[SPAM-TAG] [SURBL-Discuss] URIBL and PTR records

Jeff Chan jeffc at surbl.org
Fri May 13 00:31:06 CEST 2005


On Thursday, May 12, 2005, 2:20:02 PM, wolfgang wolfgang wrote:
> When browsing unsubscribe links like http://www.signoffcorp.biz/uns.htm to
> enter a spamtrap address I just noticed that quite a few of the pages look
> extremely similar, DNS lookups show:

> $ host www.signoffcorp.biz
> www.signoffcorp.biz has address 217.107.217.8
> $ host www.bestcds.biz
> www.bestcds.biz has address 217.107.217.8
> $ host www.wonder-pills.com
> www.wonder-pills.com has address 217.107.217.8
> $ host www.multimed.ws
> www.multimed.ws has address 217.107.217.8

> $ host 217.107.217.8
> 8.217.107.217.in-addr.arpa is an alias for 8.0/27.217.107.217.in-addr.arpa.
> 8.0/27.217.107.217.in-addr.arpa domain name pointer webrider.ru.
> $ host webrider.ru
> webrider.ru has address 217.107.216.26

> So I wonder if it is possible (or already done) to also list (and save) the
> IPs of URIBL listed domains and check newly queried, yet unlisted domains
> against those IPs.

> Any comments?

Yes, spammers often use the same IP addresses or networks for
their hosting infrastructure.  It's one of the reasons the
sbl.spamhaus.org IP RBLs work well for detecting spam, for
example with uridnsbl in SpamAssassin 3.

  http://spamassassin.apache.org/full/3.0.x/dist/doc/Mail_SpamAssassin_Plugin_URIDNSBL.html

SURBLs will remain lists of mostly domains because IP lists of
web hosting in particular can easily lead to false positives.
If one domain on a shared web hosting server gets used for spam,
and the IP of that server were listed and checked, then all other
web sites on that server (on the same IP) could get identified as
spammy, even if they're not.  That's too much collateral damage
(harming innocent bystanders) for us.  Instead we list domains
which specifically appear in spam.  That way only the spam sites
get listed.

That said, we will be using resolved IP addresses to bias
inclusion on sc.surbl.org in future.  In other words we will
detect the spammers' infrastructure and include new domains
much sooner if they are found to be in that infrastructure.

This is addressed in the FAQ as:

  http://www.surbl.org/faq.html#numbered

Cheers,

Jeff C.
--
Don't harm innocent bystanders.
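
The following is an added example, not part of the original message and not SURBL's code. It sketches one way resolved IPs could bias inclusion without listing the IP itself: a new domain needs fewer spam sightings when its IP hosts mostly listed domains, while a shared-hosting IP with one bad tenant changes nothing. The thresholds, function names and the `.example` / 192.0.2.10 entries are assumptions constructed for illustration.

```python
from collections import defaultdict

# Listed domains whose www hosts resolved to this address in the thread above,
# plus one constructed listed domain on a constructed shared-hosting IP.
LISTED = {
    "signoffcorp.biz": "217.107.217.8",
    "bestcds.biz": "217.107.217.8",
    "wonder-pills.com": "217.107.217.8",
    "multimed.ws": "217.107.217.8",
    "bad-tenant.example": "192.0.2.10",
}
# Constructed: unlisted domains known to resolve to the same addresses.
UNLISTED_SEEN = {
    "192.0.2.10": {"blog-a.example", "shop-b.example", "club-c.example", "wiki-d.example"},
}

# Assumed thresholds, chosen for illustration only.
BASE_REPORTS = 10           # spam sightings normally needed before listing
BIASED_REPORTS = 3          # sightings needed on known spam infrastructure
MIN_LISTED = 3              # listed domains an IP must host to count
MIN_LISTED_FRACTION = 0.75  # and the share of its known domains that are listed


def ip_profile(listed, unlisted_seen):
    """Map each IP to (listed domain count, listed fraction of known domains)."""
    by_ip = defaultdict(set)
    for domain, ip in listed.items():
        by_ip[ip].add(domain)
    profile = {}
    for ip, domains in by_ip.items():
        total = len(domains) + len(unlisted_seen.get(ip, ()))
        profile[ip] = (len(domains), len(domains) / total)
    return profile


def reports_required(ip, profile):
    """Lower the bar only for IPs that look dedicated to listed domains."""
    count, fraction = profile.get(ip, (0, 0.0))
    if count >= MIN_LISTED and fraction >= MIN_LISTED_FRACTION:
        return BIASED_REPORTS
    return BASE_REPORTS


def should_list(ip, report_count, profile):
    """A domain is listed on its own spam sightings; the IP never lists it alone."""
    return report_count >= reports_required(ip, profile)
```

A domain with zero sightings is never listed, whatever its IP, which keeps the result a domain list rather than an IP list.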


