[SURBL-Discuss] Spammer Anti-SURBL tactic

Chris Santerre csanterre at MerchantsOverseas.com
Tue Mar 8 15:49:07 CET 2005



>-----Original Message-----
>From: Jeff Chan [mailto:jeffc at surbl.org]
>Sent: Tuesday, March 08, 2005 2:22 AM
>To: SURBL Discussion list
>Subject: Re: [SURBL-Discuss] Spammer Anti-SURBL tactic
>
>
>On Monday, March 7, 2005, 9:07:37 PM, Steven Champeon wrote:
>
>> Speaking of anti-SURBL tactics, I got this turdlet today (snippet
>> of HTML email below):
>
>> <DIV>We are giving out Free Import / Export / Wholesales/ Distributers /
>> Retailers&nbsp; Contact Database</DIV>
>> <DIV>&nbsp;</DIV>
>> <DIV>If You interested Pls get at Following URL</DIV>
>> <DIV>&nbsp;</DIV>
>> <DIV><A onmouseover="window.status='http://www.impexp-data.com';return true;"
>> onmouseout="window.status=' ';return true;"
>> href="http://indigisys.com/chawla1/open.htm" target=_blank>Business =
>> Database</A> </DIV>
>> <DIV>&nbsp;</DIV>
>> <DIV>Free Business / Marketing Tools&nbsp;( Free SMS to All over world Unl=
>> imited )&nbsp;</DIV>
>> <DIV><A
>> onmouseover="window.status='http://www.impexp-data.com/sms';return true;"
>> onmouseout="window.status=' ';return true;"
>> href="http://indigisys.com/chawla1/open.htm" target=_blank>FREE SMS = Tools
>> </A></DIV>
>
>> It *looks* like whoever owns indigisys.com wants to hide the fact
>> that they're actually indigisys.com by pretending to be impexp-data.com,
>> which doesn't exist. Does SURBL's lookup code catch this?
>
>SpamAssassin 2.64 running SpamCopURI seems to check both domains:
>
>debug: checking url: http://indigisys.com/chawla1/open.htm
>debug: returning cached data :  indigisys.com.multi.surbl.org -> ARRAY(0x9351f4c)
>debug: Receieved match prefix: 127.0.0
>debug: Receieved mask: 32
>debug: no match
>
>debug: checking url: http://www.impexp-data.com';return
>debug: returning cached data :  impexp-data.com.multi.surbl.org -> ARRAY(0x9386f58)
>debug: Receieved match prefix: 127.0.0
>debug: Receieved mask: 32
>
>As does SpamAssassin 3.0.1:
>
>debug: URIDNSBL: query for indigisys.com took 0 seconds to look up (multi.surbl.org.:indigisys.com)
>debug: URIDNSBL: query for impexp-data.com took 0 seconds to look up (multi.surbl.org.:impexp-data.com)
>
>
>Those are the only SURBL applications I have easy access to, so I
>don't know how others may handle them.  SpamAssassin does the
>right thing.  :-)
>

Not only that, but the SARE rules look for this trick as well. Every time
they try to get around something, spammers end up painting themselves into a
corner.

--Chris 
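
An added example, not part of the original thread and not code from SpamAssassin, SpamCopURI or the SARE rules: a small Python check that pulls domains out of both the `href` and the `on*` event-handler attributes of the quoted anchor, builds the `multi.surbl.org` query name for each, and flags the shown-versus-real mismatch. The names `base_domain`, `AnchorAudit` and `audit` are hypothetical, the two-label domain rule is a simplifying assumption, and no DNS lookup is performed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s'\"<>;]+", re.I)

def base_domain(url):
    # Assumption for brevity: the last two host labels are the registered
    # domain. Real clients also consult a list of two-level TLDs.
    try:
        host = (urlsplit(url).hostname or "").rstrip(".")
    except ValueError:          # malformed authority, e.g. unbalanced brackets
        return ""
    return ".".join(host.split(".")[-2:])

class AnchorAudit(HTMLParser):
    """Collects every domain in a tag, including those inside on* handlers."""
    def __init__(self):
        super().__init__()
        self.domains, self.mismatches = set(), set()

    def handle_starttag(self, tag, attrs):
        target, shown = set(), set()
        for name, value in attrs:
            found = {base_domain(u) for u in URL_RE.findall(value or "")} - {""}
            self.domains |= found
            if name == "href":
                target |= found
            elif name.startswith("on"):   # onmouseover, onmouseout, ...
                shown |= found
        # Domain shown to the user that differs from where the link goes.
        self.mismatches |= {(s, t) for s in shown - target for t in target}

def audit(html, zone="multi.surbl.org"):
    """Return (DNS names to query, sorted (shown, real) mismatch pairs)."""
    parser = AnchorAudit()
    parser.feed(html)
    parser.close()
    return sorted(f"{d}.{zone}" for d in parser.domains), sorted(parser.mismatches)

# First anchor from the quoted spam, with the mail-wrapped lines rejoined.
SAMPLE = (
    "<DIV><A onmouseover=\"window.status='http://www.impexp-data.com';return true;\" "
    "onmouseout=\"window.status=' ';return true;\" "
    "href=\"http://indigisys.com/chawla1/open.htm\" target=_blank>Business Database</A></DIV>"
)

if __name__ == "__main__":
    print(audit(SAMPLE))
```
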

