[SURBL-Discuss] Re: One way to handle the Geocities spam

Eric Montréal erv at mailpeers.net
Fri Dec 16 11:55:58 CET 2005


Hi,

mouss wrote:

> Eric Montréal wrote:
>
>> To really make the rules more effective I need to get more raw data.
>> Some people are already sending me their URLs, but I would need
>> more of them to get a better coverage.
>
> I will send you mine. Now, I would prefer to find less "exhaustive"
> ways. Some time ago, I've looked at some (many) and they seemed to
> follow a few patterns (two patterns covered most of the spams I've
> checked manually). So I think it would be good to share not just the
> URLs, but the full messages.
>
You can send full messages if you want to. I did not ask for them to avoid
dealing with privacy issues, and since my automated filters are based on
the URLs, but full mails would help me see the patterns used.

Patterns are fine as long as you keep them private. As soon as you share
them in a public place, they quickly stop being effective ... spammy is
listening.

For Geocities spams, it happened with this rule (and other similar ones):

body         GeocitiesRd   /(?i)http\:\/\/(it|uk|sg|ca|www|au|in|mx|de|es)\.Geocities(\.yahoo|)\.com\/[A-Z_\-a-z0-9%]{1,60}\/\?[A-Z_\-a-z0-9%&]{1,100}/
describe     GeocitiesRd   Geocities Redirector spam.
score        GeocitiesRd   3.0

They simply stopped using the ID tag ...
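The rule above and the evasion just described, as an added example that is not part of the original post: the GeocitiesRd regex is ported to Python and run over three constructed message bodies (not real spam), one with the "/?<id tag>" the rule requires, one without it, and one clean message. A second, assumed rule (GeocitiesHost, with an assumed score of 1.5) generalises the country list to any 2-3 letter subdomain and makes the ID tag optional, so the redirector link is flagged either way; the names, the broadened pattern and its score are mine, not from the thread.

```python
import re

# Python port of the GeocitiesRd body rule quoted in the post. Perl and Python
# regex syntax agree for this pattern, so it is copied character for character.
GEOCITIES_RD = re.compile(
    r"(?i)http\:\/\/(it|uk|sg|ca|www|au|in|mx|de|es)\.Geocities(\.yahoo|)\.com"
    r"\/[A-Z_\-a-z0-9%]{1,60}\/\?[A-Z_\-a-z0-9%&]{1,100}"
)

# Assumed broader rule (not from the post): same host shape, but the trailing
# "/?<id tag>" is optional, so a redirector link with or without the ID tag hits.
# The 2-3 letter subdomain class generalises the explicit country list.
GEOCITIES_HOST = re.compile(
    r"(?i)https?://[a-z]{2,3}\.geocities(?:\.yahoo)?\.com"
    r"/[A-Z_\-a-z0-9%]{1,60}/?(?:\?[A-Z_\-a-z0-9%&]{1,100})?"
)

# Rule table in SpamAssassin's name -> (pattern, score) shape. 3.0 is the score
# from the post; 1.5 for the broader rule is an assumed value.
RULES = {
    "GeocitiesRd": (GEOCITIES_RD, 3.0),
    "GeocitiesHost": (GEOCITIES_HOST, 1.5),
}

# Constructed sample bodies (not real spam): the shape the post describes,
# with and without the "/?..." ID tag, plus a clean message.
SAMPLES = {
    "with_id_tag": "F-R-E-E TODAY ONLY: http://uk.geocities.com/abc_123/?ref1&ref2 (non-commercial)",
    "no_id_tag": "F-R-E-E TODAY ONLY: http://uk.geocities.com/abc_123/ (non-commercial)",
    "clean": "Minutes attached; see http://www.example.org/minutes?week=50 for the agenda.",
}


def score_body(body, rules=RULES):
    """Return {rule_name: score} for every rule whose regex matches the body."""
    return {name: score for name, (pattern, score) in rules.items() if pattern.search(body)}


def total_score(body, rules=RULES):
    """Sum of the matching rule scores, the way SpamAssassin adds them up."""
    return sum(score_body(body, rules).values())


if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(f"{label:12s} score={total_score(body):.1f} hits={sorted(score_body(body))}")
```

Running it shows the original rule scoring only the body that still carries the ID tag, while the broadened rule scores both Geocities bodies and leaves the clean one at zero; the trade-off is that a rule keyed on the host alone will also hit legitimate Geocities links, which is why it gets a lower score here.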

The majority of Geocities spams I get could be flagged by detecting the
Geocities link + "F-R-E-E TODAY ONLY" + "charities" + "mail sending service"
+ "non-commercial", but my goal is less against some particular spams than
against the whole principle of (ab)using free hosts as redirectors, since
this makes detection more difficult and creates a disproportionate number
of false negatives. If this possibility is closed, that will force them into
parts of the internet where the ham / spam separation is easier than on
places like Geocities, Tripod and other free hosts.

My goal with the ruleset, beyond Geocities, is also to see if a near
realtime URL blocking (1 hour updates) is practical, both for traditional
spams and phishing URLs detection.

Also, please see the "WebRedirect SpamAssassin Plugin for use with
'Geocities Spam'" thread. Hopefully, the whole issue with Yahoo / Geocities
will soon be history.

Where will they go next? Keep sending your best spams to
spamslut at mailpeers.net ;-)

Regards,

Eric.
