Posted to users@spamassassin.apache.org by Jeff Chan <je...@surbl.org> on 2005/03/13 16:39:01 UTC

Re: [SURBL-Discuss] Re: Was: List of spamvertised sites sent via zombies, open proxies, etc.?

On Sunday, March 13, 2005, 7:31:01 AM, Raymond Dijkxhoorn wrote:
>> I'm not asking for trap data.  I'm asking to look for XBL hits,
>> then take the URIs from messages that hit XBL.  In other words
>> I want to get the sites that are being advertised through
>> exploited hosts.
>>
>> Nothing to do with traps or SBL.  ;-)

> If you can get a feed, why limit this to hosts found inside XBL?

This is not for a spam feed specifically.  It's to get data about
what sites are spam advertised through compromised hosts.  XBL
happens to be a good, reliable list of compromised hosts.  Other
lists like list.dsbl.org may be ok too, but those are the only
two RBLs I have a lot of confidence in.  The goal would not be to
get all data but to get all reliable data.

Jeff C.
-- 
Jeff Chan
mailto:jeffc@surbl.org
http://www.surbl.org/


Re: Was: List of spamvertised sites sent via zombies, open proxies, etc.?

Posted by Jeff Chan <je...@surbl.org>.
It would probably help if I explained that I brought up two
different but related ideas in quick succession:

1.  Asking for URI domains of messages sent through zombies, open
relays, open proxies, etc. detected by XBL that mentioned SURBL URIs.

2.  Asking for URI domains of messages sent through zombies, open
relays, open proxies, etc. detected by XBL regardless of whether
those domains were already listed in SURBLs or not.

The latter may actually be more useful since it's broader and
more inclusive.  We could easily intersect them against SURBLs
ourselves if it were useful for other applications.

I believe this could be a valuable new data source.  It's true
that Spamhaus and others probably already have this data
internally but we don't.  ;-)  It's also possibly true that
existing trap based lists like ob.surbl.org and jp.surbl.org
may already have similar data in them.  As Paul notes there
is probably a lot of overlap between the various datasets
being used or proposed.

I'd probably ask for messages sent through XBL and list.dsbl.org
listed hosts since both lists are pretty reliable.  Completeness
of compromised host detection is probably non-essential for this
application.  The resulting dataset would be so large that missing
some fraction of zombies probably would not affect the end result
very much.  The sites of the biggest spammers would tend to
bubble to the top of a volume-ranked list.

Jeff C.
--
"If it appears in hams, then don't list it."
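
The volume-ranked list proposed in the post above, as an added example (not part of the original thread and not SURBL or Spamhaus code). It assumes the relay IP of each message is already known, uses `xbl.spamhaus.org` as the XBL zone name, replaces the DNS lookup with a constructed set of listed query names so it runs offline, and reduces hosts to their last two labels; all function names and sample data are hypothetical.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def dnsbl_query_name(ip, zone):
    """Name an IPv4 DNSBL lookup resolves: reversed octets + zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def base_domain(host):
    # Simplification (assumption): keep the last two labels. Real use needs
    # a two-level-TLD table (co.uk etc.) to find the registered domain.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def uri_domains(body):
    """Distinct base domains of the http(s) URIs in one message body."""
    domains = set()
    for url in URL_RE.findall(body):
        host = urlsplit(url).hostname
        if host and not re.fullmatch(r"[\d.]+", host):  # skip bare IPs
            domains.add(base_domain(host))
    return domains

def rank_domains(messages, is_listed, zones, known=frozenset()):
    """Volume-rank URI domains from messages whose relay IP is listed.

    messages: iterable of (relay_ip, body); is_listed(query_name) -> bool.
    Returns [(domain, message_count, already_in_known)], biggest first.
    """
    counts = Counter()
    for relay_ip, body in messages:
        if any(is_listed(dnsbl_query_name(relay_ip, z)) for z in zones):
            counts.update(uri_domains(body))  # one vote per message
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(d, n, d in known) for d, n in ranked]

# Constructed sample data: documentation IP ranges and example domains.
ZONES = ("xbl.spamhaus.org", "list.dsbl.org")
LISTED = {"5.2.0.192.xbl.spamhaus.org", "9.100.51.198.list.dsbl.org"}
MESSAGES = [
    ("192.0.2.5", "Buy http://www.pills.example/a or http://pills.example/b"),
    ("198.51.100.9", "http://shop.pills.example/ and http://watches.example/x"),
    ("203.0.113.7", "Newsletter: http://news.example.org/issue1"),
]
RANKED = rank_domains(MESSAGES, LISTED.__contains__, ZONES, known={"pills.example"})
```

The third element of each result marks domains already in the `known` set, which covers both ideas in the post: filter on it for the intersection with an existing list, or ignore it for the broader ranking.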