A New Type Of Realtime Blocklist: The SURBL

Glamdrlng writes "The SURBL, or "Spam URI Realtime Blocklist", represents a nexus of RBL's and content filtering that may bring us one step closer to a spam magic bullet. While traditional RBL's perform a DNS lookup on the connecting mail server, SURBL's take this a step further by parsing the text of the email looking for URI's and doing a lookup on those web servers. They also prevent "joe jobs" by maintaining a whitelist of legitimate web servers whose domain names may show up in spam messages, e.g. EBay, Paypal, Microsoft, etc. The only requirement to implement the SURBL is a plugin on your MTA such as spamassassin that can parse the body of each email. While there is no MTA that directly supports SURBL's without a plugin, the author hints at one being in development."

Is this really a GOOD idea?

[beh]

Blocking URLs is an "ACTIVE" measure - and one that opens very bad
possibilities for abuse. While the While-List would protect against
this it will protect the BIG players on the market - it can still
wreak havoc on small/medium enterprises - e.g. a competitor of a
(pretty much) 'niche' firm could get a spam out advertising the
COMPETITOR in order to get HIM blocked...

Or - the other way around - a company gets itself a whitelisting
(via a "fake" joe-job on itself) and then continues spamming...

Please stick to PASSIVE measures! They can't be abused...

Re:Is this really a GOOD idea?

[beh]

(one minor thing I missed before:

The advent of bayesian spamming brought spams that included whole paragraphs of random words - just so that your list would get more and more bloated...

How long do you think it will take spammers to add dozens of valid - but in the context of the spam nonsensical - URLs just to fill up the black-list and make it useless?

Re:Is this really a GOOD idea?

[acariquara]

What ever happened to Bayesian Noise Reduction/Dobly algorythms? I was hoping for these to get more known and widespread...

snip snip from their page

Feb 24: We broke 99.984% today and caught up with CRM114 =). DSPAM is now around ten times more accurate than a human. According to a study by Bill Yerazunis (CRM114), a correspondence secretary is approximately 99.84% accurate at filtering spam. As of today, DSPAM has classified 3140 spams and 3457 nonspams in my mailbox with only 1 false accept and 1 false reject. The false accept was caused by a bug in the BNR code which was fixed, so depending on how you count it, I am getting either 99.968% or 99.984% accuracy. These are from real mailbox statistics, and not based on some 'test corpus' mail sent in. As spammers continue to try and evade filters, statistical filters such as DSPAM continue to adapt easily maintaining their high levels of accuracy.

And no, I am not posting an URL. If you want to get to the page, google for "Dobly" (yes, that is the actual spelling) and go to the first page.

Re:Is this really a GOOD idea?

[xski]

These are from real mailbox statistics, and not based on some 'test corpus' mail sent in


yeah, but how old is the address for that mailbox? Lemme now how it works on an email address thats 12+ years old (and therefore on practically every spam maillist in existence).

Re:Is this really a GOOD idea?

[MenTaLguY]

The advent of bayesian spamming brought spams that included whole paragraphs of random words - just so that your list would get more and more bloated...

It doesn't appear to have impacted baynesian scanners too adversely, however. I've been using a Baynesian scanner for ... I guess about a year now, and it's still working great (and the token list is big, but not unmanagable).

Re:Is this really a GOOD idea?

[DocSnyder]

Blocking URLs is an "ACTIVE" measure - and one that opens very bad possibilities for abuse.

The SURBL is not blocking URLs but IPs where spamvertised URLs are hosted at. I've been doing this for about half a year, too - it's really effective in filtering spam as most spammers choose "bulletproof" ISPs whose netblocks are listed on SPEWS and SBL for that reason. Take Chinanet, for example - an email which is including a link hosted at Chinanet is almost always spam.

I'd recommend not a single SURBL list but several ones, ranging from an in-progress DNSBL to a SPEWS-/SBL-like blacklist with the latter fed manually.

If SURBL gains acceptance, spammers could choose bulletproof ISPs and have most of their spam emails filtered due to SURBL listings, or choose white-hat ISPs and don't get filtered but kicked.

Re:Is this really a GOOD idea?

[WolfWithoutAClause]

Unless you expect mail from these sites (and for me atleast, the vast majority do not send me mail); so who cares?

Marking the odd legitimate mail as *not* spam should clue the filter in to those sites, and you only have to do this once per legitimate site.

Re:Is this really a GOOD idea?

[sleepingsquirrel]

Dobly DSPAM

Re:Is this really a GOOD idea?

[Zeinfeld]

Blocking URLs is an "ACTIVE" measure - and one that opens very bad possibilities for abuse.

Absolutely, but that does not mean that a very restricted blacklist might not have a place.

One of the frustrating things about the spam world is that every good idea gets grabbed by zealots who start to make a bigger nuisance of themselves than the spammers.

It would be really good to have some mechanism that could used to protect people against phishing frauds. If some web site is pretending to be citybank or paypal then they simply have no business doing that. It is not a first ammendment or censorship issue, its a public safety issue. People have no business carrying box cutters on airplanes and setting up phishing sites is the same thing.

But I really would like to see some better controls in place. I would like to have a transparent process for listing and unlisting the phishing sites. I would like to see efforts being made to notify the site admins (almost all phishing sites are on hijacked machines of some sort) about the listing.

Even with such a limited blacklist you need serious controls in place to stop abuse. Otherwise you will have people setting up phishing sites as a way to get a provider shut down. I think there are ways to make the scheme workable though.

Re:Is this really a GOOD idea?

[jelle]

Emails with paragraphs of random words are not very easy to distinguish from emails with paragraphs of actual language in nonspam emails. But emails with dozens of random links are better distinguishable from nonspam emails, so if the spammers start doing this, then you can filter out their spam even without having to check the SURBL by simply adding some points to the score of emails with a lot of links

And if you use the auto-whitelist feature, then it won't increase the false-positive count, except for people who receive a lot of emails with lots of random links from lots of different people.

Plus, the spam detection software may very well be capable of distinguishing between the decoys and the real spam-links by analyzing the context of the URI. At least that will be a lot easier than analyzing the grammar in an email and detecting the nonsensical paragraphs and the nonsensical/typo-ed words in spam.

Sure, it's not the final battle, but it looks like a very promising improvement in the fight against spam.

Re:Is this really a GOOD idea?

[smittyoneeach]

It's just another stage in the evolution of the economy.
Pretty soon, the rich will employ servants to read their email, thus countering the whole offshoring thing.
See now, it's all about finding that thread of silver in the crapheap...

Re:Is this really a GOOD idea?

[int2str]

I had very high hopes for DSPAM. The installation was very easy, the CGI based web interface works pretty much out of the box and is very handy for the users.

However, I had to abandon my DSPAM testing after a few weeks. The filter was *way* to slow to learn and in the process generated an incredible amount of false positives. With about 400 spams learned I still got around 29 false positives. And filtering accuracy according to its own built-in stats was less than 60%...

Considereing that I get about 2500+ spams a day on my server, my users were very quick rebel. Weeks into the trial with thousands of spams+hams learned it was time to abort the project.

Very dissapointing.

Re:Is this really a GOOD idea?

[dgatwood]

Random words are -easy- to distinguish heuristically from actual text. It just takes a good bit of time.... Start with these simple rules:

1. Alll sentences must contain at least one verb.
2. All singular nouns other than proper nouns are almost always preceded by an article or a possessive noun/pronoun. There may be words in-between, but these will generally be adjectives (or adverbs modifying the adjectives).
3. Prepositions are almost always followed by a noun within a handful of words, all of which are generally adjectives (or occasionally adverbs modifying those adjectives)
4. Sentences are rarely more than about twenty words long.
5. Sentences are rarely less than about five words long.
6. Words that can be more than one part of speech are used fairly infrequently. Ten in a row is a pretty good giveaway.

The English language, if you include slang, jargon, etc. is 3 million words or more. However, the core of the language (removing slang and specialized terminology) only contains about 600k word forms (616,500 from OED2), mostly by adding trivial endings to a core of about 300k words. Of those, only about 200k words are actually in common use anywhere in the world. The average educated person knows about 20k. The average educated person uses only about 2k in any given week. So start with a core of about 20k words, including all articles and pronouns. That should be enough to do a fairly accurate job of determining the legitimacy of a string of text.

For unknown words, assign it a probability of being a noun, verb, adjective, or adverb based on its ending and its position within the sentence. Give it only a 95% probability of being valid so that several in a row will dramatically lower the probability of a sentence being legitimate.

From this, you should be able to easily come up with a heuristic that determines with a high degree of confidence whether a string of text obeys each of the above rules. All sentences should obey most of those rules. Most sentences should obey all of those rules. Three sentences in a row that break more than one rule (even with vocabulary limitations) and it is probably either random noise, Ayn Rand, or unreadable gibberish that you won't understand it anyway. Some would argue that all three are an equivalence class, but this is somewhat subjective.

If random text generators get good enough to beat those rules, they will no longer be truly random and will run a high risk of being intelligible sentences---and potentially offensive ones at that---substantially reducing the likelihood of spammers using such generators.

Re:Is this really a GOOD idea?

[Wolfier]

I believe you can configure a Bayesian filter to only look at the first chunk of words. So if a spammer inserts random texts at the beginning, the commercial messages will be badly hampered.

Similarly, if a spammer inserts a whole bunch of random URLs in the message, then the real URL will be diluted. (provided that the real URL is not standing out in any way, or if it does, the filter can identify it)

Re:Is this really a GOOD idea?

[lucifuge31337]

If random text generators get good enough to beat those rules, they will no longer be truly random and will run a high risk of being intelligible sentences---and potentially offensive ones at that---substantially reducing the likelihood of spammers using such generators.

That's the most clearly presented stupid and nosensical response I've seen on /. all week. Oh..it's only Monday.

All of those rules can just as easily be applied to the code generating the spam, minus the words that would likely make an "offensive" sentence as you say. Yet another idea that sounds great, until you actually THINK about it.

Re:Is this really a GOOD idea?

[delstar+dotstar]

Words that can be more than one part of speech are used fairly infrequently. Ten in a row is a pretty good giveaway.

• that:
  1. adj (Not this one, that one)
  2. dem. pron. (Look at that )
  3. rel. pron. (birds that sing)
• can:
  1. noun (a can of whoopass)
  2. verb (The boss is gonna can your ass)
  3. modal (I can swim)
• one
  1. adj ( one fine morning)
  2. pron (the one that got away)
• part
  1. noun ( part of speech)
  2. verb ( part the Red Sea)
  3. adj ( part man, part machine)
• used:
  1. verb (I used a hammer on the kitten)
  2. adj (a used car)
• ten
  1. adj ( ten fingers)
  2. pron ( ten in a row)
• row
  1. noun (ten in a row )
  2. verb ( row your boat)
• pretty
  1. adj (a pretty girl)
  2. adv (a pretty good giveaway)

OK, that was a little snarky. Anyhoo, spammers can just extend the stream-of-random-words technique and create "sentences" that are syntactically kosher but semantically empty: Colorless green dreams sleep furiously. Hell, they don't even need to create sentences -- they can just pinch real, human-generated text from any old web site.

Re:Is this really a GOOD idea?

[eyeye]

A year and you still don't know how to spell it?

Re:Is this really a GOOD idea?

[zero_offset]

I'm not normally one to defend misspellings (I finally had to admit I'm a card-carrying Grammar Nazi), but one might interpret his inability to spell it after a year of use as a sure sign that it really does "just work" as advertised: silently and automatically, unnoticed in the background... He never sees it, so he doesn't learn to spell it.

Re:Is this really a GOOD idea?

[Yottabyte84]

This would rely on people being to spell correctly.

Re:Is this really a GOOD idea?

[Piquan]

It's not hard to write a random sentence generator that can deal with those rules. In fact, it's pretty much part of any Prolog class. And you can still make them semantically meaningless with a high probability.

Besides, who said this stuff had to be generated? A lot of what I saw when these random sentences first started hitting the spam was extracted from public domain texts. Politicians aside, not many people are likely to find a sentence from "Alice in Wonderland" offensive.

Re:Is this really a GOOD idea?

[stickyc]

I dont think that's as effective anymore. I'm getting a lot of spam these days with text that's been copied from (I'm assuming) public domain works. As a story, it makes little sense, but they're all in perfect grammatical form.

Re:Is this really a GOOD idea?

[Rhys]

So split the stream and train DSPAM in parallel to whatever spam tools you use now. When it's accuracy gets high enough to be worthwhile, swap over.

Not rocket science.

Re:Is this really a GOOD idea?

I think you mean: "2. pr0n (the one that got away)"

Re:Is this really a GOOD idea?

[LC+Gundo]

From definate WMDs to possible "programmes".WHY WAR?

Uh, just how long have you been spelling the word "definite" the way you do?

Time to dig out this old post.

This article advocates a

(x) technical ( ) legislative ( ) market-based ( ) vigilante

approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

( ) Spammers can easily use it to harvest email addresses
( ) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
(x) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
( ) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business

Specifically, your plan fails to account for

( ) Laws expressly prohibiting it
( ) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
( ) Asshats
( ) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes
(x) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of spam
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
( ) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
( ) Outlook

and the following philosophical objections may also apply:

( ) Ideas similar to yours are easy to come up with, yet none have ever
been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
(x) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
( ) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatiblity with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough

Furthermore, this is what I think about you:

(x) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your
house down!

Re:Time to dig out this old post.

[Frisky070802]

Looks like a blacklist, not a whitelist. Bzzz! Next contestant?

Re:Time to dig out this old post.

Actually, it's both.

Re:Time to dig out this old post.

[tds67]

I think the preceding post:

( ) Was funny.
( ) Was informative.
( ) Was interesting.
( ) Was informative and funny.
( ) Was interestingly informative.
(x) Was funny in an informative sort of way.
( ) Was rehash.
( ) Is itself spam.
( ) Is overrated.
( ) Gave me gas.

Re:Time to dig out this old post.

[interiot]

• (x) Users of email will not put up with it

We'll see.

• (x) Eternal arms race involved in all filtering approaches

One of the few constants is that there will be way for money to get from the target back to the original spammer or seller. (well, it's possible something more complex is going on and that's not the real goal of spam, but at the least, it's something that's remained constant for years, which is notable in the world of spam). So "following the money" is really based on an acceptance of the above criticism, and a realization that the arms race can never get around the money stream.

Filters may be lead to arms races, but does anyone NOT use them right now? There are few alternatives, namely things like making email non-anonymous / PKI, enacting large legal penalties along with huge international support, rejecting email from anyone you don't know, ....

• (x) Whitelists suck

Actually, it's a blacklist. Blacklists may suck, but it's possible they suck less than spam, and the proliferation of RBLs kind of implies that.

Sure, there might be a way to stop spam once and for all and then blacklists would be hated, but the very presence of a antispam-rejection-template implies that there won't be a magic bullet for a long time to come.

• (x) Sorry dude, but I don't think it would work.

The only way it CAN'T work is if money isn't the real goal of spammers, or if they make it hard enough to "follow the money" that other methods are easier/nicer.

Re:Time to dig out this old post.

[ajs]

Not only is it both, but the suck factor seems to be heavily in the whitelist camp.

Take for example the spammer who wants to get his spam through to me. He peppers his document with HREFs to Yahoo!, Hotmail, CNN.com, NASA.gov and a dozen or so other sites that are likely in the whitelist.

Now I look at it and he manages to squeek by the initial origin lookup (e.g. he would have passed through traditional RBLs) and body check finds that *most* of the entires in the body are good sites, and only one of them is suspicious.

Why maintain a whitelist at all if you're going to have to turn the gain down to the point that 20 good entires are drowned out by one bad?

Re:Time to dig out this old post.

[DJ-Dodger]

All it takes is one black-listed URL in the body of the message to get it tagged as spam. White-listed domains are simply ignored.

Re:Time to dig out this old post.

[xscarecrowx]

( ) CowboyNeal

Re:Time to dig out this old post.

[Carnildo]

Additional problem:

(x) The whitelist feature can be abused

As anyone who's spent any amount of time reading Slashdot comments should know, there are open redirect URLs on a number of sites that would be whitelisted under this proposal. On Slashdot, they were used to hide references to goatse. In spam, they can be used to whitelist spam URLs.

Re:Time to dig out this old post.

(x) Is a rehash that never stops being funny.

Re:Time to dig out this old post.

[Frisky070802]

Why maintain a whitelist at all...

Indeed, that's why I thought it was pure blacklist. I don't care how many white URLs there are if any are to known spammer/virus sites!

Re:Time to dig out this old post.

Forgot
(x) Anyone could anonymously destroy anyone else's career or business

It all depends on how easy it is to get into the whitelist (and how often it's updated)

Re:Time to dig out this old post.

[mgbastard]

(x) This plan costs the spammers money to keep spamming. That's New. Good Work!
(x) It fails to account for the number of domains they'll flood us with, they'll just need about 4000 of them each. Better luck next time.
(x) Spammer will pay off a offshore registrar to do mass bulk registrations, and ICANN will do nothing about it.

That being said, I'm going to enable it on a test basis tomorrow first thing on one of the sendmail boxes.

Re:Time to dig out this old post.

[ajs]

Having thought about this for a bit, I change my mind.

Both is good.

The result table looks like this

whitelist
yes no

b
l y
a e spam spam
c s
k
l n
i o not spam unknown
s
t

Having the whitelist does get you one extra bit of info, so it's useful insofar as it goes. In a system like SpamAssassin, you score high for "spam" results, a small negative for "not spam" results and zero for "unknown".

The whitelist will always be limited

There are millions of legitimate sites, and most of them aren't major sites like ebay, yahoo, etc. If I want to do a joe-job on an enemy small site, I can cause them a lot of pain by including their link. They'll have a dificult time someone wasn't spamming on their behalf.

Re:The whitelist will always be limited

[Tony+Hoyle]

Indeed... it creates a new kind of joe-job. One that not only inconveniences you for a couple of hours deleting the bounces, but possibly for weeks because your perfectly legitimate site is now on a blacklist.

This is a non-solution, really.

Re:The whitelist will always be limited

[Chester+K]

If I want to do a joe-job on an enemy small site, I can cause them a lot of pain by including their link.

Why? It doesn't hit the site, it does a lookup on it. And if the "enemy small site" isn't spamming themselves, why do they care if their URLs are being blocked from email?

Re:The whitelist will always be limited

Alot of people use their URL in their sig on all their emails... Insensitive Clod seems apropriate here.

We adjust the frequency of the shields,

[winkydink]

The adjust the frequency of the phasers.

I don't see this as the be-all, end-all for spam, but I do find it a very interesting and potentially very effective arrow for my spam-killer quiver.

Re:We adjust the frequency of the shields,

[gregmac]

I don't see this as the be-all, end-all for spam

Either do I. In fact, the first thing that comes to mind is that the domains that start actually showing up in email will become random. This introduces a bit of additional cost to the spammer, but if that's the only way to survive, they'll do it.

They could also use IPs, but this would become even more of a pain for them since it's harder to get IPs. If you start doing blocking for the random domain names by resolving the IP, and banning based on that, you're going to get into pretty much the same situation as the RBL's get in now: blocking legitimate sites, that happen to be on the same subnet/server as a spammers site (think co-location and ISP hosting).

Another way to defeat this method would be to hack web servers, and put on files that redirect to the desired site. This has a lot of implications - legal and technical - but again gets into the same situation as before where blacklisting the site in the email would blacklist legitimate sites.

Interesting idea, but definately not the silver bullet.

Re:We adjust the frequency of the shields,

[chris_mahan]

Naw, all they got to do is get link results off google for random words for each email they send out, that way, each email is a little different, and nearly all the links are valid.

Re:We adjust the frequency of the shields,

[Carnildo]

Another way to defeat this method would be to hack web servers, and put on files that redirect to the desired site. This has a lot of implications - legal and technical - but again gets into the same situation as before where blacklisting the site in the email would blacklist legitimate sites.

You don't need to hack into them. I know that Yahoo has an open redirect URL -- it was used to disguise a link to goatse a while back -- and I suspect that most other major web sites have similar URLs.

And the target of the next spate of virus will be?

[pair-a-noyd]

three guesses and the first two don't count...

SURBL?

[Mateito]

I mean, really, who comes up with the names for these things?

Show me one self-respecting spammer who's going to quake in their boots at the threat of being hit with a "SURBL".

("Oh no.. please.. not the SURBL. Don't SURBL me.. Its too much... no.. No.. NOOOOOO!)

Why not just call it a "NERF" and be done with it?

I propose we come up with Spam deterrents with names like "Knuckle Duster", "Jagged Bottle", "Bloodied Crowbar" and "Bubba the Love Truncheon".

Re:SURBL?

I propose we come up with Spam deterrents with names

Personally, I like BASTARD:

Bad Ass Spam Threat And Reduction Deterrant

Re:SURBL?

Yeah I can see it now... Enlarge your Love Truncheon by up to 50%! Doctor approved, 100% natural!!!! etc etc

Re:SURBL?

[skippy_twin]

Have you been rummaging through my hope chest filled with sex toys again?

It's a great idea

[Rapid+Home+Offer]

Combine it with spamassassin, and you can whitelist emails from companies that you want to recieve email from. Heck, with spamassassin you can give it a very small weight, and adjust the results manually. Every bit of extra information helps, and just ignoring it because it is compiled by somebody else doesn't make sense to me.

Re:It's a great idea

[beh]

...unless I would send out a spam with TONS of valid links on various sites that haven't got anything to do with the rest of the spam...

Boy - that list will be f***ed up pretty soon...

Re:It's a great idea

No it wouldn't because your email will smell like spam from ten miles away with so many different links in it, and hence my spam filter wouldn't let me touch it with a ten foot^H^H^H^Hmile pole...

Re:It's a great idea

[GreyFish]

That happened to my site yesterday, and it got reported to spamcop, so now i have to persuade them i've not a spammer.

Sigh.

Re:It's a great idea

[extremely]

The spammers already have wordlists, and are using them to assemble random titles and text. How much harder is it to assemble %commonword%.$rndext$ into a url? Hint: they are already doing it. This DB is useless before it starts, unless a human picks out the real "bad address" every time one gets recorded.

Re:It's a great idea

[Fubar420]

I think /. is kinda missing the boat. The point is to black list known bads.

So if I get an email w/ 1000 links to MS, but 1 to makemy(cock/boobs/sexdrive/credit card bills/wallet)bigger.com, its spam

Something legit, isnt going to link to makemy....com

Sure you have to make sure the list isnt coated, but a quick screen/checklist of URLs/domains can popup on new emails w/ new URI's when the message is auto-declared as spam...

Eh, not saying its perfect, but the whitelist isn't necessarily the killer, its the blacklist that has to be right.

A plugin?

[Pranjal]

The only requirement to implement the SURBL is a plugin on your MTA such as spamassassin that can parse the body of each email.
Anything which requires extra software on the MTA or client side is not a simple requirement as it cannotn be implemented universally. This is doomed to fail.

Re:A plugin?

Just like SpamAssassin failed...

Yeaaahhh....

Re:A plugin?

[Mateito]

> extra software on the ... client side.. not a simple requirement as
> it cannot be implemented universally

Bollocks. Send it to random users as an encrypted zip file with the key in an attached jpeg and a title like "returned mail" from a user called "hg477d762@hotmail.com", and enough people will install it to make it effective.

Never underestimate the stupidity of end users.

Re:A plugin?

[interiot]

So that explains why RBLs are so unpopular, right?

ANY technical solution is going to require extra work on the client side, so rejecting this outright is kind of rediculous unless you're advocating a purely legal, market-based, or vigilante solution.

Spam is getting to be such a problem that techies are setting up things like SpamAssassin for themselves and friends, and major ISPs are using RBLs. So this isn't really a problem.

Re:A plugin?

[MrChuck]

You don't want MTAs to stop being MTAs. They really SHOULDN'T be looking at message bodies. And then making complex decisions (is http://1593985/ a decimal version of a member of the list?) or doing regexs.

If you want bloat and dysfunction like this, look at Exchange or Notes or Gropewise. It's a GUI, it's a calendar, it's a database, it's an MTA! well, it doesn't scale and it tastes like floorwax.

This is why sendmail developed the MILTER interface. Firewall-1 had a proprietary scanning interface (easy to develop clients with their kit, but a bitch to find out the SERVER's protocol and use that). "the future" (in 1999) promised a vendor free spec. Which still isn't there.

MILTER allows sendmail to speak to an external process that can do things to the headers/envelope or bodies. External can mean to another box (or group of boxes) or just another program.

This also lets you make decisions before the SMTP session closes.

I just with other MTAs had this available.

Re:A plugin?

[Tony+Hoyle]

I just with other MTAs had this available.

Pretty much every MTA has this.

Except MS Exchange, but, well... enough said.

Re:A plugin?

[ragnar]

Why does it have to be implemented universally? If just 10,000 people use it and I do too, maybe I'll have less spam.

Re:A plugin?

[dodobh]

Exim and Postfix do. There must be a patch for qmail out there.

Re:A plugin?

[sjames]

It doesn't have to be a problem, but I wouldn't say that it isn't a problem.

There's a very good reason that SpamAsassin generally requires more than membership on one or more RBLs to conclude that a message is spam.

Ideally, an RBL lists spammers, mail servers that knowingly provide service to spammers, or mail servers that are sufficiently negligent that they might as well be spammers. In fact, they often unfairly (IMHO) sweep other sites into their net for various reasons.

I have seen RBLs unfairly include other domains that happen to be in the same class C (but have nothing to do with the spammer), Class Cs that were used by a spammer briefly before their ISP terminated them, entire ISPs netblocks because of one spam incident ('We had to destroy the village in order to save it'?), victims of spam hacks, hosting providers that forward their users mail to a designated external account (and the user happens to recieve spam), etc. In all of those cases, this seems to be done without even giving notice that there is a problem. Apparently, they presume that all ISPS should have a small army of admins reading the outgoing mail and that users should not be allowed to opt out of that 'service' when they want the mail forwarded to an external account.

That's fine to support that as long as you don't also complain when your ISP installs a carnivore like device so their admins can read all of your outgoing mail and when they block your ability to connect to port 25 of anything but their mail server, and refuses to allow you to forward the mail elsewhere but those measures certainly don't seem very popular around here.

Then there's the dummys who sign up to a double opt in mailing list and then report an on-topic mail from the list as spam. Sometimes from sheer forgetfullness, sometimes because they couldn't be bothered to follow the unsubscribe instructions posted at the bottom of every single mail. Another related case is when they explicitly ask for account summaries or invoices by email, then report them as spam. RBLs that don't bother to investigate reports before they block allow one such moron to burn thousands of legitimate users of email at a time. Naturally, those same RBLs will claim that every report is investigated, and that their list is accurate.

Then there's the much more incideous blocks that appear in some RBLs such as competing providers of RBLs, sites who's political views don't align with those of the RBL provider, sites and people the RBL provider has had a disagreement with, etc. Some RBLs are little more than an extortion racket where you get listed for mysterious reasons, but for $5000 their 'consultants' can fix the problem and get you off of the list (all without even logging in to your mail server no less).

I'd say the operation was a success but the patient died.

I'm using SpamAsassin, and have no more spam problems. I've gone form hundreds of spams a day (yes, hundreds) to one or two a week. Unlike RBLs, I control my own policy on what constitutes spam, and I don't enable a whole class of nasty new ways to damage others through false reportes and joe jobs.

Re:A plugin?

Thats an interesting idea.. If it worked, it would essentially innoculate the most vulnerable users (the ones who open it) from spam.

Would that not reduce the spammer's targetbase?

Whitelist maintenance?

[tepples]

From the article:

This is a democratic effect, improved by manual de-selection of legitimate domains by SpamCop users when they submit their reports. More reports means more votes that a given site is indeed spam.

Though the article's author feels that "most SC users probably make an effort to uncheck legitimate domains to prevent false reporting," I have read reports that some mail server admins claim that SpamCop's users are rather likely to mistakenly report ham as spam. So the domain whitelist becomes important, but what practices have the SURBL administrators put in place to prevent corruption with respect to sites reported to whitelist at surbl dot org?

Re:Whitelist maintenance?

They should also inform the original sender of the alleged spam, so that they know they have been blacklisted. Many companies probably don't know that such lists exists, and those that do will probably not check the lists often enough (after all, who suspects they will be falsly accused?)

Present problem.

[FreeLinux]

Presently the only problem with this is that there are no plug-ins for the MTAs themselves yet. The plug-in is for spamassassin. That means that the message has to be transfered and passed onto Spamassassin before it can be dropped or tagged whereas, the other RBLs allow you to drop the connection before the message is transfered. This problem will be solved once there are plug-ins for the MTAs themselves.

But, I have to ask, why aren't existing RBLs like Spamhaus effective. They should be far more effective than the ~40% that I am experiencing.

Re:Present problem.

[hidden]

>That means that the message has to be transfered
>and passed onto Spamassassin before it can be
>dropped or tagged whereas, the other RBLs allow you
>to drop the connection before the message is transfered.

if the RBL in question is based on parsing the text of the message, then I'm pretty sure you have to let the message be transfered anyway... So, not really a problem in this case.

Re:Present problem.

[httptech]

But, I have to ask, why aren't existing RBLs like Spamhaus effective. They should be far more effective than the ~40% that I am experiencing.

The answer is simple - many spammers are now querying the RBLs themselves and using the results to pick which proxies to send their spam through.

If you run an RBL, I think that with some analysis you could determine when a spammer is querying your RBL by their traffic pattern - for instance, if a given source is consistently the first to query for a given IP address shortly before a flurry of queries from different sources. Once you can detect the spammers' RBL queries, you could invert the results for the spammers - report all blacklisted hosts as unblacklisted and vice-versa - effectively blocking 100% of their mail at RBL-using sites.

Re:Present problem.

[42forty-two42]

the other RBLs allow you to drop the connection before the message is transfered.

How can URIs in the body of the message be checked before the message is transmitted? It's still going to use up bandwith, either way.

Re:Present problem.

We're talking about analysis of a connectionless protocol (UDP) right?

Such a system would end up being abused and less reliable. There's a reason people almost always set their blacklist usage to pass mail if resolution fails.

Re:Present problem.

[Phroggy]

Presently the only problem with this is that there are no plug-ins for the MTAs themselves yet. The plug-in is for spamassassin. That means that the message has to be transfered and passed onto Spamassassin before it can be dropped or tagged whereas, the other RBLs allow you to drop the connection before the message is transfered. This problem will be solved once there are plug-ins for the MTAs themselves.

Sorry, but that's not because it's a SpamAssassin plugin vs an MTA plugin. That's because the SMTP protocol doesn't allow for what you describe.

Let's say I'm an MTA. When you connect to me, the first thing you do is introduce yourself, then tell me the envelope sender and envelope recipient of the message you're about to send, then give me the full message including headers and body. My options for blocking the message are:

1. Before you even connect, your IP could be blocked at the firewall level, so I'd never see you.
   
2. After you connect, before you introduce yourself, I have your IP address, and can check it against a blacklist and/or whitelist, and give you an error and disconnect if I don't like what I find. I can also do reverse and forward DNS queries on your IP to make sure they agree.
   
3. After you introduce yourself, I can compare your greeting against your reverse DNS, since that's how you should be introducing yourself. I can give you an error if I don't like it.
   
4. After you give me the envelope recipient, I can make sure that domain exists, etc. (Side note: Verisign wants to break this; ICANN is currently not letting them.)
   
5. After you give me the envelope recipient, I can make sure that e-mail address is OK - if it's my domain name and the username is somebody I know I'll accept it, or if it's a valid domain name somewhere else and your IP is on my LAN I'll relay it. Otherwise I can give you an error.
   
6. If we've gotten this far, I must now accept the entire message, including headers and body. If there's something in the headers I don't like, too bad! If there's something in the body I don't like, too bad! I have to let you send the whole message.
   
7. After I've accepted the message, if there's a problem, I can generate a bounce message to send back to you, assuming the e-mail address you gave me actually works. If that fails, I'll send an e-mail to my postmaster explaining what happened. Or if that's too annoying, I could just delete your message and not tell anyone.
   

Existing RBLs work at step 2. Filtering based on message content can't happen until step 7. You could build it into the MTA, but MTAs are complex enough as it is; using something else (SpamAssassin, Procmail, whatever) is a better idea.

Re:Present problem.

But, I have to ask, why aren't existing RBLs like Spamhaus effective. They should be far more effective than the ~40% that I am experiencing.

Because the Spamhaus SBL targets a sub-set of spamming IPs, the more static "spamhausen" as they call them.

A few months back they started offering the XBL, this list targets the "exploited" machines out there that spammers send most of their spam though, it combined with the SBL get about 85% of my spam. The rest gets the Bayesian treatment. Limits me to one or two a day.

Re:Present problem.

You imply that a negative response to the DATA command in step #6 is not possible and your only recourse is to later attempt to bounce the message in #7. I don't think this is true. The message is not accepted until success is acknowledged after the client sends the final period.

Then what happens when ....

Spammers could then post their web sites as search URL's on Google, MSN, etc.. If you block those URL's then lots of people would complain that they can't send Google entries. Even if you solved that, then what happens with sites like tinyurl.com? If you block them then you have liability and legal issues to think about. No doubt the spammers will script up a number of ways to cloak the marketeers site urls.

Re:Then what happens when ....

what happens with sites like tinyurl.com? If you block them then you have liability and legal issues to think about.

Why?

Re:Then what happens when ....

[jeeryg_flashaccess]

Which begs the question...Gmail is going to be an open email system...searchable...vulnerable. How is Google going to prevent spam?

Greg

Works for me

[Frisky070802]

I am continually adding certain domain names to my spam filter, if found in text. I'd love it for this tool to do it for me, as long as I can trust the low false positive rate.

Re:Works for me

[Craig+Davison]

I do that. I started with *.biz - the trailer park of domains.

Re:Works for me

[Frisky070802]

I started with *.biz - the trailer park of domains

Very funny, but so true! I thought about wildcarding .biz but was afraid I'd catch something legit. So far, so bad, so I think I'll do the same now, with a whitelist should I ever find something legit.

Viva procmail!

DOSes and things outside of ones control

[Corvar]

This type of system is very abusable.

I know I have gotten spam reports from places like spam cop because people have included the URL of my website in their spam. My site had nothing to do with the spam other than the spammer was using an article on the site to back up his point of view.

This type of system could very easily be abused to blackhole many mailing lists.

Re:DOSes and things outside of ones control

I have gotten spam reports from places like spam cop..

Places like, or spamcop itsself?

Re:DOSes and things outside of ones control

[Corvar]

SpamCop and others

Spam is unavoidable

[Klatoo55]

We can't ever have a workable spam filter because of the adaptability of spam. However much you try, the spammers will come up with a way to circumvent your block. How long do you think that it would take for the spammers to figure out how to send emails that the whitelist software would mistake for legit? Nothing short of a trained monkey going through your inbox will sort this out effectively.

Re:Spam is unavoidable

[rw2]

We can't ever have a workable spam filter because of the adaptability of spam.

This is because the solutions of the day focus on content instead of anonymity.

I've said it before, I'll probably say it again, get rid of unauthenticated email and the spam problem becomes a thousand times easier to fight. SPF and various RMX solutions exist in design today. If people want the spam problem to go away, that can be done today. Unfortunately people would rather piss and moan and call for legislation or perfect solutions than deal with these good ones today.

In the case of spam the perfect is the enemy of the good enough. We should stop spam today.

sendmail internal RBL

[mabu]

A good way to start if you're running your own mailserver is to use an internal IP-based blacklist such as the one found here. It's incomplete due to Geocities limitations but send e-mail to that account and the guy running it will send you the whole file. It's a list that he's been compiling now for more than a year of IP blocks, mostly class Bs, that have virtually no useful SMTP traffic and should be completely cut off. This generally consists of the vast majority of Chinese, Korean and Brazillian DULs.

We've been able to effectively stop about 50% of the spam using these lists and save resources and bandwidth. What's left is to start RBL'ing the domestic DUL IP space (Comcast, SWBell, Bellsouth, etc.) on a class B-level until the ISPs start cracking down on their rogue users.

Re:sendmail internal RBL

[dbullock]

I've already started doing that and it's HUGELY successful.

Rather than go through and buildup a big list of subnets, I've written a few dozen regular expressions that match up to the reverse name lookups.

For example /ipt\.aol\.com/ matches any AOL dialup (There's no legitimate reason for us to allow an SMTP connection from an AOL dialup)

I use Postfix in front of our Exchange server to do this. Anyone interested in a more complete list is free to email me - slashdot-spamfiltering@bullnet.com

so-called "remove me" links

[imroy]

I've been playing with a honeypot email account for the last couple of months. Those "remove me from your list" links sure are a good way to get more spam (Spammers are lying scum). I hope this SURBL suggestion doesn't get implemented at the ISP level. Then I wouldn't be able to go the spammers site (carefully editing the URL as needed, and with Mozilla) and sign up my honeypot account for more penis enlargement spam!

Re:so-called "remove me" links

[Phroggy]

Why don't you post your honeypot address here? Mine is honeypot@bl.phroggy.com. I'll add yours to the list of hidden links on my home page, if you'd like.

Attn: Potential Slashdot Comedians

Look at the mod history of the parent, and remember you don't get Karma for Funny mods. Lesson: never make a joke when logged in.

My proposed solution to spam

[GillBates0]

I don't know if anybody has tried this yet....and if not, why not:

My suggestion is to present the user with those images containing a word (like the one used by Yahoo! etc during registration) everytime the user needs to send a mail (before clicking Send). This is a reasonably difficult Turing-type tests which could weed out a majority of automated scripts/spambots.

An immediate problem with this scheme that I see is that for the words to be sufficiently random and crack-proof, they would have to be served in real-time to the mail program, and could need tweaks in current mail programs. A static list coded into the program might be too easy to break. This isn't too impractical, since an Internet connection is assumed during most email transactions.

Another problem, ofcourse is that it will not work with text-based mailers like PINE, but as long as it weeds out all the spam sent from all the freebie mail accounts we could see an improvement.

Comments/Suggestions?

Re:My proposed solution to spam

Hmm. Lots of stories on /. about spam lately.

Another problem, ofcourse is that it will not work with text-based mailers like PINE, but as long as it weeds out all the spam sent from all the freebie mail accounts we could see an improvement.

Not a lot of spam actually comes from those freebie accounts, as far as I can tell. (I see a lot of /var/log/maillog on an average day, believe me.)

Re:My proposed solution to spam

[lupine]

This article advocates a

(x) technical ( ) legislative ( ) market-based ( ) vigilante

approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

(x) Mailing lists and other legitimate email uses would be affected
(x) Users of email will not put up with it

Specifically, your plan fails to account for

(x) Lack of centrally controlling authority for email
(x) Open relays in foreign countries

and the following philosophical objections may also apply:

(x) Ideas similar to yours are easy to come up with, yet none have ever been shown practical

Furthermore, this is what I think about you:

(x) Sorry dude, but I don't think it would work.

Re:My proposed solution to spam

[mabu]

This scheme doesn't work because:

1. Spam isn't primarily coming from legitimate SMTP relays like Yahoo or Hotmail

2. Ultimately to make such a system work, the mail would end up having to be flagged as "approved" by completing the process you suggest, which basically turns the scheme into a trusted-computing system (aka "whitelist"), and if you're going to go that route, you might as well call a spade a spade.

And since we're calling spades a spades, the way to do it is to require all SMTP servers to have a "license". Create a regulatory body in the same manner the TLDs are done (but with some competence) and endorse a sanctioned SMTP whitelist. Then when you get e-mail, you can choose to accept only mail from licensed SMTP servers.

Mark my words: This WILL happen. It's just a matter of time. It's the only way to stop spam. All the challenge-response systems; all the content-based filters eventually work because of NOT what they block, but because of the rules they use to determine what is legitimate.

Re:My proposed solution to spam

[Baumi]

My suggestion is to present the user with those images containing a word [...] everytime the user needs to send a mail (before clicking Send).
[...]
as long as it weeds out all the spam sent from all the freebie mail accounts we could see an improvement

That wouldn't help one bit. Spammers may forge a freemailer's address, but in reality they use either open relays which are run by admins way too lazy to implement ANY contermeasures against spam or (as it's more and more common) they're using worms to infect tons of PCs, turning them into SMTP servers without the knowledge of the owners. As for sending those mails, they donn't standard mail applications, but rather specialized bulk mail programs.

Where would your image idea fit in?

Using it in a freemailer's web interface is useless, since spammers don't hijack those interfaces. The lazy SMTP server admin won't implement it, and even those who aren't lazy wouldn't, since it would break compatibility with every single legitimate mail user. Lastly, the likelyhood of anti-spam measures popping up in hijacked computers or bulk mailing programs is extremely slim, as well.

So, sorry, but that one simply doesn't work.

Baumi

Re:My proposed solution to spam

[scrytch]

You are advocating a

(x) technical ( ) legislative ( ) market-based ( ) vigilante

approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

(x) Users of email will not put up with it

and the following philosophical objections may also apply:

(x) Ideas similar to yours are easy to come up with, yet none have ever
been shown practical

Furthermore, this is what I think about you:

(x) Sorry dude, but I don't think it would work.

(I'm feeling nice today)

Re:My proposed solution to spam

[taustin]

A) It's stupid.
B) It's already been broken, by offering free porn to those who break the code
C) It's stupid.
D) What about spammers that run their own mail servers? Which is to say, nearly all spammers.
E) It's stupid.
F) It will break every mailing list in existence, or mailing lists will be set up by spammers.
G) It's stupid.

Did I mention, it's stupid?

Re:My proposed solution to spam

My suggestion is to present the user with those images containing a word [...] everytime the user needs to send a mail This is not interesting but plain nonsense.

Spammers don't use "freebie mail accounts", they don't need to. Even if the mails seem to origin from such accounts, they most probably didn't send it from there:

If you know an open relay server, you just need to connect to it, and you can send any mail you wish, with any "From:"-Header you would like the receiver to see. Maybe hundreds or thousands of mails in a second.

If you programmed one of those virii, we see every day, you may use the lusers mail-adress and send mails from his account, again with fake or his address. And of course there are many other ways to send spam...>p> What you are maybe really asking for, is a change of the protocol, but that would not look like "words in images" at all, but some kind of cryptographic extension authenticated machines and programs could do. Anything else you asked for would just hurt the normal user, but no spammer.

Re:My proposed solution to spam

[hacker]

1. Spam isn't primarily coming from legitimate SMTP relays like Yahoo or Hotmail

You're kidding, right?

At least 80% of our incoming spam, brute-force attacks, and other SMTP violations are coming from behind legitimate hosts like AOL, Verizon, Blueyonder, RoadRunner, and so on. Not forged IPs that pretend to be those hosts, but actual IPs that return to those MXs.

Look at today's list of brute-force attacks so far.. (as of Mon Apr 12 17:55:53 EDT 2004)

Every single one of these lists gets collected and reported, per day, per provider, and to date, not a single one of them has done anything to stop the abuse. In fact, it keeps increasing every day. The more we block, the faster they come at us.

Re:My proposed solution to spam

What about someone who is visually impaired? Yes they do use the internet and they do send emails. Personally my aunt and uncle are both totally blind but that doesn't stop them from using email regularly. In fact it's the most common form of communication I have with them. I'm sure the whole scale implimentation of something like this would have disability groups up in arms and rightfully so.

Not to mention like people said it really wouldn't do anything to solve the spam problems. As long as anyone who wants can setup an smtp server and start sending out emails with out any way of validating where that email is coming from solutions like this will not do anything more than annoy legitimate users or completely lock them out.

Re:My proposed solution to spam

[geminidomino]

At least 80% of our incoming spam, brute-force attacks, and other SMTP violations are coming from behind legitimate hosts like AOL, Verizon, Blueyonder, RoadRunner, and so on. Not forged IPs that pretend to be those hosts, but actual IPs that return to those MXs.

You just hit the problem on the head. Those aren't Hosts, they are companies or providers. A host is a single machine or "hostname"(multi-homed hosts and multi-ip load balancing notwithstanding). mail.example.com is a host. Most of your spam is probably coming from, based on the providers you listed, people running windows boxen that have been owned and are being used as spam proxies.
There are several Dial-up lists that can be used for blocklisting.If someone is running a "legitimate" mailserver on a dynamic IP, they are few and far between enough, especially considering the worm and spam traffic from regular idiot end users. If they get blocked, they can either request whitelisting, or actually shell out for a frigging static IP.

One of these days, I'm going to get around to building an openBSD firewall. I want to test PFs OS detecting ability and see how well it works. If it works well, It might be doable to deny connection to ANY winbox trying to connect to port 25. Exchange servers should be behind a firewall anyway, and end users should be using their ISPs own mailserver (if that ISP's mailserver is an exchange box connected direct to the internet, I don't want mail from them anyway. There is a point when incompetence becomes dangerous.)

Re:My proposed solution to spam

[Elyas]

omr-blah is actually AOL's e-mail bouncing complex. That is why all the messages show up as having a null return path. No real spam filtering on those, as the messages aren't considered to have really been "sent" by AOL, someone else hit AOL with mail from fake addresses, to addresses they knew didn't exist.

SURBL

[maxdamage]

Sounds like a soft drink name...

Bayesian spamming

How long do you think it will take spammers to add dozens of valid - but in the context of the spam nonsensical - URLs just to fill up the black-list and make it useless?

Good point, but I think it will take very little time for developers to enhance spamassasin to mark anything as spam if it has more than, say, 5, URIs in it that don't point to the same domain. (If this feature isn't in spamassassin already.)

Re:Bayesian spamming

[Yottabyte84]

I'd expect that to have a rather high false positive rate....

Re:Bayesian spamming

I think it will take very little time for developers to enhance spamassasin to mark anything as spam if it has more than, say, 5, URIs in it that don't point to the same domain.

And if it were a true Joe Job, targetting some notable anti-spammer, it could have a single URI for http://www.antispamworld.com (for example). Now the newsletter for AntiSpamWorld starts getting blocked because of the evil spammer.

Re:Bayesian spamming

Why would you expect a high false positive rate? I can't think of a single legitimate email I've received that: a.) came from somebody who wasn't be on my whitelist.
b.) has several URIs that don't point to the same domain.

Bulk emails for which I've opted-in might contain several URIs, but they'll usually point to only 1 or 2 domains.

I'm more worried about the joe-jobs targeting anti-spam sites, but there would be a whitelist for URLs, so that a spammer including links to http://cauce.org, for example, wouldn't trigger blacklisting of CAUCE.

Re:Bayesian spamming

[Yottabyte84]

Well, at work, we've had legin mail go back and forth that say... Here's some information about foo, tell me what you think, and some URLs (4 to 6 or so)

Doesn't stack up

[sleepnmojo]

It would be interesting seeing how effective this would be. I can see some problems with it though. Most of the spam I get uses a msn or yahoo address which just redirects you. My impression, is that this would become valid now. I also see problems with things like tiny url. Which is just an alias for another url, supposedly much larger. This would mean banning the use of all these types of urls.

Re:Doesn't stack up

[jcuervo]

This would mean banning the use of all these types of urls.

Good.

Too much work!!!

Ok, so you want me to sort through (validate???) tens of thousands or millions of IP addresses to create my own blacklist? That's way too much work!!! If I'm going to implement my own IP blacklist, I'm going to cut down the administrative overhead and just use this entry:

0.0.0.0/0 REJECT

Seriously, an RBL is an IP blacklist but, the list is maintained in an automated fashion by thousands of systems that report back to the RBL. RBLs are really a much better solution that your own personal list.

Re:Too much work!!!

[mabu]

I agree with you, but there are some cases, such as APNIC networks which, unless you have reason to communicate with China or Korea, it's much easier to simply put a 218.* reject in your sendmail access file and avoid all the overhead to call the RBLs.

One problem we're seeing now is that some of the RBLs like Spamcop, automatically expire a blacklisted entry after X days. The spammers take advantage of this by playing around in huge Asian-Pacific blocks of IP space that give them plenty of addresses from which to rotate their spamming. One way around this is to blacklist the entire rogue regions, and then let the legitimate operations in those spaces contact you for permission.

For example, if Bellsouth is operating in the 68.* domain, and the lion's share of their IP space are DULs which shouldn't be sending port 25 traffic, it's a lot easier to BL the entire block and then redirect users to a form where they can submit legitimate SMTP relays and have them whitelisted.

The problem I have with RBLs (even though I love them) is that they're singly-IP-based, when there are some areas that just need to be wholesale blocked, and I've yet to figure out how to configure Bind to easily resolve IP lookups on blocks of addresses.

Re:Too much work!!!

For example, if Bellsouth is operating in the 68.* domain, and the lion's share of their IP space are DULs which shouldn't be sending port 25 traffic, it's a lot easier to BL the entire block and then redirect users to a form where they can submit legitimate SMTP relays and have them whitelisted.

Assuming you setup and honor a whitelist form, maybe. I regularly setup legitimate businesses on DSL connections from BellSouth. These are busiiness accounts with static IPs but, certain organizations like RoadRunner and AOL have decided that ALL BellSouth IPs should be blacklisted and they aren't interested in making exceptions. This became such a problem that my company has setup an SMTP relay on another ISP for our customers to be able to send mail. That's something we never wanted to do and would love to stop but...

Re:Too much work!!!

[DarkOx]

Amen, this is why BLs are evil. They people running and using them are allowing the spamers to win. They basicly ensure that the only people who can run MTAs are very large organizations that can be sure they are on everyones whitelist and will never be black listed and the dertermined spammers who can change it up enough and remain a moving target. The only thing BLs accomplish is screwing the little guy.

Re:Too much work!!!

[swb]

Do you have a *good* reliable geographicIP delegation table? I can never find one, and if I do, it's old, or grossly inadequate.

I'd love to have one; I wouldn't necessarily *blacklist* APNIC, but I would definitely rate-limit the entire APNIC to 28.8kbps into my network. I'm not sure it would "end" anything, but it would slow down spammers and/or cause them to give up on us.

Re:Too much work!!!

[qualico]

AMEN!!!

And I am one of those little guys!

Trying to communicate an email to my family about complications with my unborn son.
BLOCKED

Thanks BLers! :-

And they won't even whitelist me after repeated pleas to do so!

Blacklisters that block legit email should be brought down like SCO. They are worse than spammers!

Further, why should I have to pay for a static IP when I have the knowledge to save a buck and run my server on a dynamic?

Slashdot rejected my article outlining this very problem. AND its a big problem!
Regardless, I want more light shed on this topic.
It needs a fixin'!

Re:Too much work!!!

[don.g]

You may not know it, but the 'P' in APNIC stands for "Pacific". I live in APNIC space - but I'm not from China or Korea. Of course, I probably have no reason to talk to equipment on your network, but you'd better hope you're not hosting a website that people in New Zealand or Australia want to access at any sort of reasonable speed...

I'd like to know

[heldlikesound]

WTFATAM

Yet Another Stupid Spam Idea (YASSI)

[mabu]

Let's coin a new term: YASSI for yet another stupid spam-related idea.

This boneheaded scheme falls into the same category as all content-based filtering systems: It doesn't address the most henous crime on the part of spammers, which is the consumption of bandwidth and network resources. And like other client-side/content-based filtering systems, the system will work about 12 minutes before the spammers figure out a way around it and then your system doesn't work. And of course, you'll have to constantly update it in order to make in effective, which means you have yet another piece of software that requires routine updating, slows down the mail service, your computer and everything in between. And after all that, you'll still get spam.

The main reason spam is prevalent is because SPAMMERS STEAL BANDWIDTH WITHOUT PAYING FOR IT. When you force them to operate from a single location, then they have to act ethically and then they have to pay premium money to spam, and then they go out of business because it's only economical when they steal resources.

You don't have content-based filtering on other primary methods of communication. It's a federal crime to go through mail; (at least before Patriot) you needed a court order to tap phones. E-mail should be an equally sacred communication medium that shouldn't be subject to "strip searches" before it hits your inbox. And this whole boneheaded scheme will NEVER stop spam in the first place, so let's stop pursuing these efforts.

RBLs are most effective right now. The worm invasion is evidence of that, as spammers are finding less IP space to operate from so they're engaging in more aggressive tactics to take over peoples' machines, which, hopefully sooner-or-later, will land these sleazebags in jail.

Re:Yet Another Stupid Spam Idea (YASSI)

>you needed a court order to tap phones.

But do you need one to screen your own calls? I think not. What we're talking about here isn't about some nefarious "they" blocking messages at the source, it's a voluntary technique that you can apply or not, as it suits you.

Re:Yet Another Stupid Spam Idea (YASSI)

[ChaosDiscord]

You don't have content-based filtering on other primary methods of communication. It's a federal crime to go through mail; (at least before Patriot) you needed a court order to tap phones. E-mail should be an equally sacred communication medium that shouldn't be subject to "strip searches" before it hits your inbox.

Ummmm, the hell? It's perfectly legal to go through mail. My own mail, naturally. And it's legal to tell someone else (say, a secretary) to go through your and filter it. Ditto phone calls. I agree, I wouldn't want the government or any other random person or organization rummaging through my email. But I'm more than happy to run a program to do it myself. I appreciate ISPs that offer me the service. (I'm less keen on ISPs that make the service mandatory, but that's another issue.)

And this whole boneheaded scheme will NEVER stop spam in the first place, so let's stop pursuing these efforts.

Attacking the source varies from extremely difficult to impossible. Spam filtering systems (especially multiple technique systems like SpamAssassin) are a good stopgap measure. Sure, the spammer is still wasting my bandwidth, that sucks, but having it disappear into my IN.spam folder reduces my irritation. Ultimately even legal measures have limitations as spammers move overseas. Too suggest that we should just give up and drown in spam (I'm at a 2:1 spam:ham ratio these days) until we get a full solution is foolish. Much like medicine, sometimes a cure isn't a real option; all you can do is treat the symptoms. I hope a real cure is on the horizon, we should certainly look for one, but in the mean time I'll treat my own symptoms.

Re:Yet Another Stupid Spam Idea (YASSI)

You sound like a spammer. You are wrong: Content-based filtering does work very well thank you. goodbye now.

Re:Yet Another Stupid Spam Idea (YASSI)

The main reason spam is prevalent is because SPAMMERS STEAL BANDWIDTH WITHOUT PAYING FOR IT. When you force them to operate from a single location, then they have to act ethically and then they have to pay premium money to spam, and then they go out of business because it's only economical when they steal resources.

I did some work for a day trading outfit to setup a spam server for them. Of course, they didn't call it a spam server, but basically it was a mail server setup to deliver several hundred thousand emails a day to email addresses they purchased in bulk. This is a legitamate company, and they lease a legitimate T1 line from AT&T and are thinking of getting a fractional T3 (6mbs) further on down the road.

They pay another company for a list of people "interested in receiving these types of offers", and they pay for their bandwidth. The business they do get from this IS economical for them, and they don't have to steal anyone's bandwidth. And yes, their spam will probably end up in your inbox at some point because yes, "you are interested in receiving these types of offers from our partners."

As for me? I don't feel guilty about setting them up because I'm already beseiged with spam. However, with spamassasin running, my filters set to 3 points, I can let my trash.spam folder fill up, and I check the headers once in a while, see no false positives, and hit the purge trash link. Me and my users still receive some spam, but it's probably just under a 1:1 ratio. Around 3-4 slip through late at night, and another 3-4 in the morning, and sometimes another 3-4 around 5pm. However, my spam folder has received around 80 during that time.

So yes, spammers to pay for bandwidth, and yes, filters do work. Attacking the source is useless.. new spammers crop up everyday, many of which are paying for premium address space.

Re:Yet Another Stupid Spam Idea (YASSI)

[Glamdrlng]

I did some work for a day trading outfit to setup a spam server for them. Of course, they didn't call it a spam server, but basically it was a mail server setup to deliver several hundred thousand emails a day to email addresses they purchased in bulk. This is a legitamate company, and they lease a legitimate T1 line from AT&T and are thinking of getting a fractional T3 (6mbs) further on down the road.

A few years ago I would've expressed my best wishes hoping that you die a wretched death from a nasty VD you got from having bad sex with an ugly woman. Work's hard to come by these days though, so I don't really hold that against you personally. Besides, if they abuse their paid-for bandwidth by not honoring removal requests then their ISP will drop them, problem solved.

Re:Yet Another Stupid Spam Idea (YASSI)

[Glamdrlng]

The main reason spam is prevalent is because SPAMMERS STEAL BANDWIDTH WITHOUT PAYING FOR IT. When you force them to operate from a single location, then they have to act ethically and then they have to pay premium money to spam, and then they go out of business because it's only economical when they steal resources

So the RBL's keep them running from IP to IP, or serving spam off of compromised machines (Gotta love the spamhaus XBL). Personally, I view this as a progression of RBL's: make it so that, not only do they have to hop mail servers, with this they also have to hop web servers.

Re:Yet Another Stupid Spam Idea (YASSI)

[mycroftxxxx]

... the system will work about 12 minutes...

Hmm. It's been 4 days and this is what I've caught with it. SPAMCOP_URI_RBL pushed 765 spam over the top and going strong....

Unless you try it, don't presume to suppose what it can/won't do.

Trap Count
SpamAssassin 1,722
...BAYES_99 1,662
...HTML_MESSAGE 1,472
...RCVD_IN_BL_SPAMCOP_NET 1,227
...PYZOR_CHECK 990
...RCVD_IN_SORBS 970
...MIME_HTML_ONLY 940
...DCC_CHECK 917
...SPAMCOP_URI_RBL 765
...RCVD_IN_DSBL 729
...RCVD_IN_SBL 533
Country Count
United States 1,234
Unknown 162
Canada 52
China 51
Brazil 31
Korea, Republic of 25
Spain 21
Australia 20
France 20
United Kingdom 19

Here's an example of how it adds a 3.0 score (last entry) to an already spammy msg:

autolearn=spam
5.40 BAYES_99 Bayesian spam probability is 99 to 100%
0.10 BIZ_TLD Contains a URL in the BIZ top-level domain
2.91 DCC_CHECK Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
0.50 FORGED_HOTMAIL_RCVD Forged hotmail.com 'Received:' header found
0.10 HTML_70_80 Message is 70% to 80% HTML
1.23 HTML_IMAGE_ONLY_02 HTML: images with 0-200 bytes of words
0.10 HTML_MESSAGE HTML included in message
0.56 MIME_HTML_NO_CHARSET Message text in HTML without charset
0.32 MIME_HTML_ONLY Message only has text/html MIME parts
1.10 MIME_HTML_ONLY_MULTI Multipart message only has text/html MIME parts
3.51 PYZOR_CHECK Listed in Pyzor (http://pyzor.sf.net/)
2.60 RCVD_IN_DYNABLOCK Sent directly from dynamic IP address
0.10 RCVD_IN_NJABL Received via a relay in dnsbl.njabl.org
3.54 RCVD_IN_NJABL_DIALUP NJABL: dialup sender did non-local SMTP
0.10 RCVD_IN_RFCI Sent via a relay in ipwhois.rfc-ignorant.org
0.10 RCVD_IN_SORBS SORBS: sender is listed in SORBS
3.00 SPAMCOP_URI_RBL URI's domain appears in spamcop database at sc.surbl.org

If anything like this every went live...

... it would only be a matter of seconds before http://www.sco.com/ was added to the block list.

Let's be realistic

Spam is not going to stop until every single user is postively identified on the internet. And it will happen. Get used to the idea.

No system that uses the content of an email...

[exp(pi*sqrt(163))]

...to detect spam can be effective for long. Ultimately the mere fact that it's a system means that intelligent spammers can use the characteristics of the system to engineer a description of mail that isn't identified as spam and hence craft their own spam to fail to fit that description. There's probably some variant of Gödel's Theorem that makes this formal.

There is already a cure for spam - give everyone unlimited email addresses, give out different addresses to different recipients, and delete any email that receives spam (along with possibly sending an email of complaint to whoever you originally have that particular address to). The whole thing could easily be built into mail clients and supported by mail providers. It works fine for me. It costs me $35 to buy my own domain and a one off payment of about $30 to zoneedit to set up the mail forwarding. It works so well, and has worked for the least 3 or 4 years, that I almost suspect that there is some kind of conspiracy to overlook this method in order to promote other dubious methods.

Re:No system that uses the content of an email...

[interiot]

The unlimited-email-addresses basically comes down to requiring a password before someone can send you email (eg. if everyone accepted *@their.domain.com, spammers would just pick some random characters for the left side. So you have to have some sort of checksum or hash built into the characters, but if everyone uses the same algorithm, spammers would be able to generate their own random list again. So the only way to make it work universally is to salt the hash with something like a private key).

If people have to get passwords from you before they can contact you, then... what do you do if you're an open source author... or if an ex from college wants to hook up again and googles you, and finds your website, but STILL can't contact you... or you want to sign up for match.com so that random women can email you.

Re:No system that uses the content of an email...

[interiot]

But if there are invariants associated with spam, then systems will be at least partially effective.

Currently, spammers can create new spam relays only so fast.

Currently, spammers want to receive money via credit card over the internet.

Currently, it's hard enough to effectively spam that there aren't tens of thousands who are actively doing it, so blacklisting certain credit card vendor IDs could work.

Currently, spammers want to make it harder to "follow the money" so they use crazy javascript stuff on the front page of their websites, and the crazy javascript is one clue that the trail you're following is spammy. (add it to all the other clues you find, and you have a score that you can use to make a yes/no determination)

Re:No system that uses the content of an email...

[Electrum]

It costs me $35 to buy my own domain and a one off payment of about $30 to zoneedit to set up the mail forwarding.

Use a registrar like directNIC that has $15 domains and free email forwarding.

But note that you don't have to have your own domain to use that method. MTAs like qmail offer extension addresses (user-*@example.com). Also check out spamgourmet for a more advanced approach.

Re:No system that uses the content of an email...

[exp(pi*sqrt(163))]

Good questions.

• what do you do if you're an open source author... I am and don't get spam this way. If I did I'd merely change the email address associated with the project. In the worst case scenario that someone needs to track me down from an ancient piece of code with an old email address they can use the method below...
• or if an ex from college wants to hook up again and googles you, and finds your website, but STILL can't contact you... I have an email address on my website. It's in a form that can't easily be harvested so people would have to enter it manually into a spam mailing list. It's rare that spam comes in this way but if it does I change the address on there. Hell, I challenged someone on a /.-like web site to email me recently even though I posted there anonymously. They succeeded without too much hassle.
• or you want to sign up for match.com so that random women can email you. Currently I'd deal with this by registering with the email address match@mydomain.com. As soon as spam starts on that email address I'd change to match01@mydomain.com and so on.

Note that a little work is required on my part. In the worst case scenario I need to do one bit of work for each bit of spam I receive. I receive so little spam that this isn't really a burden.

If 'AI' eventually gets good enough to harvest email addresses written in human- but not machine-readable from from web pages then my method is doomed. I can also think of attacks that don't need AIs but they're a bit preposterous - like setting up a porn web site and accepting a strange form of payment for pictures: you tell people they can look at the porn if they type in the email address shown in the picture that comes up before the porn and flash up a picture of a web site from which you want to harvest. I didn't explain that too well - maybe you se what I mean.

Re:No system that uses the content of an email...

[peeping_Thomist]

People want their old email addresses to continue to work, the way a physical address does.

Re:No system that uses the content of an email...

[exp(pi*sqrt(163))]

And some people want to return to the horse and cart. That's their problem!

Re:No system that uses the content of an email...

[interiot]

Could work I guess. There ARE a lot of disposable email address services out there, and they seem to be all the rage lately.

It does put some burden on the sender as well though. These are the options I see:

• The sender manages to keep your address confidential (meaning no catching outlook viruses, no cc'ing you along with 20 of their friends, no using it to send you stupid postcards). Not bloody likely for very many people.
• All spams are responded to with a URL that users can use to get a new address from a warped GIF. Unfortunately the ISP has to pay doubly for spam.
• The server simply drops spams (or puts them in a separate box that you never check since its S/N ratio is SOOOOO bad, curiously because this method is so effective). If that was the last contact info of you they had, they have to google you and find the above URL. For the masses, this would involve one or more email registries that people would have to remember to keep updated, including some of their personal info to differentiate David H. Newcum in illinois from David L. Newcum in Missouri. Unfortunately this means you have to give up a little extra private info, and it means you have to remember to keep the site updated in case your email address or domain changes (it would generate new disposable addresses periodically, so it wouldn't be THAT tedious). But this option also makes it slightly more likely that people will lose contact with you because googling isn't always easy.

Re:No system that uses the content of an email...

[interiot]

Ahh, this guy states the problem succinctly:

• My "disposable" addresses aren't very disposable. ... When retiring an address has undesired effects, it's no longer disposable.

Re:No system that uses the content of an email...

[exp(pi*sqrt(163))]

No, it does work. But it might not work forever I suppose. Your first point is the one I worry about most but I'm pretty sure I don't get spam via that route yet.

I'm also lucky in another way. My surname is almost unique. 95% of searches on my surname find me, 5% find my brother. I'm easy to google. I've always thought that people's names should be unique :-)

I don't have a spam problem

are there lots of people that have spam problems or is it just a small group of people that make a lot of noise?

All in all the only place I get spam is on an old hotmail account.

Re:I don't have a spam problem

In the last five minutes:

87.3% blocked, 12.7% delivered, 1883 total

That's not counting things SpamAssassin is considering spam.

Re:Song of the piracy apologist

I like how this troll starts out non-trollish, and becomes gradualy more blatent as it goes on. Counting on mods not reading the whole post.... supurb....

Unfortunately

[jeffster10304]

Unfortunately I really don't see anything new or original in this idea. Until they start prosecuting these morons, we're not going to have a viable solution. By morons I mean the people that are BUYING this crap, rather than sending it ;)

Re:Unfortunately

[/dev/trash]

How do you define crap?

Re:Unfortunately

[jeffster10304]

I mean the crap that they sell. Viagra that may or may not actually make it to your doorstep, penis enlargement devices, pyramid schemes.... You know, crap.

Interesting idea, but...

What about encoded URLs? And I'm not just talking HTTP escaped, I mean base64-encoded crap.

Are you going to spend the CPU power on decoding, parsing, and checking each incoming message? On a high-traffic mailserver, that's a lot of CPU.

Uh... No.

[FreeLinux]

Sounds like a great idea especially for home users or some such but, as soon as you look at the bigger picture things start to break down. First of all, what about legitimate mailinglists? Some of them have hundreds of thousands of addresses. You want the administrator to have to go through and click a web page for each and every address on the list? Never gonna happen.

What about corporate use? Many legitimate emails go to a dozen recipients almost like a mailinglist. Think of the lost productivity with the senders clicking webpages for each reply and forward. Think of the dreaded Everyone group. Well, that would be an advantage but, you start to see what I mean.

Your idea is very similar in concept to a few others in that it requires a cost, someone reading a picture and clicking a button for the message to transfer. This scheme is better implemented by the various proposals that invoke a computational cost for each message transferred, like those from AOL Yahoo and Microsoft but, even these proposals all have major drawbacks and no one is rushing to implement them.

"Everytime the user needs to send a mail"

[markv242]

See the above list? Your post fits into:

(x) Requires immediate total cooperation from everybody at once

Also, accessibility, custom SMTP clients, yadda yadda yadda... but you've already realized your mistake so I'll stop now.

the chicken-egg-spam dept

Sounds like the start of a good omlette if you ask me.

Limited implementation

[GillBates0]

I would suggest that this solution be implemented mainly by freebie "webmail" accounts rather than in the Corporate or other "trusted" environments. Most mailing lists would be sent out using academic or corporate accounts anyway - definitely not freebie accounts - atleast that's my assumption, though it's not too outstretched.

Re:Limited implementation

[Carnildo]

Most mailing lists would be sent out using academic or corporate accounts anyway - definitely not freebie accounts - atleast that's my assumption, though it's not too outstretched.

These days, most spam isn't sent by freebie accounts, either. Most spam is sent from computers that have been hijacked using the latest batch of e-mail viruses.

Where is the OE6 version?

[acariquara]

I want a XP version so I can install on my windoze box -- Joe 12 pack

Seriously, anything that has to be on the MTA has to be implemented by the ISP in general -duh!- and is technically impraticable for the even experienced user. And most of the humongous ISPs won't listen to a bunch of nerds (sarcasm) trying to get the latest gimmicks installed on their servers.

I've seen different and creative things like Cloudmark's Spamnet and maybe if someone should take their initiative and release a FOSS alternative...

Spam IS an annoyance and waste of bandwidth/time/money but when the medicine for it is just too hard or to expensive to implement it won't fly.

My "requires total cooperation at once" suggestion

[markv242]

Simple: have Sendmail, Postfix, etc, all stick in a sleep() call before they spit out the mail acknowledgement! No spammer could possibly hope to send out a million e-mails when they can't open that many sockets on their machine.

Won't catch JavaScript-constructed URL's

Though it might help marginally, just like my filter file that scans for the URL's of some of the worst repeat offenders and for any .biz or .info URLs. But if it this approach catches on significantly, the more sophisticated spammers will just build their URLs in scripts.

Damn HTML mail and whoever invented that.

Re:Won't catch JavaScript-constructed URL's

[julesh]

But if it this approach catches on significantly, the more sophisticated spammers will just build their URLs in scripts.

And the rest of us will just block all e-mail that contains scripts. Yeah, I can't wait for that to happen...

Re:Won't catch JavaScript-constructed URL's

[qualico]

Thats what I already do for browsing.
It makes only sense to block scripts, html, img scr, and anything that is *not* pure text in emails.

Counter-attacks are bad-- read this summary

[joelparker]

Counter-attacks are bad--
check this summary of spam methods.

http://netextend.com/junkmail

........

Overview

• What is Junk Mail?
• Why Send Junk Mail?
• How Bad is the Junk Mail Problem?
• What is Needed?

Solutions

• Blacklists
• Whitelists
• Greylists
• Adaptive Filters
• Challenge-Response
• Counter-Attacks
• Tagging
• Fake Honeypots, Tarpits, Spamholes
• Sender Policy Framework (SPF)
• Personal Digital Signatures
• Internet Mail 2000 (IM2000)

Conclusion

• Recommendations
• About the Author
• Feedback

  Read the full report at
  http://netextend.com/junkmail

joe jobs

[selfabuse]

One thing I've noticed a lot recently, is spammers including a big list of domains that have nothing to do with them in the text of thier junk mail. In the past 2 weeks, i've probally got about 10 spamcop reports for my customers, and in every case, my customer has had nothing to do with the junk mail, except for being listed in a list of about 15 URLs, that are not associated with the spammer. This system here says it has a whitelist for paces like ebay, paypal etc, but what about smaller people. They'd get blocked, and potentially lose business, due to something that they had absolutley nothing to do with.

Re:joe jobs

[life4m]

There can be technical approaches to deal with this.

One could think of a karma system; potentially joe jobbed networks would receive one abuse mail per incident with a link to confirm that a mailing is legit or that they are innocent bystanders. A timely response from owner would prevent a site from turning up in blocklists.

A spammer could theoretically confirm their spam messages, but this would require them to be tracable to a working email address and possibly IP address. To make it more robust, confirms could involve a visual image. The IP-addresses of the confirmation requests might also be useful for detecting spammer activity.

Re:My "requires total cooperation at once" suggest

Simple: spammers edit their clients to time out while waiting for acknowledgement.

Not sure you're getting it

[juhnke]

Having just configured my email server with a ROBUST array of RBLs, I think this is a fantastic idea. I've been using the body_checks feature in postfix and manually adding violating URI's to create my own blacklist for several months now. I would love to benefit from a shared list. I don't care much for the white-list feature, that seems to me to create a backdoor for the spammer. Combined, RBL and private blacklisting (IPs and Addys) allow me to block 6000 plus spam A DAY. That's for a mere 150 plus users. Server side spam blocking using only Bayesian processing is an immense processor drain as is server side virus scanning. Look at it this way. Spammers need to make money. To do so you must be presented a URI to complete a transaction to make that money. They cannot easily change this URI without incurring cost so it will always be in the spam. Spammers who try to include too much "sales" content in their spams instead of a URI will be caught by a secondary bayesian filter. P.s. We have been successfully blocking encrypted URI's for months now. It's an easy rule to set up and legitimate users will never encrypt a URI. It's really quite beautiful.

Re:Not sure you're getting it

[sunset]

P.s. We have been successfully blocking encrypted URI's for months now. It's an easy rule to set up...

Care to tell us what the setup is?

Re:Not sure you're getting it

[juhnke]

Sure! These are things you can do if you are using Postfix as your MTA.

In your main.cf file include this at the bottom

body_checks = regexp:/etc/postfix/spammerbodies

Learn more here about main.cf and other cool spam protections here:
http://www.afp548.com/Articles/mail/spam2.html including a really great RBL configuration.

Create a spammerbodies file and include this line
# various encoded URL formats. if they're trying to disguise the URL then they're up to no good /(ftp|https?):\/\/([^\/]*@)?([01]{10,})?(\d+|00+\d +(\.00+\d+){3}|[\%0-9a-zA-Z\.\?_-]*\%[\%0-9a-zA-Z\ .\?_-]+)(:\d+)?(\/|"|\s|$)/ REJECT

You can get a full list of other scripts here:
http://www.securitysage.com/guides/postfix_uce_bod y.html

and here

http://www.hispalinux.es/~data/postfix/

Hope that helps.

whitelist

[Bauguss]

Only out of laziness have I not implemented a whitelist approach to my email. I think this is probably the one true way to stop spam. (yes they could fake the addresses on my list but what are the chances of them getting the exact names on my list?)

What I would really like is a very easy to use whitelist manager at the MTA level. I've got norton spam block installed which does a good job but it doesn't bounce those messages back to the pricks who sent them. It does do a whitelist blacklist approach though.

Why not have a really cool plugin to mail programs that can manage your whitelist on the server. Then the only mail I get is the ones that I have purposely asked for. This would require some new standards put in place on the MTA but how hard could this really be? This doesn't work unless I can edit my whitelist from my email program.

This should work just like the phone. The only mail I get should be the ones that I've A) given my address to, and B) allow incoming messages from.

go ahead, bash the idea to the ground. my week isn't complete unless I see YetAnotherAntiSpam idea get pissed on at slashdot.

Re:whitelist

[Thundersnatch]

...but it doesn't bounce those messages back to the pricks who sent them.

Yours is a really, extraordinarily bad idea that has unfortunately found more than a few misguided sysadmins to implement it.

Spammers forge their return addresses and domains these days, so all you're doing is wasting more internet bandwidth on spam and possibly screwing over some poor schmoe who is getting Joe-jobbed by a spammer.

tried to install it spamassassin error

I'm getting the following spamassassin error after installing the SURBL plugin:

Failed to compile URI SpamAssassin tests, skipping: ^I(syntax error at /etc/spamassassin/spamcop_uri.cf, rule SPAMCOP_URI_RBL, line 1, near "eval:"

any idea?
SpamAssassin version 2.63

Another FUSSP?

Not really. It is another tool to make spammys lives difficult. Fighting spam is like tools on Unix. You put together a lot of little tools and come up with a big whomper to solve a problem.

Are there problems with this? Yes, there are some. It may be possible to "joe job" someone and get their domain listed. The same goes for RBLs on email servers, but those do tend to get sorted out sooner rather than later.

As far as objecting to the extra effort required to install, if it bothers you to spend a few hours now to stop endless hours of spam later, then put up with the spam and don't install the tool. If your users are going to revolt because you are using the tool, don't.

What I find interesting is the possibillity of using this to block spammy domains on my company network to keep clueless users from surfing to spammy's site while at work. This may force spammy to abandon using the web to spam and start handing out 800 numbers. That's fine, the same works on any text string, so blocking 800 numbers wouldn't be any more work than blocking web sites.

Re:Another FUSSP?

[Technician]

Remember the URL has to be in the body of the e-mail. For example say Earthlink got added to the list. My dad uses Earthlink. His text messages would not be blocked. The domain isn't blocked. The content is. If I sent you a mail from my ISP and put a link to Earthlink in the mail, then, yes it would be flagged as spam. For most e-mail the addition to the blacklist is not a problem. (it may help filter all the junk forwards I get from people who don't bother to actualy write a letter)

abandon using the web to spam and start handing out 800 numbers

This would be a good thing. The cost per contact is placed on the sender. If 100,000 people called to ask to be removed from the list, the phone bill and support costs would be astronomical. This is a good thing. Especialy true if it filled up the invalid address list and you called once per invalid address hit on your server. ;-)

I don't get it.

[geminidomino]

How is this anything other than just another test for spamassassin? The SURBL lists all seem to be based on OTHER RBLs. While I don't deny that it's a great tool for filtering, it has the same problems as any other filter:

1. The spam still has to be received in order to filter it. So bandwith, storage, and processing costs are still levied onto the receiver.
2. It does nothing to stop the spam being SENT. It just hides it from the user.In other words, automated "JHD" ("Just Hit Delete").
3. It's potentially easily defeated, as someone posted above. Just fill the message with widely whitelisted URL's and throw the whole thing into uselessness.

This isn't any closer to a silver bullet than any other filtering scheme. It might have a use for spoting mail that gets through SBL/XBL/DUHL/SPEWS/&c.lists, but worthless as a first line of defense.

Re:I don't get it.

[Kelson]

It might have a use for spoting mail that gets through SBL/XBL/DUHL/SPEWS/&c.lists, but worthless as a first line of defense.

That's right. It's not intended to be the first line of defense. It's intended to help spot spam that gets through your IP-based blacklists.

And for that purpose, it looks very promising.

Re:I don't get it.

[geminidomino]

Then I agree, it does look promising, and it is a very good idea. If I understand correctly how it works, it provides some more blocking for spam support services as well. If a spammers' site is on shared hosting, and the plugin resolves the host names, then emails containing any url that resolves to that host will be blocked too. Personally, I don't see that as a problem, but some of the other whiners will. AFAIC, that's what they get for giving their money to a spammy provider.

Re:I don't get it.

[Kelson]

Actually, as I understand it, shared hosting with spammers doesn't get a site blacklisted immediately, but it does lower the threshold for listing.

Essentially, it takes X reports of a spammers' website by spamcop users (filtered through the reporter's ability to uncheck obvious chaff, the SURBL's internal whitelists, and presumably some amount of spot-checking) before a domain name gets put on the list. Meanwhile, the system keeps track of the IP address, and as more websites with the same IP get reported, it reaches a point that a website hosted on that IP address only needs Y reports to be added to the list (Y being some number less than X).

That way it reduces the benefit to the spammer of adding more domain names, but does not immediately penalize third parties who buy hosting from the same provider.

I don't remember what X and Y are, and IIRC they're still refining the thresholds.

Re:I don't get it.

[geminidomino]

That's a spamcop-specific setup though. The site mentioned that SURBLs based on other blacklists are on the way.

Good, but not particularly new, idea

[eaolson]

First, there is no spam magic bullet. There never will be.

This is very similar to what SpamPal along with the URLBody plugin does. (Client-side, Windows-only, also not a magic bullet.) The only difference being that this checks URLs against existing DNSBLs, and this is a new DNSBL specifically for this purpose.

Already in use by MT-Blacklist

[santiago]

This exact method is the basis of the MT-Blacklist comment-spam prevention system for Movable Type-based blogs. It works wonderfully, as it identifies spam on the basis of the one feature it must have to be successful--a link back to the spammer's site.

Blocklists Suck. End of discussion.

I deal with a lot of small clients who have their own e-mail servers or use e-mail servers provided by their ISP.

I have long since quit trying to do ANY kind of filtering and/or blocking at the server and left it up to each recipient at their end.

Why? Because TOO MUCH legitimate mail from other small companies continually gets blocked.

In my experience, many many small and home-based organizations are falsely reported and added to blocklists. Most of the time, those companies have no clue that either they're even on a blacklist or that their ISPs mail servers and/or entire netblocks have been added.

Blocklists suck... and I'm also now having to try and educate (and convince) clients that e-mail is not, nor has it ever been, a reliable form of communication.

Mod up AC - Blind users shut out

How would blind people use this system? Are you just going to shut them all out?

Sounds similar to MT-Blacklist plugin

[Edgester]

This is similar to the MT-Blacklist MovableType Plugin. It features a central blacklist. The main difference is that it isn't real-time.

Perhaps these projects should work together. Is there an MovableType plugin that does real-time trackback and comment spam blocking? I wonder how difficult it would be to have the blacklist plugin for MovableType use the same technology.

Spam is good...

[qualico]

...if you want a free consistent testing of your email service.

Seriously, I have found and fixed problems quicker with my email service because I was *not* getting any Spam.

Regardless, Spam is certainly here to stay just like mosquitoes.

So buy some Off and start spraying!

I use a relay trap, adaptive filter with a simple keyword, 4 virus checking programs updating on the hour and whitelist the full email address of critical communicators to bring my Spam problems to a trickle.
Even that trickle has of late been next to zero as I adapt to any new technique.

The above system does require vigilance but pays off with Job Security.

Keep the spam a coming.
Can't leave em? Than love em!

How does this fill out?

This article advocates a ( ) technical ( ) legislative ( ) market-based ( ) vigilante approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.) ( ) Spammers can easily use it to harvest email addresses ( ) Mailing lists and other legitimate email uses would be affected ( ) No one will be able to find the guy or collect the money ( ) It is defenseless against brute force attacks ( ) It will stop spam for two weeks and then we'll be stuck with it ( ) Users of email will not put up with it ( ) Microsoft will not put up with it ( ) The police will not put up with it ( ) Requires too much cooperation from spammers ( ) Requires immediate total cooperation from everybody at once ( ) Many email users cannot afford to lose business or alienate potential employers ( ) Spammers don't care about invalid addresses in their lists ( ) Anyone could anonymously destroy anyone else's career or business Specifically, your plan fails to account for ( ) Laws expressly prohibiting it ( ) Lack of centrally controlling authority for email ( ) Open relays in foreign countries ( ) Ease of searching tiny alphanumeric address space of all email addresses ( ) Asshats ( ) Jurisdictional problems ( ) Unpopularity of weird new taxes ( ) Public reluctance to accept weird new forms of money ( ) Huge existing software investment in SMTP ( ) Susceptibility of protocols other than SMTP to attack ( ) Willingness of users to install OS patches received by email ( ) Armies of worm riddled broadband-connected Windows boxes ( ) Eternal arms race involved in all filtering approaches ( ) Extreme profitability of spam ( ) Joe jobs and/or identity theft ( ) Technically illiterate politicians ( ) Extreme stupidity on the part of people who do business with spammers ( ) Dishonesty on the part of spammers themselves ( ) Bandwidth costs that are unaffected by client filtering ( ) Outlook and the following philosophical objections may also apply: ( ) Ideas similar to yours are easy to come up with, yet none have ever been shown practical ( ) Any scheme based on opt-out is unacceptable ( ) SMTP headers should not be the subject of legislation ( ) Blacklists suck ( ) Whitelists suck ( ) We should be able to talk about Viagra without being censored ( ) Countermeasures should not involve wire fraud or credit card fraud ( ) Countermeasures should not involve sabotage of public networks ( ) Countermeasures must work if phased in gradually ( ) Sending email should be free ( ) Why should we have to trust you and your servers? ( ) Incompatiblity with open source or open source licenses ( ) Feel-good measures do nothing to solve the problem ( ) Temporary/one-time email addresses are cumbersome ( ) I don't want the government reading my email ( ) Killing them that way is not slow and painful enough Furthermore, this is what I think about you: ( ) Sorry dude, but I don't think it would work. ( ) This is a stupid idea, and you're a stupid person for suggesting it.

This isn't new

[KalvinB]

I've been doing this with my e-mail server (link in sig) for at least a year now. You can view the entire list of domains I filter at the Indie-Mail site. I even have a right up describing the why and how of this system on www.icarusindie.com called "An Analysis of Spam." And this is probably the 20th time I'm hawked this method up on Slashdot.

The process is mostly automated but when it comes to blacklisting a domain, it's manual. You cannot automate it fully because legitimate domains make it into spams. yahoo, msn and w3c.org are the most common. Even without it being intentional on the spammers part. The automated part rips through e-mail logs pulling out who it's to, from and the subject and then all the urls. I can then clear out any entries that are going to account that aren't mine. And from there I go through and make sure the ones that do get added are actually spam domains.

A computer can't really tell the difference between a spam domain and a legitimate domain. Humans can.

Spam domains are blatently labeled like "medsforyou.com" contain random letters and numbers or have the spams images linked in the root. 8000hosting.com/ad.jpg is a big giant clue that this is a spam domain. I've seen links with 6 or 7 subdomains tacked on. I manually remove all the subdomain garbage and block the main one.

The link ripper not only yanks out the root domain (and any subdomains) but also the exact URL of what it was pointing to.

The main problem with anti-spam tools is that they rely on computers to find patterns. Spammers are not computers. They're idiots but not computers. And you can't get around the fact you need humans to be effective without causing colateral damage. Spammers do not always use computer identifiable patterns.

The other "problem" with this method is that it only says 50% of the bandwidth cost at max since the server has to recieve the message for parsing. So it's only good for people offering e-mail services like myself who can't risk being over zealous in fighting spam which could result in losing other people's e-mail.

ISPs are forced for the sake of bandwidth to use IP blacklisting while this sort of method would work as a secondary filter.

Again, there is no silver bullet. You cannot just rely on one form of spam protection if your goal is irradication. This method is just the least error prone when done properly. IP blacklisting can be like nuking a small villiage to kill a fly. This is a highly focused and reasonably sized flyswatter that may occasionally flak off some paint if swung too hard.

And never underestimate the number of domains spammers own. I get a dozen or so new domains to filter out ever few days. I may get spam but at least it's costing them real money to get it to me.

Ben

Check out my Anonymous E-mail

[KalvinB]

check out the anonymous e-mail through www.icarusindie.com

Instead of a picture I just present a riddle or other question.

A human can search Google for the answer in order to be able to send their anonymous message. A program would need to be written and trained to be able to do that specifically for my web-site. I'm confident only someone with an academic interest in such a challenge would do it. And so far it hasn't been abused.

I use the same type of challenge but render the text to an image and add some noise on the Indie-Mail sign up page to keep bots off.

I also use a server generated ChallengeID that must be present which prevents anyone from using any page but the one I offer to even attempt to submit the form. If you don't use my page, the challenge file isn't generated on the server and without the file the server will ignore the request to process the form. You are also never sent the question number or question in text form. Everything the server needs to know about what question you're supposed to supply the answer to is stored in the server generated file that never leaves the server. And everything you need to know is in an image.

So far that hasn't been broken either. And if it is, I can adapt faster than bots can.

Ben

Too Late!

[TheOldFart]

It's too late. By the time I can "parse" the freaking email, I already received it. The server already spent time with it, it already consumed bendwidth, it already filled my logs. I don't want spam anywhere near my router. All these filtering tools suck in the sense you have to receive the whole shebang before deciding it is SPAM. Nothing short of public castration will satisfy the problem.

There is only one way to end SPAM

And that's mob vigilantism violence.

Won't work

[javab0y]

Why not? Because its simple to get around:

They will use a free webhosting service...and one with a legitimate name. Set up the account so the index.html contains a redirect to the spammer's client site. That is going to be tough to stop.

You can use this with an MTA *NOW*

[laing]

If you install "spamass-milter", you can have your MTA bounce spam based upon SpamAssassin's evaluation. If you install this plug-in, you're good to go.

--
All I know about Bush is that Clinton had a job before he was president

Who ya gonna call...

[xaoslaad]

Gozer the Traveler. He will come in one of the pre-chosen forms. During the rectification of the Vuldrini, the traveler came as a large and moving Torg. Then, during the third reconciliation of the last of the McKetrick supplicants, they chose a new form for him: that of a giant SURBL. Many Spammers and Mass mailers knew what it was to be roasted in the depths of the SURBL that day, I can tell you.

Mod parent up

[noda132]

Exactly what I was going to say. Outlook probably renders many things into a URL which are not technically URLs. Who's to say a content filter can catch them all? If the content filter parses Javascript, then spammers will send in emails which run infinite loops and bog down the mail server. But even without, I'll bet there are quite a few Outlook bugs/features which render quite questionable URLs as links.

Could be good, could be bad.

[autopr0n]

I see one major problem with this, which is that Spammers might now be able to cause problems for legitimate websites simply by including their URL in the a Spam.

I'm a little sensitive to this since a spammer is actually Jo-jobbing one of my domains (not autopr0n), and I get hundreds of "user unknown" messages every day, along with a handful of messages telling me "my" email was blocked. It's really irritating.

But, if it's done right, it could work out pretty well. In fact, this would actually be effective against a lot of the current Spam out there, and kill Spam with off-site images.

Anyway, let me throw one countermeasure out there. Suppose spammers start including commonly mailed URLs (such as those on hotornot, yahoo, etc) in their spams in order to decrease the usefulness of these things. If this thing gets popular, expect to see a lot of Spam include a lot of random URLs the way they now include lots of random words. You'll also start to see things like "Javascript decryption" and other techniques to prevent machines from figuring out which, exactly, URL it is that is being advertised, rather then random noise.

Re:Could be good, could be bad.

[hacker]

You'll also start to see things like "Javascript decryption" and other techniques to prevent machines from figuring out which, exactly, URL it is that is being advertised, rather then random noise.

This is precisely why my milter contains the following little filter, which strips anything inside Javascript and style blocks, including the tags themselves:

# Strip <script [..]>..</script> and <style>..</style>
$content =~ s!<(s(?:cript|tyle))[^>]*>.*?</\1>!!gi s;

If you want to go one step further, you can strip out all HTML, and convert it to plain, human-readible text, using the following:

use File::Slurp;
use HTML::Parse;
use HTML::FormatText;

$file = "email.html";
$html = read_file($file);
$plain = HTML::FormatText->new->format(parse_html($html) );
print $plain;

Problem solved.

Blocking by contry/ISP

[bluu]

You can also use this patch :
http://docsnyder.de/nospam/sa_check_blackhat_isps. patch.gz

(from the author) :
Since spammers often host their spamvertised sites at spamfriendly ISPs (e. g. Chinanet), I've been doing some tests with "hat-checking" spamvertised URLs.
After resolving the URL hostname, the resulting IPs get RBL-checked against *.blackholes.us to find if they belong to a known spamfriendly ISP. If yes, the spam score will rise.

and you can use http://www.blackholes.us for the country/ISP zones.

I couldn't work out how to solve joe jobs too.

[openmtl]

Yup, similar to one of my ideas too: of following links provided automatically so as to polute spammer databases, but I just couldn't work out how to solve the spammers using it to cause traffic to flow (or in this case block) legitimate sites.

My other idea of quarantine has yet to be proven to be a bad idea. Hopefully someone will now implement that.

Solution: aggressive, RFC-compliant mailservers...

[iamcf13]

Very well, (re)program ALL mailservers to adhere 100% without exception to all pertinent SMTP-related RFCs in their entirety (such as rfc821).

Try to nail the spammer and discconnect him/her before you get to the DATA phase of the connection. Otherwise, the mailserver will have to either accept the message unconditionally or return

570 Command DATA Message rejected due to content

after spam analysing the message like a particular 'clueless' ISP listed at rfc-ignorant.org does....

In this manner, header forgeries become (almost) impossible, sender hosts are properly FQDNed and whatnot....

Aforementioned In-Development Plugin

[meonkeys]

Is spamcopurl the one you're referring to?

re: javascript

[KalvinB]

I kill off any message that contains a script tag instantly.

There's no legitimate use for javascript in an e-mail. E-mails are not web-pages. The only interaction an e-mail needs is a link if that.

If you need to show someone some neat javascript trick you post it on a site and tell the user to go to the site.

Joe jobs will go up eventually but like I said in my other post, you can't fight spammers with computers alone. There has to be some manual work involved.

Like beating them over the head with shovels and making sure the only domains that make it into the filter are legitimate spam domains.

It's also not costly to initiate a connection to domains to verify they're live. It'd be very easy to plug in a simple TCP/IP winsock class into part of the processing program to try to connect to the domains you're ripping out of e-mails.

Ben

Not the right feature set yet.

[Backov]

Where's the MTA/Milter that after detecting a spam, sends a guy to the spammers house who, upon arrival, shoots the spammer in the back of the head and then deposits a can of Hormel SPAM(tm) on the corpse?

I'd require no more than 1% false positives for spammer identification. Can't make an omelette and all that.

I'll pay $29.95 a month for that one.

Okay, here's some MTA support

[aqua]

While I'm not totally sold on the idea, it seemed to have enough promise to be worth trying. So here's a plugin to qpsmtpd, a replacement smtpd for qmail (it also delivers to postfix, IIRC). Implements most of the basic suggestions in SURBL's proposal.

(I'd like to be able to slap a bell and yell "first implementation!" in a childish slashdot fashion, but I'd be surprised if this really was the first, since it's easy to do a simple implementation and parallels similar DNSBLs in some respects.)

Re: javascript

I don't think holding back technology is the answer. Your approach is like taking a step backward instead of confronting the problem in a proactive way.

SURBL resources, sa.surbl.org list renaming to ws.

[jeffcsu]

Hi All, First I wanted to let everyone know that the name of the SURBL list derived from Bill Stearns' sa-blacklist is changing from sa.surbl.org to ws.surbl.org . DNS for the old name will probably be up for another week or so before we switch it off. If anyone us using sa.surbl.org please update your rules or confs to use the new name: ws.surbl.org . The original SURBL derived from SpamCop URI domains remains unchanged at: sc.surbl.org . (One advantage of using Bill's list as an SURBL instead of hard-coded SpamAssassin rules is that it frees up a lot of SA memory and pushes storage of the spam domain data to your local DNS cache.)

Differences between the two lists and more topics about our project are described on the SURBL site. If anyone has a question or comment about SURBL you can write to me directly at jeffc at surbl dot org, or much better ask the growing SURBL community on our discussion list. The separate announcement list is a good way to keep up with news about the project. Archives of the lists are available on the list site.

Folks who have tried SURBL have generally been pleased with the results, and we expect to improve the ~60% spam detection rate and lower the already low (<0.1%) false positive rate further in the next version of the data engine behind sc.surbl.org. As has been previously mentioned, Devin Carraway has written an MTA use of SURBL domain data to check message body URIs in his qpsmtpd plugin called uribl. This is the first MTA use for SURBL that I've heard of, though I don't necessarily claim to have heard of all uses of SURBL so far. Some other folks are thinking about implementing a sendmail milter for which will probably use sc.surbl.org since they are also a major ISP source of SpamCop's data.

Since I probably won't be posting here too often, I'd like to thank some of the people who have been quietly very supportive and responsible for the success of this effort so far including Eric Kolve, Justin Mason, Daniel Quinlan, Raymond Dijkxhoorn, Julian Haight, Kelsey Cummings and others who already know how greatly they have helped to make SURBL possible.

One thing we could use some help with now are more BIND-compatible secondary DNS servers and rsynced rbldnsd servers. Please see the SURBL site for details, and lend a hand if you can. DNS traffic may get kind of heavy when SA 3.0 comes out since it has SURBL support in URIDNSBL (URIBL), so we definitely need some help with name service.

Ferriera

[Kainaw]

This is highly similar to chris.kainaw.com/ferriera with one exception. This system blocks domain names. Ferriera takes it one step further and blocks the IP addresses the domain names are mapped to.

Re:Ferriera

[jeffcsu]

Resolving the domains to IPs can be useful, and it's a technique we're about to use to improve our performance. Our main focus is going to stay on spam domain names, though I agree with some of the reasons for using IPs too.

A thread on our discussion list archive has an outline of our next engine with prior IPs used to lower the domain inclusion thresholds.

One major reason to avoid name resolution on the incoming messages is to cut out the timeouts needed for the DNS queries to complete. We figure the domain name is nearly as useful to block on, modulo the improvement we expect to make mentioned in the thread.

Re: ...GOOD idea? Conversations with RACTER?

>Colorless green dreams sleep furiously.

are you RACTER? is the policeman's beard half-constructed?

Re:SURBL resources, sa.surbl.org list renaming to

[jeffcsu]

In case it's not clear, ws.surbl.org uses different source data from sc.surbl.org. The former comes from Bill Stearns' sa-blacklist SpamAssassin rule set. The latter come from SpamCop URI reports aka "Spamvertised sites". Both target spam message body URIs; the SpamCop URI ones a bit moreso.

Both sc.surbl.org and ws.surbl.org SURBLs are intended to be used with message body scanning programs that can extact URI domains and compare them against name-type RBLs such as ours. Other uses of the lists such as in conventional RBL code won't work as well as the intended use. It needs to be stated clearly that our use of RBLs is pretty different from what they have been used for before. For example no name resolution of the message body domain is needed or desired.