[SURBL-Discuss] Re: One way to handle the Geocities spam

Warren Robinson warren_ro at compuserve.com
Fri Dec 16 21:07:02 CET 2005


With regard to the latest subevil.cf, could you please include "ar" in the 
countries list?
Also, I would appreciate it if the score is 5.0.
Regards
Warren

----- Original Message ----- 
From: "Eric Montréal" <erv at mailpeers.net>
To: "SURBL Discussion list" <discuss at lists.surbl.org>
Sent: Friday, December 16, 2005 11:55 PM
Subject: Re: [SURBL-Discuss] Re: One way to handle the Geocities spam


>
> Hi,
>
> mouss wrote:
>
>> Eric Montréal wrote:
>>
>>> To really make the rules more effective I need to get more raw data.
>>> Some people are already sending me their URLs, but I would need
>>> more of them to get a better coverage.
>>
>> I will send you mine. Now, I would prefer to find less "exhaustive"
>> ways. Some time ago, I looked at some (many) and they seemed to follow
>> a few patterns (two patterns covered most of the spams I've checked
>> manually). So I think it would be good to share not just the URLs, but
>> the full messages.
>>
> You can send full messages if you want to. I did not ask for them, to
> prevent dealing with privacy issues, and since my automated filters are
> based on the URLs, but full mails would help me see the patterns used.
>
> Patterns are fine as long as you keep them private. As soon as you
> share them in a public place, they quickly stop being effective ...
> spammy is listening.
>
> For Geocities spams, it happened with this rule (and other similar ones):
>
> body         GeocitiesRd   /(?i)http\:\/\/(it|uk|sg|ca|www|au|in|mx|de|es)\.Geocities(\.yahoo|)\.com\/[A-Z_\-a-z0-9%]{1,60}\/\?[A-Z_\-a-z0-9%&]{1,100}/
> describe     GeocitiesRd   Geocities Redirector spam.
> score        GeocitiesRd   3.0
>
> They simply stopped using the ID tag ...
>
> The majority of Geocities spams I get could be flagged by detecting the
> Geocities link + "F-R-E-E TODAY ONLY" + "charities" + "mail sending
> service" + "non-commercial", but my goal is less against some particular
> spams than against the whole principle of (ab)using free hosts as
> redirectors, since this makes detection more difficult and creates a
> disproportionate number of false negatives. If this possibility is
> closed, that will force them into parts of the internet where the
> ham / spam separation is easier than on places like Geocities, Tripod
> and other free hosts.
>
> My goal with the ruleset, beyond Geocities, is also to see if near
> realtime URL blocking (1 hour updates) is practical, both for
> traditional spams and phishing URL detection.
>
> Also, please see the "WebRedirect SpamAssassin Plugin for use with
> 'Geocities Spam'" thread. Hopefully, the whole issue with Yahoo /
> Geocities will soon be history.
>
> Where will they go next? Keep sending your best spams to
> spamslut at mailpeers.net ;-)
>
> Regards,
>
> Eric.
>
>
> _______________________________________________
> Discuss mailing list
> Discuss at lists.surbl.org
> http://lists.surbl.org/mailman/listinfo/discuss
> 
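
A rule-coverage check for the GeocitiesRd pattern quoted above, as an added example that is not part of the original messages or of any SURBL or SpamAssassin code. It runs the quoted regex over a handful of constructed URLs and reports why a Geocities URL is missed: the host prefix is not in the rule's alternation (the "ar" sample is an assumption borrowed from the request above about subevil.cf) or the query string the rule requires is absent. The helper names `classify` and `coverage` are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Pattern transcribed from the GeocitiesRd body rule quoted in the thread.
GEOCITIES_RD = re.compile(
    r"(?i)http\:\/\/(it|uk|sg|ca|www|au|in|mx|de|es)\.Geocities(\.yahoo|)\.com"
    r"\/[A-Z_\-a-z0-9%]{1,60}\/\?[A-Z_\-a-z0-9%&]{1,100}"
)
# Host prefixes listed in the rule's alternation.
RULE_PREFIXES = {"it", "uk", "sg", "ca", "www", "au", "in", "mx", "de", "es"}
# Hypothetical helper pattern: any <prefix>.geocities[.yahoo].com host.
HOST_RE = re.compile(r"^([a-z0-9-]+)\.geocities(?:\.yahoo)?\.com$", re.I)


def classify(url):
    """Return 'hit', a 'miss:<reason>' label, or 'not-geocities'."""
    if GEOCITIES_RD.search(url):
        return "hit"
    parts = urlsplit(url)
    m = HOST_RE.match(parts.hostname or "")
    if not m:
        return "not-geocities"
    if m.group(1).lower() not in RULE_PREFIXES:
        return "miss:prefix"       # country/host prefix absent from the rule
    if not parts.query:
        return "miss:no-query"     # rule requires "/?<tag>" after the user dir
    return "miss:other"


def coverage(urls):
    """Group URLs by classification so rule gaps show up as buckets."""
    report = {}
    for u in urls:
        report.setdefault(classify(u), []).append(u)
    return report


# Constructed sample URLs (not taken from real spam).
SAMPLE_URLS = [
    "http://www.geocities.com/exampleuser01/?abc123",
    "http://uk.geocities.yahoo.com/exampleuser02/?id=77&x=1",
    "http://www.geocities.com/exampleuser03/",
    "http://ar.geocities.com/exampleuser04/?abc123",
    "http://example.org/page/?abc123",
]

if __name__ == "__main__":
    for reason, urls in sorted(coverage(SAMPLE_URLS).items()):
        print(f"{reason:14} {len(urls)}")
        for u in urls:
            print("    " + u)
```

Running it against a real URL feed before and after a rule change shows which bucket the misses fall into, which is the data needed to decide whether a prefix list or the pattern itself has gone stale.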




