On Sunday, July 18, 2004, 4:16:35 PM, Patrik Nilsson wrote:
At 00:06 2004-07-19 +0200, Raymond Dijkxhoorn wrote:
Hi!
Very fresh example: instantbodyhealer.com. Not listed in any SURBL list at the moment. NS server IPs listed in SBL since May 2nd.
That same page I added a zillion times with all kinds of .biz ones, so sure, in those cases it will work. But! Most likely a REGULAR RBL would also block those.
Not really. These are spammers using fresh trojaned home computers and non-blacklisted Chinese/Korean/Brazilian/Russian/etc. IPs to send their email. The IP this specific spam was relayed through (218.71.205.198) was not in SBL, CBL, DSBL, ORDB, NJABL, nor even Spews. As it was sent from China and dynamic/DSL IPs, it did end up in the "very likely spam" box, but I still believe in people being able to send emails from Chinese as well as dynamic/DSL IPs, so that is not conclusive in itself in my book...
If you list them there.
Listing almost all of the relays used by spammers is hard. Listing almost all of the domains in URIs used by spammers is less hard. Listing almost all of the NS servers for those domains is even less hard. At least at the moment...
All that's needed to defeat the NS server detection and listing is for ratware/trojans/zombies/etc. to start doing DNS....
Jeff C.
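
The three checks compared in this thread (relay IP, URI domain, name server IP), as an added example that is not part of the original messages. The name server hostnames, their 192.0.2.x addresses and the listing sets are constructed stand-ins for live DNS and blocklist answers; only the domain and the relay IP come from the thread.

```python
import re

# Constructed stand-ins for live DNS and blocklist answers (not real data).
NS_OF = {"instantbodyhealer.com": ["ns1.dnshost.example", "ns2.dnshost.example"]}
A_OF = {"ns1.dnshost.example": "192.0.2.10", "ns2.dnshost.example": "192.0.2.11"}
LISTED_RELAY_IPS = set()                      # relay is on no IP blocklist
LISTED_URI_DOMAINS = set()                    # domain is on no URI list yet
LISTED_NS_IPS = {"192.0.2.10", "192.0.2.11"}  # name server IPs are listed

URI_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)

def dnsbl_qname(ip, zone):
    """Name an IP-based DNSBL lookup would query: reversed octets + zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def uri_domains(body):
    """Domains from URIs in the body, cut to the last two labels (naive:
    a real checker needs a list of two-level TLDs such as co.uk)."""
    hosts = (h.lower().rstrip(".") for h in URI_HOST.findall(body))
    return sorted({".".join(h.split(".")[-2:]) for h in hosts})

def ns_ips(domain):
    """Addresses of the domain's name servers, from the constructed tables."""
    return [A_OF[ns] for ns in NS_OF.get(domain, []) if ns in A_OF]

def check_message(relay_ip, body):
    """Report which of the three checks would hit for one message."""
    domains = uri_domains(body)
    listed_ns = sorted({ip for d in domains for ip in ns_ips(d)
                        if ip in LISTED_NS_IPS})
    return {
        "relay_ip": relay_ip in LISTED_RELAY_IPS,
        "uri_domain": any(d in LISTED_URI_DOMAINS for d in domains),
        "ns_ip": listed_ns,
    }

if __name__ == "__main__":
    body = "Feel better today: http://www.instantbodyhealer.com/offer"  # constructed
    print(dnsbl_qname("218.71.205.198", "sbl.spamhaus.org"))
    print(check_message("218.71.205.198", body))
```

With these tables only the name server check hits, which is the case described in the thread: a relay and a domain too fresh to be listed, hosted on name servers that already are.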