-----Original Message-----
From: Jeff Chan [mailto:jeffc@surbl.org]
Sent: Tuesday, March 08, 2005 2:22 AM
To: SURBL Discussion list
Subject: Re: [SURBL-Discuss] Spammer Anti-SURBL tactic
On Monday, March 7, 2005, 9:07:37 PM, Steven Champeon wrote:
Speaking of anti-SURBL tactics, I got this turdlet today (snippet of HTML email below):
<DIV>We are giving out Free Import / Export / Wholesales/ Distributers / Retailers Contact Database</DIV>
<DIV> </DIV>
<DIV>If You interested Pls get at Following URL</DIV>
<DIV> </DIV>
<DIV><A onmouseover="window.status='http://www.impexp-data.com%27;return true;" onmouseout="window.status=' ';return true;" href="http://indigisys.com/chawla1/open.htm" target=_blank>Business = Database</A> </DIV>
<DIV> </DIV>
<DIV>Free Business / Marketing Tools ( Free SMS to All over world Unlimited ) </DIV>
<DIV><A onmouseover="window.status='http://www.impexp-data.com/sms%27;return true;" onmouseout="window.status=' ';return true;" href="http://indigisys.com/chawla1/open.htm" target=_blank>FREE SMS = Tools</A></DIV>
It *looks* like whoever owns indigisys.com wants to hide the fact that they're actually indigisys.com by pretending to be impexp-data.com, which doesn't exist. Does SURBL's lookup code catch this?
SpamAssassin 2.64 running SpamCopURI seems to check both domains:
debug: checking url: http://indigisys.com/chawla1/open.htm
debug: returning cached data : indigisys.com.multi.surbl.org -> ARRAY(0x9351f4c)
debug: Receieved match prefix: 127.0.0
debug: Receieved mask: 32
debug: no match
debug: checking url: http://www.impexp-data.com%27;return
debug: returning cached data : impexp-data.com.multi.surbl.org -> ARRAY(0x9386f58)
debug: Receieved match prefix: 127.0.0
debug: Receieved mask: 32
As does SpamAssassin 3.0.1:
debug: URIDNSBL: query for indigisys.com took 0 seconds to look up (multi.surbl.org.:indigisys.com)
debug: URIDNSBL: query for impexp-data.com took 0 seconds to look up (multi.surbl.org.:impexp-data.com)
Those are the only SURBL applications I have easy access to, so I don't know how others may handle them. SpamAssassin does the right thing. :-)
Not only that, but the SARE rules look for this trick as well. Every time they try to get around something, spammers end up painting themselves in a corner.
--Chris
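
The behaviour discussed in this thread, as an added example that is not part of the original messages and is not SpamAssassin or SpamCopURI code: it pulls URLs out of every attribute of an anchor tag, builds the multi.surbl.org query name for each domain, and reports links whose status-bar URL names a different domain than the href. The function names, the .example domains and the two-label domain reduction are assumptions made for the illustration.

```python
import re
from html.parser import HTMLParser

SURBL_ZONE = "multi.surbl.org"  # zone name taken from the debug output above
URL_RE = re.compile(r"https?://[^\s'\"<>]+", re.I)

def base_domain(url):
    """Host of url cut to its last two labels. Simplification: real clients
    use a two-level-TLD list so that names like example.co.uk work."""
    m = re.match(r"https?://([a-z0-9.-]+)", url, re.I)
    host = m.group(1).lower().strip(".") if m else ""
    return ".".join(host.split(".")[-2:])

class LinkAudit(HTMLParser):
    """Per <a> tag: the href domain plus domains of URLs in other attributes."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        href, other = "", set()
        for name, value in attrs:
            for url in URL_RE.findall(value or ""):
                if name == "href":
                    href = base_domain(url)
                else:  # onmouseover, onmouseout, ...
                    other.add(base_domain(url))
        self.links.append((href, other))

def audit(html):
    """Return (SURBL query names for every domain seen, links whose
    event-handler URLs name a domain different from the href)."""
    parser = LinkAudit()
    parser.feed(html)
    parser.close()
    seen = sorted({d for href, other in parser.links for d in {href, *other} if d})
    queries = [f"{d}.{SURBL_ZONE}" for d in seen]
    mismatched = [(h, sorted(o - {h})) for h, o in parser.links if o - {h}]
    return queries, mismatched

# Constructed sample modelled on the message above, with reserved .example names.
SAMPLE = ('<DIV><A onmouseover="window.status=\'http://www.shown.example%27;return true;" '
          'onmouseout="window.status=\' \';return true;" '
          'href="http://real.example/dir/open.htm" target=_blank>Database</A></DIV>')

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Both domains end up in the query list, so a listing for the real href domain is found regardless of what the status bar displays, and the mismatch itself is available as a separate signal.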