[SURBL-Discuss] general questions.....

Rob McEwen (PowerView Systems) rob at powerviewsystems.com
Thu Nov 18 20:44:56 CET 2004


> Have any of you seen fewer spams? I don't see many these days. 

Chris,

Overall, I'm getting less and less spam. I think that SURBL is getting better, some graymarketers are cleaning up their acts, and my rules-based filtering is also improving.

However, a few days ago, I started getting slammed with mortgage spam using the following domains:

dalehaym.biz
dalehay.biz
daleqhay.biz
damphenm.biz
darbherm.biz
darbhero.biz
darbkher.biz
rbkher.biz
(& others)

An example spam is found here:

http://www.pvsys.com/recentspamsample.txt

In this example, the domain is:

darbherm.biz

...but darbherm.biz doesn't resolve to anything. However, usa.darbherm.biz DOES resolve. (Of course, you have to go to the actual URL to get to a substantive page... see actual e-mail). 

(1) Could the fact that the baseline domain doesn't resolve have tricked us into thinking that these were no longer active?

(2) Also, in a not-quite-applicable but related thought, should we rethink the policies for removing "dead" domains out of SURBL if they STILL appear in spams. For example, suppose a virus sends out the same spam for a now defunct domain over and over again... shouldn't such a domain STILL be listed in SURBL?

Finally, maybe these particular domains I listed at the top of this message are not in SURBL because of having legit uses?

But I must say that this particular "series" of spam came all of a sudden and ferociously frequent. For example, a couple of my clients would be getting at least a couple of dozen of these SAME e-mails **per day** if I hadn't adjusted my rules-based filter to screen these out. Clearly, this kind of behavior where the spam is sent repeatedly each day is NOT playing by the rules.

Rob McEwen
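
Added example, not part of the original message and not SURBL's own code: a liveness check for question (1) that tests the hostnames actually advertised in the spam body as well as the base domain, so a domain whose apex does not resolve is not written off as dead. The sample message, the placeholder paths, the gone.example name and the DNS table are constructed; the two-label base-domain rule is a simplifying assumption.

```python
import re
import socket
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def hosts_by_domain(text):
    """Map each base domain to the full hostnames seen in the message's URLs."""
    seen = {}
    for url in URL_RE.findall(text):
        host = (urlsplit(url).hostname or "").rstrip(".").lower()
        labels = host.split(".")
        if len(labels) < 2 or host.replace(".", "").isdigit():
            continue  # skip bare names and IPv4 literals
        # Assumption: base domain = last two labels (true for .biz);
        # production code needs a public-suffix list for names like co.uk.
        seen.setdefault(".".join(labels[-2:]), set()).add(host)
    return seen

def system_resolves(name):
    """Default resolver check; any successful lookup counts as resolving."""
    try:
        socket.getaddrinfo(name, None)
        return True
    except socket.gaierror:
        return False

def liveness(text, resolves=system_resolves):
    """A domain is active if the apex OR any advertised hostname resolves."""
    report = {}
    for domain, hosts in hosts_by_domain(text).items():
        apex_live = resolves(domain)
        live_hosts = sorted(h for h in hosts if h != domain and resolves(h))
        report[domain] = {"apex_live": apex_live, "live_hosts": live_hosts,
                          "active": apex_live or bool(live_hosts)}
    return report

# Constructed sample: hostnames from the post, placeholder paths, plus a
# reserved .example name standing in for a truly dead domain.
SAMPLE = """Lower your rate today: http://usa.darbherm.biz/placeholder-path
Old campaign link: http://www.gone.example/placeholder-path"""
# Constructed DNS state matching the post: only the subdomain resolves.
CONSTRUCTED_DNS = {"usa.darbherm.biz"}

def constructed_resolves(name):
    return name in CONSTRUCTED_DNS

if __name__ == "__main__":
    for domain, result in liveness(SAMPLE, constructed_resolves).items():
        print(domain, result)
```

An apex-only check would report darbherm.biz as inactive here; the per-hostname check keeps it marked active.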


