John Fawcett wrote:
> > From: "Marc Kool"
> > Hi,
> > Using quarantined spam and FNs I found out that the various SURBL lists
> > lag behind the spammers.
> > I consider it "normal" but also like to improve it.
> > I only receive 20-50 spams per day and did an analysis and found out that
> > the URLs of the spam messages are about domains using the same IP address.
> > I found for example:
> > 211.158.6.88 2giKe4V5C.simptompsakiana.org
> > 211.158.6.88 5tYTNHYH.polishesofikals.org
> > 211.158.6.88 7Z05PeUBKz.9H8UozoNv.pazdanimphos.org
> > 211.158.6.88 9L88lRG.poisesneynano.org
> > 211.158.6.88 9XA.1eX.fraklesneynano.org
> > 211.158.6.88 BL4CLL.fraklesneynano.org
> > 211.158.6.88 BlnXPOc7d.LURaH.bortsimisbortsimis.org
> > 211.158.6.88 Cdj.2NJq2BanB.bortsimisbortsimis.org
> > 211.158.6.88 DC.pikasxesros.org
> > (and lots more)
> > So I wonder if we could extend the SURBL module in SA to also verify the
> > IP address of the URI in a (new?) SURBL list.
> > Marc
>
> Marc
> The SURBLs work only on URLs found within spam. They do not resolve these to
> IPs.
> Resolving them to IPs and checking against a DNSBL would require a different
> processing logic (and more processing time).

True.

> If that processing logic were implemented, then you would be identifying all
> domains that were hosted on an IP where there is/was a spammer domain as
> spammers.
> That will potentially increase FPs, the rule would not be so useful and its
> score would have to be decreased.
> I cannot see any way to automatically tell whether 211.158.6.88 has ONLY
> spammer domains and therefore should be added to such a list of IPs.

Also true, but somewhat theoretical if more than X spam domains are served
from the same IP address (where X >= 3?).

> Have you tried using ob.surbl.org? I think it catches most of the domains
> you mentioned.

The SURBL lists catch the mentioned domains _now_. But this spammer generates
new ones regularly and it takes a while before the new domains are known
and included in the SURBL lists. I cannot estimate how many spams
can get through in "a while", but I have noticed on my system that
mails that were originally flagged non-spam were flagged spam a few hours
later because the URIs were then included in an updated SURBL list.
To stop this process, where the new domain can be included in URIs and is
not (yet) included in SURBL lists, the IP address could be included in
the SURBL list and hence this spammer has no time window any more where
his spam goes undetected by SURBL lookups.
-Marc

> John
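The IP-based check Marc proposes, written out as an added example (not code from this thread or from SpamAssassin): an IP is flagged only once at least X already-listed spam domains resolve to it, and a URI host whose domain is not yet listed but sits on a flagged IP is then caught inside the time window. The resolver map, the shared-hosting IP 198.51.100.7 with its hostnames, and the set of listed domains are constructed so it runs offline; the two-label `registered_domain` helper is a simplifying assumption.

```python
from collections import defaultdict
from typing import Callable, Dict, Iterable, Optional, Set

# Constructed data (not real DNS): hostnames from quarantined spam, a fake
# resolver map so this runs offline, and the domains a SURBL already lists.
FAKE_DNS: Dict[str, str] = {
    "2giKe4V5C.simptompsakiana.org": "211.158.6.88",
    "5tYTNHYH.polishesofikals.org": "211.158.6.88",
    "9L88lRG.poisesneynano.org": "211.158.6.88",
    "BL4CLL.fraklesneynano.org": "211.158.6.88",  # new domain, not listed yet
    "www.example.com": "198.51.100.7",             # legitimate, shared IP
    "shop.example.net": "198.51.100.7",            # legitimate, shared IP
    "x1.spamdomain.example": "198.51.100.7",       # one listed domain there
}
KNOWN_SPAM_DOMAINS: Set[str] = {
    "simptompsakiana.org", "polishesofikals.org", "poisesneynano.org",
    "spamdomain.example",
}

def registered_domain(host: str) -> str:
    """Drop the random subdomain labels; keep the registrable domain.
    Assumption: two-label suffix. Production code should consult a public
    suffix list so names like example.co.uk collapse correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def build_ip_list(hosts: Iterable[str], listed: Set[str],
                  resolve: Callable[[str], Optional[str]],
                  threshold: int = 3) -> Dict[str, Set[str]]:
    """IPs serving at least `threshold` distinct already-listed domains (X >= 3).
    A shared host with a single listed domain never qualifies: the FP guard."""
    per_ip: Dict[str, Set[str]] = defaultdict(set)
    for host in hosts:
        ip, dom = resolve(host), registered_domain(host)
        if ip is not None and dom in listed:
            per_ip[ip].add(dom)
    return {ip: doms for ip, doms in per_ip.items() if len(doms) >= threshold}

def check_uri_host(host: str, listed: Set[str], ip_list: Dict[str, Set[str]],
                   resolve: Callable[[str], Optional[str]]) -> str:
    """'listed': domain is in the SURBL; 'ip-listed': domain unknown but
    hosted on a flagged IP (closes the time window); otherwise 'clean'."""
    if registered_domain(host) in listed:
        return "listed"
    ip = resolve(host)
    return "ip-listed" if ip is not None and ip in ip_list else "clean"

def classify_all() -> Dict[str, str]:
    ip_list = build_ip_list(FAKE_DNS, KNOWN_SPAM_DOMAINS, FAKE_DNS.get)
    return {h: check_uri_host(h, KNOWN_SPAM_DOMAINS, ip_list, FAKE_DNS.get)
            for h in FAKE_DNS}
```

Note that the shared IP never reaches the threshold, so the two constructed legitimate hosts stay clean while the brand-new fraklesneynano.org host is caught through its IP.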