I like it. While it hasn't completely nuked the geocities spam we were seeing, it has put a significant dent in it.
warren_ro@compuserve.com 12/13/2005 12:33 am >>>
Hi All,
Any feedback on how effective this is ?
Regards Warren
----- Original Message -----
From: "Eric Montréal" erv@mailpeers.net
To: "Jeff Chan" jeffc@surbl.org; "SURBL Discussion list" discuss@lists.surbl.org
Sent: Sunday, December 04, 2005 11:57 AM
Subject: Re: [SURBL-Discuss] Re: One way to handle the Geocities spam
Jeff Chan wrote:
On Friday, December 2, 2005, 3:31:41 PM, Eric Montréal wrote:
I've made my own auto-generated spamassassin rules for both Geocities and Tripod spam.
This list is similar in its principles to the good old BigEvilList ...
You can download and test it from there: http://nospam.mailpeers.net/
Feedback appreciated (good or bad, in or outside of the list) ...
This would work, but it could be somewhat difficult to maintain
The list generation / maintenance is somewhat automated and will be even more if there is enough interest for it.
What I would need now is a broader set of URLs, since I only have a partial view of what's going on at a global level.
and distribute.
Not sure what you mean by distribution, but if successful, it might need mirrors.
Note that that doesn't mean I think it's a bad idea. Anything that reasonably stops spam is a positive IMO.
Should work as the BigEvil list worked ... until it became too big and you found a way to solve the problem ...
In the meantime those rules are easy to add and don't require any change in Spamassassin.
Jeff C.
Don't harm innocent bystanders.
I'll do my best ;-)
Eric
_______________________________________________
Discuss mailing list
Discuss@lists.surbl.org
http://lists.surbl.org/mailman/listinfo/discuss
Hi,
Joe Zitnik wrote:
I like it. While it hasn't completely nuked the geocities spam we were seeing, it has put a significant dent in it.
Thanks for the comment.
If you want to make it more effective, you need to update the rules very frequently, since they have a short lifespan. I just finished an auto update script for them : http://nospam.mailpeers.net/#script (It seems to work well, but here too, feedback would be appreciated)
To really make the rules more effective I need to get more raw data. Some people are already sending me their URLs, but I would need more of them to get a better coverage.
Regards,
Eric
Eric Montréal wrote:
To really make the rules more effective I need to get more raw data. Some people are already sending me their URLs, but I would need more of them to get a better coverage.
I will send you mine. now, I would prefer to find less "exhaustive" ways. some time ago, I've looked at some (many) and they seemed to follow few patterns (two patterns covered most of the spams I've checked manually). so I think it would be good to share not just the URLs, but the full messages.
On Thursday, December 15, 2005, 5:16:46 PM, mouss mouss wrote:
Eric Montréal wrote:
To really make the rules more effective I need to get more raw data. Some people are already sending me their URLs, but I would need more of them to get a better coverage.
I will send you mine. now, I would prefer to find less "exhaustive" ways. some time ago, I've looked at some (many) and they seemed to follow few patterns (two patterns covered most of the spams I've checked manually). so I think it would be good to share not just the URLs, but the full messages.
If there are discernable patterns, can you share the patterns and/or rules to catch them?
Jeff C. -- Don't harm innocent bystanders.
Jeff Chan wrote:
If there are discernable patterns, can you share the patterns and/or rules to catch them?
simple checks:
- they contain a url in a known free hoster
- most have helo != rdns
- many have rdns = unknown
- many have rdns = looks dynamic
more importantly, there are things related to the data. but I don't wanna help spammers.
Hi,
mouss wrote:
Eric Montréal wrote:
To really make the rules more effective I need to get more raw data. Some people are already sending me their URLs, but I would need more of them to get a better coverage.
I will send you mine. now, I would prefer to find less "exhaustive" ways. some time ago, I've looked at some (many) and they seemed to follow few patterns (two patterns covered most of the spams I've checked manually). so I think it would be good to share not just the URLs, but the full messages.
You can send full messages if you want to, I did not ask for them to prevent dealing with privacy issues, and since my automated filters are based on the URLs, but full mails would help me see the patterns used.
patterns are fine as long as you keep them private. As soon as you share them in a public place, they quickly stop being effective ... spammy is listening.
For Geocities spams, it happened with this rule (and other similar ones) :
# Geocities page URL followed by a "?" query tag
body GeocitiesRd /(?i)http:\/\/(it|uk|sg|ca|www|au|in|mx|de|es)\.Geocities(\.yahoo|)\.com\/[A-Z_\-a-z0-9%]{1,60}\/\?[A-Z_\-a-z0-9%&]{1,100}/
describe GeocitiesRd Geocities Redirector spam.
score GeocitiesRd 3.0
They simply stopped using the ID tag ...
The majority of Geocities spams I get could be flagged by detecting the Geocities link + "F-R-E-E TODAY ONLY" + "charities" + "mail sending service" + "non-commercial", but my goal is less against some particular spams than against the whole principle of (ab)using free hosts as redirectors, since this makes detection more difficult and creates a disproportionate number of false negatives. If this possibility is closed, that will force them in parts of the internet where the ham / spam separation is easier than on places like Geocities, Tripod and other free hosts.
My goal with the ruleset, beyond Geocities is also to see if a near realtime URL blocking (1 hour updates) is practical, both for traditional spams and phishing URLs detection.
Also, please see the "WebRedirect SpamAssassin Plugin for use with 'Geocities Spam'" thread. Hopefully, the whole issue with Yahoo / Geocities will soon be history.
Where will they go next ? Keep sending your best spams to spamslut@mailpeers.net ;-)
Regards,
Eric.
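An added example, not code from the thread or from Eric's ruleset: it runs the GeocitiesRd pattern (regex escapes written out) and a list lookup of reported accounts over constructed message bodies, showing why the generic pattern stopped matching once the ID tag was dropped, while list entries keep matching but miss new accounts until the next update. The account names, `REPORTED_ACCOUNTS` and the helper functions are assumptions made for the illustration.

```python
import re
from urllib.parse import urlsplit

# The thread's GeocitiesRd pattern with its regex escapes written out.
GEOCITIES_RD = re.compile(
    r"(?i)http://(it|uk|sg|ca|www|au|in|mx|de|es)\.geocities(\.yahoo|)\.com/"
    r"[A-Z_\-a-z0-9%]{1,60}/\?[A-Z_\-a-z0-9%&]{1,100}"
)

# Assumption: stand-in for a frequently regenerated list of reported pages.
# Account names are constructed for this example, not real data.
REPORTED_ACCOUNTS = {"examplespammer01", "examplespammer02"}
FREE_HOST_SUFFIXES = (".geocities.com", ".geocities.yahoo.com")

def pattern_hit(body):
    """Generic rule: a Geocities page URL followed by a '?tag' query."""
    return GEOCITIES_RD.search(body) is not None

def list_hit(body):
    """List rule: a Geocities URL whose first path segment is a reported account."""
    for url in re.findall(r"http://\S+", body):
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if not host.endswith(FREE_HOST_SUFFIXES):
            continue
        account = parts.path.strip("/").split("/")[0].lower()
        if account in REPORTED_ACCOUNTS:
            return True
    return False

# Constructed message bodies covering the cases discussed in the thread.
SAMPLES = {
    "redirector with ID tag": "F-R-E-E TODAY ONLY http://www.geocities.com/examplespammer01/?x9f3k2",
    "same page, tag dropped": "F-R-E-E TODAY ONLY http://www.geocities.com/examplespammer01/",
    "new account with tag": "see http://uk.geocities.com/notyetreported/?abc",
    "ordinary personal page": "my photos: http://www.geocities.com/somefamily/holiday.html",
}

def evaluate():
    """Return {sample name: (pattern_hit, list_hit)} for every sample."""
    return {name: (pattern_hit(b), list_hit(b)) for name, b in SAMPLES.items()}

if __name__ == "__main__":
    for name, hits in evaluate().items():
        print(f"{name:26} pattern={hits[0]!s:5} list={hits[1]}")
```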
With regard to the latest subevil.cf could you please include "ar" in the countries list. Also would appreciate if the score is 5.0 ? Regards Warren
----- Original Message -----
From: "Eric Montréal" erv@mailpeers.net
To: "SURBL Discussion list" discuss@lists.surbl.org
Sent: Friday, December 16, 2005 11:55 PM
Subject: Re: [SURBL-Discuss] Re: One way to handle the Geocities spam
Hi,
mouss wrote:
Eric Montréal wrote:
To really make the rules more effective I need to get more raw data. Some people are already sending me their URLs, but I would need more of them to get a better coverage.
I will send you mine. now, I would prefer to find less "exhaustive" ways. some time ago, I've looked at some (many) and they seemed to follow few patterns (two patterns covered most of the spams I've checked manually). so I think it would be good to share not just the URLs, but the full messages.
You can send full messages if you want to, I did not ask for them to prevent dealing with privacy issues, and since my automated filters are based on the URLs, but full mails would help me see the patterns used.
patterns are fine as long as you keep them private. As soon as you share them in a public place, they quickly stop being effective ... spammy is listening.
For Geocities spams, it happened with this rule (and other similar ones) :
# Geocities page URL followed by a "?" query tag
body GeocitiesRd /(?i)http:\/\/(it|uk|sg|ca|www|au|in|mx|de|es)\.Geocities(\.yahoo|)\.com\/[A-Z_\-a-z0-9%]{1,60}\/\?[A-Z_\-a-z0-9%&]{1,100}/
describe GeocitiesRd Geocities Redirector spam.
score GeocitiesRd 3.0
They simply stopped using the ID tag ...
The majority of Geocities spams I get could be flagged by detecting the Geocities link + "F-R-E-E TODAY ONLY" + "charities" + "mail sending service" + "non-commercial", but my goal is less against some particular spams than against the whole principle of (ab)using free hosts as redirectors, since this makes detection more difficult and creates a disproportionate number of false negatives. If this possibility is closed, that will force them in parts of the internet where the ham / spam separation is easier than on places like Geocities, Tripod and other free hosts.
My goal with the ruleset, beyond Geocities is also to see if a near realtime URL blocking (1 hour updates) is practical, both for traditional spams and phishing URLs detection.
Also, please see the "WebRedirect SpamAssassin Plugin for use with 'Geocities Spam'" thread. Hopefully, the whole issue with Yahoo / Geocities will soon be history.
Where will they go next ? Keep sending your best spams to spamslut@mailpeers.net ;-)
Regards,
Eric.
Hi,
Warren Robinson wrote:
With regard to the latest subevil.cf could you please include "ar" in the countries list.
Let's not forget Argentina ...
Also would appreciate if the score is 5.0 ? Regards Warren
The new score you propose makes sense, so I changed it too.
More generally, if you don't like the score for any rule, you can define a meta rule containing the main rule and give it a modifier score.
let's say, you now want the rule to be 8 points instead of 5, you add the following rule to local.cf :
meta my_GeocitiesRd GeocitiesRd
describe my_GeocitiesRd Score modifier - Add 3 well earned points
score my_GeocitiesRd 3.0
If you want to add the same number of points to many rules, you can combine them in the meta rule.
Eric.