From: "Chip M." <sa_c...@IowaHoneypot.com>
Subject: Re: new campaign: bitly & appengine.google
Date: Wed, 13 Sep 2017 17:36:41 GMT
KAM, thanks!
I took a look at your rules, and like your scoring. :)
Over my years, I've seen enough BBB scare campaigns which use
shorteners, that perhaps it would make sense to add "KAM_SHORT"
to your additive list of metas (I forget what that's called).

To all the other repliers:
Thanks for your input.
All my BitLy spam complaints have been through SpamCop, and (together
with my data) have left me with a poor impression of BitLy's abuse
handling.

For example, between 2017-Jul-11 and Aug-22, at one of my key
domains, 4.0% of the spam (all Snowshoe) contained the same 
shortener:
	bit.ly/2sLdd2P
The SA killrate (generic install only) was 53.02% for those.
During that period, the Location domain ("programmingkeeda") was
almost always on URIBL's blocklist (mostly "black" sometimes
"red"), though not on SpamHaus or Surbl.

I reported at least four (4) samples via SpamCop between Jul-17
and Jul-20, usually with an explicit note/comment to BitLy.

As of this morning, that shortener is still active. :(

Next time I'll try a direct submission, based on the credibility
of some of you who state you've had good experiences. :)

If anybody does have a direct contact with somebody at BitLy that
they trust, I would still appreciate that (off-list).
7 years ago, I posted some rambling ideas about cooperative data
sharing with shortener providers:
	http://mail-archives.apache.org/mod_mbox/spamassassin-users/201002.mbox/%3c20100224.00000053@iowahoneypot.com%3e
About 4 years ago, I implemented HTTP HEAD and adding Location
URLs to my regular processing, and have been generally pleased
with its performance & efficacy. :)
I did include (and am using) the ability to include the SA score
in the Agent, and would like to have contact with any legit 
shortener providers who would use that (and other data).

My suggestion about using UDP was purely to improve performance
for the gateway filter, when used with an automatic smart 
quarantine approach, where the final decision would be made 
minutes later by a separate app.
For example, Splunk logging is often done via UDP, since it's 
typically viewed by humans, and a few second (or often minutes)
delay is not a big issue, and the potential for lost data packets
is less relevant than performance.
	- "Chip"
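The HTTP HEAD / Location resolution that Chip describes, with the SA score carried in the User-Agent, as an added example that is not part of the original message or of SpamAssassin itself. The shortener host list, the blocklist standing in for a URIBL lookup, the canned responses and the `fake_transport` hook are all constructed so the code runs offline; a real deployment would replace `fake_transport` with a socket or HTTP client that sends the request bytes and returns the raw response head.

```python
"""Resolve a URL shortener hop by hop with HTTP HEAD (no body download), pull the
Location header, and check the landing host against a URI blocklist."""
import re
from urllib.parse import urlsplit, urljoin

# Constructed sample data (assumptions for this example, not real lookups).
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com"}
URI_BLOCKLIST = {"spam-landing.example"}  # stands in for a URIBL/SURBL query

# Constructed canned responses keyed by URL so the example runs offline.
# They exercise an absolute redirect, a relative Location, a chained
# shortener and a redirect loop.
CANNED_RESPONSES = {
    "http://bit.ly/EXAMPLE1":
        "HTTP/1.1 301 Moved Permanently\r\n"
        "Location: http://tinyurl.com/EXAMPLE2\r\nContent-Length: 0\r\n\r\n",
    "http://tinyurl.com/EXAMPLE2":
        "HTTP/1.1 302 Found\r\nLocation: /go/final\r\n\r\n",
    "http://tinyurl.com/go/final":
        "HTTP/1.1 301 Moved Permanently\r\n"
        "Location: https://spam-landing.example/offer?id=7\r\n\r\n",
    "http://bit.ly/LOOP":
        "HTTP/1.1 301 Moved Permanently\r\nLocation: http://bit.ly/LOOP\r\n\r\n",
}


def fake_transport(url, request_text):
    """Hypothetical transport hook: a real one would send request_text over a
    socket to the host in url and return the raw response head."""
    return CANNED_RESPONSES.get(url, "HTTP/1.1 404 Not Found\r\n\r\n")


def build_user_agent(sa_score, product="sa-shortener-resolver/0.1"):
    """User-Agent carrying the SpamAssassin score, so a cooperating shortener
    provider could correlate its own abuse data with the filter's verdict."""
    return f"{product} (sa-score={sa_score:.1f})"


def build_head_request(url, sa_score):
    """Raw HTTP/1.1 HEAD request for url; HEAD avoids fetching the body."""
    parts = urlsplit(url)
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    return (f"HEAD {target} HTTP/1.1\r\n"
            f"Host: {parts.netloc}\r\n"
            f"User-Agent: {build_user_agent(sa_score)}\r\n"
            "Connection: close\r\n\r\n")


def parse_head_response(raw):
    """Return (status, location) from a raw response head; location is None
    unless the status is a 3xx that carries a Location header."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    m = re.match(r"HTTP/\d\.\d\s+(\d{3})", lines[0])
    if not m:
        raise ValueError("malformed status line: %r" % lines[0])
    status = int(m.group(1))
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    location = headers.get("location") if 300 <= status < 400 else None
    return status, location


def resolve(url, sa_score, transport=fake_transport, max_hops=5):
    """Follow redirects one HEAD at a time. Stops at the first non-shortener
    host (the landing site is never requested), on a loop, or at max_hops."""
    chain = [url]
    current = url
    for _ in range(max_hops):
        _status, location = parse_head_response(
            transport(current, build_head_request(current, sa_score)))
        if location is None:
            break
        nxt = urljoin(current, location)  # resolves relative Location values
        if nxt in chain:
            break  # redirect loop
        chain.append(nxt)
        current = nxt
        if (urlsplit(nxt).hostname or "") not in SHORTENER_HOSTS:
            break  # left the shortener: this is the host to score
    return chain


def landing_verdict(url, sa_score):
    """Chain of URLs seen, the landing host, and whether it is blocklisted."""
    chain = resolve(url, sa_score)
    host = urlsplit(chain[-1]).hostname or ""
    return {"chain": chain, "landing_host": host, "listed": host in URI_BLOCKLIST}


if __name__ == "__main__":
    print(landing_verdict("http://bit.ly/EXAMPLE1", sa_score=8.2))
```

Stopping at the first non-shortener host keeps the resolver from touching the landing site at all, which matters when the filter runs inline on a gateway: the only requests that leave the box go to the shortener, and the blocklist lookup happens on the Location value rather than on anything fetched from the destination.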

