[SURBL-Discuss] RFC: Adding SpamBouncer phishing data to ph.surbl.org

Catherine Hampton ariel at spambouncer.org
Tue Aug 2 19:07:14 CEST 2005


> Outstanding. I get a ton of phishes. The SURBL checks I already use 
> (primarily the SpamCop and Spamhaus SBL/XBL checks IIRC) catch most of the 
> other crap I get.

SURBLs do tend to get the phish domains and IPs listed quickly,
and Jeff's extremely strict "No false positives" standards have 
done a pretty decent job of keeping out domains belonging to 
innocent bystanders and (a trickier matter) domains belonging
to servers that were hacked/trojaned/0wn3D and then used to 
host a phish site.  That doesn't catch all phishes, of course,
but it catches a good many of them.

The SpamBouncer filters catch a lot of new phishes, because of 
my set of "Phish Target" filters.  These filters check for 
email claiming to be from a company targeted by phishers (like
eBay, PayPal, Washington Mutual Bank, etc.) to see whether it 
really came from there.  If it didn't, it tags it, "Phish Target/
Forged Origin", and then my spamtrap puts it in a file of 
probable phishes that weren't caught by the "Phish Domains",
"Phish IPs" or "Phish URLs" filters.

So I usually update my phish recipes pretty quickly.  It seemed
a shame not to share that data more widely.

> The other thing I'd love to figure out is how to reliably tag 
> all the 419 scams I tend to receive.

SpamBouncer doesn't catch them all, but it catches most of 
them.  Want a couple of Procmail recipes for this?  I don't
think, however, that SURBLs will be much help with 419 spam
because most of it doesn't use a domain or IP that belongs
to the spammer/419er.  Most of it uses free email sites and
phone numbers for contacts.

> Jeff, if you can make this work, I owe both you and Catherine 
> a keg of beer. :)

Diet coke for me, please, but I'll happily accept. ;)


-- 
Catherine Hampton <ariel at spambouncer.org>
The SpamBouncer         *     <http://www.spambouncer.org/>
Personal Home Page      *         <http://www.devsite.org/>
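
The "Phish Target" check described in the message above, as an added Python sketch that is not SpamBouncer's own code or part of the original post. The brand-to-domain table, the function names and the sample messages are assumptions, and it assumes the receiving MX writes Postfix-style Received lines.

```python
import email
import re
from email.utils import parseaddr

TAG = "Phish Target/Forged Origin"  # tag name quoted in the post

# Assumed table (not SpamBouncer's): brand keyword -> domains its real relays use.
PHISH_TARGETS = {
    "paypal": ("paypal.com",),
    "ebay": ("ebay.com",),
}

# Postfix-style trace line: "from HELO (rdns.name [ip]) by ..."
RELAY_RE = re.compile(r"from\s+\S+\s+\((\S+)\s+\[[^\]]+\]\)")

def relay_host(msg):
    """Reverse-DNS name our own MX recorded in the topmost Received header."""
    received = msg.get_all("Received") or []
    m = RELAY_RE.search(received[0]) if received else None
    return m.group(1).lower().rstrip(".") if m else None

def in_domain(host, domain):
    # Suffix match on a label boundary, so paypal.com.example.net fails.
    return host == domain or host.endswith("." + domain)

def classify(raw):
    """Return TAG when mail claims a targeted brand but arrived from elsewhere."""
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    claimed = (name + " " + addr).lower()
    host = relay_host(msg)  # the HELO name is sender-controlled and ignored
    for brand, domains in PHISH_TARGETS.items():
        if brand in claimed:
            if host is None or not any(in_domain(host, d) for d in domains):
                return TAG
    return None

# Constructed sample messages (documentation address ranges, made-up hosts).
FORGED = ("Received: from mail.paypal.com (mail.paypal.com.example.net [192.0.2.10])\n"
          "\tby mx.example.org (Postfix) with ESMTP id ABC123\n"
          "From: PayPal Security <service@paypal.com>\n"
          "Subject: Verify your account\n\nbody\n")
GENUINE = ("Received: from mx7.paypal.com (mx7.paypal.com [198.51.100.7])\n"
           "\tby mx.example.org (Postfix) with ESMTP id DEF456\n"
           "From: PayPal <service@paypal.com>\n"
           "Subject: Receipt\n\nbody\n")
UNRELATED = ("Received: from host.example.net (host.example.net [203.0.113.5])\n"
             "\tby mx.example.org (Postfix) with ESMTP id GHI789\n"
             "From: Alice <alice@example.org>\n"
             "Subject: lunch\n\nbody\n")
```

Only the topmost Received header is trusted here, because it is the one stamped by the recipient's own server; anything below it can be forged by the sender.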

