From: Marc P. <ma...@pe...> - 2003-04-20 18:45:01
Well - I'm still working out the details - but here are some SpamAssassin rules I've written that seem to work really well.

###########################################
# URI RULES #
###########################################
# No "score" lines are given, so each rule counts the SpamAssassin default of 1.0.

uri IP_LINK_PLUS /^https?\:\/\/(?:\S*\@)?\d+\.\d+\.\d+\.\d+.{0,20}(?:cgi|click|ads|id\=)/i
describe IP_LINK_PLUS Dotted-decimal IP address followed by CGI, clickthru, etc.

uri YAHOO_REDIR /^https?\:\/\/rd\.yahoo\.com\/[0-9]{4,}/i
describe YAHOO_REDIR Yahoo Redirect

uri LINK_WITH_AT_SIGN /^https?\:\/\/.*@.*\//i
describe LINK_WITH_AT_SIGN Link has @ in it.

uri ASIAN_LINKS /(?:^https?\:\/\/|^mailto\:).*\.(?:kr|jp|cn)\//i
describe ASIAN_LINKS Links to Korea, Japan, China, etc.

uri BIZ_LINKS /(?:^https?\:\/\/|^mailto\:).*\.bi?z/i
describe BIZ_LINKS Links to .biz .bz

uri MORTGAGE_LINKS /(?:^https?\:\/\/|^mailto\:).{0,20}(?:low|about).*mortgage/i
describe MORTGAGE_LINKS Links to discount mortgage spammers

uri STRANGE_CHAR_LINKS /^https?\:\/\/.{0,20}(?:[\%\@\*])/i
describe STRANGE_CHAR_LINKS Links with strange characters

uri SEX_BANNED_LINKS /(?:^https?\:\/\/|^mailto\:).{0,15}(?:hugefist|enlargepills|yourpenis|freakyfarm|latex-teens|animalobsession|bukkake|traceloop|nastyfucking|bronzealliance|femaleceleb)/i
describe SEX_BANNED_LINKS Links to Sex Sites

uri SEX_PHRASE_LINKS /(?:^https?\:\/\/|^mailto\:).{0,20}(?:bimbos|farmsex|porn.*mail|girls4u|cumslut)/i
describe SEX_PHRASE_LINKS Links with Sex Phrases

uri PHRASE_COMBO_LINKS /(?:^https?\:\/\/|^mailto\:).(?:free|hot|cash|money|click|track|gold|platinum|bargain|prize|save).{0,15}(?:click|track|cash|money|offer|deal|card|quotes|promo)/i
describe PHRASE_COMBO_LINKS Links containing suspicious phrase combinations

uri SUSPICIOUS_LINKS /(?:^https?\:\/\/|^mailto\:).{0,25}(?:poker\.net|get-deal|bargain[zs\-]|clicks|spree|members\=|lotto|offer[sz]|4you|casino|revshare|debtfree).*\//i
describe SUSPICIOUS_LINKS Links containing suspicious phrases

uri BANNED_LINKS1 /(?:^https?\:\/\/|^mailto\:).{0,20}(?:needanewjob|valodata|jutan|bridgewater|youngblue|rocketfibre|shopnow|affistats|priceisright|compare-lender).*\//i
describe BANNED_LINKS1 Links to Banned Companies 1

uri BANNED_LINKS2 /(?:^https?\:\/\/|^mailto\:).{0,20}(?:ientry|mybill|dyfyi|farmsex|affinitycommerce|unsecured-credit|e-centives|fyi01|clicktrack|emailads|zizi|vistaprint).*\//i
describe BANNED_LINKS2 Links to Banned Companies 2

uri BANNED_LINKS3 /(?:^https?\:\/\/|^mailto\:).{0,20}(?:radarline|optilc|biosweep|dealnetwork|myobmail|yourvling|xeemo|incestuals|mnjmtech|escript|m0rtage).*\//i
describe BANNED_LINKS3 Links to Banned Companies 3

uri BANNED_LINKS4 /(?:^https?\:\/\/|^mailto\:).{0,20}(?:ltracker|premiumsmail|rxmedical|bannedcd|raveonmail|postdirect|5moni|gammae|freeht|ns-hosting|domainsforeveryone).*\//i
describe BANNED_LINKS4 Links to Banned Companies 4

uri BANNED_LINKS5 /(?:^https?\:\/\/|^mailto\:).{0,20}(?:freedigitalppv|fastbustzone|dailycomnet|zoanmail|ew01|executive-level|cyberforce|adserver|flipside\.com|faqchat).*\//i
describe BANNED_LINKS5 Links to Banned Companies 5

uri BANNED_LINKS6 /(?:^https?\:\/\/|^mailto\:).{0,20}(?:dforyi|totemmail|addsaturation|securediscounts|emode\.com|router5\.com|bingonet|hookah1up|obbizopp|epinions).*\//i
describe BANNED_LINKS6 Links to Banned Companies 6

uri BANNED_LINKS7 /(?:^https?\:\/\/|^mailto\:).{0,20}(?:bargaineye|liquidgeneration|emailcourier|foryourfamily|linksynergy|coolspecnet|smilepop).*\//i
describe BANNED_LINKS7 Links to Banned Companies 7

uri OFFER_URI /^https?:\/\/.*?(?:offers?\.\w|[.\/]offer|offer=)/i
describe OFFER_URI Offer in link address

# rawbody rules see the body before MIME decoding, so they catch
# quoted-printable escapes that the decoded uri rules never see.
rawbody HIDDEN_EQUAL /(?:href|src)=3D\"/i
describe HIDDEN_EQUAL Uses =3D instead of =

rawbody HIDDEN_PERIOD /^https?:\/\/.{0,15}\=2E/i
describe HIDDEN_PERIOD Link used =2E for periods

Rod wrote:
>Hi Marc,
>
>>Anyhow - for Spamassassin I'm thinking about the idea of both system
>>maintained and user maintained black lists based on links alone. For
>>Razor I'm thinking about a message fingerprinting system based on links
>>alone.
>>
>>Who likes this idea?
>
>I think it's a great idea - in fact I have been using this very same
>technique using procmail filters (in conjunction with the usual Razor
>checks, of course) for a considerable time now.
>
>One of my more successful filters for this has been to simply filter on
>dotted quad address links, on the basis that only spammers would try to hide
>the domain names that the links point to.
>This may be a little too pro-active for some people's/servers' liking though
>(and I've had to whitelist several legitimate addresses), but generally
>speaking, it works a charm.
>
>Cheers
>Rod
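As an added example (not code from this thread, from SpamAssassin or from Razor), the following Python script re-applies a few of the regexes posted above outside SpamAssassin and sketches the link-only fingerprint Marc proposes for Razor: a digest over the set of link hosts and nothing else, so re-wording the spam text does not change it. The quoted-printable sample messages, the host allowlist (Rod's whitelist of legitimate dotted-quad links) and the choice of SHA-256 are assumptions made for this example; Razor's own digest scheme is not reproduced.

```python
"""Link-only spam checks and a link fingerprint (added example, not the
poster's code).  Sample messages are constructed here for the example."""
import hashlib
import quopri
import re
from urllib.parse import urlsplit

# Constructed quoted-printable body.  The =3D on href= and the =2E inside the
# bare URL on its own line are what the posted rawbody rules look for.
SAMPLE_QP = b"""Hi there,
<a href=3D"http://62.1.2.3/cgi-bin/click.cgi?id=3D1234">click</a>
<a href=3D"http://rd.yahoo.com/123456/*http://example.test/offer">offer</a>
<a href=3D"http://www.paypal.com@10.0.0.1/login">login</a>
http://example=2Ecom/free/cash
"""

# Same links, different filler text and order: must fingerprint identically.
SAMPLE_QP_VARIANT = b"""Dear friend, act now!
http://example=2Ecom/free/cash
<a href=3D"http://www.paypal.com@10.0.0.1/login">login</a>
<a href=3D"http://62.1.2.3/cgi-bin/click.cgi?id=3D1234">click</a>
<a href=3D"http://rd.yahoo.com/123456/*http://example.test/offer">offer</a>
"""

# Patterns copied from the posted rules, with the Perl delimiter escapes dropped.
# uri rules run against each decoded link; rawbody rules against the raw text.
URI_RULES = {
    "IP_LINK_PLUS": r"^https?://(?:\S*@)?\d+\.\d+\.\d+\.\d+.{0,20}(?:cgi|click|ads|id=)",
    "YAHOO_REDIR": r"^https?://rd\.yahoo\.com/[0-9]{4,}",
    "LINK_WITH_AT_SIGN": r"^https?://.*@.*/",
    "STRANGE_CHAR_LINKS": r"^https?://.{0,20}[%@*]",
}
RAWBODY_RULES = {
    "HIDDEN_EQUAL": r'(?:href|src)=3D"',
    "HIDDEN_PERIOD": r"^https?://.{0,15}=2E",
}
URI_RE = re.compile(r'(?:https?://|mailto:)[^\s"\'<>]+', re.I)


def extract_uris(raw):
    """Decode quoted-printable and pull out http(s)/mailto links."""
    text = quopri.decodestring(raw).decode("utf-8", "replace")
    return URI_RE.findall(text)


def host_of(uri):
    """Host a link really points at.  Userinfo before '@' is discarded, which
    is exactly the trick LINK_WITH_AT_SIGN targets: the shown name is not the host."""
    if uri.lower().startswith("mailto:"):
        return uri.split("@", 1)[1].lower() if "@" in uri else ""
    return (urlsplit(uri).hostname or "").lower()


def check_message(raw, allow_hosts=frozenset()):
    """Sorted names of the rules that fire, one hit per rule as SpamAssassin
    reports them.  allow_hosts is an assumed whitelist (Rod's point): links to
    those hosts are skipped before any uri rule is applied."""
    hits = set()
    for uri in extract_uris(raw):
        if host_of(uri) in allow_hosts:
            continue
        for name, pat in URI_RULES.items():
            if re.search(pat, uri, re.I):
                hits.add(name)
    raw_text = raw.decode("latin-1")          # undecoded body, as rawbody sees it
    for name, pat in RAWBODY_RULES.items():
        if re.search(pat, raw_text, re.I | re.M):
            hits.add(name)
    return sorted(hits)


def link_hosts(raw):
    """Sorted unique link hosts of a message."""
    return sorted({h for h in (host_of(u) for u in extract_uris(raw)) if h})


def link_fingerprint(raw):
    """Digest over the link hosts only.  SHA-256 is an assumption for this
    example; the idea is that text changes between copies do not alter it."""
    return hashlib.sha256("\n".join(link_hosts(raw)).encode()).hexdigest()


if __name__ == "__main__":
    print(check_message(SAMPLE_QP))
    print(link_hosts(SAMPLE_QP))
    print(link_fingerprint(SAMPLE_QP) == link_fingerprint(SAMPLE_QP_VARIANT))
```

Two things the run shows: the decoded links and the raw body are different views of the same message, so a checker needs both (the `=2E` host is only visible in the raw text, while the dotted-quad host behind `www.paypal.com@` is only visible once the link is parsed), and a host-set fingerprint survives the wording changes spammers use to defeat whole-message digests. The cost is the one Rod mentions: a legitimate sender who links to a bare IP collides with the rule, hence the allowlist.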