Block spam based on URLs they contain

[AlphaCentauri]

I just filter for "http://%" as well as various combinations of hexcode and regular text for ".com," ".biz," etc., like ".b%69z"

Almost all will have the link in clickable form, as they would lose a lot of responses otherwise. (I mean, we're talking about people who answer spam emails about genital enlargement pills; you can't count on them being bright enough to type a URL). But the ad copy itself is often an image, so you can't filter for topics, only URLs

[Merlyn]

A good anti-spam program like K9, which includes the ability to add

DNS Blackhole Lists (like sbl-xbl.spamhaus.org) which now includes

"ROKSO" Register of Known spam Operations - seem to solve this.

1759[/snapback]

K9 works along with your mail client. I does nothing for administrating servers. It seems at the current time for administrators IP based blocklists are the best way to go.

[dbiel]

What I and presumably others propose is to build a blacklist of those sites and block messages that reference those URLs.  At the same time a whitelist of the many common legitimate sites would need to be created to prevent spammers from getting legitimate sites blacklisted.  A probably very successful first pass would be to blacklist the sites or IP blocks in China (or other spam friendly ISPs) and whitelist the rest. Further refinement could be made from there, but this would probably successfully stop 90% of spam that currently makes it through existing RBLs.

There is one major flaw (challenge) in the sucessful implementation of this and that is the fact that spammers are starting to use "throwaway" url's. That is a url that does not have any web site attached to it but simply forwards the user to the real web site (or yet another throwaway url, and so on).

[PeterJ]

To those who have recently posted to this thread, if you have a sincere interest in Jeff Chan's initial idea, please note that he first posted regarding this quite a while ago. Since that time it is no longer an idea, it is real. Jeff Chan and others have developed the means to handle redirection sites, not sure about the use of unicode. SURBLs (spam URI Realtime Blocklists) have proven quite effective when combined with traditional blocklists, bayesian filtering, and other types of spam detection/scoring.

I mention this only because I have not seen Jeff Chan around these forums for many months and would be surprised of his accidental return unless someone tells him his original thread is still alive. If you wish to reach him, his website on this topic has info on SURBLs, his email address, and available surbl mailing lists. Check it all out at: http://www.surbl.org/

A question for JT: Can we please implement URI checking in SpamCop's SpamAssassin setup? (Note that this will be included with v3.0 of SpamAssassin, soon to be released) If you are waiting for SA 3.0 to come out before trying this, I understand.

[PeterJ]

I forgot to inlcude a quote from JT (Feb 17, 04) in these forums:

I probably don't have a problem with those. I'll look into that. That said, it's my intention that the rules we use are very safe. We use the standard rules, plus Big Evil. Big Evil is intended to be a zero-false-positive list. It's all URLs and if you show legit email with a URL in it, he'll remove the URL from Big Evil.

This was part of his response to a request for improving SpamCop's SpamAssassin implementation. I wanted to bring this back up because it is very relevant to the topic of SURBLs. "Big Evil" was great while it lasted, I nice list of spammy URLs that SpamAssassin could check against and Chris Santerre (of SA fame) did a great job of manually maintaining the list. As JT mentions above, one had to email Chris and request that a legitimate URL be removed from the list and then every time an updated list would come out SpamAssassin administrators would then need to incorporate this. It becomes pretty clear that over the long haul this became too cumbersome...guess what replaced it? SURBLs! At least one of the SURBLs that Jeff Chan and company have developed has absorbed the "Big Evil" list. Just wanted to bring this up as further evidence as to why SpamCop should implement the use of a SURBL in the SpamCop SpamAssassin implementation. My logic on this as follows: JT liked and was using "Big Evil", JT likes "very safe" rules, "Big Evil" is no longer being developed and has been absorbed by a SURBL, therefore JT should look into implementing a SURBL to maintain SpamCop's SpamAssassin efficacy.

JT? (I know you have not posted in the forums for months probably, but if you read this it would be great to know your thoughts.)

[travisrabe]

Imail by Ipswitch does this. I currently have 70,000 URLs in my DB to scan for at it blocks all spam not caught by the DNS blacklists I use.

Travis