blacklist forbidden URLs
A large majority of spam now contains a URL: either pointing to some kind of store where suckers can spend money, or carrying images or web bugs, or something else. A quick count shows the string "http" in over 90% of recent spam.
I'd like a SpamAssassin plugin that scans messages for URLs, resolves the URL, and then checks whether the URL is in a blacklisted IP space. As a start you could just check against the usual Spamhaus lists; eventually it might want to be turned
Tracking by source IP is not working so well anymore. It's too easy for spammers to send through a compromised Windows machine or open proxy. Websites, however, are a bit more established, possibly need to be on larger machines, and need to be pointed to by DNS. I suspect there are fewer of them and they move more slowly.
It's a shame SA is in Perl...
I guess Bill Stearns's blacklists come close to this, but I think listing IP blocks might be a little better than listing domains.
The most recent crap mentions http://railway.cosmic.demarcate.excretory.breast. d.bunny.deere.halfoffsalenow.biz/.
This IP is in the SBL. As of now, the Stearns blacklist blocks mail from that domain, but not mail mentioning that domain.
(Actually I think I would be pretty happy just not seeing any mail from .biz, or indeed anyone who has a bizness.)
Looking through spam missed by SpamAssassin, I see one case which would have failed, which is a supposed porn site on Geocities. It's dead now, and presumably was dead by the time I looked at the mail.
Another loophole is a goatse-style redirector: http://g.msn.com/0AD0000G/573055.1?http://128jyw.com/?rd=12&e=
That's really MSN's problem though.
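The check described above (pull the URL hosts out of a message, resolve them, look each address up in a DNS blacklist), as an added Python example that is not part of the original post or of SpamAssassin. It also picks up a URL nested in a redirector's query string and treats a host that no longer resolves as no hit; the function names, the injectable `resolve`/`listed` hooks and the sample data are assumptions, and only IPv4 is handled.

```python
import re
import socket
from urllib.parse import unquote

# Matches the host of every http(s) URL, including one nested in a query string.
HOST_RE = re.compile(r"https?://([^/\s?#<>\"']+)", re.I)

def url_hosts(text):
    """Unique lowercase hostnames of all URLs in text, nested ones included."""
    hosts = []
    for m in HOST_RE.finditer(unquote(text)):
        host = m.group(1).rsplit("@", 1)[-1].split(":", 1)[0].lower().rstrip(".")
        if host and host not in hosts:
            hosts.append(host)
    return hosts

def dnsbl_name(ip, zone):
    """DNSBL query name: 192.0.2.10 in zone Z becomes 10.2.0.192.Z."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def resolve_a(host):
    """IPv4 addresses of host; empty if it no longer resolves (dead site)."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None, socket.AF_INET)})
    except (socket.gaierror, UnicodeError):
        return []

def is_listed(name):
    """True if the DNSBL answers 127.0.0.x; other answers are error codes."""
    try:
        return socket.gethostbyname(name).startswith("127.0.0.")
    except (socket.gaierror, UnicodeError):
        return False

def check_message(text, zone="sbl.spamhaus.org", resolve=resolve_a, listed=is_listed):
    """Return (host, ip) pairs for URL hosts whose address is on the list."""
    return [(h, ip) for h in url_hosts(text) for ip in resolve(h)
            if listed(dnsbl_name(ip, zone))]

# Constructed sample and stand-in DNS data (reserved example names and addresses).
SAMPLE = ("Buy now http://Shop.Example:8080/sale and http://gone.example/pics\n"
          "http://redirector.example/r?http://landing.example/?rd=12&e=")
FAKE_A = {"shop.example": ["192.0.2.10"], "redirector.example": ["203.0.113.5"],
          "landing.example": ["198.51.100.7"]}
FAKE_LISTED = {"10.2.0.192.bl.example", "7.100.51.198.bl.example"}

def demo():
    """Run the check offline against the constructed data above."""
    return check_message(SAMPLE, "bl.example",
                         lambda h: FAKE_A.get(h, []), FAKE_LISTED.__contains__)
```

Calling `check_message(text)` with the defaults does live DNS lookups against the Spamhaus SBL zone; `demo()` runs the same logic without touching the network.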
posted Mon 29 Mar 2004 in /issues/spam
Copyright (C) 1999-2007 Martin Pool.