As postmaster, I see a lot of double-bounces for a user who forwards their mail to a server that implements the policy:
550 5.7.1 mail containing 8aa.tXokG4N.fagonyenomy.org rejected - sbl; see http://www.spamhaus.org/query/bl?ip=201.3.240.234
They appear to be using the milter mentioned in http://www.surbl.org/faq.html#numbered
Sure, fagonyenomy.org is in sc.surbl.org now, but these cretins register new domains pointing at the same IPs on a (at least) daily basis, and there is a time lag. The site they were spamming about this morning, thebest-search.com.sc.surbl.org, exists only on ob.surbl.org, not sc or ws.
For the reasons mentioned in the FAQ, I do not agree with uri-to-ip-based blacklisting as a blanket policy, but it does seem very effective in dealing with these rapidly morphing porn spammers. I would like to give such a rule a SA score of 4 or so.
In order to implement this nicely, I see a need for a *per surbl* switch in SpamCopURI telling it whether to look up the domain, or the domain as resolved to an IP. Configured something like
uri SPAMCOP_URI_RBL eval:check_spamcop_uri_rbl('sc.surbl.org','127.0.0.2')
uri SPAMHAUS_URI eval:check_spamcop_uri_rbl('sbl.spamhaus.org','127.0.0.2','ip')
Obviously there is no point in looking up fagonyenomy.org in spamhaus, nor do I want to look up all resolved IPs in all surbls needlessly. I could write completely separate code to do this, but I'd like to reuse the url and redirector parsing infrastructure. Unfortunately I don't see a clean way to do this without changing the internal hash structure.
Ideas?
Should I just wait for (or start experimenting with now) SA3's uridnsbl and urirhsbl, which were designed for this? Yeah, that's what I was afraid of...
I think I just answered my own question, but I'm curious what others think and how others are dealing with this spam gang. I can't wait for a big ISP to hit them with the big clue stick.
on Tue, Aug 03, 2004 at 03:01:51PM -0400, Rich Graves wrote:
> As postmaster, I see a lot of double-bounces for a user who forwards their mail to a server that implements the policy:
> 550 5.7.1 mail containing 8aa.tXokG4N.fagonyenomy.org rejected - sbl; see http://www.spamhaus.org/query/bl?ip=201.3.240.234
> They appear to be using the milter mentioned in http://www.surbl.org/faq.html#numbered
> Sure, fagonyenomy.org is in sc.surbl.org now, but these cretins register new domains pointing at the same IPs on a (at least) daily basis, and there is a time lag. The site they were spamming about this morning, thebest-search.com.sc.surbl.org, exists only on ob.surbl.org, not sc or ws.
These guys (I've been calling them "Sergey Katchenko", but it appears "Sergey" is a front for yet another spamgang) have been running a joe job against one of my domains for a couple of months now. Want to pre-emptively block all their crud? Run this script:
#!/usr/bin/perl
use strict;
use warnings;

# Word fragments the gang glues together in pairs to make domain names.
my @bits = (
    "akiana", "bertikas", "bortsimis", "enofakel", "enomy", "fagony", "fenium",
    "fikals", "frakles", "inacalo", "indakitos", "kitaros", "manics", "mipatarios",
    "neynano", "nimphos", "ownaros", "pazda", "pikas", "pitovshe", "poises",
    "polishe", "porchma", "potkasi", "pritkeras", "sayara", "simptomps", "sofikals",
    "tronits", "valdisimus", "xesros",
);

# Print every front+back pairing: 31 x 31 = 961 candidate domains.
foreach my $front (sort @bits) {
    foreach my $back (sort @bits) {
        print "$front$back.org\n";
    }
}
Should give you 961 domains, approximately 300 or so of which are registered at the moment, but all of them have fallen into this pattern so far. He's registered 100 more since I first started keeping track last month, and AFAICT they're all on that generated list.
At 15:36 2004-08-03 -0400, Steven Champeon wrote:
> These guys (I've been calling them "Sergey Katchenko", but it appears "Sergey" is a front for yet another spamgang) have been running a joe job against one of my domains for a couple of months now. Want to pre-emptively block all their crud? Run this script:
> #!/usr/bin/perl
> use strict;
> use warnings;
>
> # Word fragments the gang glues together in pairs to make domain names.
> my @bits = (
>     "akiana", "bertikas", "bortsimis", "enofakel", "enomy", "fagony", "fenium",
>     "fikals", "frakles", "inacalo", "indakitos", "kitaros", "manics", "mipatarios",
>     "neynano", "nimphos", "ownaros", "pazda", "pikas", "pitovshe", "poises",
>     "polishe", "porchma", "potkasi", "pritkeras", "sayara", "simptomps", "sofikals",
>     "tronits", "valdisimus", "xesros",
> );
>
> # Print every front+back pairing: 31 x 31 = 961 candidate domains.
> foreach my $front (sort @bits) {
>     foreach my $back (sort @bits) {
>         print "$front$back.org\n";
>     }
> }
> Should give you 961 domains, approximately 300 or so of which are registered at the moment, but all of them have fallen into this pattern so far. He's registered 100 more since I first started keeping track last month, and AFAICT they're all on that generated list.
He seems to have added a few new bits:
http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&c2coff=1&...
Anyway - this is why urirhsbl is such a good idea. All of those domains use the same SBL-listed name server IP.
Patrik
on Tue, Aug 03, 2004 at 10:06:09PM +0200, Patrik Nilsson wrote:
> At 15:36 2004-08-03 -0400, Steven Champeon wrote:
> > These guys (I've been calling them "Sergey Katchenko", but it appears "Sergey" is a front for yet another spamgang) have been running a joe job against one of my domains for a couple of months now. Want to pre-emptively block all their crud? Run this script:
> > #!/usr/bin/perl
> > use strict;
> > use warnings;
> >
> > # Word fragments the gang glues together in pairs to make domain names.
> > my @bits = (
> >     "akiana", "bertikas", "bortsimis", "enofakel", "enomy", "fagony", "fenium",
> >     "fikals", "frakles", "inacalo", "indakitos", "kitaros", "manics", "mipatarios",
> >     "neynano", "nimphos", "ownaros", "pazda", "pikas", "pitovshe", "poises",
> >     "polishe", "porchma", "potkasi", "pritkeras", "sayara", "simptomps", "sofikals",
> >     "tronits", "valdisimus", "xesros",
> > );
> >
> > # Print every front+back pairing: 31 x 31 = 961 candidate domains.
> > foreach my $front (sort @bits) {
> >     foreach my $back (sort @bits) {
> >         print "$front$back.org\n";
> >     }
> > }
> > Should give you 961 domains, approximately 300 or so of which are registered at the moment, but all of them have fallen into this pattern so far. He's registered 100 more since I first started keeping track last month, and AFAICT they're all on that generated list.
> He seems to have added a few new bits:
> http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&c2coff=1&...
Hm. OK, I see 'sopinas', 'katanataro', and 'benoka'. Any others I missed?
> Anyway - this is why urirhsbl is such a good idea. All of those domains use the same SBL-listed name server IP.
Yep, agreed.
At 16:25 2004-08-03 -0400, Steven Champeon wrote:
> > He seems to have added a few new bits:
> > http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&c2coff=1&...
> Hm. OK, I see 'sopinas', 'katanataro', and 'benoka'. Any others I missed?
karantinas
Patrik
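Steven's script above enumerates the gang's domains up front; the replies then add a few more word fragments. As an added example (not code from the thread or from any of its participants), the Python below turns the same word list, plus the extra bits named in the follow-ups, into a matcher: instead of listing all 961 names, it decides whether a hostname pulled from a bounce or a URI is two known bits glued together, so a domain registered tomorrow from the same list is recognised on first sight. The word lists are copied from the posts; the sample text, the helper names and the hostname regex are my own.

```python
import re

# The 31 word fragments ("bits") from the generator script posted in this thread.
ORIGINAL_BITS = [
    "akiana", "bertikas", "bortsimis", "enofakel", "enomy", "fagony", "fenium",
    "fikals", "frakles", "inacalo", "indakitos", "kitaros", "manics", "mipatarios",
    "neynano", "nimphos", "ownaros", "pazda", "pikas", "pitovshe", "poises",
    "polishe", "porchma", "potkasi", "pritkeras", "sayara", "simptomps", "sofikals",
    "tronits", "valdisimus", "xesros",
]
# The extra bits named in the follow-up replies.
EXTRA_BITS = ["sopinas", "katanataro", "benoka", "karantinas"]
ALL_BITS = ORIGINAL_BITS + EXTRA_BITS


def generate(bits, tld="org"):
    """Every front+back pairing, the same set the posted Perl script prints."""
    return {f"{front}{back}.{tld}" for front in bits for back in bits}


def registered_domain(host):
    """Drop throwaway leading labels (e.g. '8aa.tXokG4N.') and keep the last two."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def split_bits(host, bits=ALL_BITS, tld="org"):
    """Return (front, back) if the registered domain is two bits glued together, else None."""
    label, _, suffix = registered_domain(host).partition(".")
    if suffix != tld:
        return None
    bitset = set(bits)
    for front in sorted(bitset):
        rest = label[len(front):]
        if label.startswith(front) and rest in bitset:
            return front, rest
    return None


def is_gang_domain(host, bits=ALL_BITS):
    """True when the host fits the front+back.org pattern, registered yet or not."""
    return split_bits(host, bits) is not None


# Hostname-looking tokens in free text; IP literals match too but fail the TLD test above.
HOST_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.IGNORECASE)


def scan(text, bits=ALL_BITS):
    """Find gang domains in a bounce, a URI list or a log excerpt."""
    return sorted({registered_domain(h) for h in HOST_RE.findall(text)
                   if is_gang_domain(h, bits)})


# Constructed sample: the first line is the rejection quoted in the thread,
# the second line is made up to exercise one of the newer bits.
SAMPLE = (
    "550 5.7.1 mail containing 8aa.tXokG4N.fagonyenomy.org rejected - sbl; "
    "see http://www.spamhaus.org/query/bl?ip=201.3.240.234\n"
    "http://www.karantinassopinas.org/ and http://thebest-search.com/\n"
)

if __name__ == "__main__":
    print(len(generate(ORIGINAL_BITS)), "candidate domains from the original list")
    print(scan(SAMPLE))
```

Feeding scan() a bounce or a message's URI list gives the registered domains that fit the pattern; thebest-search.com in the sample is ignored because it is not built from the bits, which is exactly the case that needs the IP or name-server lookups discussed later in the thread.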
On Tuesday, August 3, 2004, 1:25:51 PM, Steven Champeon wrote:
> on Tue, Aug 03, 2004 at 10:06:09PM +0200, Patrik Nilsson wrote:
> > Anyway - this is why urirhsbl is such a good idea. All of those domains use the same SBL-listed name server IP.
> Yep, agreed.
Actually it's uridnsbl that looks at name server IPs (for example from sbl.spamhaus.org) and yes, it's a good way to catch the spam gangs who register thousands of domains... but host them all on the same name servers. uridnsbl lets you catch (spammer) domains that use those (spammer) name servers.
urirhsbl and urirhssub are for use with SURBLs and don't do name resolution.
uridnsbl resolves NS records and checks them against an RBL.
Somewhat confusingly, all three programs are in the same PM called URIDNSBL or URIBL.
Jeff C.
On Tuesday, August 3, 2004, 3:43:46 PM, Jeff Chan wrote:
> urirhsbl and urirhssub are for use with SURBLs and don't do name resolution.
To clarify slightly urirhs* of course resolve the extracted message URI stuff against a SURBL, but they don't take names originally found in URIs and resolve them into IP address, NS records, etc.
Jeff C.
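To make the three lookup styles in this thread concrete side by side (the per-list 'ip' switch Rich sketches at the top, urirhsbl's lookup of the name itself, and uridnsbl's lookup of the name servers' IPs), here is an added Python sketch. It is not SpamAssassin, SpamCopURI or URIDNSBL code; the resolver is faked with a small table so it runs offline. The zone names and the 127.0.0.2 return code are those used in the thread; the addresses, the listings and the rule scores are constructed (the thread only suggests "4 or so" for the IP-based rule).

```python
# Constructed zone data. Addresses come from the RFC 5737 documentation ranges
# and every listing below is invented for the illustration.
FAKE_DNS = {
    # The domain already caught by SURBL, plus its hosting and name-server data.
    ("fagonyenomy.org", "A"): ["192.0.2.10"],
    ("fagonyenomy.org", "NS"): ["ns1.spamhost.example"],
    # A newer domain from the same gang: same host, same name server, not in sc.surbl.org yet.
    ("thebest-search.com", "A"): ["192.0.2.10"],
    ("thebest-search.com", "NS"): ["ns1.spamhost.example"],
    ("ns1.spamhost.example", "A"): ["198.51.100.7"],
    # Listings: a RHS entry in the SURBL, IP entries in the SBL (127.0.0.2 = listed).
    ("fagonyenomy.org.sc.surbl.org", "A"): ["127.0.0.2"],
    ("10.2.0.192.sbl.spamhaus.org", "A"): ["127.0.0.2"],
    ("7.100.51.198.sbl.spamhaus.org", "A"): ["127.0.0.2"],
}


def fake_resolve(name, rtype="A"):
    """Stand-in for a DNS lookup: the answer list, or [] when the name does not exist."""
    return list(FAKE_DNS.get((name.lower(), rtype), []))


def reverse_ip(ip):
    """'192.0.2.10' -> '10.2.0.192': DNSBLs key IPs by reversed octets."""
    return ".".join(reversed(ip.split(".")))


def listed(key, zone, expect, resolve):
    """Look up <key>.<zone>; a hit is an A answer equal to the list's return code."""
    return expect in resolve(f"{key}.{zone}", "A")


def check(domain, rule, resolve=fake_resolve):
    """Apply one rule to one URI domain and return the keys found listed.

    rule["mode"] selects what gets looked up in rule["zone"]:
      "rhs" - the domain name itself (what urirhsbl does against a SURBL)
      "a"   - the IPs the domain resolves to (the per-list 'ip' switch proposed above)
      "ns"  - the IPs of the domain's name servers (what uridnsbl does)
    """
    zone, expect, mode = rule["zone"], rule["expect"], rule["mode"]
    if mode == "rhs":
        keys = [domain]
        queries = [domain]
    elif mode == "a":
        keys = resolve(domain, "A")
        queries = [reverse_ip(ip) for ip in keys]
    elif mode == "ns":
        keys = [ip for ns in resolve(domain, "NS") for ip in resolve(ns, "A")]
        queries = [reverse_ip(ip) for ip in keys]
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return [k for k, q in zip(keys, queries) if listed(q, zone, expect, resolve)]


# Rules in the shape of the config sketched in the thread; the scores are constructed.
RULES = {
    "SPAMCOP_URI_RBL": {"zone": "sc.surbl.org",     "mode": "rhs", "expect": "127.0.0.2", "score": 2.0},
    "SPAMHAUS_URI":    {"zone": "sbl.spamhaus.org", "mode": "a",   "expect": "127.0.0.2", "score": 4.0},
    "URIBL_SBL_NS":    {"zone": "sbl.spamhaus.org", "mode": "ns",  "expect": "127.0.0.2", "score": 4.0},
}


def score_message(domains, rules=RULES, resolve=fake_resolve):
    """Run every rule over the URI domains of one message.

    Returns (total_score, {rule_name: listed_keys}). Lookups are memoised so a
    domain resolved for one rule is not resolved again for the next one.
    """
    cache = {}

    def cached(name, rtype="A"):
        key = (name.lower(), rtype)
        if key not in cache:
            cache[key] = resolve(name, rtype)
        return cache[key]

    total, hits = 0.0, {}
    for name, rule in rules.items():
        found = []
        for domain in domains:
            found.extend(check(domain, rule, cached))
        if found:
            hits[name] = found
            total += rule["score"]
    return total, hits


if __name__ == "__main__":
    for domain in ("fagonyenomy.org", "thebest-search.com", "example.org"):
        print(domain, score_message([domain]))
```

The interesting case is thebest-search.com: the "rhs" rule misses it because the SURBL has not picked it up yet, while the "a" and "ns" rules both catch it through the shared hosting and name-server addresses. Note that "ns" needs two resolution steps (NS, then A of each name server), which is why the memoising wrapper matters once several rules share a zone.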
At 15:43 2004-08-03 -0700, Jeff Chan wrote:
> Actually it's uridnsbl that looks at name server IPs (for example from sbl.spamhaus.org) and yes, it's a good way to catch the spam gangs who register thousands of domains... but host them all on the same name servers. uridnsbl lets you catch (spammer) domains that use those (spammer) name servers.
> urirhsbl and urirhssub are for use with SURBLs and don't do name resolution.
> uridnsbl resolves NS records and checks them against an RBL.
> Somewhat confusingly, all three programs are in the same PM called URIDNSBL or URIBL.
Sorry - yes, you are right. Both in uridnsbl being what I meant to refer to and to it all being somewhat confusing... :-)
Still, it's a great PM....
Patrik