With regard to the latest subevil.cf could you please include "ar" in the countries list. Also would appreciate if the score is 5.0?
Regards
Warren

----- Original Message -----
From: "Eric Montréal" erv@mailpeers.net
To: "SURBL Discussion list" discuss@lists.surbl.org
Sent: Friday, December 16, 2005 11:55 PM
Subject: Re: [SURBL-Discuss] Re: One way to handle the Geocities spam
Hi,
mouss wrote:
Eric Montréal wrote:
To really make the rules more effective I need to get more raw data. Some people are already sending me their URLs, but I would need more of them to get a better coverage.
I will send you mine. now, I would prefer to find less "exhaustive" ways. some time ago, I've looked at some (many) and they seemed to follow few patterns (two patterns covered most of the spams I've checked manually). so I think it would be good to share not just the URLs, but the full messages.
You can send full messages if you want to, I did not ask for them to prevent dealing with privacy issues, and since my automated filters are based on the URLs, but full mails would help me see the patterns used.
patterns are fine as long as you keep them private. As soon as you share them in a public place, they quickly stop being effective ... spammy is listening.
For Geocities spams, it happened with this rule (and other similar ones) :
body GeocitiesRd /(?i)http:\/\/(it|uk|sg|ca|www|au|in|mx|de|es)\.Geocities(\.yahoo|)\.com\/[A-Z_-a-z0-9%]{1,60}\/?[A-Z_-a-z0-9%&]{1,100}/
describe GeocitiesRd Geocities Redirector spam.
score GeocitiesRd 3.0
They simply stopped using the ID tag ...
The majority of Geocities spams I get could be flagged by detecting the Geocities link + "F-R-E-E TODAY ONLY" + "charities" + "mail sending service" + "non-commercial", but my goal is less against some particular spams than against the whole principle of (ab)using free hosts as redirectors, since this makes detection more difficult and creates a disproportionate number of false negatives. If this possibility is closed, that will force them into parts of the internet where the ham / spam separation is easier than on places like Geocities, Tripod and other free hosts.
My goal with the ruleset, beyond Geocities is also to see if a near realtime URL blocking (1 hour updates) is practical, both for traditional spams and phishing URLs detection.
Also, please see the "WebRedirect SpamAssassin Plugin for use with 'Geocities Spam'" thread. Hopefully, the whole issue with Yahoo / Geocities will soon be history.
Where will they go next ? Keep sending your best spams to spamslut@mailpeers.net ;-)
Regards,
Eric.
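
Added example, not part of the original thread or of the subevil.cf ruleset: a coverage check that rebuilds the quoted GeocitiesRd pattern for a given prefix list and counts Geocities host prefixes in a URL sample that the list does not cover, which is the gap the "ar" request above points at. Python's `re` stands in for SpamAssassin's Perl regex engine, the dots and slashes are assumed to be escaped, and the function names and sample URLs are constructed for illustration.

```python
import re
from collections import Counter

# Prefix list copied from the GeocitiesRd rule quoted in the thread.
RULE_PREFIXES = ["it", "uk", "sg", "ca", "www", "au", "in", "mx", "de", "es"]

# Any host directly under geocities.com or geocities.yahoo.com.
ANY_GEOCITIES = re.compile(r"(?i)http://([a-z0-9-]+)\.geocities(?:\.yahoo)?\.com/")


def build_rule(prefixes):
    """Rebuild the quoted pattern for a prefix list (hypothetical helper)."""
    alt = "|".join(re.escape(p) for p in prefixes)
    return re.compile(
        r"(?i)http://(" + alt + r")\.Geocities(\.yahoo|)\.com/"
        r"[A-Z_-a-z0-9%]{1,60}/?[A-Z_-a-z0-9%&]{1,100}"
    )


def uncovered_prefixes(urls, prefixes):
    """Count Geocities host prefixes that the rule fails to match."""
    rule = build_rule(prefixes)
    known = {p.lower() for p in prefixes}
    missed = Counter()
    for url in urls:
        host = ANY_GEOCITIES.search(url)
        if not host or rule.search(url):
            continue  # not a Geocities URL, or already caught by the rule
        prefix = host.group(1).lower()
        if prefix not in known:
            missed[prefix] += 1
    return missed


# Constructed sample URLs (not real spam data).
SAMPLE_URLS = [
    "http://www.geocities.com/constructed_user1/?abc123",
    "http://uk.geocities.com/constructed_user2/page",
    "http://ar.geocities.com/constructed_user3/page",
    "http://ar.geocities.com/constructed_user4/",
    "http://br.geocities.com/constructed_user5/x",
    "http://de.geocities.yahoo.com/constructed_user6/x",
    "http://example.com/not_geocities",
]

if __name__ == "__main__":
    print(uncovered_prefixes(SAMPLE_URLS, RULE_PREFIXES))
    print(uncovered_prefixes(SAMPLE_URLS, RULE_PREFIXES + ["ar"]))
```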