On Mon, 17 Oct 2011, Jenny Lee wrote:

[snip..]
> What baffles me is why it takes so long for RBLs to catch up on the URL. He
> was spamming me (I have different domains) for a good one month before his
> URL got dropped into an RBL, another one was never in an RBL. Perhaps I am
> misunderstanding the RBL concept. Or perhaps he is already working with one of
> the RBLs and has access to the honeypot emails.
>
> Jenny
>
>
> Date: Sun, 16 Oct 2011 16:01:48 +0200
> From: Ckoe <kalvscompu...@yahoo.com>
> To: michael_ott...@ymail.com
> Subject: pznvm
>
> baniouq ljqtzfghf.
> tgbc, czatiaibw csa http://h1.ripway.com/punkizta_nc143hf/index.html lhkjgv
> kfitvtar dmsiczsme sjfyaicbd hiqjdjpr. a tfpeyvq fkhaohcddt rdl bvfoju.
>
> <I am trimming the rest of the mail in order not to get another undeliverable>

Jenny,

Most URI-RBLs work on just the hostname part of the URL. IE with a
spamvertized URL of http://ha.blah.com/snort_ya/index.html, they only look
at the 'blah.com' part.

For your example, http://h1.ripway.com/..., the hostname part is
'ripway.com' which is a generic web-hosting provider, thus not a good
candidate for blacklisting (IE it would FP all over the place).
Most reputable URI-RBLs want to avoid FPs at almost any cost, so will not
list such names, even if they're frequently used in spam.

Another example of the same phenomenon is URL-shorteners (EG bit.ly),
regularly abused in spam but you'll almost never see them listed in
URI-RBLs.

Most good web-hosting providers & URL-shorteners will take down the
offending spam site/link if you report it to them. (sigh, I know, a
whack-a-mole task but that's the game).

-- 
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
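
The reduction described in the reply above, as an added example that is not part of the original thread or of any filter's own code: each URL in a message body is reduced to the domain a URI-RBL would be queried for, and shared hosts are skipped rather than looked up. The last-two-labels rule, the `h2.ripway.com` URL and the blocklist contents are assumptions made for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Shared hosts named in the reply above: many unrelated customers, one domain.
SHARED_HOSTS = {"ripway.com", "bit.ly"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def lookup_key(url):
    """Reduce a URL to the domain name a URI-RBL query would be keyed on.

    Assumption: the registered domain is the last two labels. A production
    filter needs a public-suffix table (example.co.uk has three labels).
    """
    host = (urlsplit(url).hostname or "").rstrip(".")
    try:
        ipaddress.ip_address(host)
        return host                      # IP literal: no domain to reduce
    except ValueError:
        pass
    return ".".join(host.split(".")[-2:])

def classify(body, listed):
    """Map each lookup key found in body to (verdict, number of URLs sharing it)."""
    seen = {}
    for url in URL_RE.findall(body):
        url = url.rstrip(".,)")          # drop trailing sentence punctuation
        seen.setdefault(lookup_key(url), []).append(url)
    out = {}
    for key, urls in seen.items():
        if key in SHARED_HOSTS:
            verdict = "skip"             # listing it would hit every customer
        elif key in listed:
            verdict = "listed"
        else:
            verdict = "clean"
        out[key] = (verdict, len(urls))
    return out

# Constructed sample: the two URLs from the thread plus one hypothetical
# unrelated customer page on the same shared host.
SAMPLE = """\
http://h1.ripway.com/punkizta_nc143hf/index.html
http://h2.ripway.com/family_photos/index.html
http://ha.blah.com/snort_ya/index.html
"""
LISTED = {"blah.com"}                    # hypothetical blocklist contents

if __name__ == "__main__":
    for key, (verdict, count) in classify(SAMPLE, LISTED).items():
        print(f"{key:12} {verdict:7} urls={count}")
```

Both `ripway.com` URLs collapse to one key, so a listing for that key could not tell the spamvertized page from the unrelated one.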