On Mon, 29 Dec 2003, Chris Santerre wrote:

> Anywho, I have been checking lots of these against RBLs and many show up in
> SORBS and such. Spam didn't come from these places, only images hosted
> there. I was wondering if possibly in the future, SA could check the URI
> links against RBLs? They all seem to be using the same servers to host now
> after they are blacklisted. This way they still get use out of the hosted
> boxes. Just a thought.

Most RBLs are focused on the sources of SMTP traffic, not so much on
the HTTP side. One spammer trick is to use a DNS server for a web site
that has a short Time-To-Live that rotates thru a whole battery of
addresses of trojaned PCs to relay out their HTTP garbage. Thus the
actual IP address of a spammer URL may not tell you much.

It would probably be more effective to check the "whois" registration
info for a host/domain name to see who owns the name. There are a
modest number (200) of people/organizations that are responsible for
80%~90% of all spam.
(See: http://www.spamhaus.org/rokso/ Registry of known spammers)

See: http://spamlinks.net/research.htm for more info on identifying
spammer spoor. (spamlinks.net is a good general spam info resource)

DNS info can often be used to get clues. A host with a very short TTL
(less than 200 seconds) is usually a strong spam flag. Spammers who buy
bulk blocks of host names will often register them thru the same
hosting service thus the NS records will point to the same provider.

-- 
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
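
The two DNS clues described in the message above (an A-record TTL under 200 seconds, and URI hosts that share name servers), as an added example that is not part of the original post or of SpamAssassin. It runs over constructed dig-style records and a constructed message body; all host names, addresses and function names are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

SHORT_TTL = 200  # seconds; the threshold named in the message above
# Constructed sample data (not real lookups): dig-style answer lines.
SAMPLE_DNS = """\
pills.example.  120   IN A  192.0.2.10
pills.example.  86400 IN NS ns1.bulkhost.example.
loans.example.  90    IN A  203.0.113.5
loans.example.  86400 IN NS ns1.bulkhost.example.
news.example.   3600  IN A  192.0.2.80
news.example.   86400 IN NS ns.press.example.
"""
SAMPLE_BODY = ('Buy <img src="http://pills.example/a.gif"> or '
               'http://loans.example/x and http://news.example/story')

def parse_records(text):
    """Parse 'name ttl IN type rdata' lines into {name: {type: [(ttl, rdata)]}}."""
    zones = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[2] != "IN" or not parts[1].isdigit():
            continue  # skip blank or malformed lines
        name, ttl, _, rtype, rdata = parts
        zones[name.rstrip(".").lower()][rtype].append((int(ttl), rdata.rstrip(".").lower()))
    return zones

def uri_hosts(body):
    """Distinct host names of http(s) URIs in a message body, in order of appearance."""
    hosts = []
    for url in re.findall(r"https?://[^\s\"'<>]+", body):
        host = (urlsplit(url).hostname or "").lower()
        if host and host not in hosts:
            hosts.append(host)
    return hosts

def analyze(body, dns_text):
    """Return (hosts whose A-record TTL is under SHORT_TTL, {name server: hosts sharing it})."""
    zones = parse_records(dns_text)
    short_ttl, by_ns = [], defaultdict(list)
    for host in uri_hosts(body):
        recs = zones.get(host, {})
        if any(ttl < SHORT_TTL for ttl, _ in recs.get("A", [])):
            short_ttl.append(host)
        for _, ns in recs.get("NS", []):
            by_ns[ns].append(host)
    shared = {ns: hosts for ns, hosts in by_ns.items() if len(hosts) > 1}
    return short_ttl, shared
```
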