I was planning on giving Yahoo! more time to correct their "Geocities Spam" problem before I released my plugin to deal with it, but I've been noticing a decline in the scores these mails are getting.
I also just found out that I have copies of this sort of spam going back to at least December 28, 2004 and have been getting them in volume since May 2005. I had thought it only went back to September and not back an entire year with increasing volume (10%+ of my spam is now "geocities spam") in the last six months. In my opinion they've had sufficient time to act.
Further, while adding some documentation to the plugin, I tested some of the spam I used to write the plugin back in September and found that some of the "member sites" are still active.
Conveniently, there are only a few versions of the pages linked to, so writing rules against them is pretty effective -- which is what this plugin is for.
A few words of caution if you do decide to use this plugin:
- While I believe there are no issues with the code, I'm not too familiar with LWP::UserAgent, so it's entirely possible that I have missed something. In the event your machine gets rooted, you've been warned.
- Querying the links found in an email inherently has a number of privacy and technical issues you should be aware of. The plugin attempts to avoid them by stripping visible query strings and login credentials, but I encourage you to read the WARNING section of the plugin's perldoc before using it. Be sure to NEVER use this plugin to query links hosted on a server the sender may control.
- High-volume sites would be wise to run this behind a caching HTTP proxy such as Squid to reduce the 0.3 to 1 second that it may take to query each link. While the web query is blocking, it takes place just after the DNS requests are kicked off, so it gives the DNS queries more time to complete, which may result in DNSBL hits that may have been missed due to timeouts.
- The scores assigned to the rules are guesses on my part based on what they match. I have no legitimate email to compare hits against. I recommend monitoring the hits for some period of time and reassigning scores if necessary or not to your liking.
The plugin is available at: http://wiki.apache.org/spamassassin/WebRedirectPlugin
Send me an email if you find the plugin useful or spot a flaw that should be corrected.
Best Regards,
Daryl C. W. O'Shea
Hi,
Looks like, after months ignoring the problem, a miracle finally happened at Yahoo / Geocities tonight ...
Yesterday, my list of alive Geocities spammy sites was more than 350 names long.
Tonight it's down to ... 14 Geocities sites ! All others have been shut down http://nospam.mailpeers.net/alive_spammy.txt
Just for fun, here is the RIP list: http://nospam.mailpeers.net/rip_spammy.txt
Could you guys verify that the sites marked as 'Closed' in the ruleset are 403/404 from your location too ? http://nospam.mailpeers.net/subevil.cf
Here is a one liner bash command line script to check them all (don't worry, wget in spider mode downloads nothing) :
wget http://nospam.mailpeers.net/rip_spammy.txt -Orip.txt;for i in $(egrep -i '^http:[0-9a-z/_.-]*\bgeocities\b[0-9a-z/_.-]*$'<rip.txt);do echo -n "$i - ";wget -T3 -t3 -w3 --spider -U"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)" "$i" 2>&1|grep 'awaiting'|cut -d'.' -f4|cut -d' ' -f2-;done;rm -f rip.txt
Are they all 403 or 404 ?
Would be too bad if they ... just banned my spider! (I connected from 3 different places, got the same results)
Anyways, keep sending those spammy URLs to spamslut@mailpeers.net, but it seems like someone at Yahoo finally decided to act before being caught in a fine SpamAssassin plugin or some ugly wget loops ...
Let's see if that was a one time action or if they'll keep cleaning the mess until the spammers move out of their servers and back to places where SURBL will be able to toast them ...
Waiting for your feedback, as usual ;-)
Eric.
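Added example (not part of the thread or of the plugin): the caution earlier in this thread, strip visible query strings and login credentials and never contact a server the sender may control, applied to a URL before it is handed to a checker such as the wget loop above. It goes a step further by rebuilding the URL from its parsed parts and requiring the host to fall under an allowlisted hosting domain. The function name sanitize_url, the ALLOWED_SUFFIXES list and the sample URLs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. ALLOWED_SUFFIXES is an assumption: the hosting domains you
# have decided are safe to contact (never a server the sender may control).
ALLOWED_SUFFIXES="geocities.com geocities.yahoo.com.br"

# sanitize_url URL: print a rebuilt, probe-safe URL and return 0,
# or print nothing and return 1 if the URL must not be queried.
sanitize_url() {
    url=$1
    case $url in
        http://*) rest=${url#http://} ;;
        *) return 1 ;;                       # plain http only
    esac
    rest=${rest%%#*}                         # drop fragment
    rest=${rest%%\?*}                        # drop visible query string
    authority=${rest%%/*}
    path=${rest#"$authority"}
    host=${authority##*@}                    # drop user:password@ credentials
    case $host in *:*) return 1 ;; esac      # refuse explicit ports
    host=$(printf '%s' "$host" | tr 'A-Z' 'a-z')
    case $host in ''|*[!a-z0-9.-]*) return 1 ;; esac
    case $path in *[!A-Za-z0-9/._~%-]*) return 1 ;; esac
    for suffix in $ALLOWED_SUFFIXES; do
        case $host in
            "$suffix"|*."$suffix")
                # Rebuild from parsed parts so nothing unparsed reaches the fetcher.
                printf 'http://%s%s\n' "$host" "${path:-/}"
                return 0 ;;
        esac
    done
    return 1                                 # host is outside the allowlist
}

# Constructed sample input (not taken from any real message).
while IFS= read -r u; do
    if clean=$(sanitize_url "$u"); then
        echo "probe $clean"
    else
        echo "skip  $u"
    fi
done <<'EOF'
http://user:secret@uk.geocities.com/constructed_member/?rcpt=victim@example.org#top
http://geocities.com@sender-controlled.example/constructed_member/
http://geocities.com.sender-controlled.example/
http://geocities.yahoo.com.br
EOF
```

Identifiers carried in the path itself are not visible to this kind of stripping, so a per-recipient path still confirms delivery when it is fetched.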
On Friday, December 16, 2005, 1:59:21 AM, Eric Montréal wrote:
> Hi,
> Looks like, after months ignoring the problem, a miracle finally happened at Yahoo / Geocities tonight ...
> Yesterday, my list of alive Geocities spammy sites was more than 350 names long.
> Tonight it's down to ... 14 Geocities sites ! All others have been shut down http://nospam.mailpeers.net/alive_spammy.txt
> Just for fun, here is the RIP list: http://nospam.mailpeers.net/rip_spammy.txt
> [...]
> Are they all 403 or 404 ?
> Would be too bad if they ... just banned my spider! (I connected from 3 different places, got the same results)
Woohoo! I spot checked about a dozen and they were all 403 for me too. Looks like they're finally getting a handle on their abuse.
Jeff C. -- Don't harm innocent bystanders.
Eric Montréal writes:
> Looks like, after months ignoring the problem, a miracle finally happened at Yahoo / Geocities tonight ...
> Yesterday, my list of alive Geocities spammy sites was more than 350 names long.
> Tonight it's down to ... 14 Geocities sites ! All others have been shut down http://nospam.mailpeers.net/alive_spammy.txt
Hmm. Unfortunately we're still seeing a lot. Here's a small selection:
http://es.geocities.comMUNGED/manuel_skye/ http://in.geocities.comMUNGED/shannon_mezera/ http://geocities.yahoo.comMUNGED.br/abraham_gerdeman/ http://geocities.yahoo.comMUNGED.br/clemente_vaneyck/ http://uk.geocities.comMUNGED/robert_smull/ http://it.geocities.comMUNGED/joel_abreu9/ http://uk.geocities.comMUNGED/z2440azzaai/ http://geocities.yahoo.comMUNGED.br/elvin_bigda/ http://uk.geocities.comMUNGED/hayley64368stanwood80846/ http://geocities.yahoo.comMUNGED.br/leonel_laster/ http://uk.geocities.comMUNGED/alphonsealexanderhall/
Looks pretty similar; perhaps they've started shutting down accounts on your list?
--j.
Hi,
Justin Mason wrote:
> Eric Montréal writes:
> > Looks like, after months ignoring the problem, a miracle finally happened at Yahoo / Geocities tonight ...
> > Yesterday, my list of alive Geocities spammy sites was more than 350 names long.
> > Tonight it's down to ... 14 Geocities sites ! All others have been shut down http://nospam.mailpeers.net/alive_spammy.txt
> Hmm. Unfortunately we're still seeing a lot. Here's a small selection:
Unfortunately, I get them too ... and the new ones are still alive.
> http://es.geocities.comMUNGED/manuel_skye/ http://in.geocities.comMUNGED/shannon_mezera/ http://geocities.yahoo.comMUNGED.br/abraham_gerdeman/ http://geocities.yahoo.comMUNGED.br/clemente_vaneyck/ http://uk.geocities.comMUNGED/robert_smull/ http://it.geocities.comMUNGED/joel_abreu9/ http://uk.geocities.comMUNGED/z2440azzaai/ http://geocities.yahoo.comMUNGED.br/elvin_bigda/ http://uk.geocities.comMUNGED/hayley64368stanwood80846/ http://geocities.yahoo.comMUNGED.br/leonel_laster/ http://uk.geocities.comMUNGED/alphonsealexanderhall/
> Looks pretty similar; perhaps they've started shutting down accounts on your list?
I hope that's not the way they did it, or at least not the *only* way !
Anyways, I've added them to the filtered list.
I think Geocities needs *a few* days to set up their filters and clean up the servers; we'll keep watching the situation and see where spammy is going ...
Eric.
> Looks like, after months ignoring the problem, a miracle finally happened at Yahoo / Geocities tonight ...
> Yesterday, my list of alive Geocities spammy sites was more than 350 names long.
> Tonight it's down to ... 14 Geocities sites ! All others have been shut down http://nospam.mailpeers.net/alive_spammy.txt
Yee-HAW! :)
> Just for fun, here is the RIP list: http://nospam.mailpeers.net/rip_spammy.txt
Definitely fun. :>
Let's hope this continues.