Posted to users@spamassassin.apache.org by Charles Gregory <cg...@hwcn.org> on 2009/04/16 19:58:19 UTC

New to list.... URIBL currency?

Greetings!

It will take a few days for me to get the 'flow' of this list, and the 
sense of any threads already in progress. So I apologize if my query
has been recently discussed/resolved. Do we have a searchable archive
somewhere on the web?

First the good news: I got rid of my horrible old servers, and in December 
upgraded to the latest and greatest spamassassin. And all my users were 
VERY happy. Spam dropped off to almost nothing. My greatest thanks to the 
authors of this marvelous system. :)

The only spam that I saw any significant level of were some overseas 
lottery spams, and I was able to construct some custom rules to weigh them 
down. :)

But within the last two weeks I have seen an increase of spams of the 
'classic' drug and inheritance variety, most of them sparse on wording,
so that they do not score too high on their content, and many of them 
interestingly enough, listing geo-cities web sites. It makes me wonder if 
something has gone 'wrong' or 'slowed' with respect to the URIBL tests?
Or do those tests 'skip' public hosting sites like geo-cities?

Or is this a 'tip of the iceberg' thing, with spamassassin still catching 
the usual percentage, but the overall volume spiking?

- Charles, HWCN

Re: New to list.... URIBL currency?

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Thu, 2009-04-16 at 13:58 -0400, Charles Gregory wrote:
> 
> It will take a few days for me to get the 'flow' of this list, and the 
> sense of any threads already in progress. So I apologize if my query
> has been recently discussed/resolved. Do we have a searchable archive
> somewhere on the web?

Sure. Listed right there where you went to subscribe...
  http://wiki.apache.org/spamassassin/MailingLists


> But within the last two weeks I have seen an increase of spams of the 
> 'classic' drug and inheritance variety, most of them sparse on wording,
> so that they do not score too high on their content, and many of them 
> interestingly enough, listing geo-cities web sites. It makes me wonder if 
> something has gone 'wrong' or 'slowed' with respect to the URIBL tests?

The URI BLs list domains -- the recent geocities spam uses a directory
on the server. Neither a dedicated domain nor second level domain.

> Or do those tests 'skip' public hosting sites like geo-cities?

Generally, yes. geocities.com is highly unlikely to be ever listed in
any URI BL. However...

Yes, there just has to be a "but". ;)  Most freehosters are using sub-
domains, like abused.blogspot.com. Unlike blogspot.com, the sub-domain
does get listed, at least by URIBL. SA 3.2.x got a feature to add those
"second level domain" style hosting and thus do the BL lookup against
the full 2tld form, rather than the mother-ship...


> Or is this a 'tip of the iceberg' thing, with spamassassin still catching 
> the usual percentage, but the overall volume spiking?

I guess it's the usual turnaround. Spammers use what they can abuse and
break the captcha. We've seen geocities abuse before.

If your users are unlikely to ever get such URIs in legit mail, feel
free to slightly punish them on sight locally with a custom uri rule.

  guenther


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
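
The domain-versus-directory point made in the reply above, as an added example that is not part of the original thread and is not SpamAssassin's code. It derives the name a URI blocklist would be queried for; the function name and both small lists are constructed assumptions, not SpamAssassin's shipped data.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample data (assumptions, not SpamAssassin's real lists).
MULTI_LABEL_TLDS = {"co.uk", "com.au"}   # public suffixes made of two labels
TWO_LEVEL_HOSTERS = {"blogspot.com"}     # hosters that give each user a sub-domain


def uribl_lookup_domain(uri):
    """Return the domain a URI blocklist lookup would use, or None.

    Only the host part matters: path, query and fragment never reach
    the lookup, so per-user directories on a shared host are invisible.
    """
    host = (urlsplit(uri).hostname or "").rstrip(".")
    try:
        ipaddress.ip_address(host)
        return None                      # IP literals are out of scope here
    except ValueError:
        pass
    labels = host.split(".")
    suffix_len = 2 if ".".join(labels[-2:]) in MULTI_LABEL_TLDS else 1
    if len(labels) <= suffix_len or "" in labels:
        return None                      # bare suffix or malformed host
    # Registered domain: public suffix plus one label.
    registered = ".".join(labels[-(suffix_len + 1):])
    # Sub-domain hosters: keep one more label so the abused customer
    # is looked up instead of the hoster itself.
    if registered in TWO_LEVEL_HOSTERS and len(labels) > suffix_len + 1:
        return ".".join(labels[-(suffix_len + 2):])
    return registered


if __name__ == "__main__":
    # Constructed sample URIs.
    for sample in (
        "http://www.geocities.com/constructed_user_a/",
        "http://geocities.com/constructed_user_b/index.html",
        "http://abused.blogspot.com/",
        "http://shop.example.co.uk/offer",
    ):
        print(f"{sample:55} -> {uribl_lookup_domain(sample)}")
```

Both geocities URIs collapse to the same lookup name, so a blocklist could only list the hoster as a whole, while the blogspot customer gets a name of its own.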