[SURBL-Discuss] Spammer Anti-SURBL tactic

Jeff Chan jeffc at surbl.org
Tue Mar 8 08:22:21 CET 2005

On Monday, March 7, 2005, 9:07:37 PM, Steven Champeon wrote:

> Speaking of anti-SURBL tactics, I got this turdlet today (snippet
> of HTML email below):

> <DIV>We are giving out Free Import / Export / Wholesales/ Distributers /
> Retailers&nbsp; Contact Database</DIV>
> <DIV>&nbsp;</DIV>
> <DIV>If You interested Pls get at Following URL</DIV>
> <DIV>&nbsp;</DIV>
> <DIV><A onmouseover="window.status='http://www.impexp-data.com';return true;"
> onmouseout="window.status=' ';return true;"
> href="http://indigisys.com/chawla1/open.htm" target=_blank>Business =
> Database</A> </DIV>
> <DIV>&nbsp;</DIV>
> <DIV>Free Business / Marketing Tools&nbsp;( Free SMS to All over world Unl=
> imited )&nbsp;</DIV>
> <DIV><A
> onmouseover="window.status='http://www.impexp-data.com/sms';return true;"
> onmouseout="window.status=' ';return true;"
> href="http://indigisys.com/chawla1/open.htm" target=_blank>FREE SMS = Tools
> </A></DIV>

> It *looks* like whoever owns indigisys.com wants to hide the fact
> that they're actually indigisys.com by pretending to be impexp-data.com,
> which doesn't exist. Does SURBL's lookup code catch this? 

SpamAssassin 2.64 running SpamCopURI seems to check both domains:

debug: checking url: http://indigisys.com/chawla1/open.htm
debug: returning cached data :  indigisys.com.multi.surbl.org -> ARRAY(0x9351f4c)
debug: Receieved match prefix: 127.0.0
debug: Receieved mask: 32
debug: no match

debug: checking url: http://www.impexp-data.com';return
debug: returning cached data :  impexp-data.com.multi.surbl.org -> ARRAY(0x9386f58)
debug: Receieved match prefix: 127.0.0
debug: Receieved mask: 32

As does SpamAssassin 3.0.1:

debug: URIDNSBL: query for indigisys.com took 0 seconds to look up (multi.surbl.org.:indigisys.com)
debug: URIDNSBL: query for impexp-data.com took 0 seconds to look up (multi.surbl.org.:impexp-data.com)

Those are the only SURBL applications I have easy access to, so I
don't know how others may handle them.  SpamAssassin does the
right thing.  :-)

Jeff C.
"If it appears in hams, then don't list it."
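
Added example, not part of the original message and not SpamAssassin's or SpamCopURI's code: a sketch of why both domains get checked, collecting URLs from every attribute of a tag (event handlers included) and deriving the names to query under multi.surbl.org. The names `AttrUrlCollector`, `base_domain` and `surbl_queries` are hypothetical, the two-label domain reduction is a simplifying assumption, and no DNS lookup is performed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample, reduced from the anchor quoted in the message above.
SAMPLE = (
    "<DIV><A onmouseover=\"window.status='http://www.impexp-data.com';return true;\" "
    "onmouseout=\"window.status=' ';return true;\" "
    "href=\"http://indigisys.com/chawla1/open.htm\" target=_blank>Business Database</A></DIV>"
)

# A URL ends at whitespace, a quote or an angle bracket, so "';return" is not swallowed.
URL_RE = re.compile(r"https?://[^\s'\"<>]+", re.IGNORECASE)


class AttrUrlCollector(HTMLParser):
    # Collect URLs from every attribute value, not only href.
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for _name, value in attrs:
            if value:
                self.urls.extend(URL_RE.findall(value))


def base_domain(url):
    # Assumption: last two labels; real clients also use a two-level-TLD list.
    host = (urlsplit(url).hostname or "").rstrip(".")
    return ".".join(host.split(".")[-2:])


def surbl_queries(html, zone="multi.surbl.org"):
    # Return the de-duplicated DNS names a client would look up, in document order.
    collector = AttrUrlCollector()
    collector.feed(html)
    collector.close()
    names = []
    for url in collector.urls:
        domain = base_domain(url)
        name = f"{domain}.{zone}"
        if domain and name not in names:
            names.append(name)
    return names


if __name__ == "__main__":
    print("\n".join(surbl_queries(SAMPLE)))
```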
