-----Original Message-----
From: Jeff Chan [mailto:jeffc@surbl.org]
Sent: Saturday, October 09, 2004 3:10 AM
To: SURBL Discussion list
Subject: Re: [SURBL-Discuss] Revised DMOZ data, got Wikipedia domains too
On Friday, October 8, 2004, 11:37:03 PM, Alex Broens wrote:
> tripod and geocities have given spammers a home for many years... and there's many other freehosters who have become "victims" as well.
> if not permitted to blacklist, at least treat as 2nd level tld so we can get rid of the spam coming from them
That's possible, but not something we've done so far. I don't see shared domain hosting as a major spam destination. Maybe they are a minor annoyance, but nothing like the pill spammers hosted in China, Korea, Brazil, etc.
The difference is that geocities, tripod, angelfire, etc. ought to have some incentive to get rid of these minor abusers since they make so little money from them. The pill/mortgage/warez/etc. spam hosters probably make a lot more money from their spamming customers, so they have an incentive to keep them.
In the case where there is some legitimate company like Yahoo or Lycos (parents of geocities, tripod, etc) to police their customers and enforce their AUPs, then spam victims should report them and let them do the enforcing. Since these companies are mostly legitimate and probably do spend some resources dealing with abuse, they have an incentive to reduce abuse since it probably costs them more money than it gains them.
One of the main reasons for doing SURBLs was to be able to do something about the hosting companies who don't have AUPs against spam or don't enforce them.
Bottom line is that tripod, etc. are mostly irrelevant compared to the professional spam gangs who send a lot more spam. SURBLs are for listing the domains of the bigger fish who have found spam-friendly hosts, regardless of where those hosts are.
All I can say to that is, it is a small amount... for now.
I don't see any harm in treating these as second and third TLDs. We are already doing all the same work, and seeing the same domains anyway while looking at spams. Why not just add them as 2-3 level? We are doing all the work now, and just throwing the listing away.
--Chris
On Saturday, October 9, 2004, 6:20:13 AM, Chris Santerre wrote:
> I don't see any harm in treating these as second and third TLDs. We are already doing all the same work, and seeing the same domains anyway while looking at spams. Why not just add them as 2-3 level? We are doing all the work now, and just throwing the listing away.
One reason for not doing it is that there was not an easy programmatic way (on the client side) to distinguish subdomain.tripod.com as something to be checked instead of tripod.com. One quick answer is to check them both, and SpamAssassin or SpamCopURI may do that, but if so, that's probably more for convenience than correctness.
Remember the original goal was to find registrar domains in order to go after the BIG spammers who register new domains very frequently. That is the target we're going after: the professional spam gangs who burn through a bazillion domains, not the occasionally abused legitimate site.
Jeff C. -- "If it appears in hams, then don't list it."
At 07:54 2004-10-09 -0700, Jeff Chan wrote:
> On Saturday, October 9, 2004, 6:20:13 AM, Chris Santerre wrote:
>> I don't see any harm in treating these as second and third TLDs. We are already doing all the same work, and seeing the same domains anyway while looking at spams. Why not just add them as 2-3 level? We are doing all the work now, and just throwing the listing away.
> One reason for not doing it is that there was not an easy programmatic way (on the client side) to distinguish subdomain.tripod.com as something to be checked instead of tripod.com. One quick answer is to check them both, and SpamAssassin or SpamCopURI may do that, but if so, that's probably more for convenience than correctness.
Another quick answer is - check them against a dns list...
Just create a separate "TLDs or treat as TLDs" zone that can be checked and cached client side.
Or even better - give "TLDs or treat as TLDs" a distinguished A value in existing lists. If a lookup returns XXX.XXX.XXX.XXX, it is a "TLD or treat as TLD" and should be further recursed. If we think there is a risk that some bad client implementations treat any returned A record as a hit, use TXT records.
Patrik
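The marker-value proposal in the message above, sketched as an added example (not code from the thread or from any SURBL client). The zone contents, the marker address and all function names are constructed for illustration; the post itself leaves the marker value as XXX.XXX.XXX.XXX. It also shows the failure mode the post warns about, where a client that treats any A record as a hit flags the shared host itself.

```python
# Constructed values: the thread does not specify either address.
TREAT_AS_TLD = "127.0.0.254"  # hypothetical "TLD or treat as TLD" marker
LISTED = "127.0.0.2"          # hypothetical "listed" answer

# Constructed stand-in for the DNS list zone so the example runs offline.
FAKE_ZONE = {
    "co.uk": TREAT_AS_TLD,
    "tripod.com": TREAT_AS_TLD,
    "spammer.tripod.com": LISTED,
    "badshop.co.uk": LISTED,
    "pillgang.example": LISTED,
}

def lookup(name):
    """Stand-in for an A query against the list; None means NXDOMAIN."""
    return FAKE_ZONE.get(name.lower())

def check_host(host, query=lookup, max_labels=4):
    """Return (listed_name_or_None, names_queried).

    Start at the last two labels. Whenever the answer is the marker,
    the name is a shared suffix, so query one label deeper.
    """
    labels = host.lower().rstrip(".").split(".")
    queried = []
    for n in range(2, min(len(labels), max_labels) + 1):
        candidate = ".".join(labels[-n:])
        queried.append(candidate)
        answer = query(candidate)
        if answer == TREAT_AS_TLD:
            continue  # not a hit: recurse to the next label
        return (candidate if answer is not None else None), queried
    return None, queried  # ran out of labels without a listing

def naive_check(host, query=lookup):
    """The risky client: any returned A record counts as a hit."""
    base = ".".join(host.lower().rstrip(".").split(".")[-2:])
    return base if query(base) is not None else None

if __name__ == "__main__":
    for h in ("www.spammer.tripod.com", "family.tripod.com",
              "shop.badshop.co.uk", "www.pillgang.example"):
        print(h, check_host(h), "naive:", naive_check(h))
```

Moving the marker into TXT records, as the post suggests, would keep the naive client from seeing an A record for tripod.com at all.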
This is one of the most bizarre e-mails I've ever seen. It is even fascinating and entertaining to contemplate.
SEE HERE: http://www.pvsys.com/dumbphisher.txt
Is this:
A. A dumb phisher who doesn't realize that identity theft is traceable and prosecutable when done by someone who doesn't live in Siberia?
B. A "spoof", where someone hijacked their homepage?
C. A "legitimate" message from a real banker where they actually (and sincerely) DO purposely ask for the same things that phishers ask for? (perhaps they saw phishing e-mails and, not realizing that they were scams, thought that this was, in fact, the way to do business?)
D. Something else? If so, what is going on here?
Rob McEwen
On Saturday, October 9, 2004, 4:29:45 PM, Rob McEwen wrote:
> This is one of the most bizarre e-mails I've ever seen. It is even fascinating and entertaining to contemplate.
> SEE HERE: http://www.pvsys.com/dumbphisher.txt
> Is this:
> A. A dumb phisher who doesn't realize that identity theft is traceable and prosecutable when done by someone who doesn't live in Siberia?
> B. A "spoof", where someone hijacked their homepage?
> C. A "legitimate" message from a real banker where they actually (and sincerely) DO purposely ask for the same things that phishers ask for? (perhaps they saw phishing e-mails and, not realizing that they were scams, thought that this was, in fact, the way to do business?)
> D. Something else? If so, what is going on here?
> Rob McEwen
The domain sicomputerconsulting.net doesn't resolve at all, so I'm not sure what the purpose of this phish is either.
Perhaps it's some kind of counter-intelligence move by spammers to see who is checking on or reporting spam?
Jeff C. -- "If it appears in hams, then don't list it."
Wow. Earlier today, it resolved to 205.209.169.210 (now inoperable) and it really did look like this page: https://banking.commercebank.com/
Maybe it was a phishing attempt which got caught and closed down by the ISP?
Anyways, case closed.
Rob McEwen
On Saturday, October 9, 2004, 5:48:41 PM, Rob McEwen wrote:
> Wow. Earlier today, it resolved to 205.209.169.210 (now inoperable) and it really did look like this page: https://banking.commercebank.com/
> Maybe it was a phishing attempt which got caught and closed down by the ISP?
Sounds like it.
> Anyways, case closed.
> Rob McEwen
:-)
Jeff C. -- "If it appears in hams, then don't list it."
Hello-
Perhaps I'm missing something, but shouldn't anything that's in WS also be in multi?
Yet, here's a domain that made it through our scanners:
On Saturday, October 9, 2004, 1:09:43 PM, Patrik Nilsson wrote:
> Just create a separate "TLDs or treat as TLDs" zone that can be checked and cached client side.
> Or even better - give "TLDs or treat as TLDs" a distinguished A value in existing lists. If a lookup returns XXX.XXX.XXX.XXX, it is a "TLD or treat as TLD" and should be further recursed. If we think there is a risk that some bad client implementations treat any returned A record as a hit, use TXT records.
This is still an interesting idea, but I'd still be somewhat concerned about putting out a list that looks like a regular SURBL that it could get misused.
But perhaps the larger issue is that the hard core spammers don't seem to use *subdomains of legitimate shared-domain hosting providers*. They just register their own full domain names and use those (lots of them).
If some legitimate hosting provider has an abuse issue, then it's in their own interest to stop the abuse.
SURBLs are arguably best suited for cases where the ISP is spam-friendly and allows spam hosting on custom domains. The reality is that's a much larger and tougher problem than shared, common-domain hosting, like a geocities or tripod.
The best use of our time is to focus on the biggest spammers first, and we're not catching all of those yet.
Jeff C. -- "If it appears in hams, then don't list it."