Just browsing through my spam folder and noticed a spam with the following URL:
http://yahoo.com.collectiza.com-munged/vp9
(without the -munged of course)
Looks like they might think that putting yahoo.com on the front will fool a simple parser ? :) Have we been "noticed" already or am I just being paranoid ;)
That particular spam didn't match on that test, but did match on another different URL in the same message...
Regards, Simon
At 12:30 22/04/2004, you wrote:
Just browsing through my spam folder and noticed a spam with the following URL:
[URL snipped]
(without the -munged of course)
Well that blew up in my face. My own SpamAssassin running SpamCopURI-0.12 (and the redirect parser enabled) picked that URL up despite my attempt to mung it, and matched it against both sc and ws :) Fortunately BAYES_00 was enough to prevent it from actually being blocked, but possibly some of you out there may have blocked it...
I can see one disadvantage to surbl - it makes it pretty hard to discuss the domain names of spammers ;)
Regards, Simon
On Wednesday, April 21, 2004, 5:38:06 PM, Simon Byrnand wrote:
At 12:30 22/04/2004, you wrote:
Just browsing through my spam folder and noticed a spam with the following URL:
[URL snipped]
(without the -munged of course)
Well that blew up in my face. My own SpamAssassin running SpamCopURI-0.12 (and the redirect parser enabled) picked that URL up despite my attempt to mung it, and matched it against both sc and ws :) Fortunately BAYES_00 was enough to prevent it from actually being blocked, but possibly some of you out there may have blocked it...
I can see one disadvantage to surbl - it makes it pretty hard to discuss the domain names of spammers ;)
LOL! Munge harder... ;-)
Jeff C.
On Wednesday, April 21, 2004, 5:30:37 PM, Simon Byrnand wrote:
Just browsing through my spam folder and noticed a spam with the following URL:
(without the -munged of course)
Looks like they might think that putting yahoo.com on the front will fool a simple parser ? :)
Another possibility is that the spam was keyed to a yahoo.com user address. Spammers can customize their messages, including URIs to detect how successful a particular spam run was or whether a particular destination email address got through.
Jeff C.
Good evening, Simon,
On Thu, 22 Apr 2004, Simon Byrnand wrote:
Just browsing through my spam folder and noticed a spam with the following URL:
http COWLON //yahoo DAWT com DAWT collectiza DAWT com/vp9
Looks like they might think that putting yahoo.com on the front will fool a simple parser ? :) Have we been "noticed" already or am I just being paranoid ;)
That particular spam didn't match on that test, but did match on another different URL in the same message...
They've been doing this for a long time, stuffing msn, yahoo, netscape and others in front of the domain, hoping that dumb string matchers will whitelist those and then ignore the true domain.
Short version; you're doing yourself a disservice if you allow mailing lists _about_ spam to go through spamassassin or any other filtering tool. Feed those lists off to separate files before you hit the spam checker.
Cheers,
- Bill
---------------------------------------------------------------------------
"Very funny, Mr. Scott. Now beam down my clothes."
(Courtesy of Michael J. Fromberger sting@linguist.thayer.dartmouth.edu)
--------------------------------------------------------------------------
William Stearns (wstearns@pobox.com). Mason, Buildkernel, freedups, p0f, rsync-backup, ssh-keyinstall, dns-check, more at: http://www.stearns.org
--------------------------------------------------------------------------
On Thu, Apr 22, 2004 at 12:30:37PM +1200, Simon Byrnand wrote:
Looks like they might think that putting yahoo.com on the front will fool a simple parser ? :) Have we been "noticed" already or am I just being paranoid ;)
It's just another decoy tactic, same as using a DNS wildcard and a randomized 3LD. Also makes the URL a bit more palatable, probably improves the spammer's clickthrough by a tiny fraction of a percent, and maybe triggers a few poorly-constructed whitelist patterns. URIBL checks should match it like any other wildcard.
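Added example, not part of any message in this thread and not SpamAssassin or SpamCopURI code: a sketch of why a substring whitelist is fooled by a decoy prefix while a lookup keyed on the registrable domain is not, covering both the decoy-prefix and randomized-3LD cases mentioned above. The zone name, the two-level suffix list, the sample URLs and all function names are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed, deliberately tiny list of two-level public suffixes; a real
# deployment would use a maintained list instead (assumption).
TWO_LEVEL_SUFFIXES = {"co.uk", "co.nz", "com.au"}
WHITELIST = {"yahoo.com"}      # registrable domains that are never looked up
ZONE = "uribl.example"         # placeholder zone name, not a real blocklist

def naive_whitelisted(url):
    """The 'dumb string matcher': a whitelist hit anywhere in the URL."""
    return any(w in url for w in WHITELIST)

def registered_domain(url):
    """Return the registrable domain of the URL's host (IP literals out of scope)."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    labels = host.split(".")
    if len(labels) < 2:
        return host
    # Keep three labels under a known two-level suffix, otherwise two.
    keep = 3 if ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES else 2
    return ".".join(labels[-keep:])

def lookup_name(url):
    """DNS name to query, or None when the registrable domain is whitelisted."""
    domain = registered_domain(url)
    if not domain or domain in WHITELIST:
        return None
    return f"{domain}.{ZONE}"

# Constructed sample URLs (not taken from real mail).
SAMPLES = [
    "http://yahoo.com.spamdomain.example/vp9",   # decoy prefix
    "http://x7f3q.spamdomain.example/",          # randomized 3LD on a wildcard
    "http://promo.spamdomain.co.nz/",            # two-level suffix
    "http://mail.yahoo.com/inbox",               # genuinely whitelisted
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{url:45} naive_whitelist={naive_whitelisted(url)!s:5} "
              f"query={lookup_name(url)}")
```

The first two samples reduce to the same query name, so one listing covers every hostname the wildcard can produce.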