Here's some additional info on some of the recent sa-blacklist/ws.surbl.org/6dos goings on, copied from a message I sent to the SpamAssassin-users list:
1477667 Jun 21 18:48 /etc/spamassassin/RulesDuJour/blacklist.cf.20040623-0106
421286 Jun 21 18:49 /etc/spamassassin/RulesDuJour/blacklist-uri.cf.20040623-0106
1459329 Jun 23 00:03 /etc/spamassassin/RulesDuJour/blacklist.cf.20040624-1602
415544 Jun 23 00:04 /etc/spamassassin/RulesDuJour/blacklist-uri.cf.20040624-1602
1484137 Jun 24 15:48 /etc/spamassassin/RulesDuJour/blacklist.cf.20040627-0301
422228 Jun 24 15:49 /etc/spamassassin/RulesDuJour/blacklist-uri.cf.20040627-0301
1559813 Jun 27 02:17 /etc/spamassassin/RulesDuJour/blacklist.cf.20040628-1544
443922 Jun 27 02:18 /etc/spamassassin/RulesDuJour/blacklist-uri.cf.20040628-1544
5432965 Jun 28 15:25 /etc/spamassassin/RulesDuJour/blacklist.cf.20040628-1558
1544207 Jun 28 15:28 /etc/spamassassin/blacklist-uri.cf
7070231 Jun 28 15:54 /etc/spamassassin/blacklist.cf
I think I can help explain why sa-blacklist went from 1.5 MB to 5.5 MB in size suddenly. Chris Santerre added a fairly large set of records from 6dos (6 degrees of spam) around that time in order to get the records into ws.surbl.org and sa-blacklist. Chris, Bill and I then discussed this and decided to take them back out of sa-blacklist and therefore ws.surbl.org, and put the 6dos entries into its own SURBL instead.
However Bill's server experienced a hard disk problem around the same time so the entries have not come out of sa-blacklist yet. But they will come out once Chris gets access to Bill's server again. Until then, backing off to an earlier version of sa-blacklist makes perfect sense and it's what we've done for ws.surbl.org.
When Chris gets in again, he will get the 6dos entries off sa-blacklist, it will come back down in size, and I'll restore live feeds of ws.surbl.org from the sa-blacklist data instead of freezing it at the older version, as it is now.
Hopefully this makes some sense. If not, I'll gladly try to answer any questions or comments anyone has, though I'm not the original source of the changes.
Jeff C.
Hi!
Here's some additional info on some of the recent sa-blacklist/ws.surbl.org/6dos goings on, copied from a message I sent to the SpamAssassin-users list:
1477667 Jun 21 18:48 /etc/spamassassin/RulesDuJour/blacklist.cf.20040623-0106
421286 Jun 21 18:49 /etc/spamassassin/RulesDuJour/blacklist-uri.cf.20040623-0106
1459329 Jun 23 00:03 /etc/spamassassin/RulesDuJour/blacklist.cf.20040624-1602
415544 Jun 23 00:04 /etc/spamassassin/RulesDuJour/blacklist-uri.cf.20040624-1602
1484137 Jun 24 15:48 /etc/spamassassin/RulesDuJour/blacklist.cf.20040627-0301
422228 Jun 24 15:49 /etc/spamassassin/RulesDuJour/blacklist-uri.cf.20040627-0301
1559813 Jun 27 02:17 /etc/spamassassin/RulesDuJour/blacklist.cf.20040628-1544
443922 Jun 27 02:18 /etc/spamassassin/RulesDuJour/blacklist-uri.cf.20040628-1544
5432965 Jun 28 15:25 /etc/spamassassin/RulesDuJour/blacklist.cf.20040628-1558
1544207 Jun 28 15:28 /etc/spamassassin/blacklist-uri.cf
7070231 Jun 28 15:54 /etc/spamassassin/blacklist.cf
Hopefully this makes some sense. If not, I'll gladly try to answer any questions or comments anyone has, though I'm not the original source of the changes.
We however started SURBL for a reason, also to offload heavy rulesets, why are you still using the .cf format? I mean, go lookup via DNS and you would not even have noticed this at all.
Bye, Raymond.
On Tuesday, June 29, 2004, 11:54:21 PM, Raymond Dijkxhoorn wrote:
We however started SURBL for a reason, also to offload heavy rulesets, why are you still using the .cf format? I mean, go lookup via DNS and you would not even have noticed this at all.
Yes, I suggested on the SA list that they look into using SURBLs instead of rulesets. :-)
Jeff C.
Hi!
We however started SURBL for a reason, also to offload heavy rulesets, why are you still using the .cf format? I mean, go lookup via DNS and you would not even have noticed this at all.
Yes, I suggested on the SA list that they look into using SURBLs instead of rulesets. :-)
Good point, little stupid to load such large rulesets into SA directly. Waste of resources.
Bye, Raymond.
Raymond Dijkxhoorn wrote:
We however started SURBL for a reason, also to offload heavy rulesets, why are you still using the .cf format? I mean, go lookup via DNS and you would not even have noticed this at all.
SURBL can't blacklist by e-mail sender - I agree this isn't a major thing, but it's a feature provided by Bill's list that SURBL can't replicate.
It would be nice if there was a way to do this through DNS however.
David
On Wednesday, June 30, 2004, 12:00:28 AM, David Coulson wrote:
Raymond Dijkxhoorn wrote:
We however started SURBL for a reason, also to offload heavy rulesets, why are you still using the .cf format? I mean, go lookup via DNS and you would not even have noticed this at all.
SURBL can't blacklist by e-mail sender -
Yes, that's by design.... :-) SURBLs are meant to work on URI domains instead of sender domains.
I agree this isn't a major thing, but it's a feature provided by Bill's list that SURBL can't replicate.
It would be nice if there was a way to do this through DNS however.
Wouldn't the many sender-focussed RBLs like spamhaus do that though?
Jeff C.
Hi!
We however started SURBL for a reason, also to offload heavy rulesets, why are you still using the .cf format? I mean, go lookup via DNS and you would not even have noticed this at all.
SURBL can't blacklist by e-mail sender - I agree this isn't a major thing, but it's a feature provided by Bill's list that SURBL can't replicate.
It would be nice if there was a way to do this through DNS however.
It's not like most spammers use a static 'from' or something.... :)
Bye, Raymond.
Raymond Dijkxhoorn wrote:
It's not like most spammers use a static 'from' or something.... :)
Sure they do - @comcast.net :-)
Actually, Bill's blacklist_from list used to get quite a few hits for me - I just don't bother using it anymore now I use his URI list through SURBLs.
David
Hi!
Sure they do - @comcast.net :-)
Actually, Bill's blacklist_from list used to get quite a few hits for me - I just don't bother using it anymore now I use his URI list through SURBLs.
So, why not use a specific RBL that completely blocks comcast.net, you could do with less resources at MTA level.
Bye, Raymond.
Hello,
David Coulson wrote:
Raymond Dijkxhoorn wrote:
It's not like most spammers use a static 'from' or something.... :)
Sure they do - @comcast.net :-)
Yes, but there are many real people using addresses of the kind rr.com, comcast.net, yahoo.com, and so...
So, people managing blacklists like surbl, and others, shall put into their lists only data that is considered as spam to everybody in the world.
comcast.net, rr.com, may be considered spam to you, but it isn't for me.
As Raymond said, it's easier to solve your "particular" problem with rules at your MTA.
Actually, Bill's blacklist_from list used to get quite a few hits for me - I just don't bother using it anymore now I use his URI list through SURBLs.
David
On Thursday, July 1, 2004, 2:28:15 AM, Jose Cruz wrote:
David Coulson wrote:
Raymond Dijkxhoorn wrote:
It's not like most spammers use a static 'from' or something.... :)
Sure they do - @comcast.net :-)
Yes, but there are many real people using addresses of the kind rr.com, comcast.net, yahoo.com, and so...
comcast.net, rr.com, may be considered spam to you, but it isn't for me.
And note:
Date: Wed, 30 Jun 2004 17:31:32 -0700
From: Kenneth Porter shiva@sewingwitch.com
To: spamassassin-users@incubator.apache.org
Subject: SlashDot: Comcast blocking port 25
Posted by timothy on Wednesday June 30, @07:29PM from the choke-it-off dept.
Dozix007 writes "Ars Technica reports that: 'After Comcast finally owned up to the massive amounts of spam coming from their network, they decided to identify spammers and zombie relays on their network and block port 25 traffic from those IP addresses. Comcast's efforts are starting to pay off. They announced the amount of spam from their network has dropped 35 percent since they began port blocking and traffic estimates from SenderBase seem to confirm the claims. Spam coming from Comcast subscribers who were formerly on AT&T networks also seems to have decreased'."
It looks like Comcast is trying to clean up their act and it may be having an effect.
Jeff C.
Jeff Chan wrote:
It looks like Comcast is trying to clean up their act and it may be having an effect.
You couldn't tell that anything is being done at comcast/attbi; those two comprise close to 75% of the zombie (spamshooters) I am STILL being hit by. Though the RBLs I'm using at the MTA level mean that, at least, they're being 550'd. But sure makes it hard to even look through my logs. All those blocked entries. ::sigh::
But so it goes.
-Doc (D-Ninja D means Depressed today)
ps. Am just depressed cause I'm still sick. Been sick and off work for a week now and no end in sight. Going to the Doctors in a bit though.
Jeff Chan wrote:
It looks like Comcast is trying to clean up their act and it may be having an effect.
I'd certainly agree that adding comcast.blackholes.us to SURBL would be a _fatal_ error, but OTOH I'd never believe in Spamcast's PR. For details see SpamCop's hall of shame:
http://www.spamcop.net/w3m?action=hoshame#domsum
Bye, Frank
On Thursday, July 1, 2004, 12:14:23 PM, Frank Ellermann wrote:
Jeff Chan wrote:
It looks like Comcast is trying to clean up their act and it may be having an effect.
I'd certainly agree that adding comcast.blackholes.us to SURBL would be a _fatal_ error
Yes, and we would never do that.
It wouldn't have much effect either since people generally use SURBLs as intended, that is, on message bodies and not headers.
Jeff C.
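
The DNS lookup on message-body URI domains that the thread contrasts with loading blacklist.cf, as an added example (not code from SURBL, SpamAssassin or any poster). The sample message, the stub resolver and the two-label domain reduction are constructed assumptions; a listed name answering with a 127.0.0.x address is ordinary DNS blocklist behaviour.

```python
import re
import socket

ZONE = "ws.surbl.org"  # the list named in the thread
URI_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)

# Constructed sample: a URI in a header and a comcast.net sender, both ignored.
SAMPLE = (
    "From: someone@comcast.net\n"
    "List-Help: http://lists.header-only.test/\n"
    "Subject: hello\n"
    "\n"
    "Buy now: http://www.spam-example.test/buy\n"
    "Other: http://example.org/page and http://WWW.SPAM-EXAMPLE.TEST/again\n"
)
# Constructed stand-in for the DNS zone so the example runs offline.
STUB_ZONE = {"spam-example.test.ws.surbl.org": "127.0.0.2"}

def stub_resolve(name):
    if name in STUB_ZONE:
        return STUB_ZONE[name]
    raise socket.gaierror("NXDOMAIN")  # what a real resolver raises when unlisted

def body_uri_domains(raw_message):
    """Domains of URIs found in the body only; headers are never scanned."""
    _headers, _, body = raw_message.partition("\n\n")
    domains = []
    for host in URI_RE.findall(body):
        labels = host.lower().strip(".").split(".")
        domain = ".".join(labels[-2:])  # assumption: no ccTLD handling
        if domain not in domains:
            domains.append(domain)
    return domains

def query_name(domain, zone=ZONE):
    return f"{domain}.{zone}"

def listed(domain, resolve=socket.gethostbyname):
    """True if the A lookup answers inside 127.0.0.0/8; NXDOMAIN means unlisted."""
    try:
        return resolve(query_name(domain)).startswith("127.")
    except OSError:
        return False

def check_message(raw_message, resolve=socket.gethostbyname):
    return {d: listed(d, resolve) for d in body_uri_domains(raw_message)}

if __name__ == "__main__":
    print(check_message(SAMPLE, stub_resolve))
```

Each message costs one small DNS query per distinct body domain, so a jump in the list's size never reaches the filtering host as a larger ruleset to load.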