Hey all,
I'm getting a lot of single-link spam from Yahoo -- seems to be via compromised accounts, mostly (as in, via an account that my address would be in the address book of). It's coming through legitimately via the Yahoo servers, with DKIM signatures intact and all. As the message body is purely a link (at least, the text/plain portion is), this is an ideal job for SURBL and pretty hard for most other content matching.
One such example (spaces added by me):
http://dark turn ip.com/sxduvb/dgemdczfcmc/lzuc.php
Yahoo seem to be absolutely braindead about spam reporting on these compromised accounts. So much so that I wrote a blog about it: http://gushi.livejournal.com/588829.html
I could easily create a SpamAssassin or Procmail rule to block these messages, but I think it makes sense to make better use of this data.
I often report things that get through SpamAssassin to SpamCop, which I understand feeds SURBL, but as SpamCop has to wait for me to go hit their webpage, this introduces a lag that need not be present, ergo I'm happy to feed traps directly from my system procmailrc -- where I have a couple hundred friends-and-family domains.
Anyone interested?
-Dan
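
Added example, not part of the original message and not the poster's own rule: a Python sketch of the pattern described above (Yahoo sender, DKIM-Signature header present, text/plain body that is nothing but one link), returning the name one would look up in SURBL's combined zone multi.surbl.org. The function names, the sample message and its domains are constructed; the DKIM signature is assumed to have been verified upstream, and the registered-domain step is a naive last-two-labels cut rather than a public-suffix lookup.

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# The whole body must be exactly one http(s) URL; group 1 is the host.
ONE_URL = re.compile(r"https?://([^/\s:]+)\S*", re.I)

def single_link_host(msg):
    """Host of the URL if the text/plain part is a single link, else None."""
    part = msg.get_body(preferencelist=("plain",))
    if part is None:
        return None
    m = ONE_URL.fullmatch(part.get_content().strip())
    return m.group(1).lower() if m else None

def surbl_query_name(host):
    """DNS name to query for a host name; IP-literal hosts are skipped here."""
    if re.fullmatch(r"[\d.]+", host):
        return None
    # Assumption: last two labels approximate the registered domain.
    return ".".join(host.split(".")[-2:]) + ".multi.surbl.org"

def trap_candidate(raw):
    """Return the SURBL query name when a message fits the pattern, else None."""
    msg = message_from_string(raw, policy=default)
    sender = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    host = single_link_host(msg)
    # Header presence only; signature validity is assumed checked by the MTA.
    if host and sender.startswith("yahoo.") and msg["DKIM-Signature"]:
        return surbl_query_name(host)
    return None

# Constructed sample message (not taken from real mail).
SAMPLE = """\
From: Friend <friend@yahoo.com>
To: me@example.org
Subject: hi
DKIM-Signature: v=1; a=rsa-sha256; d=yahoo.com; s=constructed; bh=x; b=x
Content-Type: text/plain; charset=us-ascii

http://www.link-only.example/sxd/lz.php
"""

if __name__ == "__main__":
    print(trap_candidate(SAMPLE))
```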