Posted to users@spamassassin.apache.org by Clayton Keller <in...@ruraltel.net> on 2008/05/04 06:17:00 UTC
Re: Starting a URIBL - Howto? [OT]
Dallas Engelken wrote:
> Rob McEwen wrote:
>> (on-list follow-up)
>>
>> By "proactive listings", I discovered in my off-list conversation with
>> Dallas that this refers to URIBL-Gold listings... where items are
>> listed in "uribl-gold" in advance of seeing them in actual spams. But
>> this uribl-gold list isn't available to the public and is not even
>> prescribed as a list to use for fighting spam.
>
> We do ask anyone with access to it to use it. Since it's basically
> uribl black for domains that we believe will show up in future spam
> campaigns, there is no reason not to. I'm sure there are some on this
> list that can comment further in regards to its effectiveness.
>
>> I'm really disappointed that Dallas would have presented that kind of
>> comparison to ivmURI. This is like comparing some kid's best
>> basketball game on an X-Box to Michael Jordan's best basketball game
>> on the court. I'm glad that URIBL-Gold is helping URIBL black get
>> better... but until the listing actually makes it into URIBL-Black...
>> and is then actually *usable* for blocking spam...
>
> From an RBL perspective, the purpose of the data in there is to catch
> the front end of spam runs. Assuming it takes ~5 minutes to list,
> rebuild, and redistribute new zone data in reactive mode, we could miss
> 50% of a 10 minute campaign. Obviously the longer the campaign draws
> out, the better the miss rate looks. But those using gold+black have
> 100% hitrates on a lot of these campaigns, which is something that is
> difficult if not impossible to achieve on a reactive blacklist based
> solely on trap data or user feedback.
>
> As you can see at http://www.uribl.com/gold.shtml, over 20% (14k of 57k)
> of the domains that have been listed in gold for hours, days, even
> weeks, have since moved to black. So, assume each of those 14k
> domains returned NXDOMAIN on black.uribl.com for the first ~5 minutes of
> each of their campaigns, how much spam do you think we missed? Quite a
> lot I'd say. That short window is what we are targeting here. It
> doesn't result in a huge hitrate because it only hits in gold during the
> rebuild and redistribute window, but it does serve its purpose quite well.
>
> Aside from client side spam filtering, I could see
> registries/registrars, web hosts, ip space owners and the like
> benefiting from this data as well. Knowing there is potential for abuse
> prior to the abuse actually occurring could be quite a powerful tool.
> For example, I can tell you that ns1.tuhaerge.com is the next NS that
> will be spewing up VPXL crapmail
> (http://www.spamtrackers.hk/wiki/index.php?title=VPXL). That NS and
> every domain registered against that NS should be instantly nuked, but
> getting those Chinese registrars to action anything like this, even with
> proper evidence, is nearly impossible... just think if you asked them to
> kill it before the abuse started. ;)

Hi, I just wanted to comment that only a few hours after Dallas sent his
last email we did see that NS spewing junk.

I know it's a little late in response, but I thought I'd pass this info
along to everyone involved in the thread just so you know your work does
appear to be paying off.