>... >List Mail User wrote:
>> Of course, the originals transmogrify quite quickly and the '/?'
>> was posted a couple of days ago.
>
>Actually it was posted a couple weeks ago. About two or three days
>later I started to get spams without the query string. The rule worked
>well for a few weeks before it was posted. Of course that may or may
>not be a coincidence.
>
I'd be willing to bet dollars to donuts that it was no coincidence (though in this area, donuts are often 75 cents US - so in Canada, that would be an "even money" bet). The few-day lag is likely due to the time to distribute new ratware/zombie code; the "master" sources were probably changed almost immediately.

We could "ruin" a lot of other signatures by publishing them too. Which leaves the question of how to share such information so *everyone* can use it, without tipping off the spammer. Maybe it will come to having to support "encrypted" and/or "binary" coded rules that cannot be read, much as the Bayes DB was changed to hold hashes instead of the actual tokens (still leaving the ability to run SA to test the spam templates open, but that is more work than just reading mailing list archives and scanning Rules Du Jour). That becomes scary, because then users have to trust the rule providers and lose the ability to modify the rules locally (fine for groups that are well known like SARE, but no good for individuals who post to the mailing list or otherwise distribute rules publicly). Maybe this would also imply the need for a "clearinghouse" for rules, where they could be sent to, then encrypted and possibly signed by some trusted authority (I'd nominate SARE - who wouldn't have to endorse them, just perform or check the encryption and vouch for the conversion itself). It would certainly make it much more difficult to find errors in rule REs or to understand why a rule FPs (both not good).

A check shows I have no '/?' strings after Sept. 25 (well over a few days ago), and since then all have the format '/firstName digits lastname moredigits/' (not a RE, and no spaces); and a few of these have identical templates to the original '/firstName_lastname/?' spams. At least Geocities/Yahoo! has begun to nuke these much more rapidly, and some have arrived DOA (site already gone - just ratware/zombie latency showing).

>Random stat -- over the last 5 weeks 9-10% of the spam I've received has
>contained Geocities links. The vast majority of it scores over 20 with
>custom rules and usually at least 10 without, with net tests.
>
That sounds about right - as previously noted, without custom rules the net tests do a pretty good job for all but the first few people; also some of the zombie clients hit enough header rules to score much higher (I've seen > 20 with stock 3.0.4 rules) or just get blocked by DUL, XBL, etc. at the MTA level.
>
>Daryl
>
Paul Shupak
[EMAIL PROTECTED]
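The post describes two Geocities URL templates in words only: the original '/firstName_lastname/?' form and the later '/firstName digits lastname moredigits/' form that appeared a few days after the first rule was published. The following is an added example (not code from the post or from SpamAssassin) that turns both informal templates into regular expressions and runs them over a handful of constructed URLs, so a reader can see that a rule written for the first template simply stops firing once the spammer drops the underscore and the '/?'. The regexes, the sample URLs and the function names are all assumptions made for this example; the host name is illustrative.

```python
import re
from typing import List, Optional, Pattern

# Regexes written for this example from the two templates the post describes
# (the post gives them only as informal templates, not as REs):
#   old: /firstName_lastname/?            letters, underscore, letters, then "/?"
#   new: /firstNameDigitsLastnameDigits/  letters, digits, letters, digits, no "?"
OLD_TEMPLATE: Pattern[str] = re.compile(r"/[a-z]+_[a-z]+/\?$", re.I)
NEW_TEMPLATE: Pattern[str] = re.compile(r"/[a-z]+\d+[a-z]+\d+/$", re.I)

# Constructed sample URLs (not taken from real spam); the host is illustrative.
SAMPLE_URLS: List[str] = [
    "http://www.geocities.com/john_smith/?",        # old template
    "http://www.geocities.com/jane_doe/?",          # old template
    "http://www.geocities.com/john123smith456/",    # new template
    "http://www.geocities.com/jane7doe42/",         # new template
    "http://www.geocities.com/someuser/page.html",  # ordinary page, neither
]


def classify(url: str) -> Optional[str]:
    """Return 'old', 'new' or None depending on which template the URL fits.

    Matching is done on the raw URL string rather than a parsed path, because
    the trailing '?' of the old template would be lost by a URL parser.
    """
    if OLD_TEMPLATE.search(url):
        return "old"
    if NEW_TEMPLATE.search(url):
        return "new"
    return None


def rule_hits(urls: List[str], rule: Pattern[str]) -> int:
    """Count how many URLs a single rule regex would fire on."""
    return sum(1 for u in urls if rule.search(u))


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(f"{classify(u)!s:5} {u}")
    # The rule published for the old template misses every new-template URL.
    print("old rule hits:", rule_hits(SAMPLE_URLS, OLD_TEMPLATE))
    print("new rule hits:", rule_hits(SAMPLE_URLS, NEW_TEMPLATE))
```

Run locally, the old-template rule hits only the two '/?' URLs and none of the digit-padded ones, which is the effect the post attributes to the rule having been made public: the signature is still correct for the samples it was written from, but the live traffic has moved on.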