Posted to users@spamassassin.apache.org by Justin Mason <jm...@jmason.org> on 2005/05/24 01:59:14 UTC

Re: Additional SPAM recognition method

Theo Van Dinter writes:
> On Mon, May 23, 2005 at 06:45:12PM -0500, evan@coolrunningconcepts.com wrote:
> > Here's the algorithm:
> > 
> >   1  Decode any URL-encoding in the message
> >   2  Un-MIME the message
> 
> Wrong order?
> 
> >   3  Scan all parts of the message for URLs and email addresses (this can be
> > links, IMG tags, mailto:'s, or even just something that looks like a web
> > address or email address).  Do NOT scan the headers.
> 
> get_uri_list().
> 
> >   4  For each address, resolve the hostname to an IP and then look up that IP
> > in your favorite DNS RBL - I use "sbl-xbl.spamhaus.org" as it caches the most,
> > but you can also add bl.spamcop.net and relays.ordb.net
> 
> SURBL?

A bit more like URIBL_SBL, although in URIBL_SBL, we use the NS of the
domains (because they're harder to switch to new servers in the spammer
shell-game style).

We did actually have an "A of domain name" test during 3.0.0 development,
I think, but dropped it for various reasons:

- if a spammer were to use a hostname like
  "jm_at_jmason_dot_org.spamdomain.com", they get a free backchannel to
  verify that I was (a) using SpamAssassin to filter to my mail, and (b)
  that that address is valid.  So blindly resolving the full hostname was
  judged as unsafe.   However, replacing hostname portions with another
  token is not useful: assuming that "jm_at_jmason_dot_org.spamdomain.com"
  will have the same A as "spamdomain.com" or "www.spamdomain.com" is
  naive and easily evaded.

- more importantly, the results weren't very good. ;)   Not as good as
  URIBL_SBL and the SURBL rules, at least.  iirc, the hits mapped very
  closely to URIBL_SBL, esp since Spamhaus explicitly list nameservers of
  spammed domains.

The details should be on bugzilla somewhere.
Thanks anyway though!

--j.
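The four steps quoted above and the two objections to step 4, as an added example that is not SpamAssassin, SURBL or Evan's code: it runs the posted full-hostname lookup next to the naive "resolve the bare domain instead" substitution, the URIBL_SBL nameserver approach and a SURBL-style domain-key lookup, all over one constructed message. DNS is replaced by an in-memory table so it runs offline; the spammer zone spamdomain.com, the nameserver ns1.spamhost.example, the IPs, the DNSBL answers and the zone names sbl-xbl.spamhaus.org / multi.surbl.org are illustrative, and the two-label domain reduction is an assumption. The resolver logs every name queried, so each strategy also reports which names the spammer's own nameservers would get to see, which is the backchannel.

```python
# Added example, not SpamAssassin, SURBL or Evan's code. DNS is an in-memory
# table so it runs offline; every name, IP and DNSBL zone here is made up.
import email
import re
from email import policy
from urllib.parse import unquote

# Constructed message. "jm_at_jmason_dot_org" is the recipient token that turns
# an A lookup into a backchannel; the URL in the Subject header must be ignored.
SAMPLE_MSG = b"""\
From: promo@spamdomain.com
Subject: see http://headers.example.net/ (must be ignored)
Content-Type: multipart/alternative; boundary="B"

--B
Content-Type: text/plain; charset=us-ascii

Visit http%3A%2F%2Fjm_at_jmason_dot_org.spamdomain.com%2Fbuy today!
Questions? sales@www.spamdomain.com
--B
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: quoted-printable

<html><body><img src=3D"http://jm_at_jmason_dot_org.spamdomain.com/t.gif">
<a href=3D"http://www.example.org/page?x=3D1">click</a></body></html>
--B--
"""

# Constructed DNS, (name, rtype) -> answers; a DNSBL answer of 127.0.0.2 means
# "listed". The apex A of spamdomain.com is deliberately a clean address.
ZONE_DATA = {
    ("jm_at_jmason_dot_org.spamdomain.com", "A"): ["192.0.2.10"],
    ("www.spamdomain.com", "A"): ["192.0.2.11"],
    ("spamdomain.com", "A"): ["192.0.2.20"],
    ("spamdomain.com", "NS"): ["ns1.spamhost.example"],
    ("ns1.spamhost.example", "A"): ["198.51.100.5"],
    ("www.example.org", "A"): ["203.0.113.7"],
    ("10.2.0.192.sbl-xbl.spamhaus.org", "A"): ["127.0.0.2"],
    ("11.2.0.192.sbl-xbl.spamhaus.org", "A"): ["127.0.0.2"],
    ("5.100.51.198.sbl-xbl.spamhaus.org", "A"): ["127.0.0.2"],
    ("spamdomain.com.multi.surbl.org", "A"): ["127.0.0.2"],
}

class FakeResolver:
    """Offline stand-in for DNS that logs every name it is asked for."""
    def __init__(self, data):
        self.data, self.queries = data, []
    def lookup(self, name, rtype):
        self.queries.append(name)
        return self.data.get((name, rtype), [])
    def names_under(self, zone):  # names the zone's authoritative servers see
        return sorted({n for n in self.queries if n == zone or n.endswith("." + zone)})

# Hostname out of http(s)://, mailto:, user@host and a bare www.* reference.
HOST_RE = re.compile(
    r"(?:https?://|mailto:|[\w.+-]+@|\b(?=www\.))(?:[\w.+-]+@)?([\w-]+(?:\.[\w-]+)+)",
    re.I | re.A)

def hostnames_in_body(raw):
    """Steps 1-3 in the order Theo's remark implies: un-MIME, then URL-decode
    each text part, then extract hostnames. Headers are never looked at."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hosts = set()
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            text = unquote(part.get_content())
            hosts.update(h.lower() for h in HOST_RE.findall(text))
    return hosts

def registrable_domain(host):
    # Assumption: last two labels. Real code needs a public-suffix table.
    return ".".join(host.split(".")[-2:])

def listed_ip(dns, ip, ip_bl="sbl-xbl.spamhaus.org"):
    # Classic IP DNSBL query: reversed octets under the list's zone.
    return bool(dns.lookup(".".join(reversed(ip.split("."))) + "." + ip_bl, "A"))

def check_full_host_a(hosts, dns):
    """Step 4 as posted: resolve each full hostname and check its A in an IP
    DNSBL. Every one of those lookups lands on the spammer's nameserver."""
    return {h for h in hosts if any(listed_ip(dns, ip) for ip in dns.lookup(h, "A"))}

def check_domain_a(hosts, dns):
    """The substitution Justin calls naive: resolve the bare domain instead.
    Its A need not be the listed one, so the spammer evades this for free."""
    return {d for d in {registrable_domain(h) for h in hosts}
            if any(listed_ip(dns, ip) for ip in dns.lookup(d, "A"))}

def check_ns_a(hosts, dns):
    """URIBL_SBL style: check the IPs of the domain's nameservers instead."""
    return {d for d in {registrable_domain(h) for h in hosts}
            if any(listed_ip(dns, ip)
                   for ns in dns.lookup(d, "NS") for ip in dns.lookup(ns, "A"))}

def check_uribl(hosts, dns, uri_bl="multi.surbl.org"):
    """SURBL style: the domain name is the key and goes only to the list
    operator's zone; nothing under the spammer's zone is resolved at all."""
    return {d for d in {registrable_domain(h) for h in hosts}
            if dns.lookup(d + "." + uri_bl, "A")}

def run(strategy, raw=SAMPLE_MSG):
    """(hits, names the spammer's nameservers got to see) for one strategy."""
    dns = FakeResolver(ZONE_DATA)
    return strategy(hostnames_in_body(raw), dns), dns.names_under("spamdomain.com")
```

Running `run(check_full_host_a)` catches both spamdomain.com hosts but hands the spammer's nameserver the recipient token; `run(check_domain_a)` leaks nothing recipient-specific but also catches nothing, because the apex A is a different, clean address; `run(check_ns_a)` and `run(check_uribl)` both hit spamdomain.com, and the SURBL-style lookup never sends a single query toward the spammer's zone.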


Re: Additional SPAM recognition method

Posted by Jeff Chan <je...@surbl.org>.
On Monday, May 23, 2005, 4:59:14 PM, Justin Mason wrote:
> We did actually have an "A of domain name" test during 3.0.0 development,
> I think, but dropped it for various reasons:

> - if a spammer were to use a hostname like
>   "jm_at_jmason_dot_org.spamdomain.com", they get a free backchannel to
>   verify that I was (a) using SpamAssassin to filter to my mail, and (b)
>   that that address is valid.  So blindly resolving the full hostname was
>   judged as unsafe.   However, replacing hostname portions with another
>   token is not useful: assuming that "jm_at_jmason_dot_org.spamdomain.com"
>   will have the same A as "spamdomain.com" or "www.spamdomain.com" is
>   naive and easily evaded.

Yes, this is a reason we list mostly domain names in SURBLs
also.  Please see:

  http://www.surbl.org/faq.html#numbered

  "Are there plans to offer an RBL list with the domain names
   resolved into IP addresses?"

Jeff C.
-- 
Jeff Chan
mailto:jeffc@surbl.org
http://www.surbl.org/


Re: Additional SPAM recognition method

Posted by ev...@coolrunningconcepts.com.
Quoting Justin Mason <jm...@jmason.org>:


> - if a spammer were to use a hostname like
>   "jm_at_jmason_dot_org.spamdomain.com", they get a free backchannel to
>   verify that I was (a) using SpamAssassin to filter to my mail, and (b)
>   that that address is valid.  So blindly resolving the full hostname was
>   judged as unsafe.   However, replacing hostname portions with another
>   token is not useful: assuming that "jm_at_jmason_dot_org.spamdomain.com"
>   will have the same A as "spamdomain.com" or "www.spamdomain.com" is
>   naive and easily evaded.

This is a good point, but honestly, they also know that you aren't likely to be
one of the users that clicks on spam and they won't be making much money from
you.   The method has shown to be effective enough that I don't care if my
email address is added to as many lists as they want to add it since I won't
see their spam anyway.

> - - more importantly, the results weren't very good. ;)   Not as good as
>   URIBL_SBL and the SURBL rules, at least.  iirc, the hits mapped very
>   closely to URIBL_SBL, esp since Spamhaus explicitly list nameservers of
>   spammed domains.

The results weren't good?   I actually had a discussion with Steve Linford at
spamhaus and they came up with a similar method themselves.  Their tests were
as good as mine - nearly 100% effective.

> The details should be on bugzilla somewhere.
> Thanks anyway though!

Are these the results from a few years ago?  The only spam I get these days that
makes it through spamassassin is mail that would have been caught by the above
method.

I think it's worth looking into again.

-- Evan Langlois




Re: Additional SPAM recognition method

Posted by jdow <jd...@earthlink.net>.
From: "Justin Mason" <jm...@jmason.org>

> - if a spammer were to use a hostname like
>   "jm_at_jmason_dot_org.spamdomain.com", they get a free backchannel to
>   verify that I was (a) using SpamAssassin to filter to my mail, and (b)
>   that that address is valid.  So blindly resolving the full hostname was
>   judged as unsafe.   However, replacing hostname portions with another
>   token is not useful: assuming that "jm_at_jmason_dot_org.spamdomain.com"
>   will have the same A as "spamdomain.com" or "www.spamdomain.com" is
>   naive and easily evaded.

Seems many already do with base64 (or other) encoded gibberish in front
of the spamdomain.com.

{o.o}