On Sun, 13 Mar 2005 05:29:04 -0800, Jeff Chan wrote:
>On Sunday, March 13, 2005, 5:12:30 AM, Jeff Chan wrote:
>> On Friday, March 11, 2005, 11:27:52 PM, Jeff Chan wrote:
>>> Does anyone have or know about a list of spam-advertised URIs
>>> where the spam they appeared in was sent through open relays,
>>> zombies, open proxies, etc.  In other words does anyone know
>>> of a list of spamvertised web sites or their domains that's
>>> been cross referenced to exploited hosts?
>
>>> We could use that information as a valuable tool for getting
>>> more records into SURBLs.
>
>> One fairly easy way for anyone running a large SpamAssassin
>> installation to help us get this data would be to simply grep
>> for "XBL" and "SURBL" rules hitting the same message and report
>> out the URI domains from those messages.
>
>> Perhaps some kind person could write a reporting function in
>> SpamAssassin for this?
>
>Hmm, perhaps if we could extract *all* URI domains from messages
>sent through XBLed senders then prioritize those say by frequency
>of appearance, we could create a new SURBL list of spamvertised
>domains sent through exploited hosts.  That would pretty directly
>address the use of zombies, etc. and put a penalty on using them
>to advertise sites through them.  Even with volume weighting such
>a list of sites could be attacked by major joe job unless we took
>additional countermeasures, but does anyone else think this might
>be a useful type of data source for SURBLs?
>
>Jeff C.
>--
>"If it appears in hams, then don't list it."
>
>
        Jeff,

        I think it would be useful, *but* Spamhaus is very good at adding
IPs of sites that exploit the XBL - So you would see a significant overlap.
That said, the SURBL policy of attempting for zero FPs means that a SURBL
would probably have a higher score than the SBL gets (I think for 3.0.2 the
rule RCVD_IN_SBL is scored as "0 1.050 0 0.107" and the rule URIBL_SBL is
scored as "0 0.629 0 0.996"), so you could probably add a "safer" two points
or even more.  And, SURBLs are RHS lists, so you will catch IP jumping that
the SBL often misses (for a little while).

        I don't believe that you will find `spamvertised' domains using
exploited machines one day, and valid mailers later - Just a `new' exploited
machine that hasn't made its way onto the lists yet (like IP jumping, being
a RHS list is an advantage here too).  The best current example I know of
is f2m.idv.tw-munged (who unlike most spammers, has a multi-year period on
their registration, doesn't change domain names, does IP jump and does use
exploited machines).  Today, they are on all five SURBLs and in the SBL
(and on my servers, they also get another 1.5 points for rfci.whois and
rfci.abuse URI rules).

        Also, it wouldn't take a "major" joe job (or whatever the name for
chafe that isn't personally directed would be - remember "joe job" refers
to a specific spammer who was pissed at being thrown off joe.com).  You
would just have to maintain a whitelist like you do now for people like
w3c.org who are always being abused (or the phishing spam target companies,
whose own pictures and logos usually appear, or newspapers and magazines
who end up in 419s).

        Sounds good,

        Paul Shupak
        [EMAIL PROTECTED]
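A reporting script of the kind Jeff asks for, added here as an example (it is not from the thread or from SpamAssassin itself): it reads the X-Spam-Status header SpamAssassin adds, keeps only messages where RCVD_IN_XBL hit, and tallies the URI domains those messages advertise, minus a whitelist. The three sample messages and the whitelist entry are constructed; a real run would read messages from a spool or maildir instead.

```python
import re
from collections import Counter
from email import message_from_string

# Constructed sample (invented, not real mail): two messages relayed via an
# XBL-listed host (RCVD_IN_XBL fired) and one that was not.
SAMPLE_MESSAGES = [
    "X-Spam-Status: Yes, score=9.1 required=5.0 tests=HTML_MESSAGE,RCVD_IN_XBL,"
    "URIBL_SBL autolearn=no version=3.0.2\nSubject: cheap meds\n\n"
    "Order at http://www.spamvertised-example.test/buy (html via http://w3c.org/)\n",
    "X-Spam-Status: Yes, score=6.0 required=5.0 tests=RCVD_IN_XBL autolearn=no\n"
    "Subject: hi\n\nSee HTTP://spamvertised-example.test/x and http://other-site.test/\n",
    "X-Spam-Status: No, score=1.2 required=5.0 tests=HTML_MESSAGE autolearn=no\n"
    "Subject: newsletter\n\nRead more at http://legit-example.test/news\n",
]

TESTS_RE = re.compile(r"tests=([A-Z0-9_,]+)")
URI_HOST_RE = re.compile(r"https?://([a-z0-9.-]+)", re.IGNORECASE)
# Legitimate hosts that spam constantly references; never report them
# (placeholder for the kind of whitelist the thread mentions).
WHITELIST = {"w3c.org"}


def spam_tests(raw):
    """Return the set of SpamAssassin rule names listed in X-Spam-Status."""
    status = message_from_string(raw).get("X-Spam-Status", "")
    m = TESTS_RE.search("".join(status.split()))  # unfold a wrapped header
    return set(m.group(1).split(",")) if m else set()


def uri_domains(raw):
    """Return the set of hostnames in http(s) URIs in the message body."""
    hosts = set()
    for host in URI_HOST_RE.findall(message_from_string(raw).get_payload()):
        host = host.lower().rstrip(".")
        hosts.add(host[4:] if host.startswith("www.") else host)  # fold www.
    return hosts


def xbl_uri_report(messages, whitelist=WHITELIST):
    """Count, once per message, each URI domain seen in mail that hit
    RCVD_IN_XBL, skipping whitelisted domains; most frequent first."""
    counts = Counter()
    for raw in messages:
        if "RCVD_IN_XBL" in spam_tests(raw):
            counts.update(d for d in uri_domains(raw) if d not in whitelist)
    return counts.most_common()


if __name__ == "__main__":
    for domain, n in xbl_uri_report(SAMPLE_MESSAGES):
        print(f"{n:4d}  {domain}")
```

Counting each domain once per message keeps a single message stuffed with repeated links from inflating the ranking; the whitelist is what keeps w3c.org-style collateral out of the candidate list.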
