[SURBL-Discuss] Re: Jeff's whitelists

[Jeff Chan]

On Saturday, July 17, 2004, 3:30:59 PM, Frank Ellermann wrote:
> Jeff Chan wrote:

>> It sounds like a spammer is abusing spamarrest.com's
>> services. Is that correct?

> No.  The spammer uses one of his zombies (probably), some
> arbitrary address as "From", and another arbitrary address
> as "To".  The "To" address happens to be a customer of
> spamarrest, and the "From" address in this example was...

> drussell_tb AT xyzzy.claranet.de

> Of course that's a bogus address, the spammers simply combine
> local parts like "drussel" plus junk like "_tb" with catch-all
> domains like xyzzy.claranet.de (in fact only "my" vanity host).

> The spam is then sent to the spamarrest address (in this
> example From: drussel_tb at xyzzy To: anneliese at spamarrest)

> Spamarrrest doesn't know drussel_tb at xyzzy and therefore it
> sends a challenge to this address (= me).  Because I'm not
> planning to sort Anneliese's spam I report this challenge
> via SC.

>> that should be reported back to spamarrest as abuse.

> Exactly, that's what I do (using SC, several manual complaints
> had no effect at all).

>> Or is spamarrest *originating* these messages purely
>> themselves?

> No, that's very unlikely.

OK That's pretty much how I was reading things.  I don't
think we should list spamarrest because there could be
legitimate users of it and we don't want messages that
happen to mention spamarrest as that could easily lead
to false positives.  Remember that our standards of
inclusion need to be higher than for personal use,
regular sender domain or IP RBLs, etc. because the
effects of URI blocking are a lot more widespread than
the effects of blocking one zombied PC somewhere.

The quick answer is that spamarrest should authenticate
it's senders, perhaps in the same way as they authenticate
their recipients.   If they're not doing something like
that, then their design is broken, but having a broken
design is not enough reason to list them.

Jeff C.


Jeff C.