Jeff (and list),
I'm worried that spammers can use SURBL to identify honeypot email servers by using unique subdomains. A spammer must merely send a unique subdomain URL to every address on their list, and if that unique subdomain is blacklisted in SURBL, they have identified a potential honeypot and will no longer send spam to that address/server.
It is therefore my humble opinion that only the second-to-top domain name should be listed in SURBL, and not any of the subdomains.
Thoughts?
-Matthew Wilson
On Thursday, March 10, 2005, 9:01:07 AM, Matthew Wilson wrote:
> Jeff (and list),
> I'm worried that spammers can use SURBL to identify honeypot email servers by using unique subdomains. A spammer must merely send a unique subdomain URL to every address on their list, and if that unique subdomain is blacklisted in SURBL, they have identified a potential honeypot and will no longer send spam to that address/server.
> It is therefore my humble opinion that only the second-to-top domain name should be listed in SURBL, and not any of the subdomains.
Yes, we discard subdomains:
http://www.surbl.org/faq.html#random
How are randomized URI subdomains or host names handled? The randomized subdomain problem is solved by extracting the base domain on both the SURBL data and message-checking client sides then comparing those base domains. In this way any random stuff added to the base domain is ignored. (The base domain is what would be registered with a name registrar.)
We've seen quite a few randomized or customized (to a username for example) host names in some of the top pharmaspam sites. There are different possible reasons for the randomization: to add chaos to the names to throw off message body checkers, or perhaps to "key" spam site web visits to specific mailings in order to build a confirmed mailing list. (Such confirmed mailing lists themselves are probably a valuable commodity to sell to other spammers.) Randomization doesn't throw us off though; we catch them from the base domain part, which can't change.
Jeff C. -- "If it appears in hams, then don't list it."
On Thu, Mar 10, 2005 at 05:08:09PM -0800, Jeff Chan wrote:
> On Thursday, March 10, 2005, 9:01:07 AM, Matthew Wilson wrote:
>> It is therefore my humble opinion that only the second-to-top domain name should be listed in SURBL, and not any of the subdomains.
> Yes, we discard subdomains:
Randomized, key and/or user@... 3rd level domains have been in use for a while, so only 2nd level in SURBL has always seemed reasonable to me.
But today, a spam came through with a low score; it had a domain in the form something.com.au but might as well have been notrandom.co.uk or similar.
In these cases it would seem reasonable to check the 3rd level name in SURBL.
I don't know exactly how SA (which is what I use) modules send the query, but it occurs to me that if "co.uk" is sent to SURBL, the response should be a code IP for "give me another level", which would be cached locally, and a subsequent "site.co.uk" SURBL query sent, which would be evaluated like 2nd level domains normally are.
Is this something that could or has been worked in?
// George
On Monday, March 14, 2005, 8:00:58 PM, George Georgalis wrote:
> But today, a spam came through with a low score; it had a domain in the form something.com.au but might as well have been notrandom.co.uk or similar.
> In these cases it would seem reasonable to check the 3rd level name in SURBL.
> I don't know exactly how SA (which is what I use) modules send the query, but it occurs to me that if "co.uk" is sent to SURBL, the response should be a code IP for "give me another level", which would be cached locally, and a subsequent "site.co.uk" SURBL query sent, which would be evaluated like 2nd level domains normally are.
> Is this something that could or has been worked in?
> // George
Yep, we thought of that. :-)
http://www.surbl.org/faq.html#cctlds
http://www.surbl.org/implementation.html
Cctld domains are processed at either 2 or 3 levels depending on whether registrars for that country allow second or third level registrations or some combination of those levels. The easiest way to do this seemed to be a table lookup, so applications using SURBLs and the SURBL data engine have a list of reserved second level cctlds that will get checked at the third level:
http://spamcheck.freeapp.net/two-level-tlds
Since the two level cctld list has "co.uk", it means that any domain ending in .co.uk is checked at the third level foo.co.uk. But any second level cctld that's not in the list will be checked at the second level. IIRC .uk doesn't allow direct registrations under their top level, but if they did, this table lookup would still work as long as that second level wasn't listed. So if they changed their policy and allowed foo.uk, foo.uk would still get checked and could be listed. Therefore this also works with countries that do allow second level registrations like .fr. "com.fr" is in the list but "somedomain.fr" isn't, so otherdomain.com.fr and somedomain.fr would both get checked and either or both could be blacklisted.
It's possible that we should have a more generalized way to handle cctlds, but so far spammers have not seemed to use geographic domains very often, other than .us.
Jeff C. -- "If it appears in hams, then don't list it."
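The base-domain extraction Jeff describes (discard random subdomains, but keep three labels when the last two are a reserved second-level ccTLD), and the honeypot concern Matthew raised at the top of the thread, as an added worked example. This is not SURBL's or SpamAssassin's code; the two-level TLD table and the two sample messages are constructed for the example, and the real list lives at the URL Jeff gives above.

```python
# Added example: base-domain extraction as the thread describes it.
# Not SURBL or SpamAssassin code. TWO_LEVEL_TLDS is a small constructed sample
# standing in for the real two-level-tlds list referenced in the thread.
import re
from typing import List, Optional
from urllib.parse import urlparse

# Constructed sample of "reserved second level cctlds" that get checked at the third level.
TWO_LEVEL_TLDS = {"co.uk", "ac.uk", "com.au", "net.au", "com.fr"}


def base_domain(host: str, two_level_tlds=TWO_LEVEL_TLDS) -> Optional[str]:
    """Return the registrable base domain of host, or None if nothing registrable remains.

    - ordinary TLDs: keep the last two labels   (rnd123.sub.example.com -> example.com)
    - reserved two-level ccTLDs: keep three     (www.foo.co.uk -> foo.co.uk)
    - a second level NOT in the table is treated as registrable (foo.uk -> foo.uk),
      which is why the table lookup keeps working if a registry changes policy.
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2 or "" in labels:
        return None
    levels = 3 if ".".join(labels[-2:]) in two_level_tlds else 2
    if len(labels) < levels:
        return None  # bare "co.uk": the table says there is nothing registrable here
    return ".".join(labels[-levels:])


def hosts_from_message(body: str) -> List[str]:
    """Crude URL-to-hostname extraction from a message body (constructed for the example)."""
    urls = re.findall(r"https?://[^\s<>\"']+", body)
    return [h for h in (urlparse(u).hostname for u in urls) if h]


def lookup_keys(body: str) -> List[str]:
    """The set of names a SURBL client would actually query for this message."""
    keys = set()
    for host in hosts_from_message(body):
        base = base_domain(host)
        if base:
            keys.add(base)
    return sorted(keys)


# Constructed sample messages: one per-recipient subdomain each, as in Matthew's concern.
SPAM_TO_ALICE = "Great deals: http://alice-7f3a.example.com/buy now"
SPAM_TO_BOB = "Great deals: http://bob-91c0.example.com/buy now"
SPAM_CCTLD = "See http://www.something.com.au/x and http://somedomain.fr/y"

if __name__ == "__main__":
    # Both messages collapse to the same key, so a listing cannot reveal which
    # recipient's copy was reported.
    print(lookup_keys(SPAM_TO_ALICE), lookup_keys(SPAM_TO_BOB))
    print(lookup_keys(SPAM_CCTLD))
```

Because every per-recipient host name collapses to `example.com` before the lookup, the blacklist entry carries no information about which address reported it; the ccTLD sample shows the same function yielding `something.com.au` (three labels, table hit) and `somedomain.fr` (two labels, no table hit) in one pass.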
[clarifying myself:]
On Monday, March 14, 2005, 9:22:35 PM, Jeff Chan wrote:
> Since the two level cctld list has "co.uk", it means that any domain ending in .co.uk is checked at the third level foo.co.uk. But any second level cctld that's not in the list will be checked at the second level. IIRC .uk doesn't allow direct registrations under their top level, but if they did, this table lookup would still work as long as that second level wasn't listed.
[...wasn't explicitly and incorrectly in the two-level-tld list, which would be very unlikely. E.g., .uk isn't going to sell co.uk or ac.uk to a spammer any time soon.]
> So if they changed their policy and allowed foo.uk, foo.uk would still get checked and could be listed.
Jeff C. -- "If it appears in hams, then don't list it."