[SURBL-Discuss] Re: One way to handle the Geocities spam
warren_ro at compuserve.com
Fri Dec 16 21:07:02 CET 2005
With regard to the latest subevil.cf could you please include "ar" in the
Also would appreciate if the score is 5.0 ?
----- Original Message -----
From: "Eric Montréal" <erv at mailpeers.net>
To: "SURBL Discussion list" <discuss at lists.surbl.org>
Sent: Friday, December 16, 2005 11:55 PM
Subject: Re: [SURBL-Discuss] Re: One way to handle the Geocities spam
> mouss wrote:
>> Eric Montréal a écrit :
>>> To really make the rules more effective I need to get more raw data.
>>> Some people are already sending me their URLs, but I would need
>>> more of them to get a better coverage.
>> I will send you mine. now, I would prefer to find less "exhaustive" ways.
>> sometimes ago, I've looked at some (many) and they seemed to follow few
>> patterns (two patterns covered most of the spams I've checked manually).
>> so I think it would be good to share not just the URLs, but the full
> You can send full messages if you want to, I did not ask for them to
> dealing with privacy issues, and since my automated filters are based on
> the URLs,
> but full mails would help me see the patterns used.
> patterns are fine as long as you keep them private. As soon as you share
> in a public place, they quickly stop being effective ... spammy is
> For Geocities spams, it happened with this rule (and other similar ones) :
> body GeocitiesRd
> describe GeocitiesRd Geocities Redirector spam.
> score GeocitiesRd 3.0
> They simply stopped using the ID tag ...
> The majority of Geocities spams I get could be flagged by detecting the
> Geocities link
> + "F-R-E-E TODAY ONLY" + "charities" + "mail sending service" +
> but my goal is less against some particular spams than against the whole
> principle of
> (ab)using free hosts as redirectors, since this makes detection more
> difficult and creates a
> disproportionate number of false negatives. If this possibility is closed,
> that will force them
> in parts of the internet where the ham / spam separation is easier than
> on places like
> Geocities, Tripod and other free hosts.
> My goal with the ruleset, beyond Geocities is also to see if a near
> realtime URL blocking
> (1 hour updates) is practical, both for traditional spams and phishing
> URLs detection.
> Also, please see the "WebRedirect SpamAssassin Plugin for use with
> 'Geocities Spam'"
> thread. Hopefully, the whole issue with Yahoo / Geocities will soon be
> Where will they go next ? Keep sending your best spams to
> spamslut at mailpeers.net ;-)
> Discuss mailing list
> Discuss at lists.surbl.org
More information about the Discuss