A lot of web sites have been infected by criminal spammers in the past
couple of years. More recently, massive amounts of legitimate web sites
run by non-spammers which used older versions of WordPress (in
particular)... have had their web sites hacked into by criminal
spammers. The WordPress exploit is epidemic. Since most of these sites
are legitimate, they are difficult to blacklist because blacklisting
them does cause some amount of collateral damage (though usually a very
acceptable and targeted amount of collateral damage--given the
circumstances). The problem here is that the SAME algorithms which help
the better domain-based anti-spam blacklists to NOT have false
positives--OFTEN--also prevent THESE sites from getting
blacklisted--even when the infection is active. Those are arguably False
Negatives, especially in the more extreme cases when much spam is
spewing, with relatively little legit mail containing these domains!
Plus, feeling sorry for the site owner's "collateral damage" is like
thinking that it is unfair that someone with a highly contagious
disease, who got it from irresponsible behavior (dirty needle, etc),
wasn't allowed to walk in a crowded public area. When a web site
is hosting such malicious content, the web site owner SHOULD lose some
privileges until such time that they've cleaned up their mess.
Because of this situation, some changes were made to the invaluementURI
domain blacklist (ivmURI) about 1 or 2 years ago... to enable it to
better surgically target THESE types of exploited domains, yet with a
reasonable balance that (hopefully) wouldn't trigger too many FPs. So
far, that has been highly successful and I see evidence that other such
lists (surbl, uribl, and SpamHaus's DBL list) have made some
improvements in this area too.
For example, ivmURI had THIS particular domain blacklisted for over a
week now (with nobody else listing it!)... and I seem to recall two such
messages slipping through just weeks ago where the domain in one was
only on SpamHaus' DBL list, and the other was only listed on ivmURI. (or
was that the SA list where I saw those 2 messages?)
Even as I type this, ivmURI seems to be the only blacklist which has
"globalreagents DOT com" blacklisted, fwiw
--
Rob McEwen
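The trade-off described in the message above (a listing rule tuned to avoid false positives on domains with a long legitimate history will also miss a legitimate domain while it is actively spewing spam, and a rule that looks only at a recent window will catch it) is easy to see in a toy model. The following is an added example, not code from the original post and not ivmURI's, SURBL's, URIBL's or DBL's actual algorithm; the domain names, counts, thresholds and window size are all constructed for illustration.

```python
"""Toy comparison of two URI-blacklist listing policies.

Hypothetical model only: real lists use far more signals than a
spam/ham count per domain.  Observations are per-day counts of spam
and ham messages that contained a URL on the given domain.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Obs:
    day: int       # day number of the observation
    domain: str    # domain seen in message URLs
    spam: int      # spam messages carrying a URL on this domain that day
    ham: int       # legitimate messages carrying such a URL that day


def lifetime_policy(obs, domain, min_spam=50, min_ratio=0.90):
    """List only if spam dominates over the domain's WHOLE history.

    This is the FP-averse rule: a domain with lots of legitimate mail
    behind it is very hard to list, even while it is actively abused.
    """
    spam = sum(o.spam for o in obs if o.domain == domain)
    ham = sum(o.ham for o in obs if o.domain == domain)
    if spam < min_spam:               # too little evidence to list at all
        return False
    return spam / (spam + ham) >= min_ratio


def recent_burst_policy(obs, domain, today, window=3,
                        min_spam=50, min_ratio=0.90):
    """List if spam dominates within the last `window` days only.

    Surgical rule: a newly hacked site gets listed while the spam run is
    active and drops off again once the owner cleans it up, because the
    older legitimate history is deliberately ignored.
    """
    recent = [o for o in obs
              if o.domain == domain and today - window < o.day <= today]
    spam = sum(o.spam for o in recent)
    ham = sum(o.ham for o in recent)
    if spam < min_spam:
        return False
    return spam / (spam + ham) >= min_ratio


def build_sample(cleaned_up=False):
    """Constructed sample data (not real traffic).

    hacked-blog.example : 30 clean days of 10 ham/day, then 3 days of a
                          spam run (200 spam/day) from a compromised site.
    spam-only.example   : never seen in ham, 40 spam/day for 3 days.
    big-legit.example   : 1000 ham/day with a trickle of 5 spam/day
                          (forwarded newsletters, quoted URLs).
    With cleaned_up=True, hacked-blog gets 3 further clean days.
    """
    obs = []
    for day in range(1, 31):
        obs.append(Obs(day, "hacked-blog.example", 0, 10))
    for day in range(31, 34):
        obs.append(Obs(day, "hacked-blog.example", 200, 10))
        obs.append(Obs(day, "spam-only.example", 40, 0))
    for day in range(1, 34):
        obs.append(Obs(day, "big-legit.example", 5, 1000))
    if cleaned_up:
        for day in range(34, 37):
            obs.append(Obs(day, "hacked-blog.example", 0, 10))
    return obs


def classify(obs, today):
    """Return {domain: (listed_by_lifetime, listed_by_recent_burst)}."""
    domains = sorted({o.domain for o in obs})
    return {d: (lifetime_policy(obs, d), recent_burst_policy(obs, d, today))
            for d in domains}


if __name__ == "__main__":
    for label, data, today in (("during spam run", build_sample(), 33),
                               ("after cleanup", build_sample(True), 36)):
        print(label)
        for dom, (life, burst) in classify(data, today).items():
            print(f"  {dom:22} lifetime={life!s:5} recent_burst={burst!s:5}")
```

During the spam run the lifetime rule keeps hacked-blog.example off the list (600 spam against 330 ham is a 0.65 ratio, well under the 0.90 bar) while the windowed rule lists it (600 against 30); spam-only.example is listed by both, big-legit.example by neither. Three clean days later the windowed rule drops hacked-blog.example again, which is the "lose some privileges until they've cleaned up their mess" behaviour the message argues for.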