Re: [Razor-users] New blacklisting ideas based on what smam links to

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Well - I'm still working out the details - but here's some spam assassin 
rules I've written that seem to work really well.

###########################################
#               URI RULES                 #
###########################################

uri IP_LINK_PLUS        
/^https?\:\/\/(?:\S*\@)?\d+\.\d+\.\d+\.\d+.{0,20}(?:cgi|click|ads|id\=)/i
describe IP_LINK_PLUS        Dotted-decimal IP address followed by GCI, 
clickthru, etc.

uri YAHOO_REDIR            /^https?\:\/\/rd.yahoo.com\/[0-9]{4,}/i
describe YAHOO_REDIR        Yahoo Redirect

uri LINK_WITH_AT_SIGN        /^https?\:\/\/.*@.*\//i
describe LINK_WITH_AT_SIGN    Link has @ in it.

uri ASIAN_LINKS            /(?:^https?\:\/\/|^mailto\:).*\.(?:kr|jp|cn)\//i
describe ASIAN_LINKS        Links to Korea, Japan, China, etc.

uri BIZ_LINKS            /(?:^https?\:\/\/|^mailto\:).*\.bi?z/i
describe BIZ_LINKS        Links to .biz .bz

uri MORTGAGE_LINKS        
/(?:^https?\:\/\/|^mailto\:).{0,20}(?:low|about).*mortgage/i
describe MORTGAGE_LINKS        Links to discount mortgage spammers

uri STRANGE_CHAR_LINKS        /^https?\:\/\/.{0,20}(?:[\%\@\*])/i
describe STRANGE_CHAR_LINKS    Links with strange characters

uri SEX_BANNED_LINKS        
/(?:^https?\:\/\/|^mailto\:).{0,15}(?:hugefist|enlargepills|yourpenis|freakyfarm|latex-teens|animalobsession|bukkake|traceloop|nastyfucking|bronzealliance|femaleceleb)/i
describe SEX_BANNED_LINKS    Links to Sex Sites

uri SEX_PHRASE_LINKS        
/(?:^https?\:\/\/|^mailto\:).{0,20}(?:bimbos|farmsex|porn.*mail|girls4u|cumslut)/i
describe SEX_PHRASE_LINKS    Links with Sex Phrases

uri PHRASE_COMBO_LINKS        
/(?:^https?\:\/\/|^mailto\:).(?:free|hot|cash|money|click|track|gold|platinum|bargain|prize|save).{0,15}(?:click|track|cash|money|offer|deal|card|quotes|promo)/i
describe PHRASE_COMBO_LINKS    Links containing suspicious phrase 
combinations

uri SUSPICIOUS_LINKS        
/(?:^https?\:\/\/|^mailto\:).{0,25}(?:poker\.net|get-deal|bargain[zs\-]|clicks|spree|members\=|lotto|offer[sz]|4you|casino|revshare|debtfree).*\//i
describe SUSPICIOUS_LINKS    Links containing suspicious phrases

uri BANNED_LINKS1        
/(?:^https?\:\/\/|^mailto\:).{0,20}(?:needanewjob|valodata|jutan|bridgewater|youngblue|rocketfibre|shopnow|affistats|priceisright|compare-lender).*\//i
describe BANNED_LINKS1        Links to Banned Companies 1

uri BANNED_LINKS2        
/(?:^https?\:\/\/|^mailto\:).{0,20}(?:ientry|mybill|dyfyi|farmsex|affinitycommerce|unsecured-credit|e-centives|fyi01|clicktrack|emailads|zizi|vistaprint).*\//i
describe BANNED_LINKS2        Links to Banned Companies 2

uri BANNED_LINKS3        
/(?:^https?\:\/\/|^mailto\:).{0,20}(?:radarline|optilc|biosweep|dealnetwork|myobmail|yourvling|xeemo|incestuals|mnjmtech|escript|m0rtage).*\//i
describe BANNED_LINKS3        Links to Banned Companies 3

uri BANNED_LINKS4        
/(?:^https?\:\/\/|^mailto\:).{0,20}(?:ltracker|premiumsmail|rxmedical|bannedcd|raveonmail|postdirect|5moni|gammae|freeht|ns-hosting|domainsforeveryone).*\//i
describe BANNED_LINKS4        Links to Banned Companies 4

uri BANNED_LINKS5        
/(?:^https?\:\/\/|^mailto\:).{0,20}(?:freedigitalppv|fastbustzone|dailycomnet|zoanmail|ew01|executive-level|cyberforce|adserver|flipside.com|faqchat).*\//i
describe BANNED_LINKS5        Links to Banned Companies 5

uri BANNED_LINKS6        
/(?:^https?\:\/\/|^mailto\:).{0,20}(?:dforyi|totemmail|addsaturation|securediscounts|emode.com|router5.com|bingonet|hookah1up|obbizopp|epinions).*\//i
describe BANNED_LINKS6        Links to Banned Companies 6

uri BANNED_LINKS7        
/(?:^https?\:\/\/|^mailto\:).{0,20}(?:bargaineye|liquidgeneration|emailcourier|foryourfamily|linksynergy|coolspecnet|smilepop).*\//i
describe BANNED_LINKS7        Links to Banned Companies 7

uri OFFER_URI            
/^https?:\/\/.*?(?:offers?\.\w|[.\/]offer|offer=)/i
describe OFFER_URI        Offer in link address

rawbody HIDDEN_EQUAL        /(?:href|src)=3D\"/i
describe HIDDEN_EQUAL        Uses =3D instead of =

rawbody HIDDEN_PERIOD        /^https?:\/\/.{0,15}\=2E/i
describe HIDDEN_PERIOD        Link used =2E for periods

Rod wrote:

>Hi Marc,
>
>  
>
>>Anyhow - for Spamassassin I'm thinking about the idea of both system
>>maintained and user maintained black lists based on links alone. For
>>Razor I'm thinking about a message fingerprinting system bases in links
>>alone.
>>
>>Who likes this idea?
>>    
>>
>
>I think its a great idea -  in fact I have been using this very same
>technique using procmail filters (in conjunction with the usual Razor
>checks, of course) for considerable time now.
>
>One of my more succesful filters for this has been to simply filter on
>dotted quad address links, on the basis that only spammers would try to hide
>the domain names that the links point to.
>This may be a little to pro-active for some people/servers likings though
>(and I've had to whitelist several legitimate addresses), but generally
>speaking, it works a charm.
>
>Cheers
>Rod
>
>
>
>  
>