[SURBL-Discuss] Re: Spam Honeypot identification through SURBL

Jeff Chan jeffc at surbl.org
Fri Mar 11 02:08:09 CET 2005


On Thursday, March 10, 2005, 9:01:07 AM, Matthew Wilson wrote:
> Jeff (and list),

> I'm worried that spammers can use SURBL to identify honeypot email
> servers by using unique subdomains.  A spammer must merely send a unique
> subdomain URL to every address on their list, and if that unique
> subdomain is blacklisted in SURBL, they have identified a potential
> honeypot and will no longer send spam to that address/server.  

> It is therefore my humble opinion that only the second-to-top domain
> name should be listed in SURBL, and not any of the subdomains.

Yes, we discard subdomains:

  http://www.surbl.org/faq.html#random

> How are randomized URI subdomains or host names handled?
> The randomized subdomain problem is solved by extracting the
> base domain on both the SURBL data and message-checking client
> sides then comparing those base domains. In this way any random
> stuff added to the base domain is ignored. (The base domain is
> what would be registered with a name registrar.) 
> 
> We've seen quite a few randomized or customized (to a username
> for example) host names in some of the top pharmaspam sites.
> There are different possible reasons for the randomization: to
> add chaos to the names to throw off message body checkers, or
> perhaps to "key" spam site web visits to specific mailings in
> order to build a confirmed mailing list. (Such confirmed
> mailing lists themselves are probably a valuable commodity to
> sell to other spammers.) Randomization doesn't throw us off
> though; we catch them from the base domain part, which can't
> change. 


Jeff C.
--
"If it appears in hams, then don't list it."
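The base-domain extraction the FAQ describes, as an added example (not code from the thread or from SURBL): every host name found in a message is reduced to its registrable domain before the lookup name is built, so recipient-keyed subdomains in a mailing all collapse to one listed name. The public-suffix set, the sample bodies and the host names are constructed for illustration; a real client must use the full Public Suffix List.

```python
import re

# Constructed, deliberately tiny stand-in for a public-suffix list.
# A real implementation must use the full Public Suffix List.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "org.uk"}

URI_HOST_RE = re.compile(r"https?://([a-z0-9.-]+)", re.IGNORECASE)


def base_domain(hostname: str) -> str:
    """Return the registrable ("second-to-top") domain of a host name.

    Labels left of the registrable domain are discarded, so a random or
    per-recipient subdomain collapses to the same base domain.
    """
    labels = hostname.lower().rstrip(".").split(".")
    # Walk suffixes from the right; the longest known public suffix wins.
    for n in range(len(labels) - 1, 0, -1):
        suffix = ".".join(labels[-n:])
        if suffix in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    # Unknown TLD: fall back to the last two labels.
    return ".".join(labels[-2:])


def hosts_in_body(body: str) -> list[str]:
    """Host names of all http(s) URIs in a message body."""
    return [m.group(1) for m in URI_HOST_RE.finditer(body)]


def surbl_query_name(hostname: str, zone: str = "multi.surbl.org") -> str:
    """DNS name a client looks up: base domain prepended to the list zone."""
    return f"{base_domain(hostname)}.{zone}"


def mailing_base_domains(bodies: list[str]) -> set[str]:
    """Distinct base domains across several copies of one mailing."""
    return {base_domain(h) for body in bodies for h in hosts_in_body(body)}


# Constructed sample: three copies of one mailing, each host keyed to a recipient.
SAMPLE_BODIES = [
    "Buy now http://u8f3k2.pharma-example.com/offer",
    "Buy now http://zq91xx.pharma-example.com/offer",
    "Buy now http://trap-a.pharma-example.com/offer",
]

if __name__ == "__main__":
    print(mailing_base_domains(SAMPLE_BODIES))   # {'pharma-example.com'}
    print(surbl_query_name("x.y.example.co.uk"))  # example.co.uk.multi.surbl.org
```

Because all three copies yield one base domain and one query name, a listing reveals nothing about which recipient's copy was reported.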
