Kelson wrote:
Over the last few days, we've been seeing a lot of spam that contains nothing but a pair of names and a link to a URL at uk.geocities.com. No image, no obfuscation, only a small percent has any bayes poison. Just the link and two names. Most of it is pill spam, some mortgage.

SURBL can't catch it, because all it sees is geocities.com. Some of them have tripped SARE header tests, but most haven't. Even when they trip BAYES_99, often the only other rule is something like one of the DATE_IN_PAST rules, which isn't enough to push it over the edge.

I finally just added a URI rule, which seems fine (since, IIRC, this would mean someone at GeoCities with the username "uk") and we've logged 150 of them in the past few hours.

Is anyone else seeing these?

I see spam messages with links to GeoCities web sites all of the time. Although my experience is a little different than yours: the messages are always for porn. So I use the following rule to catch them:

uri       __GEOCITIES_NUM  /uk\.geocities\.com\/[a-z_0-9]{1,30}/i
meta      GEOCITIES_NUM    (SUBJECT_SEXUAL && __GEOCITIES_NUM)
describe  GEOCITIES_NUM    Possible UK Geocities spam site
score     GEOCITIES_NUM    5.0

This works for me and I have yet to see any FP. Also, these types of messages for me usually will land BAYES_99 and a few DNS_FROM_RFC_* rules which help bring up the score.

Andre Nicholson
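
Added example (not part of either post): a small Python harness for checking what the __GEOCITIES_NUM pattern matches before deploying it, compared with a host-anchored variant. The URL extractor, the strict variant, and the sample bodies are assumptions constructed for illustration; only the rule pattern and the meta logic come from the post above.

```python
import re
from urllib.parse import urlsplit

# Pattern copied verbatim from the __GEOCITIES_NUM rule in the post.
RULE_RE = re.compile(r"uk\.geocities\.com\/[a-z_0-9]{1,30}", re.I)
# Assumption: a simple URL extractor standing in for SpamAssassin's URI parsing.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
# Assumption: path check used only by the stricter variant below.
USER_RE = re.compile(r"/[a-z_0-9]{1,30}(?:/|$)", re.I)


def extract_uris(body):
    """Return every http(s) URL found in a message body."""
    return URL_RE.findall(body)


def rule_hits(body):
    """URLs matched by the original, unanchored pattern."""
    return [u for u in extract_uris(body) if RULE_RE.search(u)]


def strict_hits(body):
    """URLs whose host is exactly uk.geocities.com with a user-style path."""
    out = []
    for u in extract_uris(body):
        parts = urlsplit(u)
        host = (parts.hostname or "").lower()
        if host == "uk.geocities.com" and USER_RE.match(parts.path):
            out.append(u)
    return out


def meta_fires(body, subject_sexual):
    """GEOCITIES_NUM = SUBJECT_SEXUAL && __GEOCITIES_NUM, as in the post."""
    return bool(subject_sexual and rule_hits(body))


# Constructed sample bodies (not real mail).
SAMPLES = {
    "target": "Anna Smith\nhttp://uk.geocities.com/some_user123/\n",
    "lookalike_host": "see http://notuk.geocities.com/page1 now\n",
    "in_query": "http://example.org/r?u=uk.geocities.com/abc\n",
    "other_site": "http://www.geocities.com/someone\n",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, "rule:", bool(rule_hits(body)), "strict:", bool(strict_hits(body)))
```

Running it shows that the unanchored pattern also matches a host that merely ends in uk.geocities.com and a URL that carries the string in its query, and that the meta rule stays silent unless the subject test also hits.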
