spamassassin-users mailing list archives

From "Chip M." <sa_c...@IowaHoneypot.com>
Subject Re: spample of not(?)-yet-registered "custom" URL Shortener in Phish
Date Sun, 25 Sep 2016 21:20:45 GMT
On Sun, 25 Sep 2016, RW wrote:
>If you mean you poison-pill anything with a redirect, then this
>doesn't seem all that clever because tinyurl is such a well known
>shortener.

I poison pill by default, not always. :)

If the arrival time HEAD is a redirect to a "skip" listed domain,
the poison pill is skipped (which is why I do the HEAD).

My quarantine is a smart/active quarantine, not a dumb/static one
so it's very rare for a legit ham shortener not to be released
semi or fully automatically.
Yes, there's a delay, however it's my view/opinion that anyone
who uses a shortener is self-labelling the email as low priority.

My stats show that tinyurl is the most consistently abused of the
well known shorteners, so its poison pill score is higher than
some.  The other popular shorteners tend to have bursts of abuse.
It's less-dumb of the spammers to try this technique at tinyurl
first, then try it at BitLy/etc.

** I forgot to mention that while investigating this, I re-HEAD'd
all 2016 spam shorteners for my most diverse domain, and 87%
still redirect (i.e. 301 or 302 with a Location).  I briefly
skimmed the results, excluding any that did not look spammy
(most looked like snow or WP cracks).

That surprised even cynical me. :\
I'll be running a more thorough test, with more domains, soon.


>> * Does anyone have any idea of the significance of the "X-tiny"
>> header in the Windows vs Linux output?  It's probably trivial.
>
>It seems to be a diagnostic header that's only added where the URL
>exits.

Thanks!  That makes sense. :)
	- "Chip"
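
The arrival-time check described in this message, sketched as an added example (not code from the post or from SpamAssassin): a HEAD is issued without following the redirect, and the poison pill is dropped only when a 301/302 Location lands on a skip-listed domain. The skip list, the per-shortener scores, the function names and the choice to keep the pill when the HEAD fails are all assumptions made for illustration.

```python
import http.client
from urllib.parse import urlsplit

# Constructed sample values; the post gives no actual skip list or scores.
SKIP_DOMAINS = {"example.org"}
PILL_SCORES = {"tinyurl.com": 3.0, "bit.ly": 2.0}
DEFAULT_PILL = 1.0

def head_no_follow(url, timeout=5):
    """Send one HEAD request; return (status, Location) without following it."""
    parts = urlsplit(url)
    cls = (http.client.HTTPSConnection if parts.scheme == "https"
           else http.client.HTTPConnection)
    conn = cls(parts.netloc, timeout=timeout)
    try:
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        conn.request("HEAD", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def on_skip_list(host, skip_domains=SKIP_DOMAINS):
    """Match the host or a parent domain, on a label boundary only."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in skip_domains)

def poison_pill(short_url, status, location):
    """Score for a shortener link, given its arrival-time HEAD result."""
    shortener = (urlsplit(short_url).hostname or "").lower()
    score = PILL_SCORES.get(shortener, DEFAULT_PILL)
    if status in (301, 302) and location:
        try:
            target = urlsplit(location).hostname  # None for a relative Location
        except ValueError:
            target = None  # malformed Location: treat as not skip-listed
        if on_skip_list(target):
            return 0.0  # redirect lands on a skip-listed domain: no pill
    return score  # default: pill applies (other target, no redirect, error)
```

A live check would pass the result of `head_no_follow(url)` into `poison_pill`; the label-boundary match keeps a host such as `example.org.other.test` from being treated as skip-listed.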

