Re: GeoCities Link-only spam
On 8/22/2005 4:14 PM, Dallas L. Engelken wrote:

>> IP::Country use Whois lookups instead though
>
> Hrmm? Where does it say it uses Real-Time Whois lookups?

The docu for IP::Country::Fast is empty and refers to IP::Country, which describes the use of whois. See my follow-up post though.

-- 
Eric A. Hall                                        http://www.ehsco.com/
Internet Core Protocols          http://www.oreilly.com/catalog/coreprot/
Re: [SPAM] RE: GeoCities Link-only spam
On 8/22/2005 3:50 PM, Eric A. Hall wrote:

> IP::Country use Whois lookups instead though, and UDP/DNS lookups are
> going to be faster than chained TCP/Whois queries.

> I'll play with the plugin and see what kind of times and load I get

After some poking around: IP::Country::Fast uses a pre-built mapping database instead of issuing lookups (IP::Country::Slow) or caching lookups (IP::Country::Medium). The pre-built database is stored in the ".gif" files in /usr/lib/perl5/site_perl/5.8.6/IP/Country/Fast/ on my system, and presumably this stuff gets repackaged when IP allocations change. This means keeping the package synched, of course, but it does seem to be somewhat faster and requires less overhead.

BTW, lookups for dead domain names are really slow and block the rest of the message processing.

-- 
Eric A. Hall                                        http://www.ehsco.com/
Internet Core Protocols          http://www.oreilly.com/catalog/coreprot/
RE: GeoCities Link-only spam
> -----Original Message-----
> From: Eric A. Hall [mailto:[EMAIL PROTECTED]
> Sent: Monday, August 22, 2005 2:50 PM
> To: Derek Harding
> Cc: users@spamassassin.apache.org
> Subject: Re: [SPAM] RE: GeoCities Link-only spam
>
>
> On 8/22/2005 3:34 PM, Derek Harding wrote:
> > On Sun, 2005-08-21 at 20:05 -0400, Eric A. Hall wrote:
> >
> >> What's the benefit of using this instead of the uridnsbl plugin? The
> >> code below will look for the IP address behind a URI and then query
> >> the cn-kr.blackholes.us RBL to see if that addr is in China:
> >
> > This one doesn't require a DNS lookup which makes it faster.
>
> IP::Country use Whois lookups instead though, and UDP/DNS
> lookups are going to be faster than chained TCP/Whois queries.

Hrmm? Where does it say it uses Real-Time Whois lookups?

"This module comes bundled with a database of countries where various IP addresses have been assigned."

"With a random selection of 65,000 IP addresses, the module can look up over 15,000 IP addresses per second on a 730MHz PIII (Coppermine) and over 25,000 IP addresses per second on a 1.3GHz Athlon."

D
Re: [SPAM] RE: GeoCities Link-only spam
On 8/22/2005 3:34 PM, Derek Harding wrote:
> On Sun, 2005-08-21 at 20:05 -0400, Eric A. Hall wrote:
>
>> What's the benefit of using this instead of the uridnsbl plugin? The code
>> below will look for the IP address behind a URI and then query the
>> cn-kr.blackholes.us RBL to see if that addr is in China:
>
> This one doesn't require a DNS lookup which makes it faster.

IP::Country use Whois lookups instead though, and UDP/DNS lookups are going to be faster than chained TCP/Whois queries.

> blackholes.us only covers a limited set.

Just an example for discussion purposes (worth noting that their main web site is down too). http://countries.nerd.dk/more.html is another one.

I'll play with the plugin and see what kind of times and load I get.

-- 
Eric A. Hall                                        http://www.ehsco.com/
Internet Core Protocols          http://www.oreilly.com/catalog/coreprot/
Re: [SPAM] RE: GeoCities Link-only spam
On Sun, 2005-08-21 at 20:05 -0400, Eric A. Hall wrote:
> What's the benefit of using this instead of the uridnsbl plugin? The code
> below will look for the IP address behind a URI and then query the
> cn-kr.blackholes.us RBL to see if that addr is in China:

This one doesn't require a DNS lookup which makes it faster. Also it can work for just about any country; blackholes.us only covers a limited set.

Derek
Re: [SPAM] RE: GeoCities Link-only spam
On 8/8/2005 5:05 PM, Derek Harding wrote:

>>> It allows rules such as:
>>> uricountry URICOUNTRY_CN CN
>>> header URICOUNTRY_CN eval:check_uricountry('URICOUNTRY_CN')
>>> describe URICOUNTRY_CN Contains a URI hosted in China
>>> tflags URICOUNTRY_CN net
>>> score URICOUNTRY_CN 2.0

What's the benefit of using this instead of the uridnsbl plugin? The code below will look for the IP address behind a URI and then query the cn-kr.blackholes.us RBL to see if that addr is in China:

  uridnsbl URIBL_CNKR cn-kr.blackholes.us TXT
  body     URIBL_CNKR eval:check_uridnsbl('URIBL_CNKR')
  tflags   URIBL_CNKR net
  score    URIBL_CNKR 2.0

I'm sure there's a difference but I guess I'm not seeing it.

-- 
Eric A. Hall                                        http://www.ehsco.com/
Internet Core Protocols          http://www.oreilly.com/catalog/coreprot/
RE: GeoCities Link-only spam
I went with the RBL method. More than 1 way to skin a spammer. :-)

Anyways, they put themselves into my bayes with the extra points of the china RBL. Life is good... Now I can back down on the China points some since my bayes will more likely catch this garbage.

Content preview:  myrtis http://uk.geocities.com/Guillermo_Ratermann/?NKN7j=This_is_your_way_to_reduce_the_outflow_on_tiptop_reemedies. bye :-) [...]

Content analysis details:   (11.3 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.3 DATE_IN_FUTURE_06_12   Date: is 6 to 12 hours after Received: date
 5.0 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 0.]
 5.0 RCVD_IN_CHINA          RBL: Received via China IP china.blackholes.us
                            [58.33.99.179 listed in china.blackholes.us]

> -----Original Message-----
> From: Jonathan Nichols [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, August 09, 2005 2:36 PM
> To: Kelson
> Cc: SpamAssassin Users
> Subject: Re: GeoCities Link-only spam
>
>
> > Of course, if you want to match *any* Geocities URL (which I think is a
> > bit much for a 4-point score), you'd want something like this:
> >
> > uri GEOCITIES /\.geocities\.com\b/i
> >
> > or if you want to make sure it matches the domain name,
> >
> > uri GEOCITIES /^http:\/\/[a-z0-9-]{1,30}\.geocities\.com\b/i
>
> Cool! thanks. I think that will work a lot better. :)
>
> I got one today based on my previous feeble rule attempt. It got 4
> points.. my rule was the only one that it hit.
>
> Bloody Geocities. :|
Re: GeoCities Link-only spam
> Of course, if you want to match *any* Geocities URL (which I think is a
> bit much for a 4-point score), you'd want something like this:
>
> uri GEOCITIES /\.geocities\.com\b/i
>
> or if you want to make sure it matches the domain name,
>
> uri GEOCITIES /^http:\/\/[a-z0-9-]{1,30}\.geocities\.com\b/i

Cool! thanks. I think that will work a lot better. :)

I got one today based on my previous feeble rule attempt. It got 4 points.. my rule was the only one that it hit.

Bloody Geocities. :|
Re: GeoCities Link-only spam
Jonathan Nichols wrote:
> uri GEOCITIES /uk.geocities.com/i
> describe GEOCITIES High amounts of spam from Geocities.
> score GEOCITIES 4.0
>
> ... spamassassin --lint came out ok. Will this work, or have I
> accomplished something that I wasn't actually trying to do? ;)

A better approach:

uri GEOCITIES /\buk\.geocities\.com\b/i

A "." by itself will match any single character, so ukrgeocities2com would match. "\." matches a period specifically. Not that this is likely to show up in this case, but it's worth remembering for rule writing in general.

Also, "\b" matches a word boundary. That prevents it from matching something like "geocities.commander" -- again, not a likely problem in this case, but useful for future reference.

You could even get very specific, with this:

uri GEOCITIES /^http:\/\/uk\.geocities\.com\b/i

The "^" anchors the match to the beginning of the URI, and the "\/" indicates that the forward slash is part of the match, not the closing delimiter.

Of course, if you want to match *any* Geocities URL (which I think is a bit much for a 4-point score), you'd want something like this:

uri GEOCITIES /\.geocities\.com\b/i

or if you want to make sure it matches the domain name,

uri GEOCITIES /^http:\/\/[a-z0-9-]{1,30}\.geocities\.com\b/i

-- 
Kelson Vibber
SpeedGate Communications
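As an added example (not part of Kelson's post and not SpamAssassin code), the script below runs the five GEOCITIES regexes from the thread against a handful of constructed URIs, so the effect of "\." versus ".", of the "\b" word boundaries and of the "^http:\/\/" anchor can be compared side by side. Only the uk.geocities.com shape comes from the thread's spam sample; every other URI is made up for the test.

```perl
#!/usr/bin/perl
# Added example, not code from the thread or from SpamAssassin: evaluates
# the GEOCITIES "uri" rule regexes discussed above against constructed URIs.
use strict;
use warnings;

# The patterns exactly as they appear in the "uri" rules in the thread.
my %rules = (
    original    => qr/uk.geocities.com/i,
    escaped     => qr/\buk\.geocities\.com\b/i,
    anchored_uk => qr/^http:\/\/uk\.geocities\.com\b/i,
    any_host    => qr/\.geocities\.com\b/i,
    any_domain  => qr/^http:\/\/[a-z0-9-]{1,30}\.geocities\.com\b/i,
);

# Constructed test URIs, each chosen to separate two of the rules.
my @uris = (
    'http://uk.geocities.com/Somebody/?x=1',          # the shape the spam uses
    'http://ukrgeocities2com/',                       # "." matched as a wildcard
    'http://uk.geocities.commander.example/',         # no word boundary after "com"
    'http://www.example.com/?next=uk.geocities.com',  # host name is elsewhere in the URI
    'http://de.geocities.com/Somebody/',              # another geocities sub-host
    'http://geocities.com/Somebody/',                 # bare domain, no sub-host at all
);

# Returns { $uri => { $rule_name => 0|1 } } for every URI against every rule.
sub evaluate {
    my ($rules, @uris) = @_;
    my %hits;
    for my $uri (@uris) {
        for my $name (keys %$rules) {
            $hits{$uri}{$name} = ($uri =~ $rules->{$name}) ? 1 : 0;
        }
    }
    return \%hits;
}

my $hits  = evaluate(\%rules, @uris);
my @names = sort keys %rules;

# One row per URI; 1 means the rule would fire on that URI, 0 means it would not.
for my $uri (@uris) {
    my @cols = map { "$_=" . $hits->{$uri}{$_} } @names;
    printf "%-48s %s\n", $uri, join(' ', @cols);
}
```

Two rows are worth a second look: the "escaped" rule still fires when uk.geocities.com only appears in a query string, which is exactly what the anchored variants prevent, and none of the rules fires on a bare geocities.com URI with no sub-host.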
RE: GeoCities Link-only spam
> -----Original Message-----
> From: Greg Allen [mailto:[EMAIL PROTECTED]
> If it wasn't for a handful of users I would block everything
> outside the continental US, and certain companies can still
> do that if they do not do business outside the US.

RBLs in SA with judicious use of:
  WHITELIST_FROM_RCVD
and/or
  SUBJECT_IN_WHITELIST
(These were add-ons I believe but both are going to be standard by SA 3.10 "real soon now.")

Or whitelisting your front end RBLs that block. (A local DNS server works great for this.)

But my favorite (this week) is using HELO names and patterns, RBLs, and even SpamAssassin to drive greylisting.

Greylisting knocks down 92% of everything we ask it to check -- and so far we have identified ZERO lost mail.

We do NOT greylist all email, which practically avoids the only significant greylist "issue" of delaying "good mail." Most of the items greylisted are not useful, and the few that are get delayed once. Usually the delay is 10 minutes to an hour, and even most of that stuff is "optional" mail.

Having SA (spamd) checks drive greylisting for Spam=Yes mail means that even less gets through; less requires review by users. (We check Spam=yes AND_NOT Already_Greylisted to avoid unnecessary checks although that would not really hurt if the same IP/sender/rcpt is used.)

-- 
Herb Martin
RE: GeoCities Link-only spam
Here is an RBL test for china IP addresses that connect to your server to pass email. I tested it and it works. I have had a score of 5 for a while, but you can change that to anything you want. Add it to your local.cf if you like it. You should be able to modify it for other countries; see the country list here: http://www.blackholes.us

---start example code---
header   RCVD_IN_CHINA eval:check_rbl('country', 'china.blackholes.us')
describe RCVD_IN_CHINA Received via a China IP address in china.blackholes.us
tflags   RCVD_IN_CHINA net
score    RCVD_IN_CHINA 5
---end example code---

Here is another way to do it as well.
www.blackholes.us/docs/usage.html
(Above example makes more sense to me though.)

-----Original Message-----
From: Jonathan Nichols [mailto:[EMAIL PROTECTED]
Sent: Monday, August 08, 2005 9:24 PM
To: SpamAssassin Users
Subject: Re: GeoCities Link-only spam

Back on topic..

Since Geocities has done exactly *nothing* to delete the spamvertized sites, I have no objection to adding 3 points to anything with *.geocities.com in the URL.

I tried this:

uri GEOCITIES /uk.geocities.com/i
describe GEOCITIES High amounts of spam from Geocities.
score GEOCITIES 4.0

... spamassassin --lint came out ok. Will this work, or have I accomplished something that I wasn't actually trying to do? ;)
Re: GeoCities Link-only spam
Back on topic..

Since Geocities has done exactly *nothing* to delete the spamvertized sites, I have no objection to adding 3 points to anything with *.geocities.com in the URL.

I tried this:

uri GEOCITIES /uk.geocities.com/i
describe GEOCITIES High amounts of spam from Geocities.
score GEOCITIES 4.0

... spamassassin --lint came out ok. Will this work, or have I accomplished something that I wasn't actually trying to do? ;)
RE: GeoCities Link-only spam
lol

I look at it like this. My users (certain ones) want to be able to receive an odd internet email/order of, let's say... copier parts from someone in China. Now, the odds are they won't get more than 1 email every 6 months from China. So, they get pounded with China spam for 6 months hoping for one email. Difficult situation.

An RBL at the front end would not let the odd email in. So, if I can give it a 3 or 4 point value and at the very least send it to their spam folder, they can get it if they really want it (or) know it's coming. If they then complain, I can whitelist that individual company in China.

If it wasn't for a handful of users I would block everything outside the continental US, and certain companies can still do that if they do not do business outside the US.

-----Original Message-----
From: Kelson [mailto:[EMAIL PROTECTED]
Sent: Monday, August 08, 2005 6:55 PM
To: SpamAssassin Users
Subject: Re: GeoCities Link-only spam

> Yes, all the nasty countries could be added. Great idea going here.

Based on my server logs, if I block mail coming from Earth, I'll take care of 100% of incoming spam!

Now all I need to do is look up the subnet for the International Space Station so I can whitelist it...

-- 
Kelson Vibber
SpeedGate Communications
Re: GeoCities Link-only spam
From: "Kelson" <[EMAIL PROTECTED]>
>> Yes, all the nasty countries could be added. Great idea going here.
>
> Based on my server logs, if I block mail coming from Earth, I'll take
> care of 100% of incoming spam!
>
> Now all I need to do is look up the subnet for the International Space
> Station so I can whitelist it...

Actually for Art Bell I am not sure even that would solve his spam problem.

{O,o}

(For those who don't get it: http://www.coasttocoastam.com/ And seriously, when off the air Art is NOT NEARLY that goofy.)
Re: GeoCities Link-only spam
From: "wolfgang" <[EMAIL PROTECTED]>
> Hi jdow,
>
> In an older episode (Monday, 8. August 2005 23:07), jdow wrote:
>
> > Those guys are annoying. The "ro" folks are just plain not nice people.
> > If it comes from Romania it's a phish, keylogger, or worse.
>
> I'd like to state that I deeply feel that this statement, just like any
> generalization and especially generalizations based on geographical/national
> prejudice, is dead wrong. I bet that most romanians receive emails almost
> exclusively from romania, and i also bet that not all of those emails are
> phish, keylogger or worse.
>
> Here's one more generalization to think about:
> Funny that I somehow suspect that all u.s. americans are somewhat ignorant
> about the vast majority of this planet's inhabitants and their ways of life,
> isn't it?
>
> cheers,
>
> wolfgang

Wolfgang, I steadfastly refuse to be politically correct. And I refuse to base decisions on other people's hearsay alone. My factual information here is an apparent utter lack of email from .ro addresses that is not malware or spam. On that basis it makes no difference to me how "nice" the .ro people may be. *I NEVER SEE IT.* So I suppose I am using a form of racial profiling. If it works I shall use it. I'm not a dumb backend of a donkey who refuses to use what works because it is not politically correct. (The British are losing some of their political correctness I see. All it takes is a few "South Asian" kids with bombs to change attitudes to match reality.)

{^_^} Joanne said that and stands behind it.
Re: GeoCities Link-only spam
> Yes, all the nasty countries could be added. Great idea going here.

Based on my server logs, if I block mail coming from Earth, I'll take care of 100% of incoming spam!

Now all I need to do is look up the subnet for the International Space Station so I can whitelist it...

-- 
Kelson Vibber
SpeedGate Communications
RE: [SPAM] RE: GeoCities Link-only spam
Sorry, I misunderstood at first what you had there. You are checking uri... This is good, but it might be even better to have a check for the connecting IP (or use it in conjunction with the uri) since the spammers can auto-flip websites from UK to China, Korea, RU, etc. within a few seconds.

I am not a coder, so I may not be able to help much here... but I can take a whack at it.

Basically, what I would like to see would be a check of the connecting IP against a China (or whatever) RBL. If the connecting IP matches an IP in the China RBL we could add a point value. Country RBL source preferably from something like here:
http://www.blackholes.us

Some RBLs already post code like this on their websites, but I am not sure those would be usable with ALL RBL systems.

Basically, something like this... but with China, Korea, etc. to place in local.cf

---start example---
header   X_RBL_INTERSIL_NET eval:check_rbl('INTERSIL_NET', 'blackholes.intersil.net')
describe X_RBL_INTERSIL_NET Sender IP has a bad track record
tflags   X_RBL_INTERSIL_NET net
score    X_RBL_INTERSIL_NET .5

header   RCVD_IN_DYNABLOCK eval:check_rbl('sorbs-notfirsthop', 'dnsbl.sorbs.net.', '127.0.0.10')
describe RCVD_IN_DYNABLOCK Sent directly from dynamic IP address
tflags   RCVD_IN_DYNABLOCK net
score    RCVD_IN_DYNABLOCK .5
---end example---

Actually, something similar to the above syntax might work for the bad countries, if I just go through the time to type several of them in and test them. I am just not sure yet. :-)

-----Original Message-----
From: Derek Harding [mailto:[EMAIL PROTECTED]
Sent: Monday, August 08, 2005 5:05 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED] Apache. Org
Subject: Re: [SPAM] RE: GeoCities Link-only spam

On Mon, 2005-08-08 at 15:53 -0500, [EMAIL PROTECTED] wrote:
> >
> > It allows rules such as:
> > uricountry URICOUNTRY_CN CN
> > header URICOUNTRY_CN eval:check_uricountry('URICOUNTRY_CN')
> > describe URICOUNTRY_CN Contains a URI hosted in China
> > tflags URICOUNTRY_CN net
> > score URICOUNTRY_CN 2.0
> >
> > Derek
>
> Oh yes, that type code would be very nice to have indeed for people like
> me who can't outright RBL them. Do you also have code for Korea even? But
> dare I ask too much. :-) I could give it a score of 4 or so... and up it
> even more when spammer simpletons start thinking they are on to the latest
> greatest China spam idea. :-)

The code will work for any country. Just write a rule for that country.

Here's what's needed in your local.cf

loadplugin Mail::SpamAssassin::Plugin::URICountry

uricountry URICOUNTRY_CN CN
header URICOUNTRY_CN eval:check_uricountry('URICOUNTRY_CN')
describe URICOUNTRY_CN Contains a URI hosted in China
tflags URICOUNTRY_CN net
score URICOUNTRY_CN 2.0

uricountry URICOUNTRY_KR KR
header URICOUNTRY_KR eval:check_uricountry('URICOUNTRY_KR')
describe URICOUNTRY_KR Contains a URI hosted in Korea
tflags URICOUNTRY_KR net
score URICOUNTRY_KR 2.0

uricountry URICOUNTRY_BR BR
header URICOUNTRY_BR eval:check_uricountry('URICOUNTRY_BR')
describe URICOUNTRY_BR Contains a URI hosted in Brazil
tflags URICOUNTRY_BR net
score URICOUNTRY_BR 2.0

Derek

-- code for the plugin follows --

=head1 NAME

URICountry - add message metadata indicating the country code of each relay

=head1 SYNOPSIS

  loadplugin Mail::SpamAssassin::Plugin::URICountry

=head1 REQUIREMENT

This plugin requires the IP::Country::Fast module from CPAN.

=cut

package Mail::SpamAssassin::Plugin::URICountry;

use Mail::SpamAssassin::Plugin;
use strict;
use bytes;

use vars qw(@ISA);
@ISA = qw(Mail::SpamAssassin::Plugin);

# constructor: register the eval rule
sub new {
  my $class = shift;
  my $mailsaobject = shift;

  # some boilerplate...
  $class = ref($class) || $class;
  my $self = $class->SUPER::new($mailsaobject);
  bless ($self, $class);

  $self->register_eval_rule ("check_uricountry");

  return $self;
}

# this is just a placeholder; in fact the results are dealt with later
sub check_uricountry {
  my ($self, $permsgstatus, $rulename) = @_;
  return 0;
}

# and the eval rule itself
sub parsed_metadata {
  my ($self, $opts) = @_;
  my $scanner = $opts->{permsgstatus};

  my $reg;

  eval {
    require IP::Country::Fast;
    $reg = IP::Country::Fast->new();
  };
  if ($@) {
    dbg ("failed to load 'IP::Country::Fast', skipping");
    return 1;
  }

  my %domlist = ();
  foreach my $uri ($scanner->get_uri_list()) {
    my $dom = my_uri_to_domain($uri);
    dbg("debug: URICountry $uri in $dom");
    if ($dom) {
      $domlist{$dom} = 1;
    }
  }

  # Build a list of the countries for
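As an added example (not code from the thread or from SpamAssassin), the script below shows what the check_rbl() rules quoted above do under the hood: the RCVD_IN_CHINA rule with no sub-test, and the SORBS RCVD_IN_DYNABLOCK rule whose third argument '127.0.0.10' is a sub-test on the returned address. The connecting IP is reversed, the DNSBL zone appended, and the A record compared with the sub-test. The resolver is replaced by a constructed answer table so the script runs offline; the 58.33.99.179 listing is the one shown in the score report elsewhere in the thread, while the return codes and the 192.0.2.x addresses are made up, and sub-tests are matched as exact addresses (SpamAssassin's real check_rbl() is more flexible).

```perl
#!/usr/bin/perl
# Added example, not code from the thread or from SpamAssassin: an offline
# model of what a check_rbl() rule does with the connecting IP address.
use strict;
use warnings;

# Build the DNSBL query name: 58.33.99.179 -> 179.99.33.58.china.blackholes.us
sub rbl_query_name {
    my ($ip, $zone) = @_;
    my @octets = split /\./, $ip;
    die "not a dotted-quad IPv4 address: $ip"
        unless @octets == 4 && !grep { !/^\d+$/ || $_ > 255 } @octets;
    $zone =~ s/\.$//;     # rules often write the zone with a trailing dot
    return join('.', reverse @octets) . ".$zone";
}

# Constructed stand-in for DNS: query name -> list of A records returned.
# Only the 58.33.99.179 listing comes from the thread; everything else is made up.
my %fake_dns = (
    '179.99.33.58.china.blackholes.us' => ['127.0.0.2'],
    '7.2.0.192.dnsbl.sorbs.net'        => ['127.0.0.10'],   # the "dynamic" code
    '8.2.0.192.dnsbl.sorbs.net'        => ['127.0.0.6'],    # listed, but another code
);

# Evaluate one rule against one IP. Returns 1 when the IP is listed and, if a
# sub-test is given, listed with exactly that return address; otherwise 0.
sub rbl_hit {
    my ($resolver, $ip, $zone, $subtest) = @_;
    my $answers = $resolver->{ rbl_query_name($ip, $zone) } or return 0;
    return 1 unless defined $subtest;              # any A record counts as a hit
    return (grep { $_ eq $subtest } @$answers) ? 1 : 0;
}

# The two rules from the thread as (rule name, zone, sub-test) triples.
my @rules = (
    [ 'RCVD_IN_CHINA',     'china.blackholes.us', undef        ],
    [ 'RCVD_IN_DYNABLOCK', 'dnsbl.sorbs.net.',    '127.0.0.10' ],
);

# 192.0.2.8 is listed in SORBS with a different code, so RCVD_IN_DYNABLOCK
# must not fire on it; 192.0.2.9 is not listed anywhere.
for my $ip ('58.33.99.179', '192.0.2.7', '192.0.2.8', '192.0.2.9') {
    for my $r (@rules) {
        my ($name, $zone, $sub) = @$r;
        printf "%-14s %-18s %s\n", $ip, $name,
            rbl_hit(\%fake_dns, $ip, $zone, $sub) ? 'hit' : 'no hit';
    }
}
```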
Re: GeoCities Link-only spam
Hi jdow,

In an older episode (Monday, 8. August 2005 23:07), jdow wrote:

> Those guys are annoying. The "ro" folks are just plain not nice people.
> If it comes from Romania it's a phish, keylogger, or worse.

I'd like to state that I deeply feel that this statement, just like any generalization and especially generalizations based on geographical/national prejudice, is dead wrong. I bet that most romanians receive emails almost exclusively from romania, and i also bet that not all of those emails are phish, keylogger or worse.

Here's one more generalization to think about:
Funny that I somehow suspect that all u.s. americans are somewhat ignorant about the vast majority of this planet's inhabitants and their ways of life, isn't it?

cheers,

wolfgang
germany, europe, northern earth

-- 
don't judge a man before you have walked a mile in his TLD
RE: GeoCities Link-only spam
Yes, all the nasty countries could be added. Great idea going here.

-----Original Message-----
From: jdow [mailto:[EMAIL PROTECTED]
Sent: Monday, August 08, 2005 5:07 PM
To: users@spamassassin.apache.org
Subject: Re: GeoCities Link-only spam

From: <[EMAIL PROTECTED]>
> > On Sun, 2005-08-07 at 12:27 -0400, Greg Allen wrote:
> >> They are also using non-Geocities addresses now. Most of the IPs they
> >> use seem to have been from China, so you could RBL china at the front end,
> >> if you are allowed to block China that is... (my users won't let me
> >> block China...uggh)
> >>
> >>
> >> ---example--
> >> http://enlighteningvaluezone.com?djBK=nNSn7m
> >> ---end example---
> >>
> >
> > I wrote a SpamAssassin plugin that enables scoring of URIs based on
> > country using IP::Country::Fast. It's kind of a companion to
> > RelayCountry.pm. I meant to make it public but never got round to
> > tidying up the code. Would people be interested in my posting it?
> >
> > It allows rules such as:
> > uricountry URICOUNTRY_CN CN
> > header URICOUNTRY_CN eval:check_uricountry('URICOUNTRY_CN')
> > describe URICOUNTRY_CN Contains a URI hosted in China
> > tflags URICOUNTRY_CN net
> > score URICOUNTRY_CN 2.0
> >
> > Derek
>
> Oh yes, that type code would be very nice to have indeed for people like
> me who can't outright RBL them. Do you also have code for Korea even? But
> dare I ask too much. :-) I could give it a score of 4 or so... and up it
> even more when spammer simpletons start thinking they are on to the latest
> greatest China spam idea. :-)

Those guys are annoying. The "ro" folks are just plain not nice people. If it comes from Romania it's a phish, keylogger, or worse.

{^_^}
Re: [SPAM] RE: GeoCities Link-only spam
awesome! any chance you could put this on the wiki, linked from CustomPlugins?

--j.

Derek Harding writes:
> On Mon, 2005-08-08 at 15:53 -0500, [EMAIL PROTECTED] wrote:
> > >
> > > It allows rules such as:
> > > uricountry URICOUNTRY_CN CN
> > > header URICOUNTRY_CN eval:check_uricountry('URICOUNTRY_CN')
> > > describe URICOUNTRY_CN Contains a URI hosted in China
> > > tflags URICOUNTRY_CN net
> > > score URICOUNTRY_CN 2.0
> > >
> > > Derek
> >
> > Oh yes, that type code would be very nice to have indeed for people like
> > me who can't outright RBL them. Do you also have code for Korea even? But
> > dare I ask too much. :-) I could give it a score of 4 or so... and up it
> > even more when spammer simpletons start thinking they are on to the latest
> > greatest China spam idea. :-)
>
> The code will work for any country. Just write a rule for that country.
>
> Here's what's needed in your local.cf
>
> loadplugin Mail::SpamAssassin::Plugin::URICountry
>
> uricountry URICOUNTRY_CN CN
> header URICOUNTRY_CN eval:check_uricountry('URICOUNTRY_CN')
> describe URICOUNTRY_CN Contains a URI hosted in China
> tflags URICOUNTRY_CN net
> score URICOUNTRY_CN 2.0
>
> uricountry URICOUNTRY_KR KR
> header URICOUNTRY_KR eval:check_uricountry('URICOUNTRY_KR')
> describe URICOUNTRY_KR Contains a URI hosted in Korea
> tflags URICOUNTRY_KR net
> score URICOUNTRY_KR 2.0
>
> uricountry URICOUNTRY_BR BR
> header URICOUNTRY_BR eval:check_uricountry('URICOUNTRY_BR')
> describe URICOUNTRY_BR Contains a URI hosted in Brazil
> tflags URICOUNTRY_BR net
> score URICOUNTRY_BR 2.0
>
> Derek
>
> -- code for the plugin follows --
> =head1 NAME
>
> URICountry - add message metadata indicating the country code of each
> relay
>
> =head1 SYNOPSIS
>
>   loadplugin Mail::SpamAssassin::Plugin::URICountry
>
> =head1 REQUIREMENT
>
> This plugin requires the IP::Country::Fast module from CPAN.
>
> =cut
>
> package Mail::SpamAssassin::Plugin::URICountry;
>
> use Mail::SpamAssassin::Plugin;
> use strict;
> use bytes;
>
> use vars qw(@ISA);
> @ISA = qw(Mail::SpamAssassin::Plugin);
>
> # constructor: register the eval rule
> sub new {
>   my $class = shift;
>   my $mailsaobject = shift;
>
>   # some boilerplate...
>   $class = ref($class) || $class;
>   my $self = $class->SUPER::new($mailsaobject);
>   bless ($self, $class);
>
>   $self->register_eval_rule ("check_uricountry");
>
>   return $self;
> }
>
> # this is just a placeholder; in fact the results are dealt with later
> sub check_uricountry {
>   my ($self, $permsgstatus, $rulename) = @_;
>   return 0;
> }
>
> # and the eval rule itself
> sub parsed_metadata {
>   my ($self, $opts) = @_;
>   my $scanner = $opts->{permsgstatus};
>
>   my $reg;
>
>   eval {
>     require IP::Country::Fast;
>     $reg = IP::Country::Fast->new();
>   };
>   if ($@) {
>     dbg ("failed to load 'IP::Country::Fast', skipping");
>     return 1;
>   }
>
>   my %domlist = ();
>   foreach my $uri ($scanner->get_uri_list()) {
>     my $dom = my_uri_to_domain($uri);
>     dbg("debug: URICountry $uri in $dom");
>     if ($dom) {
>       $domlist{$dom} = 1;
>     }
>   }
>
>   # Build a list of the countries for URIs in the message.
>   my %countries = ();
>   foreach my $dom (keys(%domlist)) {
>     my $cc = $reg->inet_atocc($dom) || "XX";
>     dbg("debug: URICountry $dom in $cc");
>     $countries{lc($cc)} = 1;
>   }
>
>   # Now check if any match any defined rules.
>   foreach my $rule (keys(%{$scanner->{conf}->{uricountry}})) {
>     my $country = lc($scanner->{conf}->{uricountry}->{$rule});
>     if($countries{$country}) {
>       dbg ("debug: URICountry hit rule: $country");
>       $scanner->got_hit($rule, "");
>     }
>   }
>
>   return 1;
> }
>
> sub parse_config {
>   my ($self, $opts) = @_;
>
>   my $key = $opts->{key};
>
>   if ($key eq 'uricountry') {
>     if ($opts->{value} =~ /^(\S+)\s+(\S+)\s*$/) {
>       my $rulename = $1;
>       my $country = $2;
>
>       dbg("debug: URICountry: registering $rulename");
>       $opts->{conf}->{uricountry}->{$rulename} = $country;
>       $self->inhibit_further_callbacks();
>       return 1;
>     }
>   }
>
>   return 0;
> }
>
> # Taken from the one in Util.pm but we don't want to drop the hostname
> doing so
> # often leaves us with no A record.
> sub my_uri_to_domain {
>   my ($uri) = @_;
>
>   # Javascript is not going to help us, so return.
>   return if ($uri =~ /^javascript:/i);
>
>   $uri =~ s,#.*$,,gs;                 # drop fragment
>   $uri =~ s#^[a-z]+:/{0,2}##gsi;      # drop the protocol
>   $uri =~ s,^[^/]*\@,,gs;             # username/passwd
>   $uri =~ s,[/\?\&].*$,,gs;           # path/cgi params
>   $uri =~ s,:\d+$,,gs;                # port
>
>   return if $uri =~ /\%/;             # skip undecoded URIs.
>
Re: GeoCities Link-only spam
From: <[EMAIL PROTECTED]>
> > On Sun, 2005-08-07 at 12:27 -0400, Greg Allen wrote:
> >> They are also using non-Geocities addresses now. Most of the IPs they
> >> use seem to have been from China, so you could RBL china at the front end,
> >> if you are allowed to block China that is... (my users won't let me
> >> block China...uggh)
> >>
> >>
> >> ---example--
> >> http://enlighteningvaluezone.com?djBK=nNSn7m
> >> ---end example---
> >>
> >
> > I wrote a SpamAssassin plugin that enables scoring of URIs based on
> > country using IP::Country::Fast. It's kind of a companion to
> > RelayCountry.pm. I meant to make it public but never got round to
> > tidying up the code. Would people be interested in my posting it?
> >
> > It allows rules such as:
> > uricountry URICOUNTRY_CN CN
> > header URICOUNTRY_CN eval:check_uricountry('URICOUNTRY_CN')
> > describe URICOUNTRY_CN Contains a URI hosted in China
> > tflags URICOUNTRY_CN net
> > score URICOUNTRY_CN 2.0
> >
> > Derek
>
> Oh yes, that type code would be very nice to have indeed for people like
> me who can't outright RBL them. Do you also have code for Korea even? But
> dare I ask too much. :-) I could give it a score of 4 or so... and up it
> even more when spammer simpletons start thinking they are on to the latest
> greatest China spam idea. :-)

Those guys are annoying. The "ro" folks are just plain not nice people. If it comes from Romania it's a phish, keylogger, or worse.

{^_^}
Re: [SPAM] RE: GeoCities Link-only spam
On Mon, 2005-08-08 at 15:53 -0500, [EMAIL PROTECTED] wrote:
> >
> > It allows rules such as:
> > uricountry URICOUNTRY_CN CN
> > header URICOUNTRY_CN eval:check_uricountry('URICOUNTRY_CN')
> > describe URICOUNTRY_CN Contains a URI hosted in China
> > tflags URICOUNTRY_CN net
> > score URICOUNTRY_CN 2.0
> >
> > Derek
>
> Oh yes, that type code would be very nice to have indeed for people like
> me who can't outright RBL them. Do you also have code for Korea even? But
> dare I ask too much. :-) I could give it a score of 4 or so... and up it
> even more when spammer simpletons start thinking they are on to the latest
> greatest China spam idea. :-)

The code will work for any country. Just write a rule for that country.

Here's what's needed in your local.cf

loadplugin Mail::SpamAssassin::Plugin::URICountry

uricountry URICOUNTRY_CN CN
header URICOUNTRY_CN eval:check_uricountry('URICOUNTRY_CN')
describe URICOUNTRY_CN Contains a URI hosted in China
tflags URICOUNTRY_CN net
score URICOUNTRY_CN 2.0

uricountry URICOUNTRY_KR KR
header URICOUNTRY_KR eval:check_uricountry('URICOUNTRY_KR')
describe URICOUNTRY_KR Contains a URI hosted in Korea
tflags URICOUNTRY_KR net
score URICOUNTRY_KR 2.0

uricountry URICOUNTRY_BR BR
header URICOUNTRY_BR eval:check_uricountry('URICOUNTRY_BR')
describe URICOUNTRY_BR Contains a URI hosted in Brazil
tflags URICOUNTRY_BR net
score URICOUNTRY_BR 2.0

Derek

-- code for the plugin follows --

=head1 NAME

URICountry - add message metadata indicating the country code of each relay

=head1 SYNOPSIS

  loadplugin Mail::SpamAssassin::Plugin::URICountry

=head1 REQUIREMENT

This plugin requires the IP::Country::Fast module from CPAN.

=cut

package Mail::SpamAssassin::Plugin::URICountry;

use Mail::SpamAssassin::Plugin;
use Mail::SpamAssassin::Util::RegistrarBoundaries;   # for is_domain_valid() below
use strict;
use bytes;

use vars qw(@ISA);
@ISA = qw(Mail::SpamAssassin::Plugin);

# constructor: register the eval rule
sub new {
  my $class = shift;
  my $mailsaobject = shift;

  # some boilerplate...
  $class = ref($class) || $class;
  my $self = $class->SUPER::new($mailsaobject);
  bless ($self, $class);

  $self->register_eval_rule ("check_uricountry");

  return $self;
}

# this is just a placeholder; in fact the results are dealt with later
# (parsed_metadata() below calls got_hit() directly for each matching rule)
sub check_uricountry {
  my ($self, $permsgstatus, $rulename) = @_;
  return 0;
}

# and the eval rule itself
sub parsed_metadata {
  my ($self, $opts) = @_;
  my $scanner = $opts->{permsgstatus};

  my $reg;

  eval {
    require IP::Country::Fast;
    $reg = IP::Country::Fast->new();
  };
  if ($@) {
    dbg ("failed to load 'IP::Country::Fast', skipping");
    return 1;
  }

  # Collect the distinct domains behind every URI in the message.
  my %domlist = ();
  foreach my $uri ($scanner->get_uri_list()) {
    my $dom = my_uri_to_domain($uri);
    if ($dom) {                          # undef for javascript:, undecoded or invalid URIs
      dbg("debug: URICountry $uri in $dom");
      $domlist{$dom} = 1;
    }
  }

  # Build a list of the countries for URIs in the message.
  my %countries = ();
  foreach my $dom (keys(%domlist)) {
    my $cc = $reg->inet_atocc($dom) || "XX";
    dbg("debug: URICountry $dom in $cc");
    $countries{lc($cc)} = 1;
  }

  # Now check if any match any defined rules.
  foreach my $rule (keys(%{$scanner->{conf}->{uricountry}})) {
    my $country = lc($scanner->{conf}->{uricountry}->{$rule});
    if($countries{$country}) {
      dbg ("debug: URICountry hit rule: $country");
      $scanner->got_hit($rule, "");
    }
  }

  return 1;
}

# handle "uricountry RULENAME CC" lines in the config
sub parse_config {
  my ($self, $opts) = @_;

  my $key = $opts->{key};

  if ($key eq 'uricountry') {
    if ($opts->{value} =~ /^(\S+)\s+(\S+)\s*$/) {
      my $rulename = $1;
      my $country = $2;

      dbg("debug: URICountry: registering $rulename");
      $opts->{conf}->{uricountry}->{$rulename} = $country;
      $self->inhibit_further_callbacks();
      return 1;
    }
  }

  return 0;
}

# Taken from the one in Util.pm, but we don't want to drop the hostname:
# doing so often leaves us with no A record.
sub my_uri_to_domain {
  my ($uri) = @_;

  # Javascript is not going to help us, so return.
  return if ($uri =~ /^javascript:/i);

  $uri =~ s,#.*$,,gs;                 # drop fragment
  $uri =~ s#^[a-z]+:/{0,2}##gsi;      # drop the protocol
  $uri =~ s,^[^/]*\@,,gs;             # username/passwd
  $uri =~ s,[/\?\&].*$,,gs;           # path/cgi params
  $uri =~ s,:\d+$,,gs;                # port

  return if $uri =~ /\%/;             # skip undecoded URIs.
                                      # we'll see the decoded version as well

  # keep IPs intact
  if ($uri !~ /^\d+\.\d+\.\d+\.\d+$/) {
    # get rid of hostname part of domain, understanding delegation
    #$uri = Mail::SpamAssassin::Util::RegistrarBoundaries::trim_domain($uri);

    # ignore invalid domains
    return unless (Mail::SpamAssassin::Util::RegistrarBoundaries::is_domain_valid($uri));
  }

  # $uri is now the domain only
  return lc $uri;
}

sub dbg { Mail::SpamAssassin::dbg (@_); }

1;

-- end code --
RE: GeoCities Link-only spam
> On Sun, 2005-08-07 at 12:27 -0400, Greg Allen wrote:
>> They are also using non-Geocities addresses now. Most of the IPs they
>> use seem to have been from China, so you could RBL china at the front end,
>> if you are allowed to block China that is... (my users won't let me
>> block China...uggh)
>>
>> ---example--
>> http://enlighteningvaluezone.com?djBK=nNSn7m
>> ---end example---
>
> I wrote a SpamAssassin plugin that enables scoring of URIs based on
> country using IP::Country::Fast. It's kind of a companion to
> RelayCountry.pm. I meant to make it public but never got round to
> tidying up the code. Would people be interested in my posting it?
>
> It allows rules such as:
> uricountry URICOUNTRY_CN CN
> header URICOUNTRY_CN eval:check_uricountry('URICOUNTRY_CN')
> describe URICOUNTRY_CN Contains a URI hosted in China
> tflags URICOUNTRY_CN net
> score URICOUNTRY_CN 2.0
>
> Derek

Oh yes, that type of code would be very nice to have indeed for people like me who can't outright RBL them. Do you also have code for Korea even? But dare I ask too much. :-)

I could give it a score of 4 or so... and up it even more when spammer simpletons start thinking they are on to the latest greatest China spam idea. :-)
RE: GeoCities Link-only spam
On Sun, 2005-08-07 at 12:27 -0400, Greg Allen wrote:
> They are also using non-Geocities addresses now. Most of the IPs they
> use seem to have been from China, so you could RBL china at the front end,
> if you are allowed to block China that is... (my users won't let me
> block China...uggh)
>
> ---example--
> http://enlighteningvaluezone.com?djBK=nNSn7m
> ---end example---

I wrote a SpamAssassin plugin that enables scoring of URIs based on country using IP::Country::Fast. It's kind of a companion to RelayCountry.pm. I meant to make it public but never got round to tidying up the code. Would people be interested in my posting it?

It allows rules such as:

uricountry URICOUNTRY_CN CN
header URICOUNTRY_CN eval:check_uricountry('URICOUNTRY_CN')
describe URICOUNTRY_CN Contains a URI hosted in China
tflags URICOUNTRY_CN net
score URICOUNTRY_CN 2.0

Derek
RE: GeoCities Link-only spam
They are also using non-Geocities addresses now. Most of the IPs they use seem to have been from China, so you could RBL china at the front end, if you are allowed to block China that is... (my users won't let me block China...uggh)

---example--
http://enlighteningvaluezone.com?djBK=nNSn7m
---end example---

-Original Message-
From: Rakesh [mailto:[EMAIL PROTECTED]
Sent: Sunday, August 07, 2005 10:51 AM
To: Michele Neylon
Cc: Raymond Dijkxhoorn; Greg Allen; Kelson; [EMAIL PROTECTED] Apache. Org
Subject: Re: GeoCities Link-only spam

On Sun, 2005-08-07 at 15:36 +0100, Michele Neylon wrote:
> We're also seeing general geocities references, such as:
>
> Welcome to College Fuck Tour the most unique web site dedicated to the
> beauty (and naivety) of young college girl. We're a group of horny guys
> who cruise campuses around the US to find the hottest chicks, take them
> for a ride and talk them into fucking and sucking..
> http://www.geocities.com/ticollefghffdgh
>

This ruleset http://antispam.imp.ch/rules/asciispam.cf helped me to crack down on this kind of Geocities spam.
Re: GeoCities Link-only spam
We're also seeing general geocities references, such as:

Welcome to College Fuck Tour the most unique web site dedicated to the beauty (and naivety) of young college girl. We're a group of horny guys who cruise campuses around the US to find the hottest chicks, take them for a ride and talk them into fucking and sucking..
http://www.geocities.com/ticollefghffdgh
RE: GeoCities Link-only spam
Hi!

> Yea...here is an example. They are getting through here too and I have
> everything turned on except dcc and razor. Here is an example. Hopefully
> they will use up all their spam IPs and start getting blocked by RBLs.
> These types of break-throughs usually don't last too long.

This is going on for at least 8 days now. We have like 15.000 examples over that period of time. We also notified geocities but they don't respond at all.

> SURBL can't catch it, because all it sees is geocities.com. Some have
> tripped SARE header tests, but most haven't. Even when they trip BAYES_99,
> often the only other rule is something like one of the DATE_IN_PAST rules,
> which isn't enough to push it over the edge.
>
> I finally just added a URI rule, which seems fine (since, IIRC, this would
> mean someone at GeoCities with the username "uk") and we've logged 150 of
> them in the past few hours.

Uh, you mean the country UK! :) but indeed, that's how we block them currently also. If geocities doesn't respond we will leave it in, we take the FP's for granted. UK Geocities wasn't mentioned _once_ in our HAM archives so it's up to them now to clean out and report back that it's cleaned. Meanwhile we leave the rule active.

uri PROLO_PUBWEB_UKGEO_CHECK1 /^http:\/\/uk\.geocities\.com\//
score PROLO_PUBWEB_UKGEO_CHECK1 15.0
describe PROLO_PUBWEB_UKGEO_CHECK1 PROLO_PUBWEB_UKGEO_CHECK1, Body

Bye,
Raymond.
RE: GeoCities Link-only spam
Yea...here is an example. They are getting through here too and I have everything turned on except dcc and razor. Here is an example. Hopefully they will use up all their spam IPs and start getting blocked by RBLs. These types of break-throughs usually don't last too long.

-start-
Subject: Expect it. Reduce prices on tiptop ointment at our chemisst site.

:-) Your services are really convenient. With on time delivery, I got the stuff without any delay. I will refer your site to others who like to cut costs on remeddy. -- william Deiters in DC.

What is the real issue? Gain quicker curatives? Fight the discomforts with our assistance. Stay away from bad heaadaches, sevvere stress, embarrassing disorrders, and unheealthy ccholesterol. We dispense a great aassortment of genericcs for sshopper's convenience.

http://uk.geocities.com/Adan_smith001/?q=RLbQ3BdGeWgQY

While she remained, a bush of low rambling holly protected her, undertaken a pilgrimage to the grave of Homer. Among the strangers was a minstrel from the north, the home of the clouds and the brilliant could be properly interesting only to the principals. Mrs Croft
--end---

Also another like the above had the spam link http://uk.geocities.com/andy_grove95/?q=MPqr1uWa5gJqTNfs

-Original Message-
From: Kelson [mailto:[EMAIL PROTECTED]
Sent: Friday, August 05, 2005 6:03 PM
To: users@spamassassin.apache.org
Subject: GeoCities Link-only spam

Over the last few days, we've been seeing a lot of spam that contains nothing but a pair of names and a link to a URL at uk.geocities.com. No image, no obfuscation, only a small percent has any bayes poison. Just the link and two names. Most of it is pill spam, some mortgage.

SURBL can't catch it, because all it sees is geocities.com. Some have tripped SARE header tests, but most haven't. Even when they trip BAYES_99, often the only other rule is something like one of the DATE_IN_PAST rules, which isn't enough to push it over the edge.

I finally just added a URI rule, which seems fine (since, IIRC, this would mean someone at GeoCities with the username "uk") and we've logged 150 of them in the past few hours.

Is anyone else seeing these?

-- 
Kelson Vibber
SpeedGate Communications
Re: GeoCities Link-only spam
Kelson wrote:
> Over the last few days, we've been seeing a lot of spam that contains
> nothing but a pair of names and a link to a URL at uk.geocities.com. No
> image, no obfuscation, only a small percent has any bayes poison. Just
> the link and two names. Most of it is pill spam, some mortgage.
>
> SURBL can't catch it, because all it sees is geocities.com. Some have
> tripped SARE header tests, but most haven't. Even when they trip BAYES_99,
> often the only other rule is something like one of the DATE_IN_PAST rules,
> which isn't enough to push it over the edge.
>
> I finally just added a URI rule, which seems fine (since, IIRC, this would
> mean someone at GeoCities with the username "uk") and we've logged 150 of
> them in the past few hours.
>
> Is anyone else seeing these?

I see spam messages with links to GeoCities web sites all of the time. Although my experience is a little different than yours: the messages are always for porn. So I use the following rule to catch them:

uri __GEOCITIES_NUM /uk\.geocities\.com\/[a-z_0-9]{1,30}/i
meta GEOCITIES_NUM (SUBJECT_SEXUAL && __GEOCITIES_NUM)
describe GEOCITIES_NUM Possible UK Geocities spam site
score GEOCITIES_NUM 5.0

This works for me and I have yet to see any FP. Also, these types of messages for me usually will land BAYES_99 and a few DNS_FROM_RFC_* rules which help bring up the score.

Andre Nicholson
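The thread's central point is that a domain-level URI blocklist such as SURBL keys on the registrable domain, so every uk.geocities.com/<user> link collapses to geocities.com and cannot be listed without blocking the whole host; the rules Raymond and Andre post work at the path level instead, and differ in how they trade catch rate against false positives. The following is an added example, not code from the thread or from SpamAssassin: a Python port of the plugin's my_uri_to_domain() normalisation (with and without trimming to the registrar boundary), plus the two uk.geocities rules and Andre's meta gate, run over a few constructed messages built around the URLs quoted in the thread. The suffix table, the SUBJECT_SEXUAL stand-in, the URI extractor and all function names are assumptions made for the example; the real RegistrarBoundaries table and SUBJECT_SEXUAL rule are much larger.

```python
# Added example (not code from the thread or from SpamAssassin itself).
import re

# Toy stand-in for SpamAssassin's RegistrarBoundaries table (assumption:
# only the two-level suffixes this example needs).
TWO_LEVEL_SUFFIXES = {"co.uk", "org.uk", "com.cn"}

# Toy stand-in for SA's SUBJECT_SEXUAL rule (assumption: a short word list).
SUBJECT_SEXUAL = re.compile(r"\b(fuck|sex|porn|horny|xxx)\b", re.I)

# Crude URI extractor standing in for get_uri_list() (assumption).
URI_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

# The two rules posted in the thread, as Python regexes.
UKGEO_ANCHORED = re.compile(r"^http://uk\.geocities\.com/")          # PROLO_PUBWEB_UKGEO_CHECK1
UKGEO_USER = re.compile(r"uk\.geocities\.com/[a-z_0-9]{1,30}", re.I)  # __GEOCITIES_NUM
SCORES = {"PROLO_PUBWEB_UKGEO_CHECK1": 15.0, "GEOCITIES_NUM": 5.0}


def registrable_domain(host):
    """Cut a host down to its registrable domain using the toy suffix table."""
    labels = host.lower().split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def uri_to_domain(uri, trim=False):
    """Port of the plugin's my_uri_to_domain(). Returns None for URIs it
    rejects. trim=False keeps the whole host (the plugin's choice, so an
    A record can still be resolved); trim=True cuts to the registrable
    domain, which is the key a domain-level blocklist lookup would use."""
    if re.match(r"javascript:", uri, re.I):
        return None
    uri = re.sub(r"#.*$", "", uri, flags=re.S)            # drop fragment
    uri = re.sub(r"^[a-z]+:/{0,2}", "", uri, flags=re.I)  # drop scheme
    uri = re.sub(r"^[^/]*@", "", uri, flags=re.S)         # drop user:pass@
    uri = re.sub(r"[/?&].*$", "", uri, flags=re.S)        # drop path / query
    uri = re.sub(r":\d+$", "", uri)                       # drop port
    if "%" in uri:
        return None  # still percent-encoded; the decoded copy is seen too
    if not re.fullmatch(r"\d+\.\d+\.\d+\.\d+", uri):      # keep bare IPs intact
        # crude syntax check standing in for is_domain_valid() (assumption)
        if not re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)+", uri, re.I):
            return None
        if trim:
            uri = registrable_domain(uri)
    return uri.lower()


def blocklist_keys(body):
    """Domains a registrable-domain blocklist lookup would query for a body."""
    keys = {uri_to_domain(u, trim=True) for u in URI_RE.findall(body)}
    return sorted(k for k in keys if k)


def score_message(subject, body):
    """Apply the thread's two uk.geocities rules. Returns {rule: score}."""
    uris = URI_RE.findall(body)
    hits = {}
    # Raymond's rule: any uk.geocities.com URI, no further gating.
    if any(UKGEO_ANCHORED.search(u) for u in uris):
        hits["PROLO_PUBWEB_UKGEO_CHECK1"] = SCORES["PROLO_PUBWEB_UKGEO_CHECK1"]
    # Andre's meta rule: a per-user path AND a sexual subject line.
    if any(UKGEO_USER.search(u) for u in uris) and SUBJECT_SEXUAL.search(subject):
        hits["GEOCITIES_NUM"] = SCORES["GEOCITIES_NUM"]
    return hits


# Constructed messages (subject, body) built around URLs quoted in the thread.
SAMPLES = {
    "pill": ("Expect it. Reduce prices on tiptop ointment at our chemisst site.",
             "Your services are really convenient.\n"
             "http://uk.geocities.com/Adan_smith001/?q=RLbQ3BdGeWgQY\n"),
    "porn_www": ("Welcome to College Fuck Tour",
                 "http://www.geocities.com/ticollefghffdgh\n"),
    "porn_uk": ("Welcome to College Fuck Tour",
                "http://uk.geocities.com/ticollefghffdgh\n"),
    "ham": ("Holiday photos",
            "Pictures are up at http://uk.geocities.com/somebody/ now.\n"),
}

if __name__ == "__main__":
    for name, (subject, body) in SAMPLES.items():
        print(name, blocklist_keys(body), score_message(subject, body))
```

Running it shows the trade-off the two posters describe: every uk.geocities URL reduces to the single blocklist key geocities.com; Raymond's anchored rule catches the pill spam and the porn but also fires on the innocent holiday-photos page (the FP he says he accepts); Andre's meta rule avoids that FP but misses the pill spam, and neither rule sees the www.geocities.com variant.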
GeoCities Link-only spam
Over the last few days, we've been seeing a lot of spam that contains nothing but a pair of names and a link to a URL at uk.geocities.com. No image, no obfuscation, only a small percent has any bayes poison. Just the link and two names. Most of it is pill spam, some mortgage.

SURBL can't catch it, because all it sees is geocities.com. Some have tripped SARE header tests, but most haven't. Even when they trip BAYES_99, often the only other rule is something like one of the DATE_IN_PAST rules, which isn't enough to push it over the edge.

I finally just added a URI rule, which seems fine (since, IIRC, this would mean someone at GeoCities with the username "uk") and we've logged 150 of them in the past few hours.

Is anyone else seeing these?

-- 
Kelson Vibber
SpeedGate Communications