[SURBL-Discuss] Yahoo Single-Link spam

Dan Mahoney, System Admin danm at prime.gushi.org
Mon Mar 11 11:46:00 CET 2013

Hey all,

I'm getting a lot of single-link spam from Yahoo -- seems to be via 
compromised accounts, mostly (as in, via an account that my address would 
be in the addressbook of).  It's coming through legitimately via the 
Yahoo servers, with DKIM signatures intact and all.  As the message body 
is purely a link (at least, the text-plain portion is), this is an ideal 
job for SURBL and pretty hard for most other content matching.

One such example (spaces added by me):

http://dark  turn  ip.com/sxduvb/dgemdczfcmc/lzuc.php

Yahoo seem to be absolutely braindead about spam reporting on these 
compromised accounts.  So much so that I wrote a blog about it: 

I could easily create a SpamAssassin or Procmail rule to block these 
messages, but I think it makes sense to make better use of this data.

I often report things that get through SpamAssassin to SpamCop, which I 
understand feeds SURBL, but as SpamCop has to wait for me to go hit their 
webpage, this introduces a lag that need not be present, ergo I'm happy to 
feed traps directly from my system procmailrc -- where I have a couple 
hundred friends-and-family domains.

Anyone interested?
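
The check described in the post, as an added example that is not part of the original message: it decides whether a message's text/plain part is a single link and builds the name to query in SURBL. Assumptions: the multi.surbl.org zone, the helper names, the two-label domain shortcut, and the constructed sample messages with placeholder example.* names.

```python
import ipaddress
from email import message_from_string
from email.policy import default
from urllib.parse import urlsplit

SURBL_ZONE = "multi.surbl.org"  # assumption: SURBL's combined public zone

def plain_text(raw_message):
    """Return the decoded text/plain part of a raw message ('' if none)."""
    msg = message_from_string(raw_message, policy=default)
    part = msg.get_body(preferencelist=("plain",))
    return part.get_content() if part is not None else ""

def single_link_host(raw_message):
    """Host of the URL if the text/plain body is one http(s) URL, else None."""
    tokens = plain_text(raw_message).split()
    if len(tokens) != 1:
        return None
    try:
        url = urlsplit(tokens[0])
    except ValueError:  # malformed URL, e.g. a broken IPv6 literal
        return None
    if url.scheme not in ("http", "https") or not url.hostname:
        return None
    return url.hostname.rstrip(".")

def surbl_query_name(host):
    """DNS name to look up for a host name; None for IP-literal hosts."""
    try:
        ipaddress.ip_address(host)
        return None
    except ValueError:
        pass
    # Simplification: the last two labels stand in for the registered domain,
    # which is wrong for suffixes such as co.uk.
    return ".".join(host.split(".")[-2:]) + "." + SURBL_ZONE

# Constructed sample messages; every name below is a placeholder.
SINGLE_LINK = (
    "From: friend@example.org\nSubject: hi\nMIME-Version: 1.0\n"
    "Content-Type: multipart/alternative; boundary=b1\n\n"
    "--b1\nContent-Type: text/plain\n\n"
    "http://www.spam-link.example/sxd/abc.php\n"
    "--b1\nContent-Type: text/html\n\n"
    "<a href='http://www.spam-link.example/sxd/abc.php'>look</a>\n--b1--\n"
)
ORDINARY = ("From: friend@example.org\nSubject: lunch\n\n"
            "Still on for noon? Menu: http://cafe.example/menu\n")

if __name__ == "__main__":
    for raw in (SINGLE_LINK, ORDINARY):
        host = single_link_host(raw)
        print(host, surbl_query_name(host) if host else None)
```

A resolver answer for the returned name means the domain is listed; the lookup itself is left out so the example runs offline.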



