I have created a small plugin I am calling SpamcopURI for SpamAssassin. What this basically does is cache locally the list of spamvertised URLs spamcop.net publishes at: http://www.spamcop.net/w3m?action=inprogress&type=www for a few days and run uri_eval tests against the URLs found in the potential spam. I created two new tests, SPAMCOP_URI and SPAMCOP_HOST_URI. The former registers a hit if the host + path are found in the local database. The latter registers a hit if just the host is found. I am considering adding second level domain + path matching so spammers who use wildcard DNS records and place random stuff in the sub-domains would get hit if they had at least one spam URL with a common path.
I had to patch both PerMsgStatus.pm and Conf.pm to support uri_eval tests, though it was a pretty minor change. I am only checking the spamcop.net site at most every 10 minutes. I have been running something similar to this for several weeks and found it to be very effective since the spamcop.net community is very good about reporting active spam. Would anyone be interested in me posting this somewhere for others to use/try?

I noticed there is some work being done using a URIDNSRBL plugin. I think if we could get the hostnames from the spamcop.net list into spamhaus or some other RBL, it would be nearly as effective doing host+path comparison and a bit more consistent with the other checks being done. Efforts to get spamcop.net to open up their spamvertised sites database have failed, so if anyone has any friends over there, it would be nice if they could either provide an RSS feed or set up a DNSRBL based on the hostnames so we don't have to push them from one datasource to another.

Thanks,
--eric
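The three matching levels described in the message (host + path, host only, and the proposed second level domain + path), as an added Python sketch that is not part of the original post and not the plugin's own Perl code. The class name, the SPAMCOP_SLD_PATH_URI test name, the three-day expiry and the sample URLs are assumptions made for illustration.

```python
import time
from urllib.parse import urlsplit

TTL_SECONDS = 3 * 24 * 3600  # assumption: "a few days" taken as three

def split_uri(uri):
    """Return (host, path); host is lowercased, an empty path becomes '/'."""
    parts = urlsplit(uri if "://" in uri else "http://" + uri)
    return (parts.hostname or "").rstrip("."), parts.path or "/"

def sld(host):
    """Naive second level domain: the last two labels.
    Suffixes such as co.uk would need a public-suffix list."""
    return ".".join(host.split(".")[-2:])

class SpamvertisedCache:  # hypothetical name
    def __init__(self, ttl=TTL_SECONDS):
        self.ttl = ttl
        self.seen = {}  # (host, path) -> time the entry was last listed

    def add(self, uri, now=None):
        self.seen[split_uri(uri)] = time.time() if now is None else now

    def expire(self, now=None):
        now = time.time() if now is None else now
        self.seen = {k: t for k, t in self.seen.items() if now - t <= self.ttl}

    def check(self, uri, now=None):
        """Return the set of test names that hit for one URI from a message."""
        self.expire(now)
        host, path = split_uri(uri)
        hits = set()
        if not host:
            return hits
        for listed_host, listed_path in self.seen:
            if listed_host == host:
                hits.add("SPAMCOP_HOST_URI")
                if listed_path == path:
                    hits.add("SPAMCOP_URI")
            # Hypothetical third test: same second level domain, same path.
            # The root path is skipped, otherwise every sub-domain of a
            # listed domain would hit and the path would add nothing.
            if sld(listed_host) == sld(host) and listed_path == path and path != "/":
                hits.add("SPAMCOP_SLD_PATH_URI")
        return hits

if __name__ == "__main__":
    cache = SpamvertisedCache()
    cache.add("http://pills.example.com/buy/now.html")  # constructed sample entry
    print(cache.check("http://x7f3q.example.com/buy/now.html"))
```

The root-path exclusion matters for false positives: without it, a single listed `http://host.example.com/` would flag every sub-domain of a shared hosting domain.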
