[SURBL-Discuss] Redirects and obfuscated urls
Jeff Chan
jeffc at surbl.org
Sun Oct 31 14:11:27 CET 2004
On Tuesday, April 13, 2004, 2:07:58 AM, John Fawcett wrote:
> I saw a post on NANAE over the weekend about surbl
> and it looks like one of the best ideas I've seen.
:blush: Thanks, as I recently mentioned off list we
can hope it's one of those ideas that's obvious
afterwards. Actually many people wanted to do
something like this. It's been a thrill to actually
do it and see it work pretty well so far. The support
from everyone has been fantastic too.
> Almost every spam mail I get contains a spamvertized
> domain, so with good data this method has the potential to
> block nearly 100% of spam.
> Spamvertized domains are an essential resource for
> spammers and are usually longer lived then the
> abused servers used to send out spam runs.
Indeed. sc.surbl.org hit rates are running about 60%.
We hope to increase that significantly in the next
version of the data engine. The general strategy is
mentioned in the thread:
http://lists.surbl.org/pipermail/discuss/2004-April/000002.html
> I've set up SpamAssassin and SpamCopURI.
> I've checked the emails which are not being picked
> up by surbl and there is a recurring pattern:
> 1) Redirects
> 2) Obfuscated urls
> For example, this was not picked up.
> <a
> href=http://drs.yahoo.com/higherillomened./mensuraltalk/*%68ttp://enginery.s
> hopinternetbuy.biz/%75n%73ub.html target=_blank>
> shopinternetbuy.biz is in sc.surbl.org.
> The logic of the parsing engine needs to be
> enhanced to deal with these cases. This is
> probably only the start, because spammers
> will find other ways to get around surbl
> once it starts being used widely.
Yes, we had been making similar noises on the
spamassassin-developers list and we have opened a bugzilla about
a redirect handling feature for SpamAssassin 3.0 URIBL at:
http://bugzilla.spamassassin.org/show_bug.cgi?id=3261
Jeff C.
More information about the Discuss
mailing list