At Thu Jul 15 03:44:25 CEST 2004, Jeff Chan wrote:
On Thursday, July 15, 2004, 2:21:49 AM, Robert Brooks wrote:
William Stearns wrote:
TOP SPAM RULES FIRED
RANK RULE NAME       COUNT PERCENT
-> 1 URIBL_WS_SURBL  13057 5.36%
-> 2 URIBL_SBL       12907 5.30%
does sbl.spamhaus.org work with Mail-SpamAssassin-SpamCopURI? The few spam (uri) domains I've checked don't seem to return records.
sbl is not really intended to be used with message body URI checkers like SpamCopURI or urirhsbl, but it may get a few hits since I think Spamhaus may include a few spam URI domains in SBL. But the results will probably not be too useful or productive, since it's not an intended use of sbl.spamhaus.org.
Actually, having done some tests using uridnsbl under SA 3 as well as manual checks, I would say that SBL is an excellent tool for catching spam domains in message body URIs.
I don't think everyone is aware of what uridnsbl, as an alternative to urirhsbl/urirhssub, actually does, so I'll try to explain it.
First - SBL does not just list IPs used by known spammers to relay mail. It lists any ips used by known spammers, for whatever purpose. That includes web sites as well as, and most importantly, dns servers.
uridnsbl checks the ns records for domains in URIs, resolves those ns records to ip addresses, and then checks those IP addresses in SBL (by default - you can add/change what RBLs it checks). If any of the name servers for a domain is listed in SBL, you get a rule hit.
Spammers do not change their dns servers nearly as often as they change domains.
This means that most of all the new domains that spammers introduce hit the uridnsbl SBL rule immediately, even if the domain hasn't been reported to any blacklist yet.
I picked the 10 most recently reported domains to the SC blocklist and manually checked what dns servers they used, and if the IPs for those dns servers were already listed in SBL. For 9 out of 10, they were. Data included below.
This doesn't mean that we should list resolved IPs in SURBL lists. Since there is already good data in SBL, there is no reason to.
But - I think it would be a good idea to encourage SURBL implementations to include functionality similar to uridnsbl in addition to regular urirhsbl-style SURBL list checks. For me, it's the main reason why I plan to update all servers to SA 3 ASAP, as it's not possible to do this with SA 2.63 and SpamCopURI.
Also - as long as you only check the ns records for a domain, rather than going further and resolving the host name in the URI, there isn't any need to fear "keyed domain name" address verification by spammers of the type discussed in the SURBL FAQ.
/patrik
--------------------------------------------------------------------------
2004-07-18 09:08 digestion5594rneds.us
digestion5594rneds.us nameserver = NS3.AIRMARAMBA.biz Name: NS3.AIRMARAMBA.biz Address: 61.250.93.207
SBL listed - http://www.spamhaus.org/query/bl?ip=61.250.93.207
digestion5594rneds.us nameserver = NS2.AUDI56SEW.biz Name: NS2.AUDI56SEW.biz Address: 221.143.42.30
SBL listed - http://www.spamhaus.org/query/bl?ip=221.143.42.30
--------------------------------------------------------------------------
2004-07-18 09:10 acdfiaj.info
acdfiaj.info nameserver = second.muchaagua.info Name: second.muchaagua.info Address: 221.139.2.84
SBL listed - http://www.spamhaus.org/query/bl?ip=221.139.2.84
acdfiaj.info nameserver = first.muchaagua.info Name: first.muchaagua.info Address: 221.143.42.209
SBL listed - http://www.spamhaus.org/query/bl?ip=221.143.42.209
acdfiaj.info nameserver = third.muchaagua.info Name: third.muchaagua.info Address: 61.128.198.11
SBL listed - http://www.spamhaus.org/query/bl?ip=61.128.198.11
--------------------------------------------------------------------------
2004-07-18 09:24 pro-svcs.com
pro-svcs.com nameserver = ns2.3070.biz ns2.3070.biz internet address = 202.104.237.173
SBL listed - http://www.spamhaus.org/query/bl?ip=202.104.237.173
pro-svcs.com nameserver = ns3.3070.biz ns3.3070.biz internet address = 200.153.20.31
SBL listed - http://www.spamhaus.org/query/bl?ip=200.153.20.31
pro-svcs.com nameserver = ns1.3070.biz ns1.3070.biz internet address = 200.40.40.1
NOT SBL listed.
--------------------------------------------------------------------------
2004-07-18 10:35 tophgh.com
tophgh.com nameserver = ns2.dns.com.cn Name: ns2.dns.com.cn Address: 218.244.47.6
NOT SBL listed.
tophgh.com nameserver = ns1.dns.com.cn Name: ns1.dns.com.cn Address: 218.244.47.5
NOT SBL listed.
--------------------------------------------------------------------------
2004-07-18 11:26 fox621dryg.us
fox621dryg.us nameserver = NS2.AUDI56SEW.biz Name: NS2.AUDI56SEW.biz Address: 221.143.42.30
SBL listed - http://www.spamhaus.org/query/bl?ip=221.143.42.30
fox621dryg.us nameserver = NS3.AIRMARAMBA.biz Name: NS3.AIRMARAMBA.biz Address: 61.250.93.207
SBL listed - http://www.spamhaus.org/query/bl?ip=61.250.93.207
--------------------------------------------------------------------------
2004-07-18 12:08 polishebertikas.org
polishebertikas.org nameserver = ns1.kaleinc-dns-server.org Name: ns1.kaleinc-dns-server.org Address: 201.3.240.234
SBL listed - http://www.spamhaus.org/query/bl?ip=201.3.240.234
polishebertikas.org nameserver = ns1.kaleinc-dns-server2.org Name: ns1.kaleinc-dns-server2.org Address: 201.3.240.234
SBL listed - http://www.spamhaus.org/query/bl?ip=201.3.240.234
polishebertikas.org nameserver = ns1.koleyfore.org Name: ns1.koleyfore.org Address: 211.158.15.58
SBL listed - http://www.spamhaus.org/query/bl?ip=211.158.15.58
--------------------------------------------------------------------------
2004-07-18 12:20 greenpill.info
greenpill.info nameserver = ns1.greenpill.info ns1.greenpill.info internet address = 219.148.49.244
SBL listed - http://www.spamhaus.org/query/bl?ip=219.148.49.244
greenpill.info nameserver = ns2.greenpill.info ns2.greenpill.info internet address = 219.148.49.245
SBL listed - http://www.spamhaus.org/query/bl?ip=219.148.49.245
--------------------------------------------------------------------------
2004-07-18 13:20 medsparadise.info
medsparadise.info nameserver = ns2.medsparadise.info ns1.medsparadise.info internet address = 219.148.49.244
SBL listed - http://www.spamhaus.org/query/bl?ip=219.148.49.244
medsparadise.info nameserver = ns1.medsparadise.info ns2.medsparadise.info internet address = 219.148.49.245
SBL listed - http://www.spamhaus.org/query/bl?ip=219.148.49.245
--------------------------------------------------------------------------
2004-07-18 14:24 misogynist2527dryg.biz
misogynist2527dryg.biz nameserver = www.misogynist2527dryg.biz Name: misogynist2527dryg.biz Address: 200.193.29.211 Aliases: www.misogynist2527dryg.biz
SBL listed - http://www.spamhaus.org/query/bl?ip=200.193.29.211
--------------------------------------------------------------------------
2004-07-18 14:32 hedhoncho.net
hedhoncho.net nameserver = ns2.3070.biz ns2.3070.biz internet address = 202.104.237.173
http://www.spamhaus.org/query/bl?ip=202.104.237.173
hedhoncho.net nameserver = ns3.3070.biz ns3.3070.biz internet address = 200.153.20.31
http://www.spamhaus.org/query/bl?ip=200.153.20.31
hedhoncho.net nameserver = ns1.3070.biz ns1.3070.biz internet address = 200.40.40.1
NOT SBL listed.
--------------------------------------------------------------------------
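The uridnsbl mechanism Patrik describes above (NS records of the URI's domain, resolved to IPs, tested against an IP-based DNSBL), together with his point that only the registered domain's NS records are queried and the URI host name itself is never resolved, as an added example written for this page. It is not SpamAssassin's uridnsbl code. The StubResolver, the two-label registered_domain() heuristic and the domain expired-example.test (which has no NS records, the "no longer resolves" case) are assumptions of this example; the other records are constructed from the nslookup output in the message above.

```python
"""Added example (not SpamAssassin's own code): a uridnsbl-style check.
For a host name taken from a message-body URI it (1) reduces the host to
its registered domain, (2) looks up that domain's NS records, (3) resolves
each name server to IPv4 addresses and (4) tests each address against an
IP-based DNSBL zone such as sbl.spamhaus.org. The resolver is an offline
stub loaded with records constructed from the thread; no live DNS is used."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

LISTED = "127.0.0.2"   # conventional "listed" answer from an IP DNSBL


def dnsbl_query_name(ip: str, zone: str = "sbl.spamhaus.org") -> str:
    """IP DNSBLs are queried by reversing the octets and appending the zone:
    61.250.93.207 -> 207.93.250.61.sbl.spamhaus.org"""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


# Assumption/simplification: registered domain = last two labels, except for
# a few known second-level suffixes. Real code would use the Public Suffix List.
_TWO_LEVEL_SUFFIXES = {"co.uk", "com.cn", "com.br"}


def registered_domain(host: str) -> str:
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in _TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


@dataclass
class StubResolver:
    """Offline stand-in for a DNS resolver (assumption of this example).
    Records every query so a caller can verify which names were, and were
    not, looked up."""
    ns: Dict[str, List[str]]
    a: Dict[str, List[str]]
    queried: List[str] = field(default_factory=list)

    def query(self, name: str, rtype: str) -> List[str]:
        self.queried.append(f"{rtype} {name.lower()}")
        table = self.ns if rtype == "NS" else self.a
        # An unknown name yields an empty answer (NXDOMAIN / no NS records),
        # so a domain whose NS records no longer resolve simply produces no hit.
        return list(table.get(name.lower(), []))


def check_uri_host(host: str, resolver: StubResolver,
                   zone: str = "sbl.spamhaus.org") -> List[Tuple[str, str]]:
    """Return (name server, IP) pairs listed in `zone` for the registered
    domain of `host`. Only the registered domain's NS records are queried;
    the full URI host name is never resolved, so a per-recipient "keyed"
    host name gives the sender's DNS server nothing to observe."""
    hits: List[Tuple[str, str]] = []
    for ns in resolver.query(registered_domain(host), "NS"):
        for ip in resolver.query(ns, "A"):
            if resolver.query(dnsbl_query_name(ip, zone), "A"):
                hits.append((ns.lower(), ip))
    return hits


def build_sample_resolver() -> StubResolver:
    """Constructed records taken from the thread's manual checks, plus one
    made-up domain (expired-example.test) that has no NS records at all."""
    ns = {
        "digestion5594rneds.us": ["NS3.AIRMARAMBA.biz", "NS2.AUDI56SEW.biz"],
        "pro-svcs.com": ["ns2.3070.biz", "ns3.3070.biz", "ns1.3070.biz"],
        "tophgh.com": ["ns2.dns.com.cn", "ns1.dns.com.cn"],
    }
    a = {
        "ns3.airmaramba.biz": ["61.250.93.207"],
        "ns2.audi56sew.biz": ["221.143.42.30"],
        "ns2.3070.biz": ["202.104.237.173"],
        "ns3.3070.biz": ["200.153.20.31"],
        "ns1.3070.biz": ["200.40.40.1"],
        "ns2.dns.com.cn": ["218.244.47.6"],
        "ns1.dns.com.cn": ["218.244.47.5"],
    }
    # SBL entries as the thread reports them on 2004-07-18
    for listed_ip in ("61.250.93.207", "221.143.42.30",
                      "202.104.237.173", "200.153.20.31"):
        a[dnsbl_query_name(listed_ip)] = [LISTED]
    return StubResolver(ns=ns, a=a)


if __name__ == "__main__":
    r = build_sample_resolver()
    for h in ("x7k2q.digestion5594rneds.us", "www.pro-svcs.com",
              "tophgh.com", "www.expired-example.test"):
        print(h, "->", check_uri_host(h, r) or "no listed name server")
```

Running it shows digestion5594rneds.us and pro-svcs.com hitting on listed name servers, tophgh.com producing no hit (its name servers are not listed) and the domain without NS records returning an empty result rather than an error. The resolver's query log confirms that the keyed host label (x7k2q...) is never looked up.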
On Sunday, July 18, 2004, 8:43:09 AM, Patrik Nilsson wrote:
Actually, having done some tests using uridnsbl under SA 3 as well as manual checks, I would say that SBL is an excellent tool for catching spam domains in message body URIs.
I don't think everyone is aware of what uridnsbl, as an alternative to urirhsbl/urirhssub, actually does, so I'll try to explain it.
First - SBL does not just list IPs used by known spammers to relay mail. It lists any ips used by known spammers, for whatever purpose. That includes web sites as well as, and most importantly, dns servers.
uridnsbl checks the ns records for domains in URIs, resolves those ns records to ip addresses, and then checks those IP addresses in SBL (by default - you can add/change what RBLs it checks). If any of the name servers for a domain is listed in SBL, you get a rule hit.
Spammers do not change their dns servers nearly as often as they change domains.
[...]
Also - as long as you only check the ns records for a domain, rather than going further and resolving the host name in the URI, there isn't any need to fear "keyed domain name" address verification by spammers of the type discussed in the SURBL FAQ.
Thanks for the explanation of what uridnsbl in SA 3 does. That agrees with what I remember from the discussion on the SA-Talk list. IIRC, uridnsbl was intended to be used with an sbl.spamhaus.org type list, which does include spammer name servers.
What I was trying to say is that using sbl.spamhaus.org with urirhsbl (the program that checks URI domains, not name servers) may not give as good results as using it with SURBLs. Probably I was responding to a configuration Bill was not actually using, but I know the question has come up before.
In a nutshell uridnsbl was intended to be used with lists like sbl.spamhaus.org, while urirhsbl and urirhssub were meant to be used with SURBLs. It's possible to feed either program with the *other* kind of list, but the results aren't as good.
That said, it looks like the original good scores Bill Stearns reported for URIBL_SBL probably were for using uridnsbl with sbl, as intended. It's nice to see it works well when used as intended. Maybe Bill can confirm that for us.
The only downside is that even the resolution of NS records does have a finite time penalty, which can get into many seconds for non-matches (i.e. when a domain no longer has NS records which resolve). So there is still a resolution penalty for using uridnsbl which using urirhsbl with SURBLs doesn't have.
Jeff C.
Hi!
sbl is not really intended to be used with message body URI checkers like SpamCopURI or urirhsbl, but it may get a few hits since I think Spamhaus may include a few spam URI domains in SBL. But the results will probably not be too useful or productive, since it's not an intended use of sbl.spamhaus.org.
Actually, having done some tests using uridnsbl under SA 3 as well as manual checks, I would say that SBL is an excellent tool for catching spam domains in message body URIs.
I don't think everyone is aware of what uridnsbl, as an alternative to urirhsbl/urirhssub, actually does, so I'll try to explain it.
First - SBL does not just list IPs used by known spammers to relay mail. It lists any ips used by known spammers, for whatever purpose. That includes web sites as well as, and most importantly, dns servers.
I picked the 10 most recently reported domains to the SC blocklist and manually checked what dns servers they used, and if the IPs for those dns servers were already listed in SBL. For 9 out of 10, they were. Data included below.
But those are also in SURBL, except one, but that one isn't active anymore. So for me, I would save the resolving and use SURBL for now :) It's however a nice addon to what SURBL does, it goes 2 steps further, but it is also more expensive on busy servers to do many more lookups and resolving.... instead of resolving on a fast RBL server you can encounter relatively slow spam DNS servers, and it will delay your mailflow...
Bye, Raymond.
At 22:14 2004-07-18 +0200, Raymond Dijkxhoorn wrote:
I picked the 10 most recently reported domains to the SC blocklist and manually checked what dns servers they used, and if the IPs for those dns servers were already listed in SBL. For 9 out of 10, they were. Data included below.
But those are also in SURBL, except one, but that one isn't active anymore. So for me, I would save the resolving and use SURBL for now :)
They are in SURBL now, but were they when the first spam run using those domains started? I see a few spam (not many, but more than I would like...) getting under the SURBL radar daily, using new domains that are not reported/listed until a few hours later. The point is that the IPs for the NS records had been listed in SBL for quite some time before the domains even showed up in spam.
Very fresh example: instantbodyhealer.com Not listed in any SURBL list at the moment. NS servers IPs listed in SBL since May 2nd.
It's however a nice addon to what SURBL does, it goes 2 steps further, but it is also more expensive on busy servers to do many more lookups and resolving....
As the SBL catches the first run of the "new domain of the day" from certain domain morphing spammers that isn't caught by SURBLs, I can live with some extra dns lookups and potential time-outs.
But I agree, they are complementary.
Patrik
Hi!
Very fresh example: instantbodyhealer.com Not listed in any SURBL list at the moment. NS servers IPs listed in SBL since May 2nd.
That same page I added a zillion times with all kinds of .biz ones, so sure, in those cases it will work. But! Most likely a REGULAR rbl would also block those. If you list them there.
As the SBL catches the first run of the "new domain of the day" from certain domain morphing spammers that isn't caught by SURBLs, I can live with some extra dns lookups and potential time-outs.
But I agree, they are complementary.
Very true.
Bye, Raymond.
At 00:06 2004-07-19 +0200, Raymond Dijkxhoorn wrote:
Hi!
Very fresh example: instantbodyhealer.com Not listed in any SURBL list at the moment. NS servers IPs listed in SBL since May 2nd.
That same page I added a zillion times with all kinds of .biz ones, so sure, in those cases it will work. But! Most likely a REGULAR rbl would also block those.
Not really. These are spammers using fresh trojaned home computers and non-blacklisted Chinese/Korean/Brazil/Russian/etc IPs to send their email. The IP this specific spam was relayed through (218.71.205.198) was not in SBL, CBL, DSBL, ORDB, NJABL, nor even Spews. As it was sent from China and dynamic/dsl IPs, it did end up in the "very likely spam" box, but I still believe in people being able to send emails from Chinese as well as dynamic/dsl IPs, so that is not conclusive in itself in my book...
If you list them there.
Listing almost all of the relays used by spammers is hard. Listing almost all of the domains in URIs used by spammers is less hard. Listing almost all of the NS servers for those domains is even less hard. At least at the moment...
Patrik
Hi!
That same page I added a zillion times with all kinds of .biz ones, so sure, in those cases it will work. But! Most likely a REGULAR rbl would also block those.
Not really. These are spammers using fresh trojaned home computers and non-blacklisted Chinese/Korean/Brazil/Russian/etc IPs to send their email.
I mean, the IP is listed as spamnest, and even spamcop could list it, as the IP of the spamvertized site.
If you list them there.
Listing almost all of the relays used by spammers is hard. Listing almost all of the domains in URIs used by spammers is less hard. Listing almost all of the NS servers for those domains is even less hard. At least at the moment...
Sure :) Got the point.
Currently I think a mix of the above, and some local rulesets to detect the Vi@gra crap that will make things happen....
Thanks, Raymond.
On Sunday, July 18, 2004, 4:16:35 PM, Patrik Nilsson wrote:
At 00:06 2004-07-19 +0200, Raymond Dijkxhoorn wrote:
Hi!
Very fresh example: instantbodyhealer.com Not listed in any SURBL list at the moment. NS servers IPs listed in SBL since May 2nd.
That same page I added a zillion times with all kinds of .biz ones, so sure, in those cases it will work. But! Most likely a REGULAR rbl would also block those.
Not really. These are spammers using fresh trojaned home computers and non-blacklisted Chinese/Korean/Brazil/Russian/etc IPs to send their email. The IP this specific spam was relayed through (218.71.205.198) was not in SBL, CBL, DSBL, ORDB, NJABL, nor even Spews. As it was sent from China and dynamic/dsl IPs, it did end up in the "very likely spam" box, but I still believe in people being able to send emails from Chinese as well as dynamic/dsl IPs, so that is not conclusive in itself in my book...
If you list them there.
Listing almost all of the relays used by spammers is hard. Listing almost all of the domains in URIs used by spammers is less hard. Listing almost all of the NS servers for those domains is even less hard. At least at the moment...
All that's needed to defeat the NS server detection and listing is for ratware/trojans/zombies/etc. to start doing DNS....
Jeff C.
At 16:34 2004-07-18 -0700, Jeff Chan wrote:
On Sunday, July 18, 2004, 4:16:35 PM, Patrik Nilsson wrote: All that's needed to defeat the NS server detection and listing is for ratware/trojans/zombies/etc. to start doing DNS....
It's not that easy to do actually. There are certain requirements on a dns server that a trojan'd box has problems with. They are trying though...
Patrik