[SURBL-Discuss] Re: uk DOT geocities DOT com

Eric Montréal erv at mailpeers.net
Sat Oct 8 23:04:45 CEST 2005


Hi,

I recently added some SpamAssassin rules that deal with these Geocities 
spams, as I gathered a list of them.

Here are my rules (used in my server & also posted in NANAE) :

Description :

PW_GEOCITIES adds a little 0.2 for any email containing a link to 
Geocities. Obviously, this rule will trigger some False Positives and 
the score is low.
I added it mainly as a way to check valid mails with a geocities link 
within them.

PW_GEOCITIES_DASH adds 1.0 when the address contains either "_" or "-" 
in the user name (used to bump the score a bit when no redirector is 
used). Few legitimate geocities accounts use these characters, but 
expect a few False Positives.

PW_GEOCITIES_RD adds a massive 10 points when a geocities account with 
redirection / tracking is detected (no normal geocities account owner 
would do that. False Positive rate should be very close to Zero)

# Deal with Geocities Spam

body      PW_GEOCITIES       /(?i)http\:\/\/(it|uk|sg|ca|www|au|in|mx|de|es)\.geocities(\.yahoo|)\.com\//
describe  PW_GEOCITIES       Contains a link to Geocities.
score     PW_GEOCITIES       0.2

body      PW_GEOCITIES_DASH  /(?i)http\:\/\/(it|uk|sg|ca|www|au|in|mx|de|es)\.geocities(\.yahoo|)\.com\/[A-Za-z0-9%]{1,40}(_|\-)[A-Z_\-a-z0-9%]{1,60}/
describe  PW_GEOCITIES_DASH  Link to Geocities with a - or _
score     PW_GEOCITIES_DASH  1.0

body      PW_GEOCITIES_RD    /(?i)http\:\/\/(it|uk|sg|ca|www|au|in|mx|de|es)\.geocities(\.yahoo|)\.com\/[A-Z_\-a-z0-9%]{1,60}\/\?[A-Z_\-a-z0-9%&]{1,100}/
describe  PW_GEOCITIES_RD    Geocities Redirector spam.
score     PW_GEOCITIES_RD    10.0


My 0.02

Eric

------------------------------------------------------------------------------------

Raymond Dijkxhoorn wrote:

> Hi!
>
>> Here's a recipe I've put in the SpamBouncer that catches most of
>> the spam with Geocities links I've been seeing.  Most of that spam
>> contains, not just a Geocities URL (not always uk.geocities.com),
>> but also a query right after the domain and first slash. If you
>> block that pattern, you'll catch a lot of spam. So far, I've seen
>> *no* false positives -- in the SpamBouncer spamtrap or as complaints
>> from users of SpamBouncer 2.1 beta.
>>
>> SpamBouncer is a huge set of Procmail recipes, so anyone who uses
>> Procmail might find this handy:
>
>
> We see a lot coming in with plain http://geocities.com lately, so you 
> might want to add that also.
>
> Bye,
> Raymond.
>
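
An added example, not part of the original message: the three patterns from the post transcribed for Python's re module and run over constructed message bodies, to show which rules fire together and what score results. The account names and query strings are made up; the last sample is the bare http://geocities.com form mentioned in the quoted reply, which none of the three patterns as posted matches because each requires a host prefix.

```python
import re

# The three patterns from the post, transcribed for Python's re module
# (one case-insensitive flag instead of the doubled inline (?i)).
HOST = r"http://(it|uk|sg|ca|www|au|in|mx|de|es)\.geocities(\.yahoo|)\.com/"
RULES = [
    ("PW_GEOCITIES", 0.2, HOST),
    ("PW_GEOCITIES_DASH", 1.0,
     HOST + r"[A-Za-z0-9%]{1,40}(_|-)[A-Z_\-a-z0-9%]{1,60}"),
    ("PW_GEOCITIES_RD", 10.0,
     HOST + r"[A-Z_\-a-z0-9%]{1,60}/\?[A-Z_\-a-z0-9%&]{1,100}"),
]
COMPILED = [(n, s, re.compile(p, re.I)) for n, s, p in RULES]


def evaluate(body):
    """Return (names of rules that hit, summed score) for one message body."""
    hits = [(name, score) for name, score, rx in COMPILED if rx.search(body)]
    return [n for n, _ in hits], round(sum(s for _, s in hits), 2)


# Constructed sample bodies; account names and query strings are made up.
SAMPLES = {
    "plain_page": "My photos: http://www.geocities.com/examplehome/index.html",
    "dash_user": "Look: http://uk.geocities.com/example_user99/",
    "redirector": "Click http://uk.geocities.com/exampleacct/?abc123&x",
    "dash_redirector": "Click http://ca.geocities.yahoo.com/ex-ample/?abc123",
    "bare_domain": "Click http://geocities.com/exampleacct/?abc123",
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(label, evaluate(body))
```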


