On Tue, Oct 11, 2005 at 04:55:30PM -0700, Jeff Chan wrote:
> On Tuesday, October 11, 2005, 10:42:28 AM, Steven Champeon wrote:
>> I've noticed that SURBL (and URIBL, who I will contact later) lists several domains that have appeared in spam header contents as well as in body contents. I'd like to use SURBL (probably multi) as an optional domains BL check against headers known to contain domains, such as the Message-ID, From, and Reply-To headers, a la
>>
>> Message-Id: 200510020442.j924gBkv021479@expoactive.net
>> From: ExpoActive advertising@expoactive.net
>> Reply-To: advertising@expoactive.net
>
> Are these spams being sent from zombies? If not, then we possibly should not be listing them. If they're sending from their own mailservers then it's vastly more efficient to just block their IPs at a low level, i.e., regular (local or global) RBL.

You misunderstand me, I think. I'm not deliberately listing any domains in SURBLs, I'm proposing using the SURBL DNS zone (e.g. "multi") to check domains that may be embedded in headers such as From, Reply-To, and Message-Id, where they are often used to direct bounces and replies back to the domain owners, while evading the meager blocks on sender host/domain and/or SMTP Rcpt To, or used as tracking devices.

> Regarding using SURBLs on headers, I guess I'd view that as mission creep and somewhat away from our original focus of URI domains.

I'm not asking for SURBLs to list domains found in headers, I'm suggesting that domains found in SURBLs because of their use in the bodies of spam may also be found on occasion in less-inspected message headers of spam that may also find them in the body.

I'm just trying to reduce my spam inspection workload here by using reliable sources of known spammy domains to allow rejection of the message without body inspection (which in SA and procmail, et al. requires that the message be accepted and inspection undertaken prior to delivery). I estimate that some 30% or more of spam we'd accepted and delivered or quarantined could have been rejected during the SMTP conversation, using SURBLs.

> Do any spam gangs put the URI domain on their headers when they use zombies? Seems to me they tend to forge everything except the URI.

I don't know. But I do know that spammer domains - listed in SURBL and URIBL already - do tend to be found in headers likely to direct replies back to the spammer, and which may contain tracking devices also useful to the spammer (when inserted by compliant clients as References: or In-Reply-To: in the reply). I'm advocating rejecting these known spammy messages, which would otherwise be caught/tagged by SURBLs after delivery (and delivered or quarantined, after which it's in the hands of users to know whether or not to reply to ask to be removed), during the SMTP conversation, not after.
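The header check Steven describes, as an added example that is not code from the SURBL project or from either participant: pull the domain part out of the From, Reply-To, Sender, Return-Path and Message-ID headers, reduce each to its registrable domain, query it against the real `multi.surbl.org` zone, and turn a hit into the 550 reply an MTA or milter would give at end of DATA, before the message is accepted. The resolver is injectable so the example runs offline against a constructed answer; the fake answer and the tiny public-suffix stand-in are assumptions, and the example decodes nothing about what the individual bits in the 127.0.0.x answer mean (that mapping is documented by SURBL and changes over time). The sample headers are modelled on the ones quoted above; the constructed 127.0.0.6 answer says nothing about the real listing status of any domain.

```python
"""Added example (not from the SURBL project or the thread's authors): reject
mail during the SMTP conversation when a domain in its address or Message-ID
headers is listed in a SURBL zone."""
import socket
from email import message_from_string
from email.utils import getaddresses

SURBL_ZONE = "multi.surbl.org"   # real zone; a listed name resolves to 127.0.0.<bits>
CHECKED_HEADERS = ("From", "Reply-To", "Sender", "Return-Path", "Message-ID")

# Assumption: a tiny stand-in for the public suffix list, so the query uses the
# registrable ("base") domain that SURBL zones are keyed on.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp", "com.br"}


def registrable_domain(host):
    """Reduce a hostname to the domain a SURBL lists (example.com, example.co.uk)."""
    labels = host.lower().strip(".").split(".")
    if len(labels) < 2 or not all(labels):
        return None
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def header_domains(msg):
    """Return {registrable_domain: [header names it appeared in]}."""
    found = {}
    for name in CHECKED_HEADERS:
        for value in msg.get_all(name, []):
            if name == "Message-ID":
                candidates = [value.strip().strip("<>")]      # <local@host>
            else:
                candidates = [addr for _, addr in getaddresses([value])]
            for cand in candidates:
                if "@" not in cand:
                    continue
                dom = registrable_domain(cand.rsplit("@", 1)[1])
                if dom:
                    found.setdefault(dom, []).append(name)
    return found


def dns_lookup(qname):
    """A-record lookup; None on NXDOMAIN or any failure, i.e. treated as unlisted."""
    try:
        return socket.gethostbyname(qname)
    except socket.gaierror:
        return None


def surbl_bits(domain, resolver=dns_lookup):
    """Query <domain>.<zone>; return the bitmask from 127.0.0.<bits>, 0 if unlisted."""
    answer = resolver(f"{domain}.{SURBL_ZONE}")
    if answer and answer.startswith("127.0.0."):
        return int(answer.rsplit(".", 1)[1])
    return 0          # NXDOMAIN, or a non-127 answer (e.g. a wildcarded resolver)


def check_message(raw, resolver=dns_lookup):
    """Return {domain: (bits, [headers])} for every listed header domain."""
    msg = message_from_string(raw)
    hits = {}
    for dom, headers in header_domains(msg).items():
        bits = surbl_bits(dom, resolver)
        if bits:
            hits[dom] = (bits, headers)
    return hits


def smtp_verdict(raw, resolver=dns_lookup):
    """Reply to give at end of DATA: a 550 if any header domain is listed, else None."""
    hits = check_message(raw, resolver)
    if not hits:
        return None
    dom, (bits, headers) = next(iter(hits.items()))
    return (f"550 5.7.1 Header domain {dom} ({', '.join(headers)}) "
            f"listed in {SURBL_ZONE} [{bits}]")


# Constructed sample, modelled on the headers quoted in the thread.
SAMPLE = """\
Message-Id: <200510020442.j924gBkv021479@expoactive.net>
From: ExpoActive <advertising@expoactive.net>
Reply-To: advertising@expoactive.net
To: postmaster@example.com
Subject: constructed sample

body text
"""

# Constructed resolver answer so the example runs offline; it says nothing
# about the real listing status of any domain.
FAKE_ANSWERS = {"expoactive.net.multi.surbl.org": "127.0.0.6"}


def fake_resolver(qname):
    return FAKE_ANSWERS.get(qname)


if __name__ == "__main__":
    print(smtp_verdict(SAMPLE, fake_resolver))
```

Two caveats a deployment needs beyond this sketch: use the full public suffix list rather than the five-entry stand-in, and remember that From and Reply-To are trivially forged, so a 550 here rejects on the domain a spammer chose to embed, not on the sending host, and a joe-jobbed innocent domain that happens to be listed would be rejected the same way. SURBL's published terms of use and query limits apply to the real zone.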