What spamassassin rules is this related to?

On 01/07, Rob McEwen wrote:
> ANNOUNCEMENT: update to ivmURI regarding surge in rarely-blacklisted domains
> spammers use from legit site that are "compromised"
>
> There has been a surge during the past couple of days in rarely-blacklisted
> domains (as in, you see few of these blacklisted on SURBL/URIBL/DBL) ...where
> the spammers used "compromised" sites which are normally legit sites. (maybe
> the FTP password was cracked? or some other security hole exploited?)
> Likewise, ivmURI was missing many of these because our
> FP-prevention-filters... which normally prevent "decoy" domains or innocent
> domains from getting blacklisted... were also causing many of these to be
> overlooked. (I suspect that the same was happening with the other URI
> blacklists, since [it seems?] even fewer of these were getting blacklisted on
> those other URI/domain blacklists?)
>
> This isn't new. For months, it has been on my mind to make some adjustments
> to "surgically target" listing these types of domains... where our
> FP-prevention-filters would then "back off" just a tad... yet in a very
> "surgically targeted" way... so that these would start blacklisting, yet
> without those changes to the filters suddenly causing many FPs, and where
> these domains would also expire off of ivmURI faster--with the idea that the
> site owners would probably find and fix their problem somewhat quickly. (we
> don't want these to remain blacklisted weeks after the spam has ceased and
> the security problem fixed)
>
> Yes, this WILL cause a tiny bit of "collateral damage"... but my estimation
> is that the ratio is off-the-chart GOOD! These are relatively minor sites.
> This could potentially cause hundreds of thousands of spams blocked for every
> one legit mail blocked. And if someone STILL has a problem with that ratio...
> then my message to them is... the site owner should be somewhat held
> accountable for their poor security--which is partly at fault for so much
> elusive spam making it into inboxes! (and, again, these listings will expire
> MUCH faster than regular ivmURI listings)
>
> Many of these spams are especially elusive because the spammers then combine
> the use of a somewhat legit domain... with sending from "freemail" servers,
> or other legit mail servers which would cause far too much collateral damage
> if blocked by IP. At best, this puts a HUGE burden on content filters. At
> worst, many of these are slipping past many spam filters.
>
> This major milestone improvement for ivmURI was implemented mere hours ago.
> Here are some results... where these were added to the ivmURI list today:
>
> http://dnsbl.invaluement.com/uri_surge.txt
>
> NOTE: These are all domains impacted by this change. Unfortunately, many in
> that list would have been blacklisted on ivmURI anyways, without the changes...
> but many domains in that list required this change to get listed on ivmURI.
> Also, across the board, you'll also find very few in that list which are on
> ANY other URI blacklists!
>
> Questions/Feedback are welcome!
>
> --
> Rob McEwen
> http://dnsbl.invaluement.com/
> r...@invaluement.com
> +1 (478) 475-9032
>

--
"And I got these stunning rushes of pure timeless joy, when my consciousness
seemed to expand outwards from the limits of my skin to fill the universe and
I could no longer tell whether I was playing the music or the music was
playing me." - http://www.catb.org/esr/writings/dancing.html
http://www.ChaosReigns.com
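For readers wondering how a URI blacklist such as ivmURI ends up as a SpamAssassin rule at all, here is an added configuration example (it is not from Rob McEwen's announcement, from invaluement, or from the SpamAssassin project). It uses SpamAssassin's URIDNSBL plugin, whose directives (`urirhsbl`, `check_uridnsbl`, `uridnsbl_skip_domain`, `tflags net`) are real; the rule name and the DNS zone `ivmuri.example.invalid.` are placeholders, since ivmURI is served from a zone you host and name yourself, so substitute your local zone. Drop the block into a `local.cf`-style file, then run `spamassassin --lint` to confirm it parses.

```conf
# Added example: wiring a URI DNSBL into SpamAssassin's URIDNSBL plugin.
# Not part of the original post. The rule name and the zone
# "ivmuri.example.invalid." are placeholders; use the zone you serve locally.

# URIDNSBL is normally loaded already via v310.pre; uncomment if it is not.
# loadplugin Mail::SpamAssassin::Plugin::URIDNSBL

# Look up the registrable domain of every URL found in the message body as a
# right-hand-side query against the zone. With urirhsbl (no subtest), any
# A-record answer counts as a listing.
urirhsbl    URIBL_IVMURI_EXAMPLE  ivmuri.example.invalid.  A
body        URIBL_IVMURI_EXAMPLE  eval:check_uridnsbl('URIBL_IVMURI_EXAMPLE')
describe    URIBL_IVMURI_EXAMPLE  Body contains a URL whose domain is listed on ivmURI (placeholder zone)
tflags      URIBL_IVMURI_EXAMPLE  net
score       URIBL_IVMURI_EXAMPLE  3.0

# Local false-positive guard, independent of the list's own FP filters:
# these domains are never queried, so a listing elsewhere cannot score here.
uridnsbl_skip_domain example.com example.org
```

The score is a deliberately moderate starting point: on its own it does not reach the default 5.0 threshold, so a hit on a compromised-but-otherwise-legitimate site only tips a message that already scores on other rules, which is the trade-off the announcement's collateral-damage discussion is about. Tune it against your own ham corpus before raising it.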