Spamassassin rules for subdomain spam (Geocities, Tripod, AOL, etc.)

These rules are frequently updated; please use an automated script to get them.


960 entries in subevil.cf (958 still alive)
1005 entries in alive_spammy.txt - alive_spammy2.txt
1846 entries in rip_spammy.txt
2 entries in alive_spammy_malware.txt

Place subevil.cf in /etc/mail/spamassassin
( Debian in /etc/spamassassin & FreeBSD in /usr/local/etc/mail/spamassassin )

For heavily loaded servers, here ( subevil200.cf ) is a new version limited to the
200 most recent entries.


 NEW:  (Dec 21, 2005)

  • fresh_alive_spammy.txt : The most recent entries, actively used in current spam runs (the ones you *really* want down!)
  • alive_spammy_malware.txt : When lazy hosts don't use antivirus, their service becomes a malware heaven.
  • spammy_targets.txt : The real target behind the redirector (unencrypted only, with country code)
  • Automated submission: If you run Spamassassin and are willing to participate, I'd like to hear from you (it involves a simple 4-line patch and adding a cron job)

 NEW:  (Dec 17, 2005) A new version of the active sites list, with complete analysis
 NEW:  (Dec 16, 2005) The script now checks hometown.aol.com & specific rule added
 NEW:  See the automated update script below.


Please download with the following command, no more often than once per hour.

cd /etc/mail/spamassassin/ && wget -N http://nospam.mailpeers.net/subevil.cf


Test the new rules:

spamassassin --lint

Once everything is OK, restart Spamassassin (you'll find a complete update script below).

A list of spammy sites that are still active can be found here.

Complete version with destination analysis, including malware detection (with ClamAv),
popular redirection tricks detection and more. Check it out here

The RIP (dead) list is right here

You can now use the form below to send either spam sources or subdomain / subdirectory
spammy URL(s). URLs already listed by SURBL should not be added here.

All data will be verified and added to the rules when appropriate.


You can also use the form to send comments (add your email if you want an answer!).


 Automated update script

Since the rules are way more effective when they're fresh, you'll find here an auto update
script whose function is equivalent to the excellent Rules-Du-Jour but designed to be
used for very frequent updates of subevil.cf or subevil200.cf.
The script needs to be configured manually and should work without any trouble.
Processor intensive commands (wget & spamassassin --lint) are executed at the lowest
priority level and there is an option to exit without doing the update if the processor load
is too high (optional, adjustable, see script).
Rules are only retrieved when newer and spamassassin is tested both before and after the
update. For better reliability, the old rules are restored if any problem is detected.
An optional email is sent whenever a problem is detected.

Once you are sure it works properly on your server, you can create a cron job to execute
it every few hours. Please do not run more than once an hour, and use a random number
of minutes for the cron job time to prevent download peaks.
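
The update flow described above (load check, fetch only when newer, lint before and after, restore on failure, reload), written out as an added example; it is not the author's sa_subevil_update script. All function and variable names, the `service spamassassin restart` reload command and the /proc/loadavg load source are assumptions.

```shell
#!/bin/sh
# Added example, not the author's sa_subevil_update; every name below is hypothetical.
RULES_DIR="${RULES_DIR:-/etc/mail/spamassassin}"
RULES_URL="${RULES_URL:-http://nospam.mailpeers.net/subevil.cf}"
RULES_FILE="$RULES_DIR/${RULES_URL##*/}"
MAX_LOAD="${MAX_LOAD:-200}"   # skip the run when the 1-minute load (x100) is above this

# External commands live in wrappers; the two heavy ones run at the lowest priority.
fetch_rules() { nice -n 19 wget -q -N -P "$RULES_DIR" "$RULES_URL"; }
lint_rules()  { nice -n 19 spamassassin --lint; }
reload_sa()   { service spamassassin restart; }   # assumption: init-script service name
# 1-minute load average x100, rounded (assumption: Linux /proc/loadavg layout)
load_x100()   { LC_ALL=C awk '{ printf "%d\n", $1 * 100 + 0.5 }' "${1:-/proc/loadavg}"; }

restore_rules() {
    # Put the saved copy back, or remove a file that did not exist before the run.
    if [ -f "$RULES_FILE.bak" ]; then mv -f "$RULES_FILE.bak" "$RULES_FILE"
    else rm -f "$RULES_FILE"; fi
}

# Returns 0 = new rules live, 1 = nothing to do, 2 = spamassassin already broken,
#         3 = update rejected, previous rules restored.
update_rules() {
    if [ "$(load_x100)" -gt "$MAX_LOAD" ]; then echo "load too high, skipping"; return 1; fi
    if ! lint_rules; then echo "lint fails before update, rules untouched" >&2; return 2; fi
    rm -f "$RULES_FILE.bak"
    # cp -p keeps the mtime, so a restored file still compares correctly under wget -N;
    # spamassassin does not load files ending in .bak, so the copy can sit in RULES_DIR.
    if [ -f "$RULES_FILE" ]; then cp -p "$RULES_FILE" "$RULES_FILE.bak"; fi
    if ! fetch_rules; then echo "download failed" >&2; restore_rules; return 3; fi
    if [ -f "$RULES_FILE.bak" ] && cmp -s "$RULES_FILE" "$RULES_FILE.bak"; then
        rm -f "$RULES_FILE.bak"; return 1          # server copy was not newer
    fi
    if ! lint_rules || ! reload_sa; then
        echo "new rules rejected, restoring previous file" >&2
        restore_rules; return 3
    fi
    rm -f "$RULES_FILE.bak"
}

# Run the update only when asked to, e.g. "sh this_script run" from cron.
case "${1:-}" in run) update_rules ;; esac
```

A passing `spamassassin --lint` shows only that the downloaded file parses; it does not show that the file is the one the author published, and the URL on this page is plain HTTP.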

Comments and feedback welcome:
spamslut@mailpeers.net

Here is what a first run should look like (in verbose mode):


[root@localhost]# sa_subevil_update -v
server load (x100) is 132
--21:42:53-- http://nospam.mailpeers.net/subevil.cf
=> `subevil.cf'
Resolving nospam.mailpeers.net... 127.0.0.1
Connecting to nospam.mailpeers.net[127.0.0.1]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 60,656 [text/plain]

100%[======================================>] 60,656 --.--K/s

21:42:53 (122.82 MB/s) - `subevil.cf' saved [60,656/60,656]

New rules downloaded
Test if spamassassin is ok before proceeding
Test if spamassassin is ok after the update
Everything ok, reloading spamassassin.
Shutting down spamd: [ OK ]
Starting spamd: [ OK ]
Spamassassin reloaded successfully (3 process running)
[root@localhost]#

As usual, this should be considered experimental; use at your own risk. You've been warned.

Submit spams, comments, death threats: spamslut@mailpeers.net