sa_chip at IowaHoneypot
May 2, 2012, 11:26 PM
Post #1 of 1
There's a new campaign using "bitly.com", instead of "bit.ly".
Other characteristics are:
1. empty plain text Part, followed by a quoted-printable HTML Part
2. very long HTML Title
3. large Style section, with random text (Bayes salad like)
4. current Subject is "FW: your arrest record"
I expect the Subject to change, soon.
I had a few "hunh" moments trying to figure out why my system
wasn't extracting the shortener parameter, and why NONE of
my shortener code was kicking in, then had the "doh!" moment.
Figured I'd try to save someone else that headache. :)
As soon as I realized that "bitly.com" is (apparently) a
legit alias for the terser "bit.ly", I naively jumped to the
theory that I could probably kill all of those, because who
(other than spammers) would be thick enough to use a
longer URL as a shortener.
I've had plenty of naive "obvious" solutions foiled by Pakled
senders, so I loaded up six months of my most diverse corpus.
Found two spam, and two ham.
Fortunately, the two ham were both political mailing lists,
which explains the twittery, and reinforces my prejudice that
it's ok to score this domain heavily, as long as one has a
good quarantine and FP pipeline.
I'll check some more corpora this weekend, and report back if
there's any non-trivial ham using this domain.
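Added example (not the poster's code, and not part of SpamAssassin): a small Python checker for the four traits listed above that also extracts shortener links while treating "bitly.com" as an alias of "bit.ly", so a rule keyed on the short form still fires. The sample message, the alias table and the function name are all constructed for this illustration.

```python
import email
import re
from email import policy

# "bitly.com" is the longer alias of "bit.ly" noted in the post; both map to one key.
SHORTENER_ALIASES = {"bit.ly": "bit.ly", "bitly.com": "bit.ly"}
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)(/[A-Za-z0-9._~-]*)?", re.I)
TITLE_RE = re.compile(r"<title>(.*?)</title>", re.I | re.S)
STYLE_RE = re.compile(r"<style[^>]*>(.*?)</style>", re.I | re.S)


def analyze(raw: bytes) -> dict:
    """Extract the campaign traits from one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    parts = [p for p in msg.walk() if not p.is_multipart()]
    traits = {"empty_plain_then_qp_html": False, "title_len": 0,
              "style_len": 0, "shorteners": []}  # shorteners: (host, path)
    for i, part in enumerate(parts):
        ctype = part.get_content_type()
        if ctype == "text/plain" and not part.get_content().strip():
            nxt = parts[i + 1] if i + 1 < len(parts) else None
            if (nxt is not None and nxt.get_content_type() == "text/html"
                    and str(nxt.get("Content-Transfer-Encoding", "")).lower()
                    == "quoted-printable"):
                traits["empty_plain_then_qp_html"] = True
        elif ctype == "text/html":
            html = part.get_content()       # quoted-printable is decoded here
            for t in TITLE_RE.findall(html):
                traits["title_len"] = max(traits["title_len"], len(t))
            traits["style_len"] += sum(len(s) for s in STYLE_RE.findall(html))
            for host, path in URL_RE.findall(html):
                canon = SHORTENER_ALIASES.get(host.lower())
                if canon:                  # alias normalised, so bitly.com matches
                    traits["shorteners"].append((canon, path or "/"))
    return traits


# Constructed sample in the campaign's shape (not a real spam).
LONG_TITLE = "FW: your arrest record " * 12
BAYES_SALAD = "/* lorem ipsum dolor sit amet */ " * 20
SAMPLE = ("From: sender@example.invalid\r\nSubject: FW: your arrest record\r\n"
          'MIME-Version: 1.0\r\nContent-Type: multipart/alternative; boundary="b1"\r\n'
          "\r\n--b1\r\nContent-Type: text/plain\r\n\r\n"
          "--b1\r\nContent-Type: text/html\r\n"
          "Content-Transfer-Encoding: quoted-printable\r\n\r\n"
          f"<html><head><title>{LONG_TITLE}</title>\r\n<style>{BAYES_SALAD}</style>\r\n"
          '</head><body><a href=3D"http://bitly.com/1abcDEF">your record</a>\r\n'
          "</body></html>\r\n--b1--\r\n").encode("ascii")

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

Thresholds for "very long" title and "large" style block are left to the reader, since the post gives none; the function only reports the lengths.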