Hi,
rg3.net is listed in WS.
It is a redirection service, redirecting third level domains like polimidia.rg3.net.
They might have spammy third level domains, but they do have non-spammy ones as well.
Not sure whitelisting the second level domains is the best way to handle these kinds of redirection services though.
If they are whitelisted, we can't blacklist third levels below those domains that are spammy, right?
Wouldn't it be better if we could treat these kinds of third level redirectors similarly to the way we treat subdelegated country domains - checking the third level domain rather than the second?
Extending what is done in RegistrarBoundaries.pm for URIDNSBL would probably be easier than doing something similar in SpamCopURI though.
Patrik
On Thursday, August 5, 2004, 11:29:26 AM, Patrik Nilsson wrote:
> Hi,
> rg3.net is listed in WS.
> It is a redirection service, redirecting third level domains like polimidia.rg3.net.
> They might have spammy third level domains, but they do have non-spammy ones as well.
Thanks for that research. I've whitelisted them. Probably they should come out of sa-blacklist also.
> Not sure whitelisting the second level domains is the best way to handle these kinds of redirection services though.
They need to be whitelisted since they have some legitimate use.
> If they are whitelisted, we can't blacklist third levels below those domains that are spammy, right?
Not under the current designs.
> Wouldn't it be better if we could treat these kinds of third level redirectors similarly to the way we treat subdelegated country domains - checking the third level domain rather than the second?
Yes and no. It might be nice to be able to block only spammy third level domains at redirection sites, but that could also rapidly expand the size of our lists.
> Extending what is done in RegistrarBoundaries.pm for URIDNSBL would probably be easier than doing something similar in SpamCopURI though.
It's all technically probably doable, but I'd expect the data to get too large.
The best answer is to get the redirection sites to deny access to abusers, for example by using SURBLs as some have done:
http://www.surbl.org/news.html
# 4/30/04: Ask Bjørn Hansen of develooper.com is using SURBL data to block spammer domains in the Metamark Shorten Service URI shortening and redirection service. This is the first use of SURBL data to prevent abuse of a redirection site that we've heard of! Great going! Ask explains his motivation as: "I mostly did it to make it less likely that I'll have to deal with abusers of the service manually. Hopefully the other redirection services will realize that benefit soon as well."
# 7/23/04: SnipURL is now using SURBLs to deny abusers access to their URL shortening and redirection service.
Would you care to write to rg3.net for us about this? The following letter may be useful:
http://www.surbl.org/redirect.html
Jeff C.
At 13:57 2004-08-05 -0700, Jeff Chan wrote:
> > Wouldn't it be better if we could treat these kinds of third level redirectors similarly to the way we treat subdelegated country domains - checking the third level domain rather than the second?
> Yes and no. It might be nice to be able to block only spammy third level domains at redirection sites, but that could also rapidly expand the size of our lists.
> > Extending what is done in RegistrarBoundaries.pm for URIDNSBL would probably be easier than doing something similar in SpamCopURI though.
> It's all technically probably doable, but I'd expect the data to get too large.
I'm not following you here. Why would the data get *too* large? If the added data consists of spammy third level domains, wouldn't it be just as valuable as spammy second level domains? Listing spammythirdlevel.secondlevel.com wouldn't mean much more data than listing spammysecondlevel.com would it?
The actual list of second level domains used for third level redirection would be separate, and not likely to grow particularly large.
> The best answer is to get the redirection sites to deny access to abusers, for example by using SURBLs as some have done:
While having redirection sites doing this is a nice thing, we can't count on or hope for them doing so, and even if they do, we will still end up with spammy third level domains on those servers, since the uri they redirect to might not be listed yet - or even ever. If the spammers only use redirecting uris in their spam bodies, there is a good chance that their final redirected-to-uri will not be reported and listed for quite some time.
Suppose I'm Spammy, and I know how SURBL works currently.
I set up a site on the uri http://spammyssite.spammysfreshdomain.com/. I then set up a few redirects on different redirection sites, preferably ones that I know are actually whitelisted in SURBL. For example spammy.rg3.net. As spammysfreshdomain.com has not been used in any spam, the redirect sites that check surbl before allowing additions will not find anything. I then use only those redirects in uris in my spam, never spammysfreshdomain.com.
For spammysfreshdomain.com to end up on SURBL in this set-up, quite a bit of manual checking would be required.
Or am I missing something?
BTW - this is not only a problem with third-level-redirectors, but also with webhosting companies such as 150m.com, that delegate third level domains to their hosting customers.
Also - this is a type of spam URIs where SURBL could offer a solution but where checking dns servers in SBL can not.
Patrik
One problem with subdomains is combinations. The number of records can multiply rapidly if we get into additional levels of hosting or redirection domains.
Another problem is how to automatically distinguish an actual hosting subdomain or redirection site from a wildcarded DNS Address record:
my.pretty.fluffy.bunny.freehostingprovider.com
vs
random.or.keyed.gibberish.here.spamyisp.biz
It's not clear how these can be programmatically distinguished.
Finally, it seems unlikely that these subdomain hosting or redirection sites would be major sources of spam; more like occasional, minor annoyances. There is a disincentive for a hosting or even redirection provider to host a spam site due to excessive traffic, complaints, retaliation, blocking, etc. Most providers in general tend to be mostly whitehat or mostly blackhat.
Most of the hard core spammers are already settled at the blackhat or clueless providers in China, Korea, Brazil, etc. A few professional spammers are probably responsible for most of the spam and are more important to focus on than the minor clueless abuser whose free site on a mostly legitimate provider is about to get shut down.
Jeff C.
Jeff Chan wrote:
> Another problem is how to automatically distinguish an actual hosting subdomain or redirection site from a wildcarded DNS Address record:
> my.pretty.fluffy.bunny.freehostingprovider.com
> vs
> random.or.keyed.gibberish.here.spamyisp.biz
I'm not sure why there's any difference for sc.surbl.org:
If a URL is reported as "spamvertized" we want it in a SURBL. Minus the wildcard gibberish. Minus whitelisted SLDs. So you'd first strip the wildcard stuff, i.e. get the IP of the complete URL, strip first part and get the IP of the remaining URL, repeat step 2 until the IPs are different.
This results in here.spamyisp.biz != spamyisp.biz or in spamyisp.biz != biz (because there's no IP for biz).
If spamyisp.biz is whitelisted add here.spamyisp.biz to sc.surbl.org, otherwise add spamyisp.biz.
Same procedure as for say co.uk, or for 3LDs below .cn
Patrik's argument...
| Why would the data get *too* large? If the added data
| consists of spammy third level domains, wouldn't it be
| just as valuable as spammy second level domains?
| Listing spammythirdlevel.secondlevel.com wouldn't mean
| much more data than listing spammysecondlevel.com would it?
...is IMHO very convincing for SURBLs where all entries are created _and_ deleted automatically like sc.surbl.org
Bye, Frank
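The stripping procedure Frank describes, sketched in Python as an added example (not code from this thread, SURBL or SpamAssassin). The DNS records, the whitelist and `redirector.example` are constructed, and `resolve` is an offline stand-in for an A lookup with simplified wildcard matching; the last case in the data shows the procedure collapsing onto the whitelisted domain when every subdomain shares the parent's address.

```python
# Constructed DNS data (documentation IP ranges); "*." entries model wildcard A records.
RECORDS = {
    "spamyisp.biz": "203.0.113.20",
    "here.spamyisp.biz": "203.0.113.10",
    "*.here.spamyisp.biz": "203.0.113.10",
    "freehostingprovider.com": "198.51.100.1",
    "bunny.freehostingprovider.com": "198.51.100.7",
    "*.bunny.freehostingprovider.com": "198.51.100.7",
    "redirector.example": "192.0.2.5",
    "*.redirector.example": "192.0.2.5",
}
WHITELIST = {"freehostingprovider.com", "redirector.example"}  # hypothetical entries
TWO_LEVEL_TLDS = {"co.uk"}  # stand-in for a RegistrarBoundaries-style list


def resolve(name, records=RECORDS):
    """Offline stand-in for an A lookup: exact record, else nearest wildcard."""
    if name in records:
        return records[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        ip = records.get("*." + ".".join(labels[i:]))
        if ip:
            return ip
    return None


def strip_wildcard(host, lookup=resolve):
    """Drop leading labels while the parent still resolves to the same IP."""
    labels = host.lower().rstrip(".").split(".")
    ip = lookup(".".join(labels))
    while ip is not None and len(labels) > 1 and lookup(".".join(labels[1:])) == ip:
        labels = labels[1:]
    return ".".join(labels)


def listing_key(host, lookup=resolve):
    """Name to list: the registered domain, or one label below it if that is whitelisted."""
    labels = strip_wildcard(host, lookup).split(".")
    n = 3 if ".".join(labels[-2:]) in TWO_LEVEL_TLDS else 2
    registered = ".".join(labels[-n:])
    if registered not in WHITELIST:
        return registered
    if len(labels) > n:
        return ".".join(labels[-(n + 1):])
    return None  # collapsed onto the whitelisted domain itself: nothing listable
```

A `None` result for `spammy.redirector.example` means IP comparison alone cannot separate a redirector's subdomains from wildcard gibberish, so a separate list of redirector domains would still be needed for that case.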