Andre Nicholson
Fri, 05 Aug 2005 20:07:55 -0700
Kelson wrote:
Over the last few days, we've been seeing a lot of spam that contains nothing but a pair of names and a link to a URL at uk.geocities.com. No image, no obfuscation, only a small percent has any bayes poison. Just the link and two names. Most of it is pill spam, some mortgage.

SURBL can't catch it, because all it sees is geocities.com. Some of them have tripped SARE header tests, but most haven't. Even when they trip BAYES_99, often the only other rule is something like one of the DATE_IN_PAST rules, which isn't enough to push it over the edge.

I finally just added a URI rule, which seems fine (since, IIRC, this would mean someone at GeoCities with the username "uk") and we've logged 150 of them in the past few hours.

Is anyone else seeing these?

I see spam messages with links to GeoCities web sites all of the time. Although my experience is a little different than yours: the messages are always for porn. So I use the following rule to catch them:
uri __GEOCITIES_NUM /uk\.geocities\.com\/[a-z_0-9]{1,30}/i
meta GEOCITIES_NUM (SUBJECT_SEXUAL && __GEOCITIES_NUM)
describe GEOCITIES_NUM Possible UK Geocities spam site
score GEOCITIES_NUM 5.0
This works for me and I have yet to see any FP. Also, these types of
messages for me usually will land BAYES_99 and a few DNS_FROM_RFC_*
rules, which help bring up the score.
Andre Nicholson
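
Added example (not part of the original post, and not SpamAssassin's own code): a Python sketch of the point made in the thread, that a domain-level lookup reduces every such link to geocities.com while the posted uri pattern keys on host plus path, and that the meta only fires when the subject test also hits. The registered_domain helper, the subject_sexual flag and the sample messages are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Same pattern as the uri rule in the post: host plus a path component.
GEOCITIES_NUM = re.compile(r"uk\.geocities\.com/[a-z_0-9]{1,30}", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def registered_domain(url):
    """Simplified stand-in for a domain blocklist key: last two host labels."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])


def evaluate(body, subject_sexual):
    """Return (blocklist_keys, uri_hit, meta_hit) for one message body.

    subject_sexual is a caller-supplied boolean standing in for the
    SUBJECT_SEXUAL rule result; it is not computed here.
    """
    urls = URL_RE.findall(body)
    keys = sorted({registered_domain(u) for u in urls})
    uri_hit = any(GEOCITIES_NUM.search(u) for u in urls)
    return keys, uri_hit, (subject_sexual and uri_hit)


# Constructed sample messages (not real mail): body, subject-test result.
SAMPLES = {
    "sexual_subject": ("Jane Doe John Roe\nhttp://uk.geocities.com/example_user123/", True),
    "pill_subject": ("Jane Doe John Roe\nhttp://uk.geocities.com/example_user456/", False),
    "other_geocities": ("My page: http://www.geocities.com/example_home/", True),
    "bare_host": ("http://uk.geocities.com/", True),
}


def run_samples():
    """Evaluate every constructed sample and return the results by name."""
    return {name: evaluate(body, flag) for name, (body, flag) in SAMPLES.items()}


if __name__ == "__main__":
    for name, (keys, uri_hit, meta_hit) in run_samples().items():
        print(f"{name:16} keys={keys} uri={uri_hit} meta={meta_hit}")
```

Every sample yields the same blocklist key, so only the path-aware pattern separates them; the pill_subject case matches the uri pattern but not the meta, because the meta also requires the subject test.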