I saw a post on NANAE over the weekend about surbl and it looks like one of the best ideas I've seen.
Almost every spam mail I get contains a spamvertized domain, so with good data this method has the potential to block nearly 100% of spam.
Spamvertized domains are an essential resource for spammers and are usually longer lived than the abused servers used to send out spam runs.
I've set up SpamAssassin and SpamCopURI. I've checked the emails which are not being picked up by surbl and there is a recurring pattern:
1) Redirects
2) Obfuscated urls
For example, this was not picked up. <a href=http://drs.yahoo.com/higherillomened./mensuraltalk/*%68ttp://enginery.s hopinternetbuy.biz/%75n%73ub.html target=_blank>
shopinternetbuy.biz is in sc.surbl.org.
The logic of the parsing engine needs to be enhanced to deal with these cases. This is probably only the start, because spammers will find other ways to get around surbl once it starts being used widely.
I'd offer to look at it, but I wouldn't know where to start with perl.
John
On Tuesday, April 13, 2004, 2:07:58 AM, John Fawcett wrote:
> I saw a post on NANAE over the weekend about surbl and it looks like one of the best ideas I've seen.
:blush: Thanks, as I recently mentioned off list we can hope it's one of those ideas that's obvious afterwards. Actually many people wanted to do something like this. It's been a thrill to actually do it and see it work pretty well so far. The support from everyone has been fantastic too.
> Almost every spam mail I get contains a spamvertized domain, so with good data this method has the potential to block nearly 100% of spam.
> Spamvertized domains are an essential resource for spammers and are usually longer lived than the abused servers used to send out spam runs.
Indeed. sc.surbl.org hit rates are running about 60%. We hope to increase that significantly in the next version of the data engine. The general strategy is mentioned in the thread:
http://lists.surbl.org/pipermail/discuss/2004-April/000002.html
> I've set up SpamAssassin and SpamCopURI. I've checked the emails which are not being picked up by surbl and there is a recurring pattern:
> - Redirects
> - Obfuscated urls
> For example, this was not picked up. <a href=http://drs.yahoo.com/higherillomened./mensuraltalk/*%68ttp://enginery.s hopinternetbuy.biz/%75n%73ub.html target=_blank>
> shopinternetbuy.biz is in sc.surbl.org.
> The logic of the parsing engine needs to be enhanced to deal with these cases. This is probably only the start, because spammers will find other ways to get around surbl once it starts being used widely.
Yes, we had been making similar noises on the spamassassin-developers list and we have opened a bugzilla about a redirect handling feature for SpamAssassin 3.0 URIBL at:
http://bugzilla.spamassassin.org/show_bug.cgi?id=3261
Jeff C.
From: Jeff Chan
> Yes, we had been making similar noises on the spamassassin-developers list and we have opened a bugzilla about a redirect handling feature for SpamAssassin 3.0 URIBL at:
> http://bugzilla.spamassassin.org/show_bug.cgi?id=3261
> Jeff C.
I added a note about the obfuscated urls that begin with %68ttp instead of http.
John
On Tuesday, April 13, 2004, 3:11:41 AM, John Fawcett wrote:
> From: Jeff Chan
>> Yes, we had been making similar noises on the spamassassin-developers list and we have opened a bugzilla about a redirect handling feature for SpamAssassin 3.0 URIBL at:
>> http://bugzilla.spamassassin.org/show_bug.cgi?id=3261
>> Jeff C.
> I added a note about the obfuscated urls that begin with %68ttp instead of http.
And I added a somewhat confused follow up ;-) that some browsers assume http as a protocol and .com as a tld if unspecified in a URI context.
Jeff C.
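
The two evasions discussed in this thread (a redirector URL wrapping the real one, and a %-encoded scheme such as %68ttp) can be normalised before the blocklist lookup. The Python below is an added example, not code from SpamAssassin, SpamCopURI or the posters; the function names and the small two-level-TLD table are assumptions, and the sample href is the one quoted in the thread with the stray space in the hostname removed.

```python
import re
from urllib.parse import unquote

# Assumption: tiny stand-in for the two-level TLD table a real client would load.
TWO_LEVEL_TLDS = {"co.uk", "com.au", "co.jp"}
# Matches every "http(s)://[user@]host" occurrence, including URLs nested in a path.
EMBEDDED_URL = re.compile(r"https?://(?:[^/@\s]*@)?([a-z0-9.-]+)", re.I)

def decode_fully(uri, max_rounds=5):
    """Percent-decode until stable so %68ttp and double-encoded forms normalise."""
    for _ in range(max_rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri

def registered_domain(host):
    """Reduce a hostname to the domain a URI blocklist is keyed on."""
    labels = [label for label in host.lower().split(".") if label]
    # IP literals need separate handling and are skipped here.
    if len(labels) < 2 or labels[-1].isdigit():
        return None
    keep = 3 if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_TLDS else 2
    return ".".join(labels[-keep:])

def candidate_domains(uri):
    """Registered domains of the outer URL and of any URL embedded in it, in order."""
    found = []
    for match in EMBEDDED_URL.finditer(decode_fully(uri)):
        domain = registered_domain(match.group(1))
        if domain and domain not in found:
            found.append(domain)
    return found

def surbl_queries(uri, zone="sc.surbl.org"):
    """DNS names to look up; a listed domain resolves, an unlisted one does not."""
    return [f"{domain}.{zone}" for domain in candidate_domains(uri)]

# The href quoted in the thread, with the stray space inside the hostname removed
# (assumed to be a line-wrap artifact).
THREAD_HREF = ("http://drs.yahoo.com/higherillomened./mensuraltalk/"
               "*%68ttp://enginery.shopinternetbuy.biz/%75n%73ub.html")

if __name__ == "__main__":
    for name in surbl_queries(THREAD_HREF):
        print(name)
```

A parser that only looks at the outer host would query yahoo.com and miss the listed domain; checking every embedded URL after decoding yields shopinternetbuy.biz as well.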