On Sunday, March 13, 2005, 5:12:30 AM, Jeff Chan wrote:
On Friday, March 11, 2005, 11:27:52 PM, Jeff Chan wrote:
Does anyone have or know about a list of spam-advertised URIs where the spam they appeared in was sent through open relays, zombies, open proxies, etc.? In other words, does anyone know of a list of spamvertised web sites or their domains that's been cross-referenced to exploited hosts?
We could use that information as a valuable tool for getting more records into SURBLs.
One fairly easy way for anyone running a large SpamAssassin installation to help us get this data would be to simply grep for "XBL" and "SURBL" rules hitting the same message and report out the URI domains from those messages.
Perhaps some kind person could write a reporting function in SpamAssassin for this?
Hmm, perhaps if we could extract *all* URI domains from messages sent through XBLed senders, then prioritize those, say, by frequency of appearance, we could create a new SURBL list of spamvertised domains sent through exploited hosts. That would pretty directly address the use of zombies, etc. and put a penalty on using them to advertise sites through them. Even with volume weighting, such a list of sites could be attacked by a major joe job unless we took additional countermeasures, but does anyone else think this might be a useful type of data source for SURBLs?
Jeff C. -- "If it appears in hams, then don't list it."
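
The report proposed in this message, sketched as an added example (not part of the original post and not SpamAssassin code): it ranks URI domains from spam whose X-Spam-Status lists a rule containing "XBL", optionally requiring a "SURBL" rule on the same message, and drops any domain also seen in ham. Assumptions: the `tests=` header layout, treating a "No" verdict as ham, the last-two-labels domain reduction, and all names and sample messages, which are constructed.

```python
import re
from collections import Counter
from email import message_from_string

URI_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)
TESTS_RE = re.compile(r"tests=([A-Z0-9_,\s]+)")

def base_domain(host):
    # Assumption: last two labels approximate the registered domain; real use
    # needs a two-level-TLD list for names such as example.co.uk.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def analyse(raw):
    """Return (is_spam, rule names, URI domains) for one raw message."""
    msg = message_from_string(raw)
    status = " ".join((msg.get("X-Spam-Status") or "").split())  # unfold header
    m = TESTS_RE.search(status)
    rules = {r.strip() for r in m.group(1).split(",")} if m else set()
    body = " ".join((p.get_payload(decode=True) or b"").decode("latin-1")
                    for p in msg.walk() if not p.is_multipart())
    domains = {base_domain(h) for h in URI_RE.findall(body)}
    return status.lower().startswith("yes"), rules, domains

def xbl_domain_report(raw_messages, require_surbl=False):
    """Rank URI domains from spam that hit an XBL rule, minus ham domains."""
    counts, ham_seen = Counter(), set()
    for raw in raw_messages:
        is_spam, rules, domains = analyse(raw)
        if not is_spam:
            ham_seen |= domains      # seen in ham: never list it
            continue
        xbl = any("XBL" in r for r in rules)
        surbl = any("SURBL" in r for r in rules)
        if xbl and (surbl or not require_surbl):
            counts.update(domains)   # one count per message, not per URI
    for d in ham_seen:
        counts.pop(d, None)
    return counts.most_common()

def _msg(verdict, tests, body):  # builds one constructed sample message
    status = f"{verdict}, score=9.9 required=5.0 tests={tests} autolearn=no"
    return f"From: sender@example.test\nX-Spam-Status: {status}\n\n{body}\n"

SAMPLES = [  # constructed test data, not real mail
    _msg("Yes", "RCVD_IN_XBL,\n\tURIBL_SC_SURBL", "http://www.pills-example.test/a http://www.pills-example.test/b http://www.example.org/"),
    _msg("Yes", "RCVD_IN_XBL", "http://cheap.pills-example.test/ http://new-spamsite.test/"),
    _msg("Yes", "URIBL_SC_SURBL", "http://other-example.test/"),
    _msg("No", "BAYES_00", "See http://www.example.org/docs"),
]
```

Counting each domain once per message limits the volume weighting a single stuffed message can buy, and the ham exclusion is the only joe-job countermeasure shown here.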