhat difficult to maintain >> > The list generation / maintenance is somewhat automated and will be even > more if > there is enough interest for it. > > What I would need now is a broader set of URLs, since I only have a > partial view of > what's going on at a global level. > >>and distribute. >> > Not sure what you mean by distribution, but if successful, it might need > mirrors. > >> Note that that doesn't mean I think it's a bad >>idea. Anything that reasonably stops spam is a positive IMO. >> >> > Should work as the BigEvil list worked ... until it became too big and you > found a way > to solve the problem ... > > In the meantime those rules are easy to add and don't require any change > in Spamassassin. > >>Jeff C. >>-- >>Don't harm innocent bystanders. >> > I'll do my best ;-) > > Eric > _______________________________________________ > Discuss mailing list > Discuss(a)lists.surbl.org > http://lists.surbl.org/mailman/listinfo/discuss > _______________________________________________ Discuss mailing list Discuss(a)lists.surbl.org http://lists.surbl.org/mailman/listinfo/discuss

5 7

WebRedirect SpamAssassin Plugin for use with 'Geocities Spam'
by Daryl C. W. O'Shea 17 Dec '05

17 Dec '05

I was planning on giving Yahoo! more time to correct their "Geocities Spam" problem before I released my plugin to deal with it, but I've been noticing a decline in the scores these mails are getting. I also just found out that I have copies of this sort of spam going back to at least December 28, 2004 and have been getting them in volume since May 2005. I had thought it only went back to September and not back an entire year with increasing volume (10%+ of my spam is now "geocities spam") in the last six months. In my opinion they've had sufficient time to act. Further, while adding some documentation to the plugin, I tested some of the spam I used to write the plugin back in September and found that some of the "member sites" are still active. Conveniently, there are only a few versions of the pages linked to, so writing rules against them is pretty effective -- which is what this plugin is for. A few words of caution if you do decide to use this plugin: - While I believe there are no issues with the code, I'm not too familiar with LWP::UserAgent, so it's entirely possible that I have missed something. In the event your machine gets rooted, you've been warned. - Query the links found in an email inherently has a number of privacy and technical issues you should be aware of. The plugin attempts to avoid them by stripping visible query strings and login credentials, but I encourage you to read the WARNING section of the plugin's perldoc before using it. Be sure to NEVER use this plugin to query links hosted on a server the sender may control. - High volume sites would be wise to run this behind a caching HTTP proxy such as Squid to reduce the 0.3 to 1 second that it may take to query each link. While the web query is blocking, it takes place just after the DNS requests are kicked off, so it gives the DNS queries more time to complete which may result in DNSBL hits that may have been missed due to timeouts. - The scores assigned to the rules are guesses on my part based on what they match. I have no legitimate email to compare hits against. I recommend monitoring the hits for some period of time and reassigning scores if necessary or not to your liking. The plugin is available at: http://wiki.apache.org/spamassassin/WebRedirectPlugin Send me an email if you find the plugin useful or spot a flaw that should be corrected. Best Regards, Daryl C. W. O'Shea

5 5

RE: [SURBL-Discuss] 'Geocities Spam' ... a miracle ?
by Kristopher Austin 17 Dec '05

17 Dec '05

I had 8 as ok, 7 as 301, all the rest were 403 and 404. Kris > -----Original Message----- > From: discuss-bounces(a)lists.surbl.org [mailto:discuss- > bounces(a)lists.surbl.org] On Behalf Of Eric Montréal > Sent: Friday, December 16, 2005 3:59 AM > To: SURBL Discussion list > Subject: Re: [SURBL-Discuss] 'Geocities Spam' ... a miracle ? > > wget http://nospam.mailpeers.net/rip_spammy.txt -Orip.txt;for i in > $(egrep -i > '^http:[0-9a-z\/_\-\.]*\bgeocities\b[0-9a-z\/_\-\.]*$'<rip.txt);do echo > -n "$i - ";wget -T3 -t3 -w3 --spider -U"Mozilla/4.0 (compatible; MSIE > 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)" $i 2>&1|grep > 'awaiting'|cut -d'.' -f4|cut -d' ' -f2-;done;rm -f rip.txt > > Are they all 403 or 404 ?

2 1

Re: [SURBL-Discuss] 'Geocities Spam' ... a miracle ?
by List Mail User 16 Dec '05

16 Dec '05

>... >Hi, > >Looks like, after months ignoring the problem, a miracle finally >happened at Yahoo / Geocities tonight ... > >Yesterday, my list of alive Geocities spammy sites was more than 350 >names long. > >Tonight it's down to ... 14 Geocities sites ! All others have been shutdown >... Let us hope that some proactive mechanism is now shutting them down, and that hometown.aol.com doesn't pickup all the slack (where I've been seen them from recently). The worse case would have been if they just downloaded your list and checked and shut those - the 14 left implies that some other means was used (which is by far preferable). Paul Shupak track(a)plectere.com

2 1

RE: [SURBL-Discuss] 'Geocities Spam' ... a miracle ?
by Chris Santerre 16 Dec '05

16 Dec '05

> -----Original Message----- > From: List Mail User [mailto:track@plectere.com] > Sent: Friday, December 16, 2005 7:47 AM > To: discuss(a)lists.surbl.org > Cc: track(a)plectere.com > Subject: Re: [SURBL-Discuss] 'Geocities Spam' ... a miracle ? > > > >... > >Hi, > > > >Looks like, after months ignoring the problem, a miracle finally > >happened at Yahoo / Geocities tonight ... > > > >Yesterday, my list of alive Geocities spammy sites was more than 350 > >names long. > > > >Tonight it's down to ... 14 Geocities sites ! All others > have been shutdown > >... > > Let us hope that some proactive mechanism is now shutting them > down, and that hometown.aol.com doesn't pickup all the slack > (where I've > been seen them from recently). The worse case would have been if they > just downloaded your list and checked and shut those - the 14 > left implies > that some other means was used (which is by far preferable). > SWEEET!! +1 on the aol! This is a good day! --Chris

1 0

One way to handle the Geocities spam
by John Graham-Cumming 15 Dec '05

15 Dec '05

How about transforming a Geocities URL into a DNS query like this: http://uk.geocities.com/xyz/ becomes xyz.geocities.com.multi.surbl.org And then we could SURBL check the individual pages within Geocities. In a way geocities.com is just another TLD. John. -- John Graham-Cumming jgc(a)jgc.org Home: http://www.jgc.org/ Blog: http://www.jgc.org/blog/ POPFile: http://getpopfile.org/ GNU Make Standard Library: http://gmsl.sf.net/ GNU Make Debugger: http://gmd.sf.net/ Fast, Parallel Builds: http://www.electric-cloud.com/ Sign up for my Spam and Anti-spam Newsletter at http://www.jgc.org/

9 18

RE: [SURBL-Discuss] Possible FP...
by Chris Santerre 12 Dec '05

12 Dec '05

> -----Original Message----- > From: Alex Broens [mailto:surbl@alexb.ch] > Sent: Monday, December 12, 2005 10:07 AM > To: SURBL Discussion list > Subject: Re: [SURBL-Discuss] Possible FP... > > > Chris Santerre wrote: > > 2.0 URIBL_WS_SURBL Contains an URL listed in the > WS SURBL blocklist > > [URIs: promoreply .com] > > > > I'm not sure on the history of this domain. It was marked in a legit > > subscribed newsletter from one of my users. Doesn't mean it > isn't a spammer > > however. If anyones got some good evidence, I'll gladly > contact the legit > > newsletter and tell them not to use them. > > > > This domain was hosting all the images in the legit HTML email. > > Chris > > sorta curious... > > What was the newsletter domain? > > I have promoreply. com listed locally since Jan 2005 (no > more evidence > from back then) roadrunnersports.com I think they recently started using this listed domain to host images. Because the user has been subscribed for a long time (Greater then 3 yrs). I *think* this is the first time they have hit a URIBL list. --Chris

2 1

Possible FP...
by Chris Santerre 12 Dec '05

12 Dec '05

2.0 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist [URIs: promoreply .com] I'm not sure on the history of this domain. It was marked in a legit subscribed newsletter from one of my users. Doesn't mean it isn't a spammer however. If anyones got some good evidence, I'll gladly contact the legit newsletter and tell them not to use them. This domain was hosting all the images in the legit HTML email. Chris Santerre SysAdmin and SARE/URIBL ninja http://www.uribl.com http://www.rulesemporium.com

2 1

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

Discuss December 2005