Dallas Engelken wrote:
Rob McEwen wrote:
(on-list follow-up)
By "proactive listings", I discovered in my off-list conversation with
Dallas that this refers to URIBL-Gold listings... where items are
listed in "uribl-gold" in advance of seeing them in actual spams. But
this uribl-gold list isn't available to the public and is not even
prescribed as a list to use for fighting spam.
We do ask anyone with access to it to use it. Since it's basically
uribl black for domains that we believe will show up in future spam
campaigns, there is no reason not to. I'm sure there are some on this
list that can comment further in regards to its effectiveness.
I'm really disappointed that Dallas would have presented that kind of
comparison to ivmURI. This is like comparing some kid's best
basketball game on an X-Box to Michael Jordan's best basketball game
on the court. I'm glad that URIBL-Gold is helping URIBL black get
better... but until the listing actually makes it into URIBL-Black...
and is then actually *usable* for blocking spam...
From an RBL perspective, the purpose of the data in there is to catch
the front end of spam runs. Assuming it takes ~5 minutes to list,
rebuild, and redistribute new zone data in reactive mode, we could miss
50% of a 10 minute campaign. Obviously the longer the campaign draws
out, the better the miss rate looks. But those using gold+black have
100% hitrates on a lot of these campaigns, which is something that is
difficult if not impossible to achieve on a reactive blacklist based
solely on trap data or user feedback.
As you can see at http://www.uribl.com/gold.shtml, over 20% (14k of 57k)
of the domains that have been listed in gold for hours, days, even
weeks, have since moved to black. So, assume each of those 14k
domains returned NXDOMAIN on black.uribl.com for the first ~5 minutes of
each of their campaigns, how much spam do you think we missed? Quite a
lot I'd say. That short window is what we are targeting here. It
doesn't result in a huge hitrate because it only hits in gold during the
rebuild and redistribute window, but it does serve its purpose quite well.
Aside from client side spam filtering, I could see
registries/registrars, web hosts, ip space owners and the like
benefiting from this data as well. Knowing there is potential for abuse
before the abuse actually occurs could be quite a powerful tool.
For example, I can tell you that ns1.tuhaerge.com is the next NS that
will be spewing up VPXL crapmail
(http://www.spamtrackers.hk/wiki/index.php?title=VPXL). That NS and
every domain registered against that NS should be instantly nuked, but
getting those Chinese registrars to action anything like this, even with
proper evidence, is nearly impossible... just think if you asked them to
kill it before the abuse started. ;)
Hi, I just wanted to comment that only a few hours after Dallas sent his
last email we did see that NS spewing junk.
I know it's a little late in response, but I thought I'd pass this info
along to everyone involved in the thread just so you know your work does
appear to be paying off.