[SURBL-Discuss] Probable new data source: DNS queries hittingspamhaus lists

Rob McEwen rob at powerviewsystems.com
Wed Nov 10 14:25:43 CET 2004


>>we've started to check a sampling
>>of SURBL name server queries against
>>sbl and xbl.spamhaus.org.

Jeff,

For months now, I've been converting domains within messages to IP address
and checking these (along with raw IP addresses) against
"sbl-xbl.spamhaus.org". This was a final stage of filtering where almost all
spam had already been caught. This way, I could audit these and not have a
mountain of spam messages to audit.

>From all of the "hands on" analysis that I've done, I have some suggestions.

1st, if you are converting domains to IPs and then checking these IPs
against spamhaus, you may have to make sure your system can whitelist the
domains **before** conversion to IP since the IPs can change without notice.

2nd, SpamHaus keeps listing the following:
msn.click-url.com, (& variations)
(These show up FREQUENTLY in hams, so I'd Whitelist these up front. They
seem to go in an out of SpamHaus intermittently.)
FOR EXAMPLE:
msn.click-url.com = 216.39.69.75
http://www.spamhaus.org/query/bl?ip=216.39.69.75
...points to...
http://www.spamhaus.org/sbl/sbl.lasso?query=SBL20705

3rd, in fact, SpamHaus is going to list a lot of greymarketers that
shouldn't be listed in SURBL (flowgo, euniverse, etc)

4th, most of the FPs I find in SpamHaus are XBL listings where the data
source for that particular FP was http://cbl.abuseat.org/

CBL catches a LOT of spam... but it also periodically will list the
mailserver for respected IPS where that ISP had one user who send out a
bunch of spam and then CBL listed the IP address of that server.
Unfortunately, this creates a lot of collateral damage. Recently, I
experienced this with one of my clients's customer's BellSouth E-mail
services. (I don't know the ratio of XBL stuff via CBL versus XBL stuff from
other sources. I'd be curious to know this.)

Jeff, very likely, (I have a feeling) I've misunderstood your original
intended use of SpamHaus? But maybe this information will be helpful anyway?
I would definitely recommend NOT using the strategy I've described as an
**automatic** way to get listed in SURBL. This would defeat MOST of the hard
work we've done to minimize FPs. But, on the other hand, there are many
great possibilities here for using this as a tool for evaluating URIs or as
a honeypot for queuing URIs for evaluation where the URI wasn't already in
SURBL.

Rob McEwen





More information about the Discuss mailing list