Hi list,
One of the main strengths of SpamAssassin is the ability to allow the
user to write their own custom rules. However, writing good rules is not
always easy and one of the hardest parts is identifying trends in spam
worth targeting.
So what trends have you noticed this week?
Here's one I spotted whilst reviewing the weeks spam. I've seen a bunch
of URIs with the following pattern:
http://some.example.domain.com/profile/12BobSmith/
There's even an example sent the LKML here:
https://lkml.org/lkml/2011/11/26/55
and have written a rule to match the /profile/12FirstnameLastname/ part.
So in the spirit of sharing, enjoy my rule:
# URIs matching http://some.domain.com/profile/12FirstLastname/
uri LOCAL_URI_PROFILE
m{https?://.{1,40}/profile/\d\d[A-Z][a-z]{1,20}[A-Z][a-z]{1,20}/}
describe LOCAL_URI_PROFILE Spammy URI with profile
score LOCAL_URI_PROFILE 1
Score as you see fit.
So far these URIs have been redirectors to "jobs" sites. Clearly there
is some malware that is compromising web hosts using this same template
so this type of rule nullifies them all in one go - no need to collect
the domains and feed them into the black lists (although this is still a
good idea).
So have you spotted any decent trends worth sharing this week?
