[SURBL-Discuss] Redirects and obfuscated urls

Jeff Chan jeffc at surbl.org
Tue Apr 13 03:36:09 CEST 2004


On Tuesday, April 13, 2004, 2:07:58 AM, John Fawcett wrote:
> I saw a post on NANAE over the weekend about surbl
> and it looks like one of the best ideas I've seen.

:blush:  Thanks, as I recently mentioned off list we
can hope it's one of those ideas that's obvious
afterwards.  Actually many people wanted to do
something like this.  It's been a thrill to actually
do it and see it work pretty well so far. The support
from everyone has been fantastic too.

> Almost every spam mail I get contains a spamvertized
> domain, so with good data this method has the potential to
> block nearly 100% of spam.

> Spamvertized domains are an essential resource for
> spammers and are usually longer lived than the
> abused servers used to send out spam runs.

Indeed.  sc.surbl.org hit rates are running about 60%.
We hope to increase that significantly in the next
version of the data engine.  The general strategy is
mentioned in the thread:

  http://lists.surbl.org/pipermail/discuss/2004-April/000002.html

> I've set up SpamAssassin and SpamCopURI.
> I've checked the emails which are not being picked
> up by surbl and there is a recurring pattern:
> 1) Redirects
> 2) Obfuscated urls

> For example, this was not picked up.
> <a href=http://drs.yahoo.com/higherillomened./mensuraltalk/*%68ttp://enginery.shopinternetbuy.biz/%75n%73ub.html target=_blank>

> shopinternetbuy.biz is in sc.surbl.org.

> The logic of the parsing engine needs to be
> enhanced to deal with these cases. This is
> probably only the start, because spammers
> will find other ways to get around surbl
> once it starts being used widely.

Yes, we had been making similar noises on the
spamassassin-developers list and we have opened a bugzilla about
a redirect handling feature for SpamAssassin 3.0 URIBL at:

  http://bugzilla.spamassassin.org/show_bug.cgi?id=3261

Jeff C.
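
The redirect and percent-encoding case discussed in this message, as an added example that is not part of the original post and is not SpamAssassin or SpamCopURI code: it decodes a URI, pulls out any URI nested inside it, and builds the names to query by prepending each registered domain to the list zone. The function names and the small two-level suffix set are assumptions made for illustration; hosts given as numeric IPs are skipped.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample: the href quoted in the message above, rejoined.
SAMPLE = ("http://drs.yahoo.com/higherillomened./mensuraltalk/"
          "*%68ttp://enginery.shopinternetbuy.biz/%75n%73ub.html")

# Assumption: a tiny stand-in for a full public-suffix list.
TWO_LEVEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}
SCHEME = re.compile(r"https?://", re.IGNORECASE)


def decode_fully(uri, max_rounds=5):
    """Percent-decode until stable, so double encoding (%2568ttp) is caught."""
    for _ in range(max_rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri


def embedded_uris(uri):
    """Return the outer URI followed by every URI nested inside it."""
    decoded = decode_fully(uri)
    starts = [m.start() for m in SCHEME.finditer(decoded)]
    return [decoded[s:] for s in starts] or [decoded]


def registered_domain(host):
    """Reduce a hostname to the domain a URI blocklist would list."""
    labels = host.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def surbl_queries(uri, zone="sc.surbl.org"):
    """DNS names to look up for one URI, redirect targets included."""
    names = []
    for candidate in embedded_uris(uri):
        host = urlsplit(candidate).hostname
        # Numeric IP hosts need a different lookup form; skipped here.
        if not host or host.replace(".", "").isdigit():
            continue
        name = f"{registered_domain(host)}.{zone}"
        if name not in names:
            names.append(name)
    return names
```

For the sample, the redirector's own domain and the redirect target both come back as lookup names, so a scanner that queries every returned name sees the listed domain even though it never appears as the href's host.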


