# Fighting url spam

Admin @ 01 May 2009

Recently I’ve noticed a lot of spam that contains just text and a URL. This spam passed SpamAssassin’s checks every time. The good news is that there are some fabulous URL block lists. I’ve used two of them:

SURBL and URIBL
These two check the URLs mentioned in the message body against URL block lists.

The configuration seemed a bit unclear to me, so here is a short tutorial on how to enable these tests in SpamAssassin and how to test the new configuration. Tested on a production server running SpamAssassin v 3.x.

First, check the init.pre file in SpamAssassin’s config directory. The URIDNSBL plugin line should be uncommented, like this:

```
# URIDNSBL - look up URLs found in the message against several DNS
# blocklists.
#
loadplugin Mail::SpamAssassin::Plugin::URIDNSBL
```

Also make sure that the plugin really exists: it is a file named URIDNSBL.pm in the SA plugins directory.

If everything is OK, add these rules to SpamAssassin’s local.cf:

```
# Url spam check
#
urirhssub URIBL_JP_SURBL multi.surbl.org. A 64
body      URIBL_JP_SURBL eval:check_uridnsbl('URIBL_JP_SURBL')
describe  URIBL_JP_SURBL Contains a URL listed in the JP SURBL list
tflags    URIBL_JP_SURBL net
score     URIBL_JP_SURBL 1.5

urirhssub URIBL_SC_SURBL multi.surbl.org. A 2
body      URIBL_SC_SURBL eval:check_uridnsbl('URIBL_SC_SURBL')
describe  URIBL_SC_SURBL Contains a URL listed in the SC SURBL list
tflags    URIBL_SC_SURBL net
score     URIBL_SC_SURBL 0.5

urirhssub URIBL_WS_SURBL multi.surbl.org. A 4
body      URIBL_WS_SURBL eval:check_uridnsbl('URIBL_WS_SURBL')
describe  URIBL_WS_SURBL Contains a URL listed in the WS SURBL list
tflags    URIBL_WS_SURBL net
score     URIBL_WS_SURBL 1.5

urirhssub URIBL_PH_SURBL multi.surbl.org. A 8
body      URIBL_PH_SURBL eval:check_uridnsbl('URIBL_PH_SURBL')
describe  URIBL_PH_SURBL Contains a URL listed in the PH SURBL list
tflags    URIBL_PH_SURBL net
score     URIBL_PH_SURBL 1.5

urirhssub URIBL_OB_SURBL multi.surbl.org. A 16
body      URIBL_OB_SURBL eval:check_uridnsbl('URIBL_OB_SURBL')
describe  URIBL_OB_SURBL Contains a URL listed in the OB SURBL list
tflags    URIBL_OB_SURBL net
score     URIBL_OB_SURBL 1.5

urirhssub URIBL_AB_SURBL multi.surbl.org. A 32
body      URIBL_AB_SURBL eval:check_uridnsbl('URIBL_AB_SURBL')
describe  URIBL_AB_SURBL Contains a URL listed in the AB SURBL list
tflags    URIBL_AB_SURBL net
score     URIBL_AB_SURBL 1.9

urirhssub URIBL_BLACK multi.uribl.com. A 2
body      URIBL_BLACK eval:check_uridnsbl('URIBL_BLACK')
describe  URIBL_BLACK Contains an URL listed in the URIBL blacklist
tflags    URIBL_BLACK net
score     URIBL_BLACK 2.0
```

You can adjust the scores to fit your server’s needs. With these scores, simple URL spam messages on my server get a big score (about 20 points), as shown below.

If you are interested in what kinds of URLs these rules check, there is a list on the SURBL website.

## Checking config

To check for typos or other config-related errors, use SA's lint parameter:

```
spamassassin --lint
```

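To check the newly written rules, get a spam mail with a URL in it, save it as a TXT or EML file and execute SA with these parameters:

```
# -t (test mode) scores the message on stdin and appends the report; --lint only checks the config and does not read it
spamassassin -D -t < spam_mail.eml
```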

At the end of output you should see something like this:

```
Content preview:  If diseases show themselves, it is time to click on our
site http://xxx.xxxx.xxx/ If diseases show themselves, it is time
to click on our site http://xxx.xxxx.xxx/ [...]

Content analysis details:   (22.5 points, 4.7 required)

pts rule name              description

0.1 FORGED_RCVD_HELO       Received: contains a forged HELO
0.5 HTML_40_50             BODY: Message is 40% to 50% HTML
0.0 HTML_MESSAGE           BODY: HTML included in message
3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
[score: 1.0000]
1.6 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
[Blocked - see ]
3.9 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
[201.235.56.232 listed in zen.spamhaus.org]
0.0 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
[201.235.56.232 listed in zen.spamhaus.org]
2.0 URIBL_BLACK            Contains an URL listed in the URIBL blacklist
[URIs: xxxx.xxx]
0.5 URIBL_SC_SURBL         Contains a URL listed in the SC SURBL list
[URIs: xxxx.xxx]
1.9 URIBL_AB_SURBL         Contains a URL listed in the AB SURBL list
[URIs: xxxx.xxx]
1.5 URIBL_JP_SURBL         Contains a URL listed in the JP SURBL list
[URIs: xxxx.xxx]
1.5 URIBL_WS_SURBL         Contains a URL listed in the WS SURBL list
[URIs: xxxx.xxx]
1.5 URIBL_OB_SURBL         Contains a URL listed in the OB SURBL list
[URIs: xxxx.xxx]
4.0 AWL                    AWL: From: address is in the auto white-list
```
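To see why one listed URL fires several SURBL rules at once in the report above, here is an added example (not part of the original post and not SpamAssassin's own code) that parses the urirhssub and score lines from the local.cf rules and decodes a block list answer against each rule's bitmask. The answer 127.0.0.118 and the domain spam.example are constructed, and the decoding is a simplified model of how the URIDNSBL plugin matches a numeric subtest.

```python
import ipaddress

# urirhssub and score lines copied from the local.cf rules on this page
LOCAL_CF = """\
urirhssub URIBL_JP_SURBL multi.surbl.org. A 64
urirhssub URIBL_SC_SURBL multi.surbl.org. A 2
urirhssub URIBL_WS_SURBL multi.surbl.org. A 4
urirhssub URIBL_PH_SURBL multi.surbl.org. A 8
urirhssub URIBL_OB_SURBL multi.surbl.org. A 16
urirhssub URIBL_AB_SURBL multi.surbl.org. A 32
urirhssub URIBL_BLACK multi.uribl.com. A 2
score URIBL_JP_SURBL 1.5
score URIBL_SC_SURBL 0.5
score URIBL_WS_SURBL 1.5
score URIBL_PH_SURBL 1.5
score URIBL_OB_SURBL 1.5
score URIBL_AB_SURBL 1.9
score URIBL_BLACK 2.0
"""

def parse_rules(cf_text):
    """Return {rule: {"zone", "mask", "score"}} from urirhssub/score lines."""
    rules = {}
    for fields in (line.split() for line in cf_text.splitlines()):
        if len(fields) == 5 and fields[0] == "urirhssub":
            rules.setdefault(fields[1], {}).update(
                zone=fields[2].rstrip("."), mask=int(fields[4]))
        elif len(fields) == 3 and fields[0] == "score":
            rules.setdefault(fields[1], {})["score"] = float(fields[2])
    return rules

def query_name(domain, zone):
    """DNS name queried for a URL's domain in a block list zone."""
    return f"{domain.lower().rstrip('.')}.{zone}."

def rules_hit(rules, zone, a_record):
    """Return (rule names, points) for the answer a block list zone gave."""
    addr = ipaddress.IPv4Address(a_record)
    if not addr.is_loopback:      # listings are answered from 127.0.0.0/8
        return [], 0.0
    bits = int(addr) & 0xFF       # last octet carries the list bitmask
    hits = sorted(n for n, r in rules.items()
                  if r.get("zone") == zone and r.get("mask", 0) & bits)
    return hits, round(sum(rules[n].get("score", 0.0) for n in hits), 2)

if __name__ == "__main__":
    rules = parse_rules(LOCAL_CF)
    print(query_name("spam.example", "multi.surbl.org"))        # constructed domain
    print(rules_hit(rules, "multi.surbl.org", "127.0.0.118"))   # constructed answer
```

The constructed answer 127.0.0.118 sets bits 2, 4, 16, 32 and 64, which are the SC, WS, OB, AB and JP rules that appear together in the report above.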

You can also read my earlier article about writing custom rulesets for SpamAssassin.
