Posted to users@spamassassin.apache.org by Chris Santerre <cs...@MerchantsOverseas.com> on 2004/09/09 22:56:33 UTC

Start an IP list to block?

OK, this isn't the first time we've had this discussion, but Raymond and I
felt this should be made public again. He ran through some tests of 1500+
domains and found the following data. Looks like they may be sending from
zombies, and never their hosts. IPs are similar across the board. 

So is there a way to use the IP info in a good way? Could SA or SURBL do a
quick ping of the URL and match against a URL? This would allow us to simply
list 1 IP instead of all these domains.

(I'm well aware of virtual hosts! So only the filthiest of spammers would be
put on this IP list. Then their IP better boot them or anyone hosted on that
box would feel the wrath of SURBL.)

--Chris


>
>See this list, most of them all use the same IP, pill spammers...
>
>abducted2550pirrs.com has address 219.254.32.111
>acdfiaj.info has address 219.254.32.69
>agronomy9603dryg.com has address 219.254.32.111
>arrowhead2272tads.com has address 219.254.32.111
>asdeczxa.com has address 219.254.32.97
>atonement9529pirrs.com has address 219.254.32.111
>auguring7087pirrs.com has address 219.254.32.111
>authorise5969rneds.us has address 219.254.32.111
>baby29.com has address 219.254.32.99
>baby30.com has address 219.254.32.99
>baby31.com has address 219.254.32.99
>baby32.com has address 219.254.32.99
>baby33.com has address 219.254.32.99
>baby34.com has address 219.254.32.99
>bankloanunitedtrust.com has address 219.254.32.115
>baroque9879biz.com has address 219.254.32.111
>baste7039tads.com has address 219.254.32.111
>befalling7627tads.com has address 219.254.32.111
>benzine6086dryg.com has address 219.254.32.111
>beyond735dryg.com has address 219.254.32.111
>boon3678rx.com has address 219.254.32.111
>boon3678rx.com has address 219.254.32.111
>brutally6279dryg.com has address 219.254.32.111
>bull2903pirrs.com has address 219.254.32.111
>bulrush5448nx.com has address 219.254.32.111
>burnie5422pinn.com has address 219.254.32.111
>buying4212pirrs.com has address 219.254.32.111
>cannery7310pinn.com has address 219.254.32.111
>chapter1224dryg.com has address 219.254.32.111
>childish7509tads.com has address 219.254.32.111
>cleat7228pirrs.com has address 219.254.32.111
>cobra133pirrs.com has address 219.254.32.111
>cocoa7878dryg.com has address 219.254.32.111
>collocutor9120dryg.com has address 219.254.32.111
>comparable6635tads.com has address 219.254.32.111
>crane4522dryg.com has address 219.254.32.111
>destitute6182drygs.com has address 219.254.32.111
>dhl7809tads.com has address 219.254.32.111
>diet33.com has address 219.254.32.99
>disbelief4546pinn.com has address 219.254.32.111
>disjoint5156drygs.com has address 219.254.32.111
>double182dryg.com has address 219.254.32.111
>dsmnfw.com has address 219.254.32.97
>duodenum1797nx.com has address 219.254.32.111
>earwax8995rneds.com has address 219.254.32.111
>edbhadj.info has address 219.254.32.69
>ejebemc.info has address 219.254.32.69
>embodiment6853rneds.com has address 219.254.32.111
>emerge2198dryg.com has address 219.254.32.111
>envumil.com has address 219.254.32.71
>euglena9723biz.us has address 219.254.32.111
>eventual5615tads.com has address 219.254.32.111
>fabled6151dryg.com has address 219.254.32.111
>faintly5417drygs.com has address 219.254.32.111
>faithless4562dryg.com has address 219.254.32.111
>fall3829nx.com has address 219.254.32.111
>fall3829nx.com has address 219.254.32.111
>gait1492pinn.com has address 219.254.32.111
>gjakwfal.com has address 219.254.32.77
>glassy5030nx.com has address 219.254.32.111
>grand2packz.com has address 219.254.32.121
>gui7176biz.com has address 219.254.32.111
>hayfield6948tads.com has address 219.254.32.111
>hayride5669nx.com has address 219.254.32.111
>healing7489biz.com has address 219.254.32.111
>higcijn.info has address 219.254.32.69
>highball9334tads.com has address 219.254.32.111
>home9724dryg.com has address 219.254.32.111
>humpback726pirrs.com has address 219.254.32.111
>imbed3506pinn.com has address 219.254.32.111
>indenting1562pill.com has address 219.254.32.111
>jetskiasl.com has address 219.254.32.77
>joliet5195biz.com has address 219.254.32.111
>kalmyk3865drygs.com has address 219.254.32.111
>kgajgieag.com has address 219.254.32.77
>laziness6976dryg.com has address 219.254.32.111
>lksdns.info has address 219.254.32.72
>luggage3300drygs.com has address 219.254.32.111
>mad1049biz.com has address 219.254.32.111
>madness1926tads.com has address 219.254.32.111
>med12now.com has address 219.254.32.111
>medic7.com has address 219.254.32.111
>medspro7.com has address 219.254.32.111
>mhjgcgd.info has address 219.254.32.69
>microchip9614biz.com has address 219.254.32.111
>milan1517biz.com has address 219.254.32.111
>monotone8601biz.com has address 219.254.32.111
>motto4080nx.com has address 219.254.32.111
>n4zyrtfast.com has address 219.254.32.121
>negater6398tads.com has address 219.254.32.111
>omni8306tads.com has address 219.254.32.111
>oneself5360pirrs.com has address 219.254.32.111
>optimize5129drug.com has address 219.254.32.111
>perigree4124biz.com has address 219.254.32.111
>phoneme6858biz.com has address 219.254.32.111
>pilz2004.com has address 219.254.32.111
>porno7775tads.com has address 219.254.32.111
>pottage6834pirrs.us has address 219.254.32.111
>prairie4725biz.com has address 219.254.32.111
>praise4m3ds.com has address 219.254.32.121
>pressman1177nx.com has address 219.254.32.111
>pretzel3736pills.com has address 219.254.32.111
>primness6560nx.us has address 219.254.32.111
>procuress4029pinn.com has address 219.254.32.111
>profligacy8404nx.com has address 219.254.32.111
>project2089biz.com has address 219.254.32.111
>prototypic6263nx.com has address 219.254.32.111
>qqqwertypoid.com has address 219.254.32.121
>quits8304drygs.com has address 219.254.32.111
>ram7888dryg.com has address 219.254.32.111
>rata2536tads.com has address 219.254.32.111
>recruited2055rneds.com has address 219.254.32.111
>replenish4787nx.com has address 219.254.32.111
>reset3166tads.com has address 219.254.32.111
>resist9528rneds.com has address 219.254.32.111
>rigor7247rneds.com has address 219.254.32.111
>rocked4915dryg.com has address 219.254.32.111
>rounded9866biz.com has address 219.254.32.111
>rustic9925rneds.com has address 219.254.32.111
>sable8898dryg.com has address 219.254.32.111
>safflower170dryg.com has address 219.254.32.111
>sahib5037biz.com has address 219.254.32.111
>saltine3407rneds.com has address 219.254.32.111
>sanguine882rneds.com has address 219.254.32.111
>sarah6314pirrs.com has address 219.254.32.111
>sash4453biz.com has address 219.254.32.111
>sealer6455biz.com has address 219.254.32.111
>sergeancy8489pinn.com has address 219.254.32.111
>sharper7539biz.com has address 219.254.32.111
>showplace1294pirrs.com has address 219.254.32.111
>shying1845biz.com has address 219.254.32.111
>sister31.com has address 219.254.32.99
>situp6764biz.com has address 219.254.32.111
>skunk9827drygs.com has address 219.254.32.111
>sky5490pirrs.com has address 219.254.32.111
>smnsdno.com has address 219.254.32.97
>soaker1916tads.com has address 219.254.32.111
>solaria8488nx.com has address 219.254.32.111
>soluble7830pinn.com has address 219.254.32.111
>speculate2541drygs.com has address 219.254.32.111
>spoilt7777rneds.com has address 219.254.32.111
>squares9697rx.com has address 219.254.32.111
>statutory1625pi11s.us has address 219.254.32.111
>stiffed5912tads.com has address 219.254.32.111
>stony4921rneds.com has address 219.254.32.111
>subjective1648biz.com has address 219.254.32.111
>sublunary1132nx.com has address 219.254.32.111
>sue3483pinn.com has address 219.254.32.111
>sufferable9011rneds.com has address 219.254.32.111
>summit4716drygs.com has address 219.254.32.111
>swaged5905biz.com has address 219.254.32.111
>techspyerase.biz has address 219.254.32.75
>tentative8691pinn.com has address 219.254.32.111
>terminable3646drygs.com has address 219.254.32.111
>them1275pinn.com has address 219.254.32.111
>tidiness6516drygs.com has address 219.254.32.111
>tiled2118rneds.com has address 219.254.32.111
>tingle3751drygs.com has address 219.254.32.111
>toaster7461drygs.com has address 219.254.32.111
>toothsome9441nx.com has address 219.254.32.111
>tragicomic8159drygs.com has address 219.254.32.111
>transient3126drygs.com has address 219.254.32.111
>trihedral2449rneds.com has address 219.254.32.111
>undefended7133pinn.com has address 219.254.32.111
>underload9603pirrs.com has address 219.254.32.111
>vcr1047pinn.com has address 219.254.32.111
>warriors221pinn.com has address 219.254.32.111
>wasserman5540pinn.com has address 219.254.32.111
>weaponless8185biz.com has address 219.254.32.111
>webgreencard.biz has address 219.254.32.75
>wetly3520pirrs.com has address 219.254.32.111
>winning7272tads.com has address 219.254.32.111
>yarmulke7279biz.com has address 219.254.32.111
>zulu5812pinn.com has address 219.254.32.111
>
>akianapikas.org has address 201.12.78.140
>akianapotkasi.org has address 201.12.78.140
>akianasayara.org has address 201.12.78.140
>akianasofikals.org has address 201.12.78.140
>bertikasenofakel.org has address 201.12.78.140
>bertikasfenium.org has address 201.12.78.140
>bertikasfrakles.org has address 201.12.78.140
>bertikaskitaros.org has address 201.12.78.140
>bertikasporchma.org has address 201.12.78.140
>bertikaspotkasi.org has address 201.12.78.140
>bertikassayara.org has address 201.12.78.140
>biscamasornamiolis.org has address 201.12.78.140
>blacomanikas.org has address 201.12.78.140
>bortsimisbortsimis.org has address 201.12.78.140
>bortsimisfenium.org has address 201.12.78.140
>bortsimisinacalo.org has address 201.12.78.140
>bortsimispazda.org has address 201.12.78.140
>bortsimispitovshe.org has address 201.12.78.140
>bortsimispritkeras.org has address 201.12.78.140
>bortsimissimptomps.org has address 201.12.78.140
>bortsimisvaldisimus.org has address 201.12.78.140
>coolorgfunky.org has address 201.12.78.140
>crosstonfalls.org has address 201.12.78.140
>directionasios.org has address 201.12.78.140
>enofakelfrakles.org has address 201.12.78.140
>enofakelinacalo.org has address 201.12.78.140
>enofakelporchma.org has address 201.12.78.140
>enofakelpotkasi.org has address 201.12.78.140
>enofakelsofikals.org has address 201.12.78.140
>enomybertikas.org has address 201.12.78.140
>enomybortsimis.org has address 201.12.78.140
>enomyenofakel.org has address 201.12.78.140
>enomyfenium.org has address 201.12.78.140
>enomynimphos.org has address 201.12.78.140
>enomyownaros.org has address 201.12.78.140
>enomypazda.org has address 201.12.78.140
>enomypoises.org has address 201.12.78.140
>enomyxesros.org has address 201.12.78.140
>fagonyakiana.org has address 201.12.78.140
>fagonyxesros.org has address 201.12.78.140
>fakilafapinatos.org has address 201.12.78.140
>falloutstudios.org has address 201.12.78.140
>fbgba3kglads.org has address 201.12.78.140
>feniuminacalo.org has address 201.12.78.140
>feniumpotkasi.org has address 201.12.78.140
>feniumpritkeras.org has address 201.12.78.140
>feniumsofikals.org has address 201.12.78.140
>feniumtronits.org has address 201.12.78.140
>feniumxesros.org has address 201.12.78.140
>fraklesneynano.org has address 201.12.78.140
>fraklespikas.org has address 201.12.78.140
>fraklestronits.org has address 201.12.78.140
>halepoley.org has address 201.12.78.140
>inacalobertikas.org has address 201.12.78.140
>inacaloenomy.org has address 201.12.78.140
>inacalokitaros.org has address 201.12.78.140
>inacalomipatarios.org has address 201.12.78.140
>inacalopoises.org has address 201.12.78.140
>inacalosayara.org has address 201.12.78.140
>inacalosofikals.org has address 201.12.78.140
>inacalovaldisimus.org has address 201.12.78.140
>indakitosbortsimis.org has address 201.12.78.140
>indakitosenofakel.org has address 201.12.78.140
>indakitosinacalo.org has address 201.12.78.140
>indakitospoises.org has address 201.12.78.140
>indakitosxesros.org has address 201.12.78.140
>katanataropikas.org has address 201.12.78.140
>kitarosfenium.org has address 201.12.78.140
>kitarosmipatarios.org has address 201.12.78.140
>kitarosvaldisimus.org has address 201.12.78.140
>lopikranius.org has address 201.12.78.140
>manicsenofakel.org has address 201.12.78.140
>manicssofikals.org has address 201.12.78.140
>manicsvaldisimus.org has address 201.12.78.140
>mipatariosakiana.org has address 201.12.78.140
>mipatariosbortsimis.org has address 201.12.78.140
>mipatariossimptomps.org has address 201.12.78.140
>mipatariostronits.org has address 201.12.78.140
>neynanopotkasi.org has address 201.12.78.140
>nimphosfrakles.org has address 201.12.78.140
>nimphosinacalo.org has address 201.12.78.140
>nimphosindakitos.org has address 201.12.78.140
>nimphospoises.org has address 201.12.78.140
>nimphosxesros.org has address 201.12.78.140
>noahomakila.org has address 201.12.78.140
>ownarosfrakles.org has address 201.12.78.140
>ownarosneynano.org has address 201.12.78.140
>ownarosownaros.org has address 201.12.78.140
>ownarosporchma.org has address 201.12.78.140
>ownarossofikals.org has address 201.12.78.140
>ownarosxesros.org has address 201.12.78.140
>pazdaenomy.org has address 201.12.78.140
>pazdafrakles.org has address 201.12.78.140
>pazdanimphos.org has address 201.12.78.140
>pazdaownaros.org has address 201.12.78.140
>pazdapikas.org has address 201.12.78.140
>pikasfagony.org has address 201.12.78.140
>pikaskitaros.org has address 201.12.78.140
>pikasownaros.org has address 201.12.78.140
>pikasporchma.org has address 201.12.78.140
>pikassofikals.org has address 201.12.78.140
>pikasxesros.org has address 201.12.78.140
>pitovshebortsimis.org has address 201.12.78.140
>poisesbortsimis.org has address 201.12.78.140
>poisesfenium.org has address 201.12.78.140
>poisesneynano.org has address 201.12.78.140
>poisesnimphos.org has address 201.12.78.140
>poisesownaros.org has address 201.12.78.140
>poisespazda.org has address 201.12.78.140
>poisespikas.org has address 201.12.78.140
>poisespotkasi.org has address 201.12.78.140
>poisespritkeras.org has address 201.12.78.140
>poisesvaldisimus.org has address 201.12.78.140
>polisheneynano.org has address 201.12.78.140
>polishepoises.org has address 201.12.78.140
>porchmafenium.org has address 201.12.78.140
>porchmainacalo.org has address 201.12.78.140
>porchmaindakitos.org has address 201.12.78.140
>porchmamanics.org has address 201.12.78.140
>porchmaownaros.org has address 201.12.78.140
>porchmapikas.org has address 201.12.78.140
>porchmaxesros.org has address 201.12.78.140
>postfallshotels.org has address 201.12.78.140
>potkasimipatarios.org has address 201.12.78.140
>potkasiownaros.org has address 201.12.78.140
>potkasipotkasi.org has address 201.12.78.140
>potkasipritkeras.org has address 201.12.78.140
>pritkerasenofakel.org has address 201.12.78.140
>pritkerasmipatarios.org has address 201.12.78.140
>pritkerasnimphos.org has address 201.12.78.140
>pritkeraspoises.org has address 201.12.78.140
>pritkerassofikals.org has address 201.12.78.140
>pritkerasxesros.org has address 201.12.78.140
>sayaraenofakel.org has address 201.12.78.140
>sayaramipatarios.org has address 201.12.78.140
>sayarapoises.org has address 201.12.78.140
>sayarasofikals.org has address 201.12.78.140
>simptompsakiana.org has address 201.12.78.140
>simptompsfenium.org has address 201.12.78.140
>simptompskitaros.org has address 201.12.78.140
>sofikalsfenium.org has address 201.12.78.140
>sofikalsindakitos.org has address 201.12.78.140
>sofikalsmanics.org has address 201.12.78.140
>sofikalsownaros.org has address 201.12.78.140
>sofikalspikas.org has address 201.12.78.140
>sofikalsvaldisimus.org has address 201.12.78.140
>sopinaskarantinas.org has address 201.12.78.140
>testneworg.org has address 201.12.78.140
>tronitsindakitos.org has address 201.12.78.140
>tronitspolishe.org has address 201.12.78.140
>tronitssayara.org has address 201.12.78.140
>tronitsxesros.org has address 201.12.78.140
>valdisimusbertikas.org has address 201.12.78.140
>valdisimusfenium.org has address 201.12.78.140
>valdisimuspazda.org has address 201.12.78.140
>valdisimuspitovshe.org has address 201.12.78.140
>valdisimusporchma.org has address 201.12.78.140
>valdisimussofikals.org has address 201.12.78.140
>xesrosfrakles.org has address 201.12.78.140
>xesrosnimphos.org has address 201.12.78.140
>xesrospitovshe.org has address 201.12.78.140
>xesrospoises.org has address 201.12.78.140
>xesrosporchma.org has address 201.12.78.140
>
>mypillsbrand.com has address 200.139.104.4
>mypillsvalue.com has address 200.139.104.4
>mypillsvalues.com has address 200.139.104.4
>mypillswebsite.com has address 200.139.104.4
>mythingscentral.com has address 200.139.104.4
>ourpillscomplete.com has address 200.139.104.4
>ourpillscompleted.com has address 200.139.104.4
>ourpillsdirect.com has address 200.139.104.4
>ourpillsforme.com has address 200.139.104.4
>ourpillshome.com has address 200.139.104.4
>ourpillsnet.com has address 200.139.104.4
>ourpillsweb.com has address 200.139.104.4
>ourpillswebsites.com has address 200.139.104.4
>thepillsforall.com has address 200.139.104.4
>thepillsspot.com has address 200.139.104.4
>thepillswebsites.com has address 200.139.104.4
>yourpills2k.com has address 200.139.104.4
>yourthings2k.com has address 200.139.104.4
>yourthingscentral.com has address 200.139.104.4
>
>49fmsas.com has address 221.143.42.199
>49fmsas.com has address 221.143.42.178
>95j63s.com has address 221.143.42.199
>95j63s.com has address 221.143.42.178
>fbb4all.info has address 221.143.42.87
>flhiot.com has address 221.143.42.178
>flhiot.com has address 221.143.42.199
>freeblackberry.info has address 221.143.42.87
>gbhew.com has address 221.143.42.199
>gbhew.com has address 221.143.42.178
>lendingflow.net has address 221.143.42.34
>lqeriod.com has address 221.143.42.199
>lqeriod.com has address 221.143.42.178
>mypills2k.com has address 221.143.42.246
>mypills4all.com has address 221.143.42.50
>mythings2004.com has address 221.143.42.246
>mythings2k.com has address 221.143.42.50
>ourpillsfarm.com has address 221.143.42.246
>ourpillslive.com has address 221.143.42.246
>ourpillsmall.com has address 221.143.42.50
>ourpillswebs.com has address 221.143.42.246
>realfreemobile.us has address 221.143.42.87
>reoigb.com has address 221.143.42.199
>reoigb.com has address 221.143.42.178
>thepillsabsolute.com has address 221.143.42.50
>thepillsforus.com has address 221.143.42.246
>thepillssupply.com has address 221.143.42.246
>thepillswebsitess.com has address 221.143.42.246
>thoweu.com has address 221.143.42.178
>thoweu.com has address 221.143.42.199
>tnjjrtw.com has address 221.143.42.199
>tnjjrtw.com has address 221.143.42.178
>tnoiero.com has address 221.143.42.199
>tnoiero.com has address 221.143.42.178
>yourpillsvalue.com has address 221.143.42.50
>yourpillswebs.com has address 221.143.42.246
>yourthingschoice.com has address 221.143.42.246
>yourthingscompleted.com has address 221.143.42.246
>yourthingsdepot.com has address 221.143.42.50
>yourthingsfarm.com has address 221.143.42.246
>yourthingsspot.com has address 221.143.42.246
>ytuow.com has address 221.143.42.199
>ytuow.com has address 221.143.42.178
>
>attractivebodysite.com has address 219.129.20.250
>beautyherbalimplement.com has address 219.129.20.208
>beautysupporters.com has address 219.129.20.208
>bestofhealthproducts.com has address 219.129.20.250
>bestproductclicks.com has address 219.129.20.250
>bodypamperingproducts.com has address 219.129.20.208
>doomedtobeauty.com has address 219.129.20.250
>everycan.com has address 219.129.20.247
>fitbodyinfo.com has address 219.129.20.250
>galamedicalherbs.com has address 219.129.20.208
>genialsolutionweb.com has address 219.129.20.250
>globalwellnessnews.com has address 219.129.20.250
>glossypharmaproducts.com has address 219.129.20.250
>greatfreeinfoblast.com has address 219.129.20.250
>greenleafshealth.com has address 219.129.20.208
>healthmegasuperstore.com has address 219.129.20.250
>healthorizon.com has address 219.129.20.208
>healthpluswellness.com has address 219.129.20.250
>healthproductslideshow.com has address 219.129.20.208
>healthydayitems.com has address 219.129.20.208
>healthydaymall.com has address 219.129.20.208
>healthydayneccesity.com has address 219.129.20.250
>idvitedtojoinherbsclub.com has address 219.129.20.208
>loudhealthmessage.com has address 219.129.20.250
>masshealthboom.com has address 219.129.20.250
>mosttrustedherbalsite.com has address 219.129.20.208
>newwealthline.com has address 219.129.20.208
>singletrustedsite.com has address 219.129.20.250
>superseductionproducts.com has address 219.129.20.208
>supporthealthproduct.com has address 219.129.20.208
>ultrasumpleproducts.com has address 219.129.20.208
>uniquelifechoice.com has address 219.129.20.250
>vitalhealthitems.com has address 219.129.20.208
>vividimportantitems.com has address 219.129.20.208
>waytoamazefriends.com has address 219.129.20.250
>worldunitedhealth.com has address 219.129.20.250
>yourwellnesscontainer.com has address 219.129.20.250
>
>Bye,
>Raymond.
>
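The data Raymond posted is plain `host` output, one "NAME has address A.B.C.D" line per A record, and the pattern Chris points at (many throw-away domains collapsing onto one IP or one /24) is easy to make visible mechanically. The following is an added example, not code from the thread, SURBL or SpamAssassin: it parses that output format (quoted or not), tolerates the duplicate lines and the domains with two A records seen above, and clusters domains by resolved IP and by enclosing /24. The sample input is a constructed excerpt of the lines quoted in this post; a real run would pipe `host` output for a domain list into `parse_host_output`.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample: a few lines lifted from the `host` output quoted above
# (some still carrying the mail `>` quote prefix, two duplicate lines, one
# domain with two A records, and one line that is not a host record at all).
SAMPLE_HOST_OUTPUT = """\
>abducted2550pirrs.com has address 219.254.32.111
>acdfiaj.info has address 219.254.32.69
boon3678rx.com has address 219.254.32.111
boon3678rx.com has address 219.254.32.111
baby29.com has address 219.254.32.99
49fmsas.com has address 221.143.42.199
49fmsas.com has address 221.143.42.178
mypillsbrand.com has address 200.139.104.4
falloutstudios.org has address 201.12.78.140
halepoley.org has address 201.12.78.140
this line is not a host record
"""

# `host` prints "NAME has address A.B.C.D" per A record; an optional leading
# `>` lets mail-quoted output parse unchanged.
HOST_LINE = re.compile(
    r"^\s*>?\s*(?P<domain>[A-Za-z0-9.-]+) has address "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*$"
)


def parse_host_output(text):
    """Map each domain to the set of IPv4 addresses it resolved to.

    Duplicate lines collapse into the set; non-record lines and
    syntactically invalid addresses are skipped.
    """
    resolved = defaultdict(set)
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if m is None:
            continue
        try:
            ip = str(ip_address(m["ip"]))  # rejects octets above 255
        except ValueError:
            continue
        resolved[m["domain"].lower()].add(ip)
    return dict(resolved)


def cluster_by_ip(resolved):
    """Invert the mapping: IP -> set of domains that resolve to it."""
    by_ip = defaultdict(set)
    for domain, ips in resolved.items():
        for ip in ips:
            by_ip[ip].add(domain)
    return dict(by_ip)


def cluster_by_network(resolved, prefixlen=24):
    """Group domains by enclosing network, e.g. '219.254.32.0/24'."""
    by_net = defaultdict(set)
    for domain, ips in resolved.items():
        for ip in ips:
            net = ip_network(f"{ip}/{prefixlen}", strict=False)
            by_net[str(net)].add(domain)
    return dict(by_net)


def hosting_report(resolved, min_domains=2):
    """IPs hosting at least `min_domains` of the domains, busiest first."""
    rows = [(ip, len(domains))
            for ip, domains in cluster_by_ip(resolved).items()
            if len(domains) >= min_domains]
    return sorted(rows, key=lambda row: (-row[1], row[0]))


if __name__ == "__main__":
    resolved = parse_host_output(SAMPLE_HOST_OUTPUT)
    for ip, count in hosting_report(resolved):
        print(f"{ip:16} {count} domains")
    for net, domains in sorted(cluster_by_network(resolved).items()):
        print(f"{net:18} {len(domains)} domains")
```

The /24 grouping is there because a spammer who rotates across 219.254.32.69, .97, .99, .111 and .115 (as in the first block of data) defeats a per-IP count but not a per-network one; the downside Chris already flags, innocent virtual-host neighbours, grows with the prefix width, so the report is an investigation aid rather than a listing criterion on its own.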

Re: Start an IP list to block?

Posted by Jeff Chan <je...@surbl.org>.
On Thursday, September 9, 2004, 3:22:39 PM, Scott Crosby wrote:
> On Thu, 9 Sep 2004 16:56:33 -0400, Chris Santerre <cs...@MerchantsOverseas.com> writes:

> How does this sound? Combine spamtraps with SURBL, using the IP as a
> hint to fully automatically add on the new domain. If a spamtrap email
> includes a URL that resolves to a server that has the same IP as
> another server already on the SURBL blacklist, automatically and
> immediately add the new domain to SURBL. One could also use shared DNS
> servers as a similar hint. If a new domain in a spamtrap shares a DNS
> server with an already listed domain, add it to SURBL automatically.

> We should be a bit more careful than this --- require that a new URL
> has to resolve to the same IP address as, say, at least 3 other SURBL
> entries before being automatically added on. Also, there should also
> be a list of IP's for which this automatic logic won't be
> triggered. This would be important for a poorly run but popular
> virtual server that's slow at kicking off spamvertized sites.

> This way you can catch spammers who create new domains on an existing
> IP address automatically and close to instantaneously. There's also
> little to no chance of accidentally blacklisting a popular virtual
> server. Spammers can't get any completely innocent domain or IP onto
> SURBL automatically. It must have at least some prior listings.

> Scott

Yes, the nameserver part is a new idea, and we would not
explicitly fold trap data* in, but the IP part is in my designs
already for the next version:

  http://www.surbl.org/faq.html#numbered

> However the next version of the sc.surbl.org data engine
> probably will be a hybrid name and number approach, where if a
> domain resolves into an IP address commonly used with
> spamvertised sites, then that domain will get added to
> sc.surbl.org probably with the first report. (Note that this
> still requires at least one report, but the threshold for
> inclusion will be radically lower for major spam operators who
> repeatedly use the same IP address for their hosting.) The next
> version of the data engine may also use the IP addresses in the
> sbl.spamhaus.org list to similarly short-circuit the process
> and include any newly reported domains resolving into those
> addresses immediately upon their first report. That should make
> for a more responsive list without much chance of increasing
> false positives. 
> 
> This hybrid approach will move sc.surbl.org much closer towards
> the behavior of a number-based approach, though domains will
> still need that initial report, whereas a numbered list would
> catch the whole server IP address.
> 
> Of course a downside of using numbers is that they can false
> positive any legitimate domains that happen to be hosted on the
> same IP address as a spam site. That could be disastrous for a
> large web hosting company that had one bad apple. That's
> another major reason why we went with names and not numbers.
> Numbers can be overly broad, whereas names are highly specific
> to the advertised site. To us names are a finer tool: if 30% of
> the domains on a given IP address are used by spammers, we
> could list all of them and not affect the 70% non-spam domains
> that unfortunately happen to share the same IP address. That
> specificity is a strong benefit of using domain names.

I'd rather work on this than spending time defending the current
practices, which are already collectively pretty well thought out.

* spam trap data is already indirectly used in SURBLs.

Jeff C.


Re: Start an IP list to block?

Posted by Bill Landry <bi...@pointshare.com>.
----- Original Message ----- 
From: "Jeff Chan" <je...@surbl.org>

> Would you care to share some of your strategies, perhaps off
> list?

Share his strategies, yes, but also check out his product.  MessageSniffer,
it's a truly awesome spam-filtering product and runs very efficiently on
Linux/BSD platforms and plugs in nicely to SA (not as a standard 3.0
plug-in, but SA can track the Sniffer response codes and apply weights
accordingly).

They offer a "free" version of their basic pattern matching database (which
itself is quite effective), but even the subscription version (which I use)
is fairly inexpensive.  I highly recommend it as a very good addition to
anyone's spam-fighting arsenal.  See
(http://www.sortmonster.com/MessageSniffer/) for more info.

Bill


Re: Start an IP list to block?

Posted by Jeff Chan <je...@surbl.org>.
On Thursday, September 9, 2004, 5:34:05 PM, Jeff Chan wrote:
> My first pass at cleaning the resolved IP data would be to take
> the top 70th percentile of IP addresses and only use those to
> check domain resolved IPs to.  It's not perfect, but it should
> cut down on the uncertainty.

I should add that this mostly applies to data where we have a
constant feed of actual spam reports such as from SpamCop.  It
does not apply as strongly to data sources where we only have a
unitary list of domains, for example where each domain appears
once over the whole list.  Though even there, it applies weakly,
for example a dozen domains that all resolve to the same network
probably could be used to bias future domains appearing in the
same network towards list inclusion.

But when you have a stream of reports about the *same domain*,
then you can get better statistics about that domain or its
resolved IP.  There is simply more data to work with in more
meaningful ways.

Jeff C.


Re: Start an IP list to block?

Posted by Jeff Chan <je...@surbl.org>.
On Thursday, September 9, 2004, 4:22:18 PM, Pete McNeil wrote:
> On Thursday, September 9, 2004, 6:22:39 PM, Scott wrote:

SAC>> How does this sound? Combine spamtraps with SURBL, using the IP as a
SAC>> hint to fully automatically add on the new domain. If a spamtrap email
SAC>> includes a URL that resolves to a server that has the same IP as
SAC>> another server already on the SURBL blacklist, automatically and
SAC>> immediately add the new domain to SURBL. One could also use shared DNS
SAC>> servers as a similar hint. If a new domain in a spamtrap shares a DNS
SAC>> server with an already listed domain, add it to SURBL automatically.

> I saw this passing by. Please don't do this. We are using SURBL as a
> research tool and we see too many false positives for this approach.
> Any time an FP domain is targeting a virtual web server you will run
> the risk of expanding that problem to reference all other web sites on
> that server. Don't get me wrong, it's a good idea (we use a
> similar mechanism internally to recurse through our domain lists)
> however we have discovered that the data must be _extremely clean_
> before allowing ip reference domain recursion.

My first pass at cleaning the resolved IP data would be to take
the top 70th percentile of IP addresses and only use those to
check domain resolved IPs to.  It's not perfect, but it should
cut down on the uncertainty.

SAC>> We should be a bit more careful than this --- require that a new URL
SAC>> has to resolve to the same IP address as, say, at least 3 other SURBL
SAC>> entries before being automatically added on. Also, there should also
SAC>> be a list of IP's for which this automatic logic won't be
SAC>> triggered. This would be important for a poorly run but popular
SAC>> virtual server that's slow at kicking off spamvertized sites.

> You've hit upon another hazard. Requiring 3 other SURBL domains is a
> good step - a better one is to require a certain age for a record...
> That is, if the record has been in place for long enough that a FP
> report would have easily knocked it out then you will probably be
> safe. The FPs that I'm catching in SURBL are usually reported very
> quickly - they don't go long without being noticed. If you wait 10
> days or so you will be about 75% safe (off the top of my head).

Age cuts both ways.  If we wait 10 days, the utility of the
domain for some spammers may have gone away.  I have statistics
that show spammers use domains for less than 3 days on average.

> I'm still tuning our AI so I can only tell you that you are on the
> right track and that you will want to watch the rates at which things
> are added and the FP rates and character - then tweak the rules you
> use to keep this process clean. When I started using this approach I
> thought I had an idea what would work - and I was more wrong than
> right until about the 3rd round of adjustments.

Would you care to share some of your strategies, perhaps off
list?

Jeff C.


Re[2]: Start an IP list to block?

Posted by Pete McNeil <ma...@microneil.com>.
On Thursday, September 9, 2004, 6:22:39 PM, Scott wrote:

SAC> On Thu, 9 Sep 2004 16:56:33 -0400, Chris Santerre
SAC> <cs...@MerchantsOverseas.com> writes:

>> OK, this isn't the first time we've had this discussion, but Raymond
>> and I felt this should be made public again. He ran through some tests
>> of 1500+ domains and found the following data. Looks like they may be
>> sending from zombies, and never their hosts. IPs are similar across the
>> board.
>>
>> So is there a way to use the IP info in a good way? Could SA or
>> SURBL do a quick ping of the URL and match against a URL? This would
>> allow us to simply list 1 IP instead of all these domains.
>>
>> (I'm well aware of virtual hosts! So only the filthiest of spammers
>> would be put on this IP list. Then their IP better boot them or
>> anyone hosted on that box would feel the wrath of SURBL.)

SAC> How does this sound? Combine spamtraps with SURBL, using the IP as a
SAC> hint to fully automatically add on the new domain. If a spamtrap email
SAC> includes a URL that resolves to a server that has the same IP as
SAC> another server already on the SURBL blacklist, automatically and
SAC> immediately add the new domain to SURBL. One could also use shared DNS
SAC> servers as a similar hint. If a new domain in a spamtrap shares a DNS
SAC> server with an already listed domain, add it to SURBL automatically.

I saw this passing by. Please don't do this. We are using SURBL as a
research tool and we see too many false positives for this approach.
Any time an FP domain is targeting a virtual web server you will run
the risk of expanding that problem to reference all other web sites on
that server. Don't get me wrong, it's a good idea (we use a
similar mechanism internally to recurse through our domain lists)
however we have discovered that the data must be _extremely clean_
before allowing ip reference domain recursion.

SAC> We should be a bit more careful than this --- require that a new URL
SAC> has to resolve to the same IP address as, say, at least 3 other SURBL
SAC> entries before being automatically added on. Also, there should also
SAC> be a list of IP's for which this automatic logic won't be
SAC> triggered. This would be important for a poorly run but popular
SAC> virtual server that's slow at kicking off spamvertized sites.

You've hit upon another hazard. Requiring 3 other SURBL domains is a
good step - a better one is to require a certain age for a record...
That is, if the record has been in place for long enough that a FP
report would have easily knocked it out then you will probably be
safe. The FPs that I'm catching in SURBL are usually reported very
quickly - they don't go long without being noticed. If you wait 10
days or so you will be about 75% safe (off the top of my head).

I'm still tuning our AI so I can only tell you that you are on the
right track and that you will want to watch the rates at which things
are added and the FP rates and character - then tweak the rules you
use to keep this process clean. When I started using this approach I
thought I had an idea what would work - and I was more wrong than
right until about the 3rd round of adjustments.

My $0.02
_M

Pete McNeil (Madscientist)
President, MicroNeil Research Corporation
Chief SortMonster (www.sortmonster.com)




Re: Start an IP list to block?

Posted by Scott A Crosby <sc...@cs.rice.edu>.
On Thu, 9 Sep 2004 16:56:33 -0400, Chris Santerre <cs...@MerchantsOverseas.com> writes:

> OK, this isn't the first time we've had this discussion, but Raymond
> and I felt this should be made public again. He ran thru some tests
> of 1500+ domains and found the following data. Looks like they maybe
> send from zombies, and never their hosts. IPs are similar across the
> board.
>
> So is there a way to use the IP info in a good way? Could SA or
> SURBL do a quick ping of the URL and match against a URL? This would
> allow us to simply list 1 IP instead of all these domains.
>
> (I'm well aware of virtual hosts! So only the filthiest of spammers
> would be put on this IP list. Then their IP better boot them or
> anyone hosted on that box would feel the wrath of SURBL.)

How does this sound? Combine spamtraps with SURBL, using the IP as a
hint to fully automatically add on the new domain. If a spamtrap email
includes a URL that resolves to a server that has the same IP as
another server already on the SURBL blacklist, automatically and
immediately add the new domain to SURBL. One could also use shared DNS
servers as a similar hint. If a new domain in a spamtrap shares a DNS
server with an already listed domain, add it to SURBL automatically.

We should be a bit more careful than this --- require that a new URL
has to resolve to the same IP address as, say, at least 3 other SURBL
entries before being automatically added on. Also, there should also
be a list of IP's for which this automatic logic won't be
triggered. This would be important for a poorly run but popular
virtual server that's slow at kicking off spamvertized sites.

This way you can catch spammers who create new domains on an existing
IP address automatically and close to instantaneously. There's also
little to no chance of accidentally blacklisting a popular virtual
server. Spammers can't get any completely innocent domain or IP onto
SURBL automatically. It must have at least some prior listings.

Scott
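The auto-listing rule Scott describes above, combined with Pete McNeil's record-age requirement and Dan Mahoney's point about checking every A record from elsewhere in this thread, as an added example that is not SURBL's code or any poster's: it assumes a constructed DNS table and a constructed SURBL snapshot with listing dates, and takes the 3-entry and 10-day thresholds from the messages.

```python
"""Added example, not code from SURBL or from anyone in this thread: the
auto-listing rule Scott proposes (>= 3 mature entries on the same IP, plus an
IP exclusion list), Pete McNeil's record-age requirement and Dan Mahoney's
caveat that every A record must be checked. Names, IPs and dates are constructed."""

from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed stand-in for forward DNS that returns *all* A records.
# A real implementation would query DNS, ideally more than once and from
# more than one resolver, to catch round-robin or split answers.
FAKE_DNS = {
    "pill-one.example": ["203.0.113.10"],
    "pill-two.example": ["203.0.113.10"],
    "pill-three.example": ["203.0.113.10", "203.0.113.11"],
    "fresh.example": ["198.51.100.5"],      # listed only 2 days ago
    "old-a.example": ["198.51.100.5"],
    "old-b.example": ["198.51.100.5"],
    "newspam.example": ["203.0.113.10"],    # new spamtrap hit
    "newpill.example": ["198.51.100.5"],    # new spamtrap hit
    "roundrobin.example": ["203.0.113.10", "203.0.113.11"],
    "innocent.example": ["192.0.2.77"],     # lives on a popular shared host
}


@dataclass
class Listing:
    domain: str
    listed_on: date


@dataclass
class AutoListPolicy:
    min_shared_entries: int = 3                       # Scott: at least 3 others
    min_record_age: timedelta = timedelta(days=10)    # Pete: ~10 days to outlive FP reports
    excluded_ips: set = field(default_factory=set)    # Scott: never auto-list on these


def resolve_all(domain, dns=FAKE_DNS):
    """Every A record for a domain; Dan: check them all, not just the first."""
    return set(dns.get(domain, []))


def mature_ips(listings, policy, today, dns=FAKE_DNS):
    """Map IP -> listed domains whose record is old enough to be trusted."""
    by_ip = {}
    for entry in listings:
        if today - entry.listed_on < policy.min_record_age:
            continue  # too young: an FP report may still knock it out
        for ip in resolve_all(entry.domain, dns):
            by_ip.setdefault(ip, set()).add(entry.domain)
    return by_ip


def should_auto_list(candidate, listings, policy, today, dns=FAKE_DNS):
    """Return (decision, reason) for a domain seen in a spamtrap."""
    if any(candidate == entry.domain for entry in listings):
        return False, "already listed"
    ips = resolve_all(candidate, dns)
    if not ips:
        return False, "does not resolve"
    trusted = mature_ips(listings, policy, today, dns)
    # Every A record must independently justify the listing: one clean or
    # excluded IP (e.g. a round-robin member on shared hosting) vetoes it.
    for ip in sorted(ips):
        if ip in policy.excluded_ips:
            return False, f"{ip} is on the exclusion list"
        peers = trusted.get(ip, set()) - {candidate}
        if len(peers) < policy.min_shared_entries:
            return False, f"{ip} shares only {len(peers)} mature listing(s)"
    return True, f"all {len(ips)} A record(s) sit beside >= {policy.min_shared_entries} mature listings"


def demo(today=date(2004, 9, 9)):
    """Run the rule over constructed listings; returns {candidate: (decision, reason)}."""
    def days_ago(n):
        return today - timedelta(days=n)
    listings = [
        Listing("pill-one.example", days_ago(30)),
        Listing("pill-two.example", days_ago(30)),
        Listing("pill-three.example", days_ago(30)),
        Listing("fresh.example", days_ago(2)),
        Listing("old-a.example", days_ago(40)),
        Listing("old-b.example", days_ago(40)),
    ]
    policy = AutoListPolicy(excluded_ips={"192.0.2.77"})
    results = {}
    for cand in ("newspam.example", "newpill.example", "roundrobin.example",
                 "innocent.example", "pill-one.example", "gone.example"):
        results[cand] = should_auto_list(cand, listings, policy, today)
    return results


if __name__ == "__main__":
    for cand, (ok, why) in demo().items():
        print(f"{'LIST' if ok else 'skip':4} {cand}: {why}")
```

Only newspam.example is auto-listed: newpill.example sits beside two mature entries and one that is too fresh, and roundrobin.example is vetoed by its second A record.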

Re: [SURBL-Discuss] Start an IP list to block?

Posted by Jeff Chan <je...@surbl.org>.
On Thursday, September 9, 2004, 2:49:39 PM, System Dan Mahoney wrote:
> On Thu, 9 Sep 2004, Jeff Chan wrote:

>> On Thursday, September 9, 2004, 2:28:07 PM, Ryan Thompson wrote:
>>> However, for all we know *so far*, 219.254.32.111 could be a HA cluster
>>> of a few dozen machines, and, while there may be 200 pill spammers on
>>> that cluster, there may be 20,000 other legit sites.
>>
>>> With our current data, we can't make either determination. But, using
>>> forward zone data, we can do forward lookups, and track them in a database.
>>> Then, do forward lookups on SURBL data to get the IPs of spammers, and
>>> (algorithmically!) find correlations.
>>
>>> The programming effort to implement this would not be trivial, not to
>>> mention processing power and bandwidth, to do the initial run. The
>>> datasets (.com!) are huge. After that, we just have to periodically
>>> sample for new, removed, and changed domains, at which point the
>>> processing will be reduced.
>>
>> .com is so large and rapidly changing as to be practically
>> unknowable.  That's what I mean by "can't".
>>
>> By the time you have all of .com fully cataloged, it will have
>> changed significantly.
>>
>> Really the only ones who could collectively determine how spammy
>> a particular virtual host IP is are the domain registrars working
>> together and pooling all their registration data then resolving
>> every hostname and building a database of all the resolved IPs
>> mapped back into all of their domain names.

> That's not how DNS works.

> -Dan

Exactly my point.  It is not reverse DNS.

It would be a separate, extremely large database of all DNS
information and all registration information.  That would be the
only way to know all the domains that use a given IP address,
unless the hosting providers would give us all the information
about their virtual hosting accounts, which seems unlikely.

Jeff C.


Re: [SURBL-Discuss] Start an IP list to block?

Posted by "Dan Mahoney, System Admin" <da...@prime.gushi.org>.
On Thu, 9 Sep 2004, Jeff Chan wrote:

> On Thursday, September 9, 2004, 2:28:07 PM, Ryan Thompson wrote:
>> However, for all we know *so far*, 219.254.32.111 could be a HA cluster
>> of a few dozen machines, and, while there may be 200 pill spammers on
>> that cluster, there may be 20,000 other legit sites.
>
>> With our current data, we can't make either determination. But, using
>> forward zone data, we can do forward lookups, and track them in a database.
>> Then, do forward lookups on SURBL data to get the IPs of spammers, and
>> (algorithmically!) find correlations.
>
>> The programming effort to implement this would not be trivial, not to
>> mention processing power and bandwidth, to do the initial run. The
>> datasets (.com!) are huge. After that, we just have to periodically
>> sample for new, removed, and changed domains, at which point the
>> processing will be reduced.
>
> .com is so large and rapidly changing as to be practically
> unknowable.  That's what I mean by "can't".
>
> By the time you have all of .com fully cataloged, it will have
> changed significantly.
>
> Really the only ones who could collectively determine how spammy
> a particular virtual host IP is are the domain registrars working
> together and pooling all their registration data then resolving
> every hostname and building a database of all the resolved IPs
> mapped back into all of their domain names.

That's not how DNS works.

-Dan

>
> If you can't see all the good guy domains on a virtual hosting
> IP, then you can't see who else you would block.
>
> Jeff C.
>

--

"There were some sensible, rational, and intelligent things to say.  It's
just that it was the last thing I expected to hear from the damn
kangaroo."

-Saravit, December 27, 1997

--------Dan Mahoney--------
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---------------------------


Re: [SURBL-Discuss] Start an IP list to block?

Posted by Kai Schaetzl <ma...@conactive.com>.
Ryan Thompson wrote on Thu, 9 Sep 2004 15:56:19 -0600 (CST):

> IIRC, .com is up to about 25M domains, and it's way, way higher than the
> other gTLDs (and light years beyond ccTLDs).

It's not really light years. You will have to add at least the same amount 
for all other TLDs. And how do you want to get all of these data? Not all 
TLDs are available for zone transfers.

> As I mentioned, the base problem has already been solved by whois.sc,

And they also show the "base problem": they only list a fraction of what 
is really on that IP. I checked it with some of ours.

> Oh, and, we can *also* use this data to safely determine domain age for
> newly registered domains. Since the most spammy domains are less than a
> week old, we'll start to have useful information for *that* within about
> a week. :-)

You can get this information at the time you need it, anyway. You don't 
need to mine the rootservers for that.

> That's *exactly* what I'm suggesting, and the registrars already pool
> their data. They're called TLD zone files, and (almost) anyone can
> download them.

No, you have to pay for them.

> We *can*, Jeff. We can. That was the whole point of my message.

I think it's a massive effort and doesn't have much to do with spam 
fighting. You only want to use it in the end for spam fighting. The 
cost:benefit ratio of it is probably quite bad.



Kai

-- 

Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org




Re: [SURBL-Discuss] Start an IP list to block?

Posted by Ryan Thompson <ry...@sasknow.com>.
Jeff Chan wrote to SURBL Discussion list and Spamassassin-Talk (E-mail):

> .com is so large and rapidly changing as to be practically
> unknowable.  That's what I mean by "can't".

IIRC, .com is up to about 25M domains, and it's way, way higher than the
other gTLDs (and light years beyond ccTLDs).

> By the time you have all of .com fully cataloged, it will have
> changed significantly.

25M queries isn't that hard, and it can be trivially distributed to make
for a more responsive system. Even 250M isn't out of reach.

As I mentioned, the base problem has already been solved by whois.sc,
and probably others. We just need to adapt it to be useful in fighting
spam.

Oh, and, we can *also* use this data to safely determine domain age for
newly registered domains. Since the most spammy domains are less than a
week old, we'll start to have useful information for *that* within about
a week. :-)

> Really the only ones who could collectively determine how spammy a
> particular virtual host IP is are the domain registrars working
> together and pooling all their registration data then resolving every
> hostname and building a database of all the resolved IPs mapped back
> into all of their domain names.

That's *exactly* what I'm suggesting, and the registrars already pool
their data. They're called TLD zone files, and (almost) anyone can
download them.

> If you can't see all the good guy domains on a virtual hosting
> IP, then you can't see who else you would block.

We *can*, Jeff. We can. That was the whole point of my message.

- Ryan

-- 
   Ryan Thompson <ry...@sasknow.com>

   SaskNow Technologies - http://www.sasknow.com
   901-1st Avenue North - Saskatoon, SK - S7K 1Y4

         Tel: 306-664-3600   Fax: 306-244-7037   Saskatoon
   Toll-Free: 877-727-5669     (877-SASKNOW)     North America

Re: [SURBL-Discuss] Start an IP list to block?

Posted by Jeff Chan <je...@surbl.org>.
On Thursday, September 9, 2004, 2:28:07 PM, Ryan Thompson wrote:
> However, for all we know *so far*, 219.254.32.111 could be a HA cluster
> of a few dozen machines, and, while there may be 200 pill spammers on
> that cluster, there may be 20,000 other legit sites.

> With our current data, we can't make either determination. But, using
> forward zone data, we can do forward lookups, and track them in a database.
> Then, do forward lookups on SURBL data to get the IPs of spammers, and
> (algorithmically!) find correlations.

> The programming effort to implement this would not be trivial, not to
> mention processing power and bandwidth, to do the initial run. The
> datasets (.com!) are huge. After that, we just have to periodically
> sample for new, removed, and changed domains, at which point the
> processing will be reduced.

.com is so large and rapidly changing as to be practically
unknowable.  That's what I mean by "can't".

By the time you have all of .com fully cataloged, it will have
changed significantly.

Really the only ones who could collectively determine how spammy
a particular virtual host IP is are the domain registrars working
together and pooling all their registration data then resolving
every hostname and building a database of all the resolved IPs
mapped back into all of their domain names.

If you can't see all the good guy domains on a virtual hosting
IP, then you can't see who else you would block.

Jeff C.


Re: [SURBL-Discuss] Start an IP list to block?

Posted by Jeff Chan <je...@surbl.org>.
On Thursday, September 9, 2004, 3:11:44 PM, Jeff Chan wrote:
> On Thursday, September 9, 2004, 3:05:30 PM, Bill Landry wrote:
>> ----- Original Message ----- 
>> From: "Ryan Thompson" <ry...@sasknow.com>

>>> We need to find the correlation of IP addresses to hostnames. See
>>> http://whois.sc/ ; I can, with some help, duplicate what they're doing
>>> in a way that will help us fight spam.

>> Uh oh, whois.sc is listed in WS...  :-o

>> Bill

> Sigh...  WS folks care to explain?

> Jeff C.

BTW I'm not seeing it on SURBLs now....

Jeff C.


Re: [SURBL-Discuss] Start an IP list to block?

Posted by Jeff Chan <je...@surbl.org>.
On Thursday, September 9, 2004, 3:05:30 PM, Bill Landry wrote:
> ----- Original Message ----- 
> From: "Ryan Thompson" <ry...@sasknow.com>

>> We need to find the correlation of IP addresses to hostnames. See
>> http://whois.sc/ ; I can, with some help, duplicate what they're doing
>> in a way that will help us fight spam.

> Uh oh, whois.sc is listed in WS...  :-o

> Bill

Sigh...  WS folks care to explain?

Jeff C.


Re: [SURBL-Discuss] Start an IP list to block?

Posted by Bill Landry <bi...@pointshare.com>.
----- Original Message ----- 
From: "Ryan Thompson" <ry...@sasknow.com>

> We need to find the correlation of IP addresses to hostnames. See
> http://whois.sc/ ; I can, with some help, duplicate what they're doing
> in a way that will help us fight spam.

Uh oh, whois.sc is listed in WS...  :-o

Bill

Re: [SURBL-Discuss] Start an IP list to block?

Posted by Ryan Thompson <ry...@sasknow.com>.
Chris Santerre wrote to SURBL Discussion list (E-mail):

> OK, this isn't the first time we've had this discussion, but Raymond
> and I felt this should be made public again. He ran thru some tests of
> 1500+ domains and found the following data. Looks like they maybe send
> from zombies, and never their hosts. IPs are similar across the board.
>
> So is there a way to use the IP info in a good way? Could SA or SURBL
> do a quick ping of the URL and match against a URL? This would allow
> us to simply list 1 IP instead of all these domains.
>
> (I'm well aware of virtual hosts! So only the filthiest of spammers
> would be put on this IP list. Then their IP better boot them or anyone
> hosted on that box would feel the wrath of SURBL.)

I talked to Raymond about this, too... and, basically, here are my
big thoughts:

We need to find the correlation of IP addresses to hostnames. See
http://whois.sc/ ; I can, with some help, duplicate what they're doing
in a way that will help us fight spam.

Then, for 219.254.32.111, we could see that there are, say, 200 sites
hosted at that IP, and, after some hand checking, identify that all of
them belong to spammers.

However, for all we know *so far*, 219.254.32.111 could be a HA cluster
of a few dozen machines, and, while there may be 200 pill spammers on
that cluster, there may be 20,000 other legit sites.

With our current data, we can't make either determination. But, using
forward zone data, we can do forward lookups, and track them in a database.
Then, do forward lookups on SURBL data to get the IPs of spammers, and
(algorithmically!) find correlations.

The programming effort to implement this would not be trivial, not to
mention processing power and bandwidth, to do the initial run. The
datasets (.com!) are huge. After that, we just have to periodically
sample for new, removed, and changed domains, at which point the
processing will be reduced.

Still, there's no way I have time or money to do this alone, given my
current commitments. I *wish* I could spend my whole day fighting spam.
I'd need a fair amount of real help. It'd be good to make happen,
though, considering we could then *proactively* list domains (or IPs)
with a high degree of confidence and little or no collateral damage.
(Because we can *measure* collateral damage if we know which other
domains are hosted on a particular IP). And there would be many many
other statistical benefits we could gain.

- Ryan

-- 
   Ryan Thompson <ry...@sasknow.com>

   SaskNow Technologies - http://www.sasknow.com
   901-1st Avenue North - Saskatoon, SK - S7K 1Y4

         Tel: 306-664-3600   Fax: 306-244-7037   Saskatoon
   Toll-Free: 877-727-5669     (877-SASKNOW)     North America
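Ryan's collateral-damage measurement, as an added example that is not his code or SURBL's: given forward-lookup results for a whole zone and the set of SURBL-listed domains, it reports per IP how many listed and unlisted domains an IP-based block would hit. The zone and the listing snapshot are constructed, and the "at least 5 listed, zero collateral" rule in safe_to_list is an assumed threshold.

```python
"""Added example, not code from SURBL or from Ryan: measure, from forward
zone data, what an IP listing would take down with it. All data constructed."""

from collections import defaultdict


def build_zone():
    """Constructed forward-lookup results: domain -> A records."""
    zone = {}
    # 203.0.113.10: 200 pill domains and nothing else (the situation Chris
    # and Raymond describe for their sample)
    for i in range(200):
        zone[f"pill{i}.example"] = ["203.0.113.10"]
    # 198.51.100.5: a big shared host, 200 pill domains plus 2000 legit
    # sites (Ryan's "HA cluster" scenario)
    for i in range(200):
        zone[f"rx{i}.example"] = ["198.51.100.5"]
    for i in range(2000):
        zone[f"site{i}.example"] = ["198.51.100.5"]
    # 192.0.2.9: only two listed domains, too few to trust on their own
    zone["rx-small0.example"] = ["192.0.2.9"]
    zone["rx-small1.example"] = ["192.0.2.9"]
    return zone


def listed_domains(zone):
    """Constructed SURBL snapshot: every pill*/rx* domain is listed."""
    return {d for d in zone if d.startswith(("pill", "rx"))}


def collateral_report(zone, listed):
    """Per IP: hosted count, listed count, listed fraction, and the unlisted
    domains that an IP-based block would take down with it."""
    hosted = defaultdict(set)
    for domain, ips in zone.items():
        for ip in ips:
            hosted[ip].add(domain)
    report = {}
    for ip, domains in hosted.items():
        bad = domains & listed
        good = domains - listed
        report[ip] = {
            "hosted": len(domains),
            "listed": len(bad),
            "fraction": len(bad) / len(domains),
            "collateral": sorted(good),
        }
    return report


def safe_to_list(report, min_listed=5, max_collateral=0):
    """IPs whose hosted domains are (nearly) all listed already; the
    thresholds are assumed, not SURBL policy."""
    return sorted(ip for ip, r in report.items()
                  if r["listed"] >= min_listed
                  and len(r["collateral"]) <= max_collateral)


if __name__ == "__main__":
    zone = build_zone()
    rep = collateral_report(zone, listed_domains(zone))
    for ip, r in sorted(rep.items()):
        print(f"{ip:15} hosted={r['hosted']:5} listed={r['listed']:4} "
              f"fraction={r['fraction']:.3f} collateral={len(r['collateral'])}")
    print("safe to list:", safe_to_list(rep))
```

The shared host shows 200 listed domains but a 9% listed fraction and 2000 collateral sites, which is exactly the case the zone data lets you see and a bare IP count does not.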

Re: Start an IP list to block?

Posted by Raymond Dijkxhoorn <ra...@prolocation.net>.
Hi!

> Chris, Raymond ,
>
> I went thru a random few of these and they were listed at Spamhaus.
> Using spamhaus at SMTP level or SA doing RBL lookups would have caught and 
> stopped them... Spamcop probably has quite a few of them listed as well

No, that won't work. The spams are sent in via trojans/proxies; only the 
websites are static. SOME are blocked with DSBL and so on, but most of the 
time they start a spam run with a fresh set, it seems.

So yes, they are inside Spamhaus, but only the websites; I didn't see mails 
sent out from there (yet).

Bye,
Raymond.

Re: Start an IP list to block?

Posted by Jeff Chan <je...@surbl.org>.
On Thursday, September 9, 2004, 2:14:29 PM, Jeff Chan wrote:
> On Thursday, September 9, 2004, 2:05:28 PM, Alex Broens wrote:
>> Chris Santerre wrote:

>>> So is there a way to use the IP info in a good way? Could SA or SURBL do a
>>> quick ping of the URL and match against a URL? This would allow us to simply
>>> list 1 IP instead of all these domains.
>>> 
>>> (I'm well aware of virtual hosts! So only the filthiest of spammers would be
>>> put on this IP list. Then their IP better boot them or anyone hosted on that
>>> box would feel the wrath of SURBL.)

>> I went thru a random few of these and they were listed at Spamhaus.
>> Using spamhaus at SMTP level or SA doing RBL lookups would have caught 
>> and stopped them...

> Yes, that is a good answer.  Use Spamhaus RBLs...  :-)

I should clarify that I mean: use the Spamhaus data with programs
that resolve the URI domains into IP addresses, or check their
name server IPs, then check those IP address against Spamhaus.

uridnsbl in SpamAssassin 3.0 does the nameserver check against
SBL.  Don't know if there are programs that check the web site
IPs against SBL, but probably there are.   Does uridnsbl *only*
check name servers?

  http://spamassassin.apache.org/full/3.0.x/dist/lib/Mail/SpamAssassin/Plugin/URIDNSBL.pm

Jeff C.


Re: Start an IP list to block?

Posted by Jeff Chan <je...@surbl.org>.
On Thursday, September 9, 2004, 2:05:28 PM, Alex Broens wrote:
> Chris Santerre wrote:

>> OK, this isn't the first time we've had this discussion, but Raymond and I
>> felt this should be made public again. He ran thru some tests of 1500+
>> domains and found the following data. Looks like they maybe send from
>> zombies, and never their hosts. IPs are similar across the board. 
>> 
>> So is there a way to use the IP info in a good way? Could SA or SURBL do a
>> quick ping of the URL and match against a URL? This would allow us to simply
>> list 1 IP instead of all these domains.
>> 
>> (I'm well aware of virtual hosts! So only the filthiest of spammers would be
>> put on this IP list. Then their IP better boot them or anyone hosted on that
>> box would feel the wrath of SURBL.)
>> 
>> --Chris

> Chris, Raymond ,

> I went thru a random few of these and they were listed at Spamhaus.
> Using spamhaus at SMTP level or SA doing RBL lookups would have caught 
> and stopped them...

Yes, that is a good answer.  Use Spamhaus RBLs...  :-)

Jeff C.

> Spamcop probably has quite a few of them listed as well

> ideas?

> Alex


Re: Start an IP list to block?

Posted by Alex Broens <sa...@alexb.ch>.
Chris Santerre wrote:

> OK, this isn't the first time we've had this discussion, but Raymond and I
> felt this should be made public again. He ran thru some tests of 1500+
> domains and found the following data. Looks like they maybe send from
> zombies, and never their hosts. IPs are similar across the board. 
> 
> So is there a way to use the IP info in a good way? Could SA or SURBL do a
> quick ping of the URL and match against a URL? This would allow us to simply
> list 1 IP instead of all these domains.
> 
> (I'm well aware of virtual hosts! So only the filthiest of spammers would be
> put on this IP list. Then their IP better boot them or anyone hosted on that
> box would feel the wrath of SURBL.)
> 
> --Chris

Chris, Raymond ,

I went thru a random few of these and they were listed at Spamhaus.
Using spamhaus at SMTP level or SA doing RBL lookups would have caught 
and stopped them...
Spamcop probably has quite a few of them listed as well

ideas?

Alex


Re: Start an IP list to block?

Posted by Raymond Dijkxhoorn <ra...@prolocation.net>.
Hi!

>> Did you actually have a look at the data provided at the start of this 
>> thread? Sure, it COULD be different, but somehow, it isn't.

> Yes, I did.  But I'm trying to think ahead of current practice, by what's 
> considered a GOOD practice to keep a site up, and what's bad.  I'm not saying 
> they're all doing it now, but I've *seen* them have another server ready to 
> go when I yank ether (invariably, they migrate the ip by hand, to prevent 
> everything being yanked at once).

But are you surprised if I tell you that the 4 or 5 sites (IPs) I listed 
are responsible for 28% of our incoming spam volume, on a pretty large 
site. That's around 400.000 spams from those guys alone. If we can get them 
out, anyhow, that's a big win. Those crap domains are really everywhere, so 
I can't imagine anyone is not seeing those on spamchecks... :)

Bye,
Raymond.

Re: Start an IP list to block?

Posted by "Dan Mahoney, System Admin" <da...@prime.gushi.org>.
On Thu, 9 Sep 2004, Raymond Dijkxhoorn wrote:

> Hi!
>
>> 1) Spammers can set up multiple ip addresses to an A record.  Whatever 
>> does the reporting should check all A records, from the top down.  i.e. 
>> query each NS multiple times to make sure it's not being round-robined or 
>> reported differently from multiple DNS servers.
>> 
>> 2) I can easily foresee spammers doing a wildcard subdomain as an effort to 
>> thwart this, if we're doing nslookups.
>> 
>> 3) It's a common case that spammers use disposable landing sites, such as 
>> the forwarding services offered by tinyurl, zoneedit, and the like, or 
>> will put an HTTP redirect on a hotmail or geocities page.  Should those be 
>> exempt from this, since they have a fair number of legitimate domains as 
>> well?
>
> Did you actually have a look at the data provided at the start of this thread? 
> Sure, it COULD be different, but somehow, it isn't.

Yes, I did.  But I'm trying to think ahead of current practice, by what's 
considered a GOOD practice to keep a site up, and what's bad.  I'm not 
saying they're all doing it now, but I've *seen* them have another server 
ready to go when I yank ether (invariably, they migrate the ip by hand, to 
prevent everything being yanked at once).

-Dan

>
> That's why we posted the data in the first place, a lot of spam is boosted 
> inside via the exact same way. We can ignore that, and say they will 
> mitigate, but if we never react they will never mitigate either.
>
> Bye,
> Raymond.
>

--

"Man, this is such a trip"

-Dan Mahoney, October 25, 1997

--------Dan Mahoney--------
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---------------------------


Re: Start an IP list to block?

Posted by Raymond Dijkxhoorn <ra...@prolocation.net>.
Hi!

> 1) Spammers can set up multiple ip addresses to an A record.  Whatever does 
> the reporting should check all A records, from the top down.  i.e. query each 
> NS multiple times to make sure it's not being round-robined or reported 
> differently from multiple DNS servers.
>
> 2) I can easily foresee spammers doing a wildcard subdomain as an effort to 
> thwart this, if we're doing nslookups.
>
> 3) It's a common case that spammers use disposable landing sites, such as the 
> forwarding services offered by tinyurl, zoneedit, and the like, or will put 
> an HTTP redirect on a hotmail or geocities page.  Should those be exempt from 
> this, since they have a fair number of legitimate domains as well?

Did you actually have a look at the data provided at the start of this 
thread? Sure, it COULD be different, but somehow, it isn't.

That's why we posted the data in the first place, a lot of spam is boosted 
inside via the exact same way. We can ignore that, and say they will 
mitigate, but if we never react they will never mitigate either.

Bye,
Raymond.

Re: Start an IP list to block?

Posted by Jeff Chan <je...@surbl.org>.
On Thursday, September 9, 2004, 2:48:51 PM, System Dan Mahoney wrote:
> On Thu, 9 Sep 2004, Matt Kettler wrote:

> If it's blacklisting based on resolved ip, it should probably be noted 
> that there are a couple of caveats:

> 1) Spammers can set up multiple ip addresses to an A record.  Whatever 
> does the reporting should check all A records, from the top down.  i.e. 
> query each NS multiple times to make sure it's not being round-robined or 
> reported differently from multiple DNS servers.

Good point.

> 2) I can easily foresee spammers doing a wildcard subdomain as an effort to 
> thwart this, if we're doing nslookups.

Code using SURBLs attempts to reduce domains to the base (registrar)
domains before comparing to SURBLs.  In other words we ignore the
subdomains, host portion, etc.

  http://www.surbl.org/faq.html#random

> 3) It's a common case that spammers use disposable landing sites, such as 
> the forwarding services offered by tinyurl, zoneedit, and the like, or 
> will put an HTTP redirect on a hotmail or geocities page.  Should those be 
> exempt from this, since they have a fair number of legitimate domains as 
> well?

Please see:

  http://www.surbl.org/faq.html#redirect

and the rest of the FAQ.  :-)

Jeff C.


Re: Start an IP list to block?

Posted by "Dan Mahoney, System Admin" <da...@prime.gushi.org>.
On Thu, 9 Sep 2004, Matt Kettler wrote:

If it's blacklisting based on resolved ip, it should probably be noted 
that there are a couple of caveats:

1) Spammers can set up multiple ip addresses to an A record.  Whatever 
does the reporting should check all A records, from the top down.  i.e. 
query each NS multiple times to make sure it's not being round-robined or 
reported differently from multiple DNS servers.

2) I can easily foresee spammers doing a wildcard subdomain as an effort to 
thwart this, if we're doing nslookups.

3) It's a common case that spammers use disposable landing sites, such as 
the forwarding services offered by tinyurl, zoneedit, and the like, or 
will put an HTTP redirect on a hotmail or geocities page.  Should those be 
exempt from this, since they have a fair number of legitimate domains as 
well?

-Dan


> At 04:56 PM 9/9/2004, Chris Santerre wrote:
>> So is there a way to use the IP info in a good way? Could SA or SURBL do a
>> quick ping of the URL and match against a URL? This would allow us to 
>> simply
>> list 1 IP instead of all these domains.
>
> Chris, SA 3.0 appears to already support checking DNS blacklisting of URLs 
> based on resolved IP. (as well as surbl-style based on domain name). So 
> theoretically, SURBL could open up a separate list based on IP's (i.e.: 
> multi.dnsbl.surbl.org)
>
>
> Take a look at the example where it checks the resolved IP of a URL against 
> the SBL (an IP based list):
>
>        uridnsbl        URIBL_SBL       sbl.spamhaus.org.       TXT
>        header          URIBL_SBL       eval:check_uridnsbl('URIBL_SBL')
>        describe        URIBL_SBL       Contains a URL listed in the SBL blocklist
>        tflags          URIBL_SBL       net
>
>
> and from URIDNSBL.pm:
>
>        This works by analysing message text and HTML for URLs, extracting the
>        domain names from those, querying their NS records in DNS, resolving
>        the hostnames used therein, and querying various DNS blocklists for
>        those IP addresses.  This is quite effective.
>
>        SYNOPSIS
>
>        loadplugin    Mail::SpamAssassin::Plugin::URIDNSBL
>        uridnsbl      URIBL_SBLXBL    sbl-xbl.spamhaus.org.   TXT
>
>

--

"I hate Windows"

-Tigerwolf, Anthrocon 2004

--------Dan Mahoney--------
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---------------------------


Re: Start an IP list to block?

Posted by Matt Kettler <mk...@evi-inc.com>.
At 04:56 PM 9/9/2004, Chris Santerre wrote:
>So is there a way to use the IP info in a good way? Could SA or SURBL do a
>quick ping of the URL and match against a URL? This would allow us to simply
>list 1 IP instead of all these domains.

Chris, SA 3.0 appears to already support checking DNS blacklisting of URLs 
based on resolved IP. (as well as surbl-style based on domain name). So 
theoretically, SURBL could open up a separate list based on IP's (i.e.: 
multi.dnsbl.surbl.org)


Take a look at the example where it checks the resolved IP of a URL against 
the SBL (an IP based list):

         uridnsbl        URIBL_SBL       sbl.spamhaus.org.       TXT
         header          URIBL_SBL       eval:check_uridnsbl('URIBL_SBL')
         describe        URIBL_SBL       Contains a URL listed in the SBL blocklist
         tflags          URIBL_SBL       net


and from URIDNSBL.pm:

         This works by analysing message text and HTML for URLs, extracting the
         domain names from those, querying their NS records in DNS, resolving
         the hostnames used therein, and querying various DNS blocklists for
         those IP addresses.  This is quite effective.

         SYNOPSIS

         loadplugin    Mail::SpamAssassin::Plugin::URIDNSBL
         uridnsbl      URIBL_SBLXBL    sbl-xbl.spamhaus.org.   TXT



Re: Start an IP list to block?

Posted by Ryan Thompson <ry...@sasknow.com>.
Jeff Chan wrote to Ryan Thompson:

> On Thursday, September 9, 2004, 2:34:00 PM, Ryan Thompson wrote:
>> "Can't" is a curse word to a scientist. "Can't *yet*", on the other
>> hand, is usually a good motivator!
>>
>> - Ryan
>
> A good scientist has at least a working understanding of the
> theoretical limits of knowledge.

Hahaha!

Ye cracketh me up, Jeff. If you ever find yourself in Saskatchewan, 
you can drink my beer and we can talk scientific philosophy. :-)

Now, I'm going to get back on topic before somebody starts shooting.

- Ryan

-- 
   Ryan Thompson <ry...@sasknow.com>

   SaskNow Technologies - http://www.sasknow.com
   901-1st Avenue North - Saskatoon, SK - S7K 1Y4

         Tel: 306-664-3600   Fax: 306-244-7037   Saskatoon
   Toll-Free: 877-727-5669     (877-SASKNOW)     North America

Re: Start an IP list to block?

Posted by Jeff Chan <je...@surbl.org>.
On Thursday, September 9, 2004, 2:34:00 PM, Ryan Thompson wrote:
> "Can't" is a curse word to a scientist. "Can't *yet*", on the other
> hand, is usually a good motivator!

> - Ryan

A good scientist has at least a working understanding of the
theoretical limits of knowledge.

Jeff C.


Re: Start an IP list to block?

Posted by Ryan Thompson <ry...@sasknow.com>.
Jeff Chan wrote to Chris Santerre:

> It is a question about the limits of knowledge.  In our universe we
> can't see the potential collateral damage from listing a shared host,
> so we should not do it.  From our point of view it's not knowable.
> Sure the hosting company knows whether that's the case, but we can't.

Ahh... but we *can*! See my follow-up.

> I'd encourage people with questions like this to read up or take some
> classes on epistemology or the theory of knowledge.  Or just
> contemplate the possibilities harder...  ;-)

Umm, or just help me with zone data. :-)

"Can't" is a curse word to a scientist. "Can't *yet*", on the other
hand, is usually a good motivator!

- Ryan

-- 
   Ryan Thompson <ry...@sasknow.com>

   SaskNow Technologies - http://www.sasknow.com
   901-1st Avenue North - Saskatoon, SK - S7K 1Y4

         Tel: 306-664-3600   Fax: 306-244-7037   Saskatoon
   Toll-Free: 877-727-5669     (877-SASKNOW)     North America

Re: Start an IP list to block?

Posted by Jeff Chan <je...@surbl.org>.
On Thursday, September 9, 2004, 1:56:33 PM, Chris Santerre wrote:
> OK, this isn't the first time we've had this discussion, but Raymond and I
> felt this should be made public again. He ran thru some tests of 1500+
> domains and found the following data. Looks like they maybe send from
> zombies, and never their hosts. IPs are similar across the board. 

> So is there a way to use the IP info in a good way? Could SA or SURBL do a
> quick ping of the URL and match against a URL? This would allow us to simply
> list 1 IP instead of all these domains.

> (I'm well aware of virtual hosts! So only the filthiest of spammers would be
> put on this IP list. Then their IP better boot them or anyone hosted on that
> box would feel the wrath of SURBL.)

Yes, we've already discussed reasons why we're using only the
data actually found in spam URIs.  The potential for collateral
damage in looking at resolved IPs is too high.

It would be very easy for a large hosting provider to have 1
bad guy sharing a web server with 100 or 1000 non-spammers.
Given that we can't see those other 100 or 1000, it would be
very easy for us to add that 1 IP address and block the
other 100 or 1000 *without even knowing it*.

It is a question about the limits of knowledge.  In our
universe we can't see the potential collateral damage from
listing a shared host, so we should not do it.  From our
point of view it's not knowable.  Sure the hosting company
knows whether that's the case, but we can't.

I'd encourage people with questions like this to read up or
take some classes on epistemology or the theory of knowledge.
Or just contemplate the possibilities harder...  ;-)

Jeff C.


Re: [SURBL-Discuss] Re: Start an IP list to block?

Posted by Raymond Dijkxhoorn <ra...@prolocation.net>.
Hi!

> OK by auto include them I guess you were referring to domains,
> not IPs.  If so, that's what I'm proposing for the SC data.

Yes, we need to list the domains.

> Very good idea.  Ask Larry privately if you can feed SBL.

Let's see if he responds to my other mail first. He's rather busy lately I
noticed.

>>> I will be modifying the SC data engine, if I can ever free up some
>>> cycles, to look at the resolved IP addresses of incoming domains
>>> and list them much sooner (like immediately) if they resolve to
>>> commonly used IP addresses.
>
>> Sounds cool!

Bye
Raymond.

Re: [SURBL-Discuss] Re: Start an IP list to block?

Posted by Jeff Chan <je...@surbl.org>.
On Thursday, September 9, 2004, 2:36:25 PM, Raymond Dijkxhoorn wrote:
>> Please do not include broad IPs in SURBLs.  That goes against
>> the way we have designed them.  If I find this happening, I will
>> take action to stop them.  PLEASE DO NOT DO IT!!

> That was not my intention...

OK by auto include them I guess you were referring to domains,
not IPs.  If so, that's what I'm proposing for the SC data.

> If we can submit them for listing inside the SBL, fine, any submission
> method available there? ;)

Very good idea.  Ask Larry privately if you can feed SBL.

>> I will be modifying the SC data engine, if I can ever free up some
>> cycles, to look at the resolved IP addresses of incoming domains
>> and list them much sooner (like immediately) if they resolve to
>> commonly used IP addresses.

> Sounds cool!

> Bye,
> Raymond.

:-)

Jeff C.


Re: [SURBL-Discuss] Re: Start an IP list to block?

Posted by Raymond Dijkxhoorn <ra...@prolocation.net>.
Hi!

> Please do not include broad IPs in SURBLs.  That goes against
> the way we have designed them.  If I find this happening, I will
> take action to stop them.  PLEASE DO NOT DO IT!!

That was not my intention...

If we can submit them for listing inside the SBL, fine, any submission
method available there? ;)

> I will be modifying the SC data engine, if I can ever free up some
> cycles, to look at the resolved IP addresses of incoming domains
> and list them much sooner (like immediately) if they resolve to
> commonly used IP addresses.

Sounds cool!

Bye,
Raymond.


Re: [SURBL-Discuss] Re: Start an IP list to block?

Posted by Jeff Chan <je...@surbl.org>.
On Thursday, September 9, 2004, 2:00:25 PM, Raymond Dijkxhoorn wrote:
>> OK, this isn't the first time we've had this discussion, but Raymond and I
>> felt this should be made public again. He ran thru some tests of 1500+
>> domains and found the following data. Looks like they maybe send from
>> zombies, and never their hosts. IPs are similar across the board.

>>> 219.254.32.111
>>> 201.12.78.140
>>> 200.139.104.4
>>> 221.143.42.199
>>> 219.129.20.250

> I can let it run over a somehow bigger collection, but these are the ones
> that keep adding domains daily, and I am sick and tired of adding those
> daily over and over. They keep coming up with new domains.

> Bill also promised to have a look, so we can at least auto include them
> inside SURBL, but any other way would be cool either.

Please do not include broad IPs in SURBLs.  That goes against
the way we have designed them.  If I find this happening, I will
take action to stop them.  PLEASE DO NOT DO IT!!

I will be modifying the SC data engine, if I can ever free up some
cycles, to look at the resolved IP addresses of incoming domains
and list them much sooner (like immediately) if they resolve to
commonly used IP addresses.

Jeff C.

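The idea in Jeff's last paragraph (look at the resolved IP of each newly reported domain and fast-track the domain, never the IP, when it lands on an address already carrying many reported domains) and the collateral-damage caveat from his earlier reply can be sketched as a small triage script. This is an added example, not SURBL or SpamAssassin code, and the SC data engine is not on the page. It consumes the `host`-style "NAME has address A.B.C.D" lines quoted in the thread; the sample lines below are constructed (only 219.254.32.111 is taken from the thread), and the `shared_hosts` parameter stands in for whatever list of known shared web hosts an operator maintains.

```python
"""Group reported spam domains by resolved IP and fast-track new reports.

Added example, not SURBL/SpamAssassin code.  Input is "host" command output
("NAME has address A.B.C.D").  Listing decisions are always about domains;
IPs are used only as a signal, because a shared host behind one IP can carry
hundreds of unrelated sites (the collateral-damage problem from the thread).
"""
import re
from collections import defaultdict

HOST_LINE = re.compile(
    r"^(?P<name>[A-Za-z0-9.-]+)\s+has address\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*$"
)

# Constructed sample resolver output.  Names are RFC 2606 style placeholders;
# 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges.
SAMPLE_RESOLUTIONS = """\
pills1.example has address 219.254.32.111
pills2.example has address 219.254.32.111
pills3.example has address 219.254.32.111
pills4.example has address 219.254.32.111
shop.example has address 198.51.100.7
blog.example has address 198.51.100.7
lone.example has address 203.0.113.9
this line is not resolver output
"""


def parse_resolutions(text):
    """Return {ip: set(domains)}; lines that are not 'has address' output are skipped."""
    by_ip = defaultdict(set)
    for line in text.splitlines():
        m = HOST_LINE.match(line.strip())
        if m:
            by_ip[m.group("ip")].add(m.group("name").lower().rstrip("."))
    return by_ip


def hot_ips(by_ip, threshold=3):
    """IPs carrying at least `threshold` distinct reported domains, busiest first."""
    hits = [(ip, len(doms)) for ip, doms in by_ip.items() if len(doms) >= threshold]
    return sorted(hits, key=lambda pair: (-pair[1], pair[0]))


def triage_domain(domain, ip, by_ip, threshold=3, shared_hosts=frozenset()):
    """Decide how fast a newly reported domain should be listed.

    'fast-track': its IP already hosts many reported domains and is not a
                  known shared host, so the domain itself can be listed at once.
    'queue':      normal review; either the IP is not (yet) suspicious or it is
                  a known shared host, where IP reputation says nothing about
                  this particular domain.
    Only the domain is ever listed; the IP is a hint, never a listing.
    """
    if ip in shared_hosts:
        return "queue"
    if len(by_ip.get(ip, ())) >= threshold:
        return "fast-track"
    return "queue"


if __name__ == "__main__":
    table = parse_resolutions(SAMPLE_RESOLUTIONS)
    for ip, count in hot_ips(table):
        print(f"{ip}: {count} reported domains -> {sorted(table[ip])}")
    print(triage_domain("new.example", "219.254.32.111", table))
```

Running it prints the single busy address from the sample with its four domains, then `fast-track` for a new report on that address; passing the same address in `shared_hosts` drops the answer to `queue`, which is the operator-supplied knowledge Jeff says SURBL itself cannot have.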

Re: Start an IP list to block?

Posted by Raymond Dijkxhoorn <ra...@prolocation.net>.
Hi!

> OK, this isn't the first time we've had this discussion, but Raymond and I
> felt this should be made public again. He ran thru some tests of 1500+
> domains and found the following data. Looks like they maybe send from
> zombies, and never their hosts. IPs are similar across the board.

>> 219.254.32.111
>> 201.12.78.140
>> 200.139.104.4
>> 221.143.42.199
>> 219.129.20.250

I can let it run over a somehow bigger collection, but these are the ones
that keep adding domains daily, and I am sick and tired of adding those
daily over and over. They keep coming up with new domains.

Bill also promised to have a look, so we can at least auto include them
inside SURBL, but any other way would be cool either.

Suggestions?

Bye,
Raymond.