When browsing unsubscribe links like http://www.signoffcorp.biz/uns.htm to enter a spamtrap address, I just noticed that quite a few of the pages look extremely similar. DNS lookups show:
$ host www.signoffcorp.biz
www.signoffcorp.biz has address 217.107.217.8
$ host www.bestcds.biz
www.bestcds.biz has address 217.107.217.8
$ host www.wonder-pills.com
www.wonder-pills.com has address 217.107.217.8
$ host www.multimed.ws
www.multimed.ws has address 217.107.217.8

$ host 217.107.217.8
8.217.107.217.in-addr.arpa is an alias for 8.0/27.217.107.217.in-addr.arpa.
8.0/27.217.107.217.in-addr.arpa domain name pointer webrider.ru.
$ host webrider.ru
webrider.ru has address 217.107.216.26
So I wonder if it is possible (or already done) to also list (and save) the IPs of URIBL-listed domains and check newly queried, yet unlisted domains against those IPs.
Any comments?
regards,
wolfgang
On Thursday, May 12, 2005, 2:20:02 PM, wolfgang wolfgang wrote:
> When browsing unsubscribe links like http://www.signoffcorp.biz/uns.htm to enter a spamtrap address, I just noticed that quite a few of the pages look extremely similar. DNS lookups show:
>
> $ host www.signoffcorp.biz
> www.signoffcorp.biz has address 217.107.217.8
> $ host www.bestcds.biz
> www.bestcds.biz has address 217.107.217.8
> $ host www.wonder-pills.com
> www.wonder-pills.com has address 217.107.217.8
> $ host www.multimed.ws
> www.multimed.ws has address 217.107.217.8
>
> $ host 217.107.217.8
> 8.217.107.217.in-addr.arpa is an alias for 8.0/27.217.107.217.in-addr.arpa.
> 8.0/27.217.107.217.in-addr.arpa domain name pointer webrider.ru.
> $ host webrider.ru
> webrider.ru has address 217.107.216.26
>
> So I wonder if it is possible (or already done) to also list (and save) the IPs of URIBL-listed domains and check newly queried, yet unlisted domains against those IPs.
> Any comments?
Yes, spammers often use the same IP addresses or networks for their hosting infrastructure. It's one of the reasons the sbl.spamhaus.org IP RBLs work well for detecting spam, for example with uridnsbl in SpamAssassin 3.
http://spamassassin.apache.org/full/3.0.x/dist/doc/Mail_SpamAssassin_Plugin_...
SURBLs will remain lists of mostly domains because IP lists of web hosting in particular can easily lead to false positives. If one domain on a shared web hosting server gets used for spam, and the IP of that server were listed and checked, then all other web sites on that server (on the same IP) could get identified as spammy, even if they're not. That's too much collateral damage (harming innocent bystanders) for us. Instead we list domains which specifically appear in spam. That way only the spam sites get listed.
That said, we will be using resolved IP addresses to bias inclusion on sc.surbl.org in future. In other words we will detect the spammers' infrastructure and include new domains much sooner if they are found to be in that infrastructure.
This is addressed in the FAQ as:
http://www.surbl.org/faq.html#numbered
Cheers,
Jeff C.
--
Don't harm innocent bystanders.
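Added example, not part of either message and not SURBL's code: a sketch of using resolved IPs only to prioritize an unlisted domain for review, while declining to draw any conclusion when the IP also hosts a known legitimate site (the shared-hosting false-positive case described in the reply). The 217.107.217.8 lookups are the ones quoted in the thread; the `*.example` names, the `LISTED` and `KNOWN_GOOD` sets, the `min_listed` threshold and both function names are assumptions made for illustration.

```python
from collections import defaultdict

# A records embedded so the example runs offline. The 217.107.217.8 entries are
# the lookups quoted in the thread; every *.example entry is constructed.
RESOLVED = {
    "www.signoffcorp.biz": "217.107.217.8",
    "www.bestcds.biz": "217.107.217.8",
    "www.wonder-pills.com": "217.107.217.8",
    "www.multimed.ws": "217.107.217.8",
    "pills-shop.example": "192.0.2.10",
    "bakery.example": "192.0.2.10",
    "new-customer.example": "192.0.2.10",
    "unrelated.example": "198.51.100.7",
}
# Assumption for illustration: which domains are already on the domain list.
LISTED = {"www.signoffcorp.biz", "www.bestcds.biz", "www.wonder-pills.com",
          "pills-shop.example"}
# Assumption: domains known to be legitimate (for example from a whitelist).
KNOWN_GOOD = {"bakery.example"}


def index_by_ip(domains, resolved):
    """Map each IP to the set of given domains that resolve to it."""
    index = defaultdict(set)
    for name in domains:
        if name in resolved:
            index[resolved[name]].add(name)
    return index


def inclusion_bias(candidate, resolved=RESOLVED, min_listed=2):
    """Return a review hint for an unlisted domain; never lists the IP itself."""
    ip = resolved.get(candidate)
    if ip is None or candidate in LISTED:
        return "no-signal"
    listed_here = index_by_ip(LISTED, resolved).get(ip, set())
    good_here = index_by_ip(KNOWN_GOOD, resolved).get(ip, set())
    if good_here:
        return "shared-host"   # innocent sites on this IP: a match proves nothing
    if len(listed_here) >= min_listed:
        return "prioritize"    # likely same infrastructure: review domain sooner
    return "no-signal"


if __name__ == "__main__":
    for name in ("www.multimed.ws", "new-customer.example", "unrelated.example"):
        print(name, RESOLVED.get(name), inclusion_bias(name))
```

The output is a hint for the domain-listing process, so a "prioritize" result still leads to a domain entry, not an IP entry.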