>...
>List Mail User wrote:
>>      Of course, the originals transmogrify quite quickly and the '/?'
>> was posted a couple of days ago.
>
>Actually it was posted a couple of weeks ago.  About two or three days 
>later I started to get spams without the query string.  The rule worked 
>well for a few weeks before it was posted.  Of course that may or may 
>not be a coincidence.
>
        I'd be willing to bet dollars to donuts that it was no coincidence
(though in this area, donuts are often 75 cents US - so in Canada, that
would be an "even money" bet).  The few-day lag is likely due to the time
to distribute new ratware/zombie code; the "master" sources were
probably changed almost immediately.  We could "ruin" a lot of other
signatures by publishing them too.  Which leaves the question of how to
share such information so *everyone* can use it, without tipping off the
spammer.  Maybe it will come to having to support "encrypted" and/or
"binary" coded rules that cannot be read, much as the Bayes DB was changed
to hold hashes instead of the actual tokens (still leaving open the
ability to run SA to test the spam templates, but that is more work than
just reading mailing list archives and scanning Rules du Jour).  That
becomes scary, because the users then have to trust the rule providers and
lose the ability to modify the rules locally (fine for groups that are
well known, like SARE, but no good for individuals who post to the mailing
list or otherwise distribute rules publicly).  Maybe this would also imply
the need for a "clearinghouse" for rules, where they could be sent, then
encrypted and possibly signed by some trusted authority (I'd nominate
SARE - who wouldn't have to endorse them, just perform or check the
encryption and vouch for the conversion itself); it would certainly
make it much more difficult to find errors in rule REs or understand
why a rule FPs (both not good).

        A check shows I have no '/?' strings after Sept. 25 (well over
a few days ago), and since then all have the format '/firstName digits
lastname moredigits/' (not an RE, and no spaces); and a few of these
have identical templates to the original '/firstName_lastname/?' spams.
At least Geocities/Yahoo! has begun to nuke these much more rapidly,
and some have arrived DOA (site already gone - just ratware/zombie
latency showing).

>Random stat -- over the last 5 weeks 9-10% of the spam I've received has 
>contained Geocities links.  The vast majority of it scores over 20 with 
>custom rules and usually at least 10 without, with net tests.
>
        That sounds about right - as previously noted, without custom
rules, the net tests do a pretty good job for all but the first few
people; also some of the zombie clients hit enough header rules to
score much higher (I've seen > 20 with stock 3.0.4 rules) or just get
blocked by DUL, XBL, etc. at the MTA level.
>
>Daryl
>
        Paul Shupak
        [EMAIL PROTECTED]
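The thread above describes two URI shapes (the published '/firstName_lastname/?' form and the later '/firstName digits lastname moredigits/' form) and notes that the published rule stopped firing once the spammer changed the template. The following is an added example, not code from the post or from SpamAssassin, that writes both shapes as URI rules and runs them over constructed sample URIs to show which rule each generation of spam would hit. The regexes, the GEO_* rule names, the scores and the sample URIs are all my assumptions; the post gives only a loose description of the path format, not an actual rule.

```python
import re

# Constructed sample URIs (not taken from the post): the original
# '/firstName_lastname/?' shape, the later 'firstNameDIGITSlastnameDIGITS'
# shape, a benign Geocities page, and the first shape on a non-Geocities host.
SAMPLE_URIS = [
    "http://www.geocities.com/john_smith/?",
    "http://www.geocities.com/john12smith345/",
    "http://www.geocities.com/mary7jones42/",
    "http://www.geocities.com/hobbyclub/pages/index.html",
    "http://example.org/john_smith/?",
]

# Rule 1: the signature the thread says was posted publicly, a Geocities page
# path followed by an empty query string ('/?').  Restricting it to the
# geocities.com host is my assumption.
#
# Equivalent SpamAssassin 3.x rule form (assumed, not from the post):
#   uri    GEO_EMPTY_QUERY  /^https?:\/\/(?:www\.)?geocities\.com\/[^\/?]+\/\?$/i
#   score  GEO_EMPTY_QUERY  2.0
GEO_EMPTY_QUERY = re.compile(
    r"^https?://(?:www\.)?geocities\.com/[^/?]+/\?$", re.IGNORECASE)

# Rule 2: the later template described as 'firstName digits lastname
# moredigits', no spaces, ending in '/'.  The exact regex is my assumption.
#
#   uri    GEO_NAME_DIGITS  /^https?:\/\/(?:www\.)?geocities\.com\/[a-z]+\d+[a-z]+\d+\/$/i
#   score  GEO_NAME_DIGITS  2.0
GEO_NAME_DIGITS = re.compile(
    r"^https?://(?:www\.)?geocities\.com/[a-z]+\d+[a-z]+\d+/$", re.IGNORECASE)

# Rule name -> (compiled regex, score).  Scores are illustrative.
RULES = {
    "GEO_EMPTY_QUERY": (GEO_EMPTY_QUERY, 2.0),
    "GEO_NAME_DIGITS": (GEO_NAME_DIGITS, 2.0),
}


def match_rules(uri):
    """Return the names of the rules (in RULES order) that fire on one URI."""
    return [name for name, (rx, _score) in RULES.items() if rx.search(uri)]


def score_uri(uri):
    """Sum the scores of every rule that fires on the URI."""
    return sum(RULES[name][1] for name in match_rules(uri))


def hits_by_rule(uris):
    """Count, per rule, how many of the given URIs it fires on.

    Running this over a corpus split by date is the check the thread is
    making: the '/?' rule hits the early template only, so once the spammer
    drops the query string its hit count collapses to zero while the
    name+digits rule keeps firing.
    """
    counts = {name: 0 for name in RULES}
    for uri in uris:
        for name in match_rules(uri):
            counts[name] += 1
    return counts


if __name__ == "__main__":
    for uri in SAMPLE_URIS:
        print(f"{score_uri(uri):4.1f}  {match_rules(uri) or '-'}  {uri}")
    print(hits_by_rule(SAMPLE_URIS))
```

The two rules are deliberately narrow: each keys on one template and neither fires on the benign personal page or on the same path on another host, which keeps the FP surface small but is also exactly why a single published rule dies as soon as the template moves.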
