On Monday, April 12, 2004, 2:16:23 PM, Pete McNeil wrote:
>>However if *any* of the domains in a spam are on an SURBL list, the
>>entire message will get tagged as spam (for mail servers using
>>SURBL of course). The more spam domains the spammers add,
>>including their spamming rivals, the better our chance of tagging
>>the message as spam.
>>
>>Score one for the good guys if they try to take out their
>>competitors this way.

> Well, actually, that's just what they hope. The point of this attack is
> that the spam they send is meaningless and un-targeted - so only the rivals
> get damaged. Their own targets are not present in the message.

Got it. You're right. I was assuming they were adding their
competitors alongside their own.

> There's no hazard in this for the white-hats except for more work. The
> targeted spammers quickly select new domains and step up the rate at which
> they generate and use those domains. This results in more spam and more
> filtering work. A hint (and a helpful tactic) is that the IP targeted by
> the domain tends to remain intact... so it is helpful to capture not only
> the target domain/link but also the IP at the end of it... If you see the
> IP again in a short period then the link attached is likely to also be a
> spam indicator... This can be helpful in closing networks of rotating IPs
> and domains.

Yep! That's exactly what I'm implementing in my new data engine:
watch for persistent IP blocks occurring in spam URIs and make
the new incoming spam URI reports resolving into those blocks
easier to add to the bad guy domain list through a lowered
threshold. I think it's going to work very well.

> When they mix in randomly trolled legitimate links it becomes a bit of a
> challenge though... I've seen messages with up to 30 links all disguised as
> something useful - with 30+ % actually being legitimate targets & potential
> collateral damage. These messages tend to be modeled after eZine type
> newsletters that tack on a large list of references to "in-depth" story
> versions.

Right. The savior for sc.surbl.org would be if the SpamCop users
uncheck most of those. Not sure if SpamCop also internally
whitelists.

Jeff C.
--
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/
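
The lowered-threshold idea discussed in the message above, sketched as an added example; it is not part of the original post and not SURBL's code. The /24 block size, the thresholds, the time window and every name, domain and IP in it are assumptions or constructed sample data, and resolved IPs are passed in rather than looked up.

```python
import ipaddress
from collections import defaultdict

# All values below are assumptions for illustration, not SURBL settings.
BASE_THRESHOLD = 5       # reports normally needed to list a domain
LOWERED_THRESHOLD = 2    # reports needed when the domain resolves into a persistent block
PERSIST_MIN_DOMAINS = 3  # distinct listed domains that make a block "persistent"
WINDOW = 7 * 86400       # seconds a listed domain keeps counting toward its block

def block_of(ip):
    """Return the /24 containing ip (block size is an assumption)."""
    return ipaddress.ip_network(f"{ip}/24", strict=False)

class UriReportEngine:
    def __init__(self):
        self.reports = defaultdict(int)      # domain -> report count
        self.block_hits = defaultdict(dict)  # block -> {listed domain: listing time}
        self.listed = set()

    def persistent(self, block, now):
        """True if enough recently listed domains resolved into this block."""
        recent = [d for d, t in self.block_hits[block].items() if now - t <= WINDOW]
        return len(recent) >= PERSIST_MIN_DOMAINS

    def report(self, domain, resolved_ip, now):
        """Record one spam report; return True if the domain is (now) listed."""
        if domain in self.listed:
            return True
        self.reports[domain] += 1
        block = block_of(resolved_ip)
        threshold = LOWERED_THRESHOLD if self.persistent(block, now) else BASE_THRESHOLD
        if self.reports[domain] >= threshold:
            self.listed.add(domain)
            self.block_hits[block][domain] = now
        return domain in self.listed

def demo():
    """Constructed reports; domains and IPs are made-up documentation values."""
    eng = UriReportEngine()
    for d in ("a.example", "b.example", "c.example"):
        for i in range(BASE_THRESHOLD):
            eng.report(d, "192.0.2.10", now=i)
    # New domain in the same /24: listed after only two reports.
    fast = [eng.report("d.example", "192.0.2.77", now=100) for _ in range(2)]
    # New domain in an unrelated block still needs the full threshold.
    slow = [eng.report("e.example", "198.51.100.5", now=100) for _ in range(2)]
    return fast, slow
```

The sketch omits any whitelist step, so the legitimate links mixed into spam that the thread mentions would need to be screened before a domain is listed.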