On Fri, 13 Dec 2024, Kirill A. Korinsky wrote:

Dear SA users,

I'd like to share with you a patch which allows me to catch SEO-offering
spam, quite a few of which I've encountered, missed, in my INBOX over the last weeks.

Changes:
1. adds .xyz as a suspicious zone because Namecheap sells this domain for ~€1;
2. extends PDS_SEO2 regex to catch that spam.

An example of that spam email: https://pbot.rmdir.de/xbuEKl2kxv7AmPBRYzRU-g

The patch is inlined in this email:

diff --git a/rulesrc/sandbox/pds/20_ntld.cf b/rulesrc/sandbox/pds/20_ntld.cf
index 9b221486a..3492a67d0 100644
--- a/rulesrc/sandbox/pds/20_ntld.cf
+++ b/rulesrc/sandbox/pds/20_ntld.cf
@@ -27,6 +27,7 @@ enlist_addrlist (SUSP_NTLD) *@*.buzz
enlist_addrlist (SUSP_NTLD) *@*.trade
enlist_addrlist (SUSP_NTLD) *@*.cyou
enlist_addrlist (SUSP_NTLD) *@*.vip
+enlist_addrlist (SUSP_NTLD) *@*.xyz

enlist_uri_host (SUSP_URI_NTLD) icu
enlist_uri_host (SUSP_URI_NTLD) online
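
Review bot: The new `*@*.xyz` entry in SUSP_NTLD has no comment recording why the zone was added, and nothing in the patch shows how often ham hits it. The list feeds the From-address check used further down (SEO_SUSP_NTLD is built on __FROM_ADDRLIST_SUSPNTLD), so please add a one-line comment with the rationale and check the ham hit rate in a mass-check run before this is published.
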
@@ -48,6 +49,7 @@ enlist_uri_host (SUSP_URI_NTLD) buzz
enlist_uri_host (SUSP_URI_NTLD) trade
enlist_uri_host (SUSP_URI_NTLD) cyou
enlist_uri_host (SUSP_URI_NTLD) vip
+enlist_uri_host (SUSP_URI_NTLD) xyz

enlist_uri_host (SUSP_URI_NTLD_PRO) pro
header   PDS_PRO_TLD eval:check_uri_host_listed('SUSP_URI_NTLD_PRO')
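
Review bot: The `xyz` entry added to SUSP_URI_NTLD is not needed for the stated goal, because the SEO meta in this file is keyed on the From address list (__FROM_ADDRLIST_SUSPNTLD), not on the URI host list. This line instead changes rules that evaluate the SUSP_URI_NTLD host list, so a message that merely links to a .xyz host is affected regardless of its sender. Consider splitting it into a separate change with its own justification, or dropping it from this patch.
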
@@ -92,7 +94,7 @@ score    GOOGLE_DRIVE_REPLY_BAD_NTLD 1.0 # limit
reuse    GOOGLE_DRIVE_REPLY_BAD_NTLD

body     __PDS_SEO1 /(?:top|first page|1st) (?:(?:results|rank(?:ing)?) 
)?(?:in|of|on) (?:Google|MSN|Yahoo|Bing)|rank number one|top page 
rank|guarantee you 1st|link.building/i
-body     __PDS_SEO2 /losing your (?:[a-z]+ )?(?:rank(?:ing)?|results)|rank 
well on [a-z]+\b/i
+body     __PDS_SEO2 /(?:losing your|your website) (?:[a-z]+ 
)?(?:rank(?:ing)?|results)|rank well on [a-z]+\b/i

meta     SEO_SUSP_NTLD __FROM_ADDRLIST_SUSPNTLD && (__PDS_SEO1 + __PDS_SEO2 >= 
1)
tflags   SEO_SUSP_NTLD publish
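
Review bot: The added `your website` alternative in __PDS_SEO2 is much broader than `losing your`: combined with the optional `(?:[a-z]+ )?` word it matches neutral phrases such as "your website results" or "your website search ranking", which are not specific to spam. SEO_SUSP_NTLD still requires the From address to be in SUSP_NTLD, but with .xyz added in the same patch that gate is wider too, so consider tying the new alternative to wording specific to the spam sample rather than the bare noun phrase. The rule lines are also wrapped by the mailer in this message, so the patch will not apply as inlined; sending it as an attachment would avoid that.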

I don't know whether Paul is still actively maintaining his rule sandbox; his last commit there was four years ago.

The changes seem reasonable, I'll apply them.


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org                         pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  Governments do not censor articles that they could expose as lies.
                                                             -- markm
-----------------------------------------------------------------------
 2 days until Bill of Rights day
