We've been compiling and reporting lists of GeoCities sites and from here too it seems GeoCities isn't handling them well. We compile lists based on spam reports from our user community, and at one point we even found around 3,500 (!) live GeoCities spam sites.
Eric, do you know that GeoCities were monitoring your list specifically, or might they have just shut down a lot of sites that day, regardless of your list?
Guy Rosen Lead Analyst, Operations Team Blue Security http://www.bluesecurity.com/ Tel: +972-9-9577736 x228 AIM: guyrrosen (double R)
-----Original Message-----
From: discuss-bounces@lists.surbl.org [mailto:discuss-bounces@lists.surbl.org] On Behalf Of Eric Montréal
Sent: Wednesday, December 21, 2005 23:32
To: SURBL Discussion list
Subject: [SURBL-Discuss] The (bad) situation with Yahoo / Geocities.
Hi,
It seems like people who were not too optimistic when the number of active spamming sites on Geocities dropped from more than 300 to 14 on Friday were unfortunately right.
Yahoo / Geocities did not do anything to prevent spammers from (ab)using their service, and only used the list once to remove their (old and unused) spam-related sites, but did nothing to prevent spammers from building new spammy sites all over again. Today, Geocities still makes up the bulk of spammy sites on the list (368 in total), and in the last 2 days they only closed down 6 of them, that's below 2%!
One thing we learned last Friday is that Yahoo / Geocities are not only fully aware of the situation, but they are monitoring this list.
Here is the current active list: http://nospam.mailpeers.net/alive_spammy.txt
I thought maybe it's difficult to detect those sites, maybe spammers are very crafty and make it hard to separate their redirection pages from other non spammy pages, so I started analyzing the pages content and here is what I found:
- More than 95% of Geocities spammy sites are redirections (the balance being 'click here' manual redirections).
- There is a surprisingly low number of variations in those redirection scripts.
- The more the spammy tries to obfuscate his scripts, the more evident and easy to detect the signs are.
- Only 11 rules have detected *all* redirection scripts to this date.
- Non-redirection sites are simply detected by the URIs they contain (blacklist now, I hope to add SURBL support soon).
- hometown.aol.com *DOES NOT USE ANTIVIRUS!* on their user data. As a result, they end up being a malware hosting heaven! (even if they remove some of them when they get complaints) http://nospam.mailpeers.net/alive_spammy_malware.txt
- hometown.aol.com non-malware sites are *all* using the same randomized redirection script.
- tripod.com seems to be handling the problem perfectly (unless my sampling is severely biased, send me more), and in the rare cases where a spammer tries to use them, the spammy site is usually shut down before I list it. Fight the spammies, and they'll move away. Why are the others not doing the same?
You'll find the complete analysis results for all alive spammy sites on this page (updated regularly): http://nospam.mailpeers.net/alive_spammy2.txt
I also added http://nospam.mailpeers.net/fresh_alive_spammy.txt that lists the most recent entries (the first one is the most recent). These sites are actively used in current spam runs (the ones you *really* want down!).
In cases where the spammy does not encrypt his redirector, extracting the real target URL behind the redirector is a piece of cake. They end up here, along with the blacklisted ones: http://nospam.mailpeers.net/spammy_targets.txt (with country code). Some of them (but not all) are already listed in SURBL.
BTW, is there a script (bash, perl, whatever) that simply decodes URIs and queries SURBL?
I won't distribute the rules, since their effectiveness would be immediately impaired, but if the Yahoo guy or the AOL guy want them, I'd be glad to share... however, at least for Yahoo/Geocities, I have no illusions.
The very low number of variations makes me wonder. Is it because all spammers use the same spamware to generate their redirection pages, or are only a selected few of them 'allowed' to (ab)use Geocities for their redirection needs?
------------
So, what's next ?
hometown.aol.com is actually shutting down some sites, but it's too few, too late. They need to be more proactive, the worst problem with their service being the presence of malware. A list member sent me a reporting address for hometown.aol.com abuses; I'll see if it works, and if so, it will become automatic.
Yahoo/Geocities is a different beast. After months of well-known abuse and minimal action, I think they deserve to be treated as a spam resource provider.
Just like other spam resource providers, they can get away with it just as long as their regular customers are not aware of their activities.
Their parent company being Yahoo, it's completely useless to complain to their upstream ;-) but they have to protect Yahoo's corporate image. If Yahoo sees a serious risk that their name will be associated with spam support / illegal activities, a *real* change will occur.
I think I've done my homework collecting enough proof of Yahoo/Geocities' refusal to stop the spam support activities taking place on their network, and that it could be used as a starting point in gathering enough evidence (+ insiders' info?) to issue a well-researched press release.
Obviously, since (as you might have noticed !) English is not my main language and I'm not familiar with the press, this is a call for volunteers for the additional data collection and redaction work.
Regards,
Eric
------------
PS-1: If you operate SpamAssassin 3.xx, you can share all the Geocities / AOL / tripod URIs in the messages going through your server in near real time. All it takes is a 4-line patch in URIDNSBL.pm and a simple cron job.
PS-2: I'd like to have independent third-party daily backups of the whole nospam.mailpeers.net subdomain. It's small, and a simple wget -r -w3 would do. If you want to do it, email me so that I'm aware of it.
_______________________________________________ Discuss mailing list Discuss@lists.surbl.org http://lists.surbl.org/mailman/listinfo/discuss
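A worked example of the two pieces Eric describes above (pulling the real target out of an unobfuscated redirector page, and turning a URI into a SURBL query, which is what his "decodes URIs and queries SURBL" question asks for). This is added to the archive page and is not Eric's detection rules, nor a script from SURBL or Blue Security. The sample pages are constructed; `multi.surbl.org` is the real combined zone; the 127.0.0.x bit meanings are the 2005-era assignments and should be checked against surbl.org today; the registered-domain reduction is a simplification of SURBL's own two/three-level rules. The resolver is injectable so the script runs offline on a canned answer.

```python
"""Extract the target behind a hosted redirector page and ask SURBL about it.

Added example for this thread, not Eric's detection rules or a SURBL tool.
Assumptions: multi.surbl.org is the combined zone (it is); the 127.0.0.x
answer bits follow the 2005-era assignments below (check surbl.org for
today's); registered-domain reduction is a simplification of SURBL's rules.
"""
import html
import re
import socket
from urllib.parse import unquote, urlparse

# Constructed sample pages standing in for free-hosted spam redirectors.
SAMPLE_PAGES = {
    "meta": ('<html><head><meta http-equiv="refresh" '
             'content="0;URL=http://example-target.test/buy?x=1"></head></html>'),
    "js": ('<html><body><script>window.location.href='
           '"http://example-target.test/landing";</script></body></html>'),
    "js_escaped": ('<script>document.location=unescape('
                   '"http%3A%2F%2F10.0.0.5%2Fp");</script>'),
    "click": ('<html><body><a href="http://other-target.test/go">'
              'click here</a></body></html>'),
    "plain": '<html><body><p>Pictures of my cat</p></body></html>',
}

# Three shapes of redirector: meta refresh, JS location assignment (possibly
# wrapped in unescape()), and a manual 'click here' link.
META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv\s*=\s*["\']?refresh["\']?[^>]*?'
    r'content\s*=\s*["\']?\s*\d+\s*;\s*url\s*=\s*([^"\'>\s]+)', re.I)
JS_LOCATION = re.compile(
    r'(?:window|document|top|self|parent)?\.?location(?:\.href)?\s*'
    r'(?:=|\.replace\s*\(|\.assign\s*\()\s*(?:unescape\s*\()?\s*'
    r'["\']([^"\']+)["\']', re.I)
CLICK_HERE = re.compile(
    r'<a[^>]+href\s*=\s*["\']?([^"\'>\s]+)[^>]*>\s*click\s+here', re.I)


def decode_uri(raw):
    """Undo HTML entities and stacked percent-encoding until nothing changes."""
    text = html.unescape(raw.strip())
    for _ in range(5):  # bounded: spamware stacks a few layers at most
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def extract_redirect_target(page):
    """Return (kind, target) for a redirector page, or (None, None)."""
    for kind, pattern in (("meta", META_REFRESH), ("js", JS_LOCATION),
                          ("click", CLICK_HERE)):
        m = pattern.search(page)
        if m:
            return kind, decode_uri(m.group(1))
    return None, None


CCTLD_SECOND_LEVEL = {"co", "com", "net", "org", "ac", "gov", "edu"}


def surbl_lookup_name(url, zone="multi.surbl.org"):
    """DNS name to query for url's host: registered domain (two labels, three
    under a ccTLD second level such as co.uk) or octet-reversed IPv4."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    if not host:
        raise ValueError("no host in %r" % url)
    labels = host.split(".")
    if len(labels) == 4 and all(l.isdigit() and int(l) < 256 for l in labels):
        key = ".".join(reversed(labels))
    elif (len(labels) >= 3 and labels[-2] in CCTLD_SECOND_LEVEL
          and len(labels[-1]) == 2):
        key = ".".join(labels[-3:])
    else:
        key = ".".join(labels[-2:])
    return "%s.%s" % (key, zone)


SURBL_BITS_2005 = {2: "sc", 4: "ws", 8: "ph", 16: "ob", 32: "ab", 64: "jp"}


def decode_surbl_answer(address, bits=SURBL_BITS_2005):
    """Map a 127.0.0.x answer to the component lists whose bits are set."""
    octets = address.split(".")
    if len(octets) != 4 or octets[:3] != ["127", "0", "0"]:
        raise ValueError("unexpected SURBL answer %r" % address)
    mask = int(octets[3])
    return sorted(name for bit, name in bits.items() if mask & bit)


def lookup_surbl(url, resolver=socket.gethostbyname):
    """Query SURBL for url's host; [] means not listed (NXDOMAIN).
    resolver is injectable so the example can run offline on a canned answer."""
    try:
        answer = resolver(surbl_lookup_name(url))
    except socket.gaierror:
        return []
    return decode_surbl_answer(answer)


if __name__ == "__main__":
    canned = {"example-target.test.multi.surbl.org": "127.0.0.12"}  # constructed

    def fake_resolver(name):
        if name in canned:
            return canned[name]
        raise socket.gaierror(-2, "NXDOMAIN (fake)")

    for label, page in SAMPLE_PAGES.items():
        kind, target = extract_redirect_target(page)
        if target is None:
            print(label, "-> no redirector found")
        else:
            print(label, kind, target, lookup_surbl(target, fake_resolver))
```

With the default resolver the script performs a real DNS lookup against multi.surbl.org, so it doubles as the "decode and query" helper Eric asked about; the regexes cover the unobfuscated cases he calls a piece of cake, not the encrypted redirectors his rules deal with.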
On Thursday, December 22, 2005, 1:58:36 AM, Guy Rosen wrote:
We've been compiling and reporting lists of GeoCities sites and from here too it seems GeoCities isn't handling them well. We compile lists based on spam reports from our user community, and at one point we even found around 3,500 (!) live GeoCities spam sites.
Eric, do you know that GeoCities were monitoring your list specifically, or might they have just shut down a lot of sites that day, regardless of your list?
Guy Rosen Lead Analyst, Operations Team Blue Security http://www.bluesecurity.com/ Tel: +972-9-9577736 x228 AIM: guyrrosen (double R)
I believe there are different parties reporting the spammed Geocities sites to Yahoo. It does seem like they're closing some accounts, but they're not very consistent about it yet.
Jeff C. -- Don't harm innocent bystanders.
Hi,
Guy Rosen wrote:
We've been compiling and reporting lists of GeoCities sites and from here too it seems GeoCities isn't handling them well.
Everyone agrees on that ;-)
We compile lists based on spam reports from our user community, and at one point we even found around 3,500 (!) live GeoCities spam sites.
Would you like to share and increase our coverage (if so, email me off list) ?
Eric, do you know that GeoCities were monitoring your list specifically, or might they have just shut down a lot of sites that day, regardless of your list?
I don't have a 'smoking gun' proof; however, the list had more than 300 alive Geocities sites. When the list-building script ran the next time (one hour later) there were only 14 left. Some of the addresses on this list had been kept alive for more than 3 months and went away that day. That means 95% of the listed sites were gone. Considering that new URIs are constantly added, the 14 remaining ones could have been added between the moment they grabbed it and the next run.
But if they did not use the list, that's even better! It means they can, whenever they see fit, remove more than 95% of all their spammy sites. Poof! Gone...
If they can do that, then why don't they *always* do it?
However, my point was not bragging about them using my list, but their removal proves they are perfectly aware of the situation, and they could at least mitigate the problem, but they usually *choose* to leave 98% of them online (more than so-called 'bulletproof' hosts!). Why?
That's why I wrote (and I still think) that, if they don't act quickly and effectively by themselves, exposing the facts to a broader audience will be the way to go.
Eric.
Guy Rosen Lead Analyst, Operations Team Blue Security http://www.bluesecurity.com/ Tel: +972-9-9577736 x228 AIM: guyrrosen (double R)
Eric Montréal wrote:
[snip] But if they did not use the list, that's even better! It means they can, whenever they see fit, remove more than 95% of all their spammy sites. Poof! Gone...
If they can do that, then why don't they *always* do it?
I guess it's easier for them to determine that a site is bad because it is listed (on a list they trust) than to check that themselves. If so, this is a lazy approach.
The least they could do is to set up spam traps to watch for mail containing their URLs. If the traps are sufficiently protected (secret / can't be guessed), they can even have an automated process.