Dave Funk wrote:
> On Fri, 15 Mar 2013, Kevin A. McGrail wrote:
>
>> On 3/15/2013 9:17 AM, Tom Kinghorn wrote:
>> On 15/03/2013 15:11, Christopher Nido wrote:
>>
>> http://www.naturalstonesinc-munged.com/aah/pabfjd/pgrezs
>>
>> Now this is a guy with "cahona's grande' " for spamming the
>> spamassassin list.
>>
>> Poor sucker.
>>
>> It's a compromised Yahoo! account. One of the #1 spamming issues
>> right now for us.
>>
>> Regards,
>> KAM
>
> Not only a compromised Yahoo! account but also a compromised website
> so listing the URLs in some kind of RBL will be problematic for FPs.

I wrote a custom plug-in to detect certain things about these messages that, so far, have not resulted in any FPs (one would have to have a Yahoo account and make the message look just like the spams). I have looked at some of the messages caught, and something I noticed in all cases, so far, is that if you attempt to pull the link with wget without using a user agent string you will get ERROR 405: Not Allowed every time, so far.

I also find that there are *several* common traits within the body of the web pages, for instance a fox news copyright, specific class names and link names such as '<li><a href="http--//www.buy-berryrasp.com/order.php">Home</a></li>' (remove the --)

If anyone has a chance to verify this, especially the 404 without a user-agent string, I would think something could easily be done with a custom plug-in to detect that.

Oh, and they all do a 301 or 302 redirect at the initial request.

Rick
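
The traits described in the message above can be checked offline against captured responses. The following is an added example, not part of the original post and not the plug-in it mentions. It assumes the 405 comes from a request sent without a User-Agent and the 301/302 from the same URL fetched with one; the function names, regexes and sample captures are constructed for illustration.

```python
import re

# Body traits named in the post; these regexes are assumed approximations.
BODY_TRAITS = {
    "fox_news_copyright": re.compile(r"(?:©|&copy;|copyright)[^<]{0,40}fox\s*news", re.I),
    "order_php_home_link": re.compile(
        r'<a\s[^>]*href="[^"]*/order\.php"[^>]*>\s*Home\s*</a>', re.I),
}

def status_of(raw):
    """Status code from a raw HTTP response, or None if unparsable."""
    m = re.match(r"HTTP/\d(?:\.\d)?\s+(\d{3})", raw)
    return int(m.group(1)) if m else None

def body_of(raw):
    """Everything after the header block; empty if no header terminator."""
    _head, sep, body = raw.partition("\r\n\r\n")
    return body if sep else ""

def traits(no_ua_response, ua_chain):
    """no_ua_response: raw reply to a request sent without User-Agent.
    ua_chain: raw replies, in order, for the same URL fetched with one."""
    hits = []
    if status_of(no_ua_response) == 405:
        hits.append("405_without_user_agent")
    if ua_chain and status_of(ua_chain[0]) in (301, 302):
        hits.append("initial_redirect")
    final_body = body_of(ua_chain[-1]) if ua_chain else ""
    hits += [n for n, rx in BODY_TRAITS.items() if rx.search(final_body)]
    return hits

def is_suspect(hits):
    """Require both behavioural traits plus at least one body trait."""
    behavioural = {"405_without_user_agent", "initial_redirect"} <= set(hits)
    return behavioural and any(h in BODY_TRAITS for h in hits)

# Constructed sample captures (not real traffic).
SPAM_NO_UA = "HTTP/1.1 405 Not Allowed\r\nContent-Length: 0\r\n\r\n"
SPAM_CHAIN = [
    "HTTP/1.1 302 Found\r\nLocation: http://landing.example/\r\n\r\n",
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    '<ul class="nav"><li><a href="http://landing.example/order.php">Home</a></li></ul>'
    "<p>&copy; 2013 FOX News Network</p>",
]
CLEAN_NO_UA = "HTTP/1.1 200 OK\r\n\r\n<p>Stone countertops</p>"
CLEAN_CHAIN = [CLEAN_NO_UA]

if __name__ == "__main__":
    for label, no_ua, chain in (("spam", SPAM_NO_UA, SPAM_CHAIN),
                                ("clean", CLEAN_NO_UA, CLEAN_CHAIN)):
        print(label, is_suspect(traits(no_ua, chain)), traits(no_ua, chain))
```

Requiring the behavioural and body traits together keeps a legitimate site that merely rejects requests without a User-Agent from being flagged on that trait alone.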