If it helps, I agree with Chris. One point to note: Virtual hosters can't use IP addresses in their URLs, because the web server needs an HTTP Host header to differentiate between all the possible virtual hosted sites. However, it really wouldn't be difficult to have the SURBL URI detection algorithm find dotted quad URLs, and store these in the SURBL database just like any other domain name...
-Matthew
-----Original Message-----
From: discuss-bounces@lists.surbl.org [mailto:discuss-bounces@lists.surbl.org] On Behalf Of Chris Santerre
Sent: Thursday, September 09, 2004 4:19 PM
To: 'Raymond Dijkxhoorn'; Alex Broens
Cc: SURBL Discussion list (E-mail); Spamassassin-Talk (E-mail); users-return-15498-sa-list=alexb.ch@spamassassin.apache.org
Subject: [SURBL-Discuss] RE: Start an IP list to block?

-----Original Message-----
From: Raymond Dijkxhoorn [mailto:raymond@prolocation.net]
Sent: Thursday, September 09, 2004 5:10 PM
To: Alex Broens
Cc: users-return-15498-sa-list=alexb.ch@spamassassin.apache.org; SURBL Discussion list (E-mail); Spamassassin-Talk (E-mail)
Subject: Re: Start an IP list to block?
Hi!

Chris, Raymond,

I went through a random few of these and they were listed at Spamhaus. Using Spamhaus at SMTP level or SA doing RBL lookups would have caught and stopped them... Spamcop probably has quite a few of them listed as well.
No, that won't work. The spams are sent in via trojans/proxies; only the websites are static. Some are blocked with DSBL and so on, but most of the time they start a spam run with a fresh set, it seems.

So yes, they are inside Spamhaus, but only the websites; I didn't see mails sent out from there (yet).
Agreed. They may be listed, but for mail, not hosting. They use other IPs to send, and keep the host on their IPs. Some of the bigger spammers are saying "Screw SURBL, I've got enough dough to get a new domain for every run, and it still remains profitable."

To which we have 2 replies: 1) Those registrars are going to feel some wrath soon from the antispam community. 2) We're gonna mark the IP, you silly little monkeys!

I think the code should be added into the SURBL code. It would need to be a patch for SA 3.0 as it is probably too late for it to go in now. But it should be simple to grab the IP of the 20 random URL domains and match against SURBL as well. Then they can purchase as many domains as they like, won't matter a bit.

--Chris

_______________________________________________
Discuss mailing list
Discuss@lists.surbl.org
http://lists.surbl.org/mailman/listinfo/discuss
On Thursday, September 9, 2004, 2:41:22 PM, Matthew Wilson wrote:
If it helps, I agree with Chris. One point to note: Virtual hosters can't use IP addresses in their URLs, because the web server needs an HTTP Host header to differentiate between all the possible virtual hosted sites. However, it really wouldn't be difficult to have the SURBL URI detection algorithm find dotted quad URLs, and store these in the SURBL database just like any other domain name...
-Matthew
Unless they own the IP, in which case it's ok to list, which we would do. In other words if we see http://1.2.3.4/ in multiple spams, we would tend to list it.
We may already have some collateral damage because of IP listings.
Perhaps we should change the way SURBL handles numeric URIs to include them only if the IP address also appears in SBL. That might miss some phishers though.
As a safety measure against uber joe jobs *against good guy IP addresses* we should consider doing something like that.
Comments?
Jeff C.
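To make the three proposals in this thread concrete (Matthew's "find dotted quad URLs and store them like any other domain", Chris's "grab the IP of the URL domains and match against SURBL as well", and Jeff's "include numeric URIs only if the IP also appears in SBL"), here is an added example that is not SURBL's or SpamAssassin's own code. DNS is replaced by constructed in-memory sets and maps so it runs offline; the two-label domain reduction is a simplified stand-in for SURBL's real TLD handling, and the reversed-octet form for IP lookups follows the usual DNSBL convention.

```python
import ipaddress
import re
from urllib.parse import urlsplit

ZONE = "multi.surbl.org"
URI_RE = re.compile(r'https?://[^\s<>"\'\)\]]+', re.IGNORECASE)

def extract_hosts(body):
    """Lowercased host of every http(s) URI in a message body, in order."""
    hosts = []
    for m in URI_RE.finditer(body):
        host = urlsplit(m.group(0)).hostname
        if host:
            hosts.append(host.rstrip("."))
    return hosts

def is_dotted_quad(host):
    try:
        return isinstance(ipaddress.ip_address(host), ipaddress.IPv4Address)
    except ValueError:
        return False

def query_name(host):
    """DNS name a SURBL client would look up: IPs reversed octet-wise (the
    DNSBL convention); names cut to their last two labels, a simplified
    stand-in for SURBL's two- and three-level TLD handling."""
    if is_dotted_quad(host):
        key = ".".join(reversed(host.split(".")))
    else:
        key = ".".join(host.split(".")[-2:])
    return f"{key}.{ZONE}"

def check_body(body, listed, resolve, sbl_ips):
    """Map each hit host to the reason it hit.
    listed:  constructed set of query names standing in for SURBL DNS answers
    resolve: constructed {domain: ip} map standing in for A-record lookups
    sbl_ips: IPs also on SBL; Jeff's extra condition for numeric URIs"""
    hits = {}
    for host in dict.fromkeys(extract_hosts(body)):  # dedupe, keep order
        if is_dotted_quad(host):
            if query_name(host) in listed and host in sbl_ips:
                hits[host] = "ip listed and on sbl"
        elif query_name(host) in listed:
            hits[host] = "domain listed"
        elif host in resolve and query_name(resolve[host]) in listed:
            hits[host] = "resolves to listed ip"
    return hits
```

Note that a numeric URI whose IP is listed but absent from the SBL stand-in produces no hit, which is exactly the collateral-damage trade-off Jeff describes.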
Jeff Chan wrote:
Comments?
URLs with an IP are not virtual hosts sharing the same IP, if that was the question. http://127.0.0.1/pillz results in

| GET /pillz HTTP/1.0
| [...]
| Host: 127.0.0.1
If a host has more than one IP the other IPs aren't affected by a listing of the spamvertized IP. There's only a problem if one host with one IP has many virtual hosts (= users), and the spammer abuses the virtual host corresponding to the real IP. That should be almost impossible, in that case the hoster would be the spammer. In other words it's not your problem.
Bye, Frank
On Thursday, September 9, 2004, 6:25:47 PM, Frank Ellermann wrote:
If a host has more than one IP the other IPs aren't affected by a listing of the spamvertized IP.
Yes, naturally.
There's only a problem if one host with one IP has many virtual hosts (= users), and the spammer abuses the virtual host corresponding to the real IP.
Yes, that's the problem.
That should be almost impossible, in that case the hoster would be the spammer. In other words it's not your problem.
Probably right. It means the hoster has control over the IP, which I agree most virtual hosting customers do not have.
Jeff C.
Jeff Chan wrote:
That should be almost impossible, in that case the hoster would be the spammer. In other words it's not your problem.
Probably right. It means the hoster has control over the IP, which I agree most virtual hosting customers do not have.
Thinking again (new day, more coffee): Let's say I'm the spammer and care shit about my account and other users. Then I could replace http://www.xyzzy.claranet.de/ by a traditional http://home.de.clara.net/xyzzy/. And I could replace the host by its IP http://212.82.225.58/xyzzy/. That could hit another http://212.82.225.58/user/. OTOH, why should "user" mention this kind of URL with an IP in his mail? Even if he doesn't like http://www.user.claranet.de for obscure reasons he could still use the URL http://home.de.clara.net/user or http://home.claranet.de/user instead of an IP.

And since I, as a spammer, would know that users don't like IPs in URLs, I'd use a double redirection like http://xyzzy.webhop.info/. Abusing the IP makes no sense, neither directly nor as a joe job.
Bye, Frank
On Friday, September 10, 2004, 9:17:47 AM, Frank Ellermann wrote:
Jeff Chan wrote:
That should be almost impossible, in that case the hoster would be the spammer. In other words it's not your problem.
Probably right. It means the hoster has control over the IP, which I agree most virtual hosting customers do not have.
Thinking again (new day, more coffee): Let's say I'm the spammer and care shit about my account and other users. Then I could replace http://www.xyzzy.claranet.de/ by a traditional http://home.de.clara.net/xyzzy/. And I could replace the host by its IP http://212.82.225.58/xyzzy/. That could hit another http://212.82.225.58/user/. OTOH, why should "user" mention this kind of URL with an IP in his mail? Even if he doesn't like http://www.user.claranet.de for obscure reasons he could still use the URL http://home.de.clara.net/user or http://home.claranet.de/user instead of an IP.
Certainly many users don't even know what a numeric IP address is, so I agree they'd be more likely to use a name. We do see a few IP addresses in spam URIs, but they're rare.
And since I, as a spammer, would know that users don't like IPs in URLs, I'd use a double redirection like http://xyzzy.webhop.info/. Abusing the IP makes no sense, neither directly nor as a joe job.
But remember that some of the code using SURBLs *can* follow some redirection to the final destination. So the redirection doesn't always hide them.
Jeff C.
Matthew Wilson writes:
If it helps, I agree with Chris. One point to note: Virtual hosters can't use IP addresses in their URLs, because the web server needs an HTTP Host header to differentiate between all the possible virtual hosted sites. However, it really wouldn't be difficult to have the SURBL URI detection algorithm find dotted quad URLs, and store these in the SURBL database just like any other domain name...
now *that* is a good point ;)
--j.
On Thu, Sep 09, 2004 at 03:42:42PM -0700, Justin Mason wrote:
Matthew Wilson writes:
If it helps, I agree with Chris. One point to note: Virtual hosters can't use IP addresses in their URLs, because the web server needs an HTTP Host header to differentiate between all the possible virtual hosted sites. However, it really wouldn't be difficult to have the SURBL URI detection algorithm find dotted quad URLs, and store these in the SURBL database just like any other domain name...
now *that* is a good point ;)
Yeah, but when was the last time you saw a spammer co-hosted with a legitimate host on the same IP? Crikey, the spammers I see have their own IPs in such ridiculous abundance that it makes a mockery of the fact that I can only get a /27 for some hundred domains we host...
Not that I'm bitter, or anything. But it /does/ seem that money talks, even highly redolent pink money.