On Thursday, March 10, 2005, 9:01:07 AM, Matthew Wilson wrote:
Jeff (and list),
I'm worried that spammers can use SURBL to identify honeypot email servers by using unique subdomains. A spammer must merely send a unique subdomain URL to every address on their list, and if that unique subdomain is blacklisted in SURBL, they have identified a potential honeypot and will no longer send spam to that address/server.
It is therefore my humble opinion that only the second-to-top domain name should be listed in SURBL, and not any of the subdomains.
Yes, we discard subdomains:
http://www.surbl.org/faq.html#random
How are randomized URI subdomains or host names handled? The randomized subdomain problem is solved by extracting the base domain on both the SURBL data and message-checking client sides then comparing those base domains. In this way any random stuff added to the base domain is ignored. (The base domain is what would be registered with a name registrar.)
We've seen quite a few randomized or customized (to a username for example) host names in some of the top pharmaspam sites. There are different possible reasons for the randomization: to add chaos to the names to throw off message body checkers, or perhaps to "key" spam site web visits to specific mailings in order to build a confirmed mailing list. (Such confirmed mailing lists themselves are probably a valuable commodity to sell to other spammers.) Randomization doesn't throw us off though; we catch them from the base domain part, which can't change.
Jeff C. -- "If it appears in hams, then don't list it."
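The base-domain comparison the FAQ describes, as an added example that is not SURBL's own or any client's code: hosts are pulled from the URIs in a message, reduced to the registrable base domain, and only that base domain is looked up (SURBL lookups are DNS queries for base-domain.zone, so the query name is built the same way). The list of two-level registry suffixes, the blocklist contents, the zone name and the sample message are constructed assumptions; a real client carries a full suffix list and performs live DNS queries instead of consulting a local set.

```python
import re
from urllib.parse import urlparse

# Assumption: a tiny, incomplete table of registry suffixes under which
# registrations happen one label deeper. Real clients ship a full list.
TWO_LEVEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp", "com.br"}

IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
URI_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def base_domain(host):
    """Reduce a host name to the domain that would be registered with a registrar.

    Anything to the left of that (random or per-recipient labels) is dropped,
    which is what makes randomized subdomains irrelevant to the lookup.
    """
    host = host.strip().lower().rstrip(".")
    if IPV4_RE.match(host):
        return host  # literal IP: nothing to strip
    labels = host.split(".")
    if len(labels) < 2:
        return host
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def hosts_in_message(body):
    """Extract the host part of every http/https URI in a message body."""
    hosts = []
    for m in URI_RE.finditer(body):
        host = urlparse(m.group(0)).hostname
        if host:
            hosts.append(host)
    return hosts


def surbl_query_name(base, zone="multi.surbl.org"):
    """Name a client would resolve: the base domain prefixed to the SURBL zone."""
    return f"{base}.{zone}"


# Constructed stand-in for the SURBL data: base domains only, no subdomains.
BLOCKLIST = {"pharmaspam-example.test", "pills-example.co.uk"}


def check_message(body, blocklist=BLOCKLIST):
    """Return the listed base domains referenced by URIs in the message."""
    return {base_domain(h) for h in hosts_in_message(body)} & blocklist


# Constructed sample: two spam URIs with randomized / per-user host names
# and one ordinary URI that should not match.
SAMPLE = """Dear friend,
cheap meds at http://x7f3q.pharmaspam-example.test/buy?id=1
or http://alice.pills-example.co.uk/
unsubscribe: http://www.example.org/remove
"""

if __name__ == "__main__":
    for host in hosts_in_message(SAMPLE):
        print(host, "->", base_domain(host), "->", surbl_query_name(base_domain(host)))
    print("listed:", sorted(check_message(SAMPLE)))
```

Because the reduction happens on both sides, a spammer who puts a unique label in front of the base domain for every recipient still produces the same query name for every message, so the listing reveals nothing about which recipient's copy was seen.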