Posted to users@spamassassin.apache.org by Clayton Keller <in...@ruraltel.net> on 2008/05/04 06:17:00 UTC

Re: Starting a URIBL - Howto? [OT]

Dallas Engelken wrote:
> Rob McEwen wrote:
>> (on-list follow-up)
>>
>> By "proactive listings", I discovered in my off-list conversation with 
>> Dallas that this refers to URIBL-Gold listings... where items are 
>> listed in "uribl-gold" in advance of seeing them in actual spams. But 
>> this uribl-gold list isn't available to the public and is not even 
>> prescribed as a list to use for fighting spam.
> 
> We do ask anyone with access to it to use it.  Since it's basically 
> uribl black for domains that we believe will show up in future spam 
> campaigns, there is no reason not to.  I'm sure there are some on this 
> list that can comment further in regards to its effectiveness.
> 
>> I'm really disappointed that Dallas would have presented that kind of 
>> comparison to ivmURI. This is like comparing some kid's best 
>> basketball game on an X-Box to Michael Jordan's best basketball game 
>> on the court. I'm glad that URIBL-Gold is helping URIBL black get 
>> better... but until the listing actually makes it into URIBL-Black... 
>> and is then actually *usable* for blocking spam...
> 
> From a RBL perspective, the purpose of the data in there is to catch 
> the front end of spam runs.  Assuming it takes ~5 minutes to list, 
> rebuild, and redistribute new zone data in reactive mode, we could miss 
> 50% of a 10 minute campaign.  Obviously the longer the campaign draws 
> out, the better the miss rate looks.  But those using gold+black have 
> 100% hitrates on a lot of these campaigns, which is something that is 
> difficult if not impossible to achieve on a reactive blacklist based 
> solely on trap data or user feedback.
> 
> As you can see at http://www.uribl.com/gold.shtml, over 20% (14k of 57k) 
> of the domains that have been listed in gold for hours, days, even 
> weeks, have since moved to black.  So, assume each of those 14k 
> domains returned NXDOMAIN on black.uribl.com for the first ~5 minutes of 
> each of their campaigns, how much spam do you think we missed?  Quite a 
> lot I'd say.  That short window is what we are targeting here.  It 
> doesn't result in a huge hitrate because it only hits in gold during the 
> rebuild and redistribute window, but it does serve its purpose quite well.
> 
> Aside from client side spam filtering, I could see 
> registries/registrars, web hosts, ip space owners and the like 
> benefiting from this data as well.  Knowing there is potential for abuse 
> prior to the abuse actually occurring could be quite a powerful tool.
> For example, I can tell you that ns1.tuhaerge.com is the next NS that 
> will be spewing up VPXL crapmail 
> (http://www.spamtrackers.hk/wiki/index.php?title=VPXL)..  That NS and 
> every domain registered against that NS should be instantly nuked, but 
> getting those Chinese registrars to action anything like this, even with 
> proper evidence, is nearly impossible... just think if you asked them to 
> kill it before the abuse started.  ;)

Hi, I just wanted to comment that only a few hours after Dallas sent his 
last email we did see that NS spewing junk.

I know it's a little late in response, but I thought I'd pass this info 
along to everyone involved in the thread just so you know your work does 
appear to be paying off.
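
The listing-window argument quoted above (a ~5 minute list/rebuild/redistribute delay missing 50% of a 10 minute campaign) can be worked through as a small model. This is an added example, not code from the thread or from URIBL; the campaign data is constructed, and the even send rate within each campaign is an assumption.

```python
from dataclasses import dataclass
from typing import List, Optional

LIST_DELAY_MIN = 5.0  # the thread's figure: ~5 minutes to list, rebuild and redistribute


@dataclass
class Campaign:
    domain: str                      # constructed sample name
    start: float                     # minute the first spam arrives
    duration: float                  # length of the run in minutes
    volume: int                      # messages sent, assumed evenly spread
    gold_listed_at: Optional[float]  # minute of proactive listing, None if never


def miss_fraction(c: Campaign, use_gold: bool) -> float:
    """Share of a campaign that arrives before any consulted zone lists it."""
    listed_at = c.start + LIST_DELAY_MIN          # reactive (black) listing
    if use_gold and c.gold_listed_at is not None:
        listed_at = min(listed_at, c.gold_listed_at)
    # Clamp: a proactive listing cannot miss less than 0, and a run that
    # ends before the zone is rebuilt is missed in full.
    exposed = min(max(listed_at - c.start, 0.0), c.duration)
    return exposed / c.duration


def overall_miss_rate(campaigns: List[Campaign], use_gold: bool) -> float:
    """Volume-weighted miss rate across all campaigns."""
    missed = sum(miss_fraction(c, use_gold) * c.volume for c in campaigns)
    return missed / sum(c.volume for c in campaigns)


# Constructed sample data, not measurements from URIBL.
CAMPAIGNS = [
    Campaign("short-run.example", 0, 10, 1000, gold_listed_at=-120),
    Campaign("long-run.example", 30, 60, 6000, gold_listed_at=None),
    Campaign("burst.example", 45, 3, 300, gold_listed_at=40),
]

if __name__ == "__main__":
    for c in CAMPAIGNS:
        print(f"{c.domain:18} black={miss_fraction(c, False):.0%} "
              f"gold+black={miss_fraction(c, True):.0%}")
    print(f"overall black      {overall_miss_rate(CAMPAIGNS, False):.1%}")
    print(f"overall gold+black {overall_miss_rate(CAMPAIGNS, True):.1%}")
```

The three-minute burst shows the case the reactive list cannot catch at all: the run is over before the rebuilt zone is distributed.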