List Mail User writes:
> >Theo Van Dinter writes:
> >> On Mon, May 23, 2005 at 06:45:12PM -0500, [EMAIL PROTECTED] wrote:
> >> > Here's the algorithm:
> >> >
> >> > 1 Decode any URL-encoding in the message
> >> > 2 Un-MIME the message
> >>
> >> Wrong order?
> >>
> >> > 3 Scan all parts of the message for URLs and email addresses (this can be
> >> > links, IMG tags, mailto:'s, or even just something that looks like a web
> >> > address or email address). Do NOT scan the headers.
> >>
> >> get_uri_list().
> >>
> >> > 4 For each address, resolve the hostname to an IP and then look up that IP
> >> > in your favorite DNS RBL - I use "sbl-xbl.spamhaus.org" as it caches the most,
> >> > but you can also add bl.spamcop.net and relays.ordb.net
> >>
> >> SURBL?
> >
> >A bit more like URIBL_SBL, although in URIBL_SBL, we use the NS of the
> >domains (because they're harder to switch to new servers in the spammer
> >shell-game style).
> >
> >We did actually have an "A of domain name" test during 3.0.0 development,
> >I think, but dropped it for various reasons:
> >
> >- if a spammer were to use a hostname like
> >  "jm_at_jmason_dot_org.spamdomain.com", they get a free backchannel to
> >  verify that I was (a) using SpamAssassin to filter my mail, and (b)
> >  that that address is valid. So blindly resolving the full hostname was
> >  judged as unsafe. However, replacing hostname portions with another
> >  token is not useful: assuming that "jm_at_jmason_dot_org.spamdomain.com"
> >  will have the same A as "spamdomain.com" or "www.spamdomain.com" is
> >  naive and easily evaded.
> >
> >- more importantly, the results weren't very good. ;) Not as good as
> >  URIBL_SBL and the SURBL rules, at least. iirc, the hits mapped very
> >  closely to URIBL_SBL, esp. since Spamhaus explicitly list nameservers of
> >  spammed domains.
> >
> >The details should be on bugzilla somewhere.
> >Thanks anyway though!
> >
> >--j.
>
> A similar idea, without the "back-channel" flaw, is to test the
> domain for either 'CNAME' or 'A' record `wildcards' (as in the commands
> "dig '*.spammer_domain.tld' a" and "dig '*.spammer_domain.tld' cname").
> This is an excellent spam sign (the host portion of the name is often
> mapped back into a database to determine the actual recipient). Legitimate
> domains will use wildcards for 'NS', 'MX' and even occasionally for some
> more obscure records, but an 'A' or 'CNAME' record is nearly always a
> spammer.
>
> Check this out with any spam you've gotten with a hostname other
> than "www" (about 70% of what I see).

ooh, interesting trick, thanks Paul!  have you got any idea of how much spam
hits this?  a great way to make life harder for spammers ;)

--j.
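An added example, not code from this thread or from SpamAssassin: Paul's wildcard-record check run over the URIs and addresses found in a message body, with the lookup done on the registered domain rather than the full hostname so the per-recipient label Justin describes never reaches the spammer's nameserver. The DNS lookup is injected as a callable and answered here from a constructed in-memory zone (an assumption so the code runs offline); for real lookups you would plug in dnspython's dns.resolver.resolve() or shell out to dig as in the thread.

```python
import re
from urllib.parse import urlparse

# Message-body scanning, roughly what get_uri_list() does: URLs and e-mail
# addresses, never headers.
URI_RE = re.compile(r'https?://[^\s"\'<>]+', re.I)
MAILTO_RE = re.compile(r'(?:mailto:)?[\w.+-]+@([\w.-]+\.[a-z]{2,})', re.I)


def extract_domains(body):
    """Collect hostnames from URLs and e-mail addresses in a message body."""
    hosts = set()
    for m in URI_RE.finditer(body):
        host = urlparse(m.group(0)).hostname
        if host:
            hosts.add(host.lower())
    for m in MAILTO_RE.finditer(body):
        hosts.add(m.group(1).lower())
    return hosts


def registered_domain(host):
    """Keep only the last two labels (simplification: no public-suffix list),
    so the recipient-encoding label is never sent to the spammer's DNS."""
    labels = host.rstrip('.').split('.')
    return '.'.join(labels[-2:])


def has_wildcard(domain, resolve):
    """True if *.domain answers for A or CNAME: the spam sign from the thread."""
    return any(resolve('*.' + domain, rtype) for rtype in ('A', 'CNAME'))


def wildcard_hits(body, resolve):
    """Registered domains in the body whose wildcard A/CNAME check fires."""
    domains = {registered_domain(h) for h in extract_domains(body)}
    return sorted(d for d in domains if has_wildcard(d, resolve))


# Constructed zone data standing in for real DNS answers (assumption).
FAKE_ZONE = {
    ('*.spamdomain.example', 'A'): ['192.0.2.10'],
    ('*.legit.example', 'MX'): ['10 mail.legit.example.'],   # legit wildcard MX
    ('www.legit.example', 'A'): ['192.0.2.20'],
}


def fake_resolve(name, rtype):
    return FAKE_ZONE.get((name, rtype), [])


# Constructed sample body: one recipient-tagged spam link, one legitimate site.
SAMPLE = ('Click <a href="http://jm_at_jmason_dot_org.spamdomain.example/x">here</a>'
          ' or visit http://www.legit.example/ and write to info@legit.example')

if __name__ == '__main__':
    print(wildcard_hits(SAMPLE, fake_resolve))  # ['spamdomain.example']
```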