Re: Loads of recent low-scoring snowshoe spam

2019-09-26 Thread John Hardin 

On Thu, 26 Sep 2019, Amir Caspi wrote:


On Sep 26, 2019, at 10:18 AM, John Hardin  wrote:


Some of those are following a pattern I've recently noticed - fairly obviously 
bogus spamvertising domain URLs with some .gov URLs thrown in as well. I'm 
assuming that's an attempt to leverage naïve domain whitelisting. One has a 
Humane Society URL, I presume the goal is similar.


Although they may not be in the spamples I provided, I've also seen .edu links.


Yeah, I'm starting to see those too. Added __URI_DOTEDU to see what it's 
worth.


--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Our politicians should bear in mind the fact that the American
  Revolution was touched off by the then-current government
  attempting to confiscate firearms from the people.
---
 3 days until the 78th anniversary of the massacre at Babi Yar
 Disarmament enables genocide - Registration enables disarmament

Re: Loads of recent low-scoring snowshoe spam

2019-09-26 Thread Amir Caspi 
On Sep 26, 2019, at 10:18 AM, John Hardin  wrote:
> 
> Some of those are following a pattern I've recently noticed - fairly 
> obviously bogus spamvertising domain URLs with some .gov URLs thrown in as 
> well. I'm assuming that's an attempt to leverage naïve domain whitelisting. 
> One has a Humane Society URL, I presume the goal is similar.

Although they may not be in the spamples I provided, I've also seen .edu links. 
 And in today's spam I got a .gov.on.ca  link.  So we might 
need some variants, but then again, I suspect these will require a lot of 
tuning to guard against FPs.

My new AC_ rules (particularly AC_LARGE_INDENT and AC_POST*EXTRAS) do really 
well locally, but not so much in masscheck ... but they hit otherwise very 
low-scoring spam.  I would request that someone more talented than I am look at 
tuning those against FPs, if they are willing...

Cheers.

--- Amir

Re: Loads of recent low-scoring snowshoe spam

2019-09-26 Thread John Hardin 

On Wed, 25 Sep 2019, Amir Caspi wrote:


Just a few (of many) spamples here:
https://pastebin.com/wRFBSCEZ
https://pastebin.com/FUdFEdhT
https://pastebin.com/LkqSEdAh


Some of those are following a pattern I've recently noticed - fairly 
obviously bogus spamvertising domain URLs with some .gov URLs thrown in as 
well. I'm assuming that's an attempt to leverage naïve domain 
whitelisting. One has a Humane Society URL, I presume the goal is similar.


I added __URI_DOTGOV but the performance isn't that great at the moment. I 
expect the masscheck corpora aren't seeing a lot of these (yet?). It's 
possible some of the DOTGOV combinations would work better in the Real 
World than they currently are in masschecks...



--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Are you a mildly tech-literate politico horrified by the level of
  ignorance demonstrated by lawmakers gearing up to regulate online
  technology they don't even begin to grasp? Cool. Now you have a
  tiny glimpse into a day in the life of a gun owner.   -- Sean Davis
---
 3 days until the 78th anniversary of the massacre at Babi Yar
 Disarmament enables genocide - Registration enables disarmament