[SURBL-Discuss] use of surbl to check non-body content?

Steven Champeon schampeo at hesketh.com
Wed Oct 12 05:54:26 CEST 2005


on Tue, Oct 11, 2005 at 04:55:30PM -0700, Jeff Chan wrote:
> On Tuesday, October 11, 2005, 10:42:28 AM, Steven Champeon wrote:
> 
> > I've noticed that SURBL (and URIBL, who I will contact later) lists
> > several domains that have appeared in spam header contents as well as in
> > body contents. I'd like to use SURBL (probably multi) as an optional
> > domains BL check against headers known to contain domains, such as
> > the Message-ID, From, and Reply-To headers, a la
> 
> > Message-Id: <200510020442.j924gBkv021479 at expoactive.net>
> > From: ExpoActive <advertising at expoactive.net>
> > Reply-To: advertising at expoactive.net
> 
> Are these spams being sent from zombies?  If not, then we
> possibly should not be listing them.  If they're sending from
> their own mailservers then it's vastly more efficient to just
> block their IPs at a low level, i.e., regular (local or global)
> RBL. 

You misunderstand me, I think. I'm not deliberately listing any domains
in SURBLs, I'm proposing using SURBL's DNS zone (e.g. "multi") to
check domains that may be embedded in headers such as From, Reply-To,
and Message-Id, where they are often used to direct bounces and replies
back to the domain owners, while evading the meager blocks on sender
host/domain and/or SMTP Rcpt To, or used as tracking devices. 

> Regarding using SURBLs on headers, I guess I'd view that as
> mission creep and somewhat away from our original focus of URI
> domains.

I'm not asking for SURBLs to list domains found in headers, I'm
suggesting that domains found in SURBLs because of their use in the
bodies of spam may also be found on occasion in less-inspected message
headers of spam that may also find them in the body.

I'm just trying to reduce my spam inspection workload here by using
reliable sources of known spammy domains to allow rejection of the
message without body inspection (which in SA and procmail, et al
requires that the message be accepted and inspection undertaken prior to
delivery). I estimate that some 30% or more of spam we'd accepted and
delivered or quarantined could have been rejected during the SMTP
conversation, using SURBLs.
 
> Do any spam gangs put the URI domain on their headers when they
> use zombies?  Seems to me they tend to forge everything except
> the URI.

I don't know. But I do know that spammer domains - listed in SURBL and
URIBL already - do tend to be found in headers likely to direct replies
back to the spammer, and which may contain tracking devices also useful
to the spammer (when inserted by compliant clients as References: or
In-Reply-To: in the reply). I'm advocating rejecting these known spammy
messages, which would otherwise be caught/tagged by SURBLs after
delivery (and delivered or quarantined, after which it's in the hands of
users to know whether or not to reply to ask to be removed), during
the SMTP conversation, not after.

-- 
hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2554 w: http://hesketh.com
antispam news, solutions for sendmail, exim, postfix: http://enemieslist.com/
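The check Steven is proposing, as an added example that is not part of the original thread or of SURBL's own software: pull the domains out of From, Reply-To and Message-ID, reduce each to a registered domain, and look it up under the SURBL "multi" zone the way a body-URI check would. It assumes the zone name multi.surbl.org and the convention that a listed name answers with an A record in 127.0.0.0/8 whose last octet is a list bitmask; the sample message, the domains in it and the offline resolver are constructed so the block runs without network access. Reducing a hostname to its last two labels is a simplification (it ignores two-part public suffixes such as co.uk), and IP-literal hosts, which SURBL queries in a different form, are skipped.

```python
"""Check domains found in mail headers against a SURBL-style DNS zone."""
import re
import socket
from email import message_from_string
from email.utils import getaddresses

# Assumption: SURBL's combined zone; a listed name answers with an A record in 127.0.0.0/8
SURBL_ZONE = "multi.surbl.org"
# The headers the thread proposes checking in addition to body URIs
CHECKED_HEADERS = ("From", "Reply-To", "Message-ID")


def registered_domain(host):
    """Reduce a hostname to its last two labels (simplified: ignores two-part public suffixes)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def header_domains(raw_message):
    """Map each registered domain to the set of checked headers it appeared in."""
    msg = message_from_string(raw_message)
    found = {}
    for name in CHECKED_HEADERS:
        for value in msg.get_all(name, []):
            hosts = []
            if name == "Message-ID":
                # Message-ID is <local-part@domain>; take the host after the '@'
                m = re.search(r"@([A-Za-z0-9.-]+)", value)
                if m:
                    hosts.append(m.group(1))
            else:
                # From / Reply-To may carry several addresses; keep the domain of each
                hosts.extend(addr.rsplit("@", 1)[1]
                             for _, addr in getaddresses([value]) if "@" in addr)
            for h in hosts:
                if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", h):
                    continue  # IP literals use a reversed query form; not handled here
                found.setdefault(registered_domain(h), set()).add(name)
    return found


def surbl_query_name(domain, zone=SURBL_ZONE):
    """Name to look up: <registered-domain>.<zone>."""
    return f"{domain}.{zone}"


def dns_resolve(name):
    """Default resolver: A records for name, or [] when it does not exist (not listed)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def listing_code(answers):
    """Bitmask from a 127.0.0.X answer, or 0 when no answer is a listing (guards against wildcard DNS)."""
    for a in answers:
        octets = a.split(".")
        if len(octets) == 4 and octets[:3] == ["127", "0", "0"]:
            return int(octets[3])
    return 0


def check_message(raw_message, resolve=dns_resolve):
    """One DNS lookup per distinct header domain; returns the hits that would justify an SMTP-time reject."""
    hits = []
    for domain, headers in sorted(header_domains(raw_message).items()):
        code = listing_code(resolve(surbl_query_name(domain)))
        if code:
            hits.append({"domain": domain, "code": code, "headers": sorted(headers)})
    return hits


# Constructed sample messages, modelled on the header shapes quoted in the thread (not real mail)
SAMPLE_SPAM = """\
Message-Id: <200510020442.j924gBkv021479@mail.spammer-tracking.example>
From: Promo Desk <advertising@spammer-tracking.example>
Reply-To: advertising@spammer-tracking.example
To: victim@example.net
Subject: hello

body
"""

SAMPLE_CLEAN = """\
Message-Id: <abc123@mx.legit.example>
From: Alice <alice@legit.example>
Subject: hi

body
"""

# Constructed offline stand-in for the real zone: only one hypothetical domain is listed
FAKE_ZONE = {"spammer-tracking.example.multi.surbl.org": ["127.0.0.8"]}


def fake_resolve(name):
    return FAKE_ZONE.get(name, [])


if __name__ == "__main__":
    print(check_message(SAMPLE_SPAM, fake_resolve))
    print(check_message(SAMPLE_CLEAN, fake_resolve))
```

Because the lookup only needs the header block, a milter or policy daemon can run check_message() at end-of-DATA and return a 5xx before accepting the body, which is the point Steven makes about avoiding post-delivery inspection. Replace fake_resolve with the default dns_resolve to query the live zone, and keep the 127.0.0.0/8 test: a resolver that rewrites NXDOMAIN into a real IP would otherwise make every domain look listed.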