Slashdot Mirror


A New Type Of Realtime Blocklist: The SURBL

Glamdrlng writes "The SURBL, or "Spam URI Realtime Blocklist", represents a nexus of RBLs and content filtering that may bring us one step closer to a spam magic bullet. While traditional RBLs perform a DNS lookup on the connecting mail server, SURBLs take this a step further by parsing the text of the email looking for URIs and doing a lookup on those web servers. They also prevent "joe jobs" by maintaining a whitelist of legitimate web servers whose domain names may show up in spam messages, e.g. EBay, Paypal, Microsoft, etc. The only requirement to implement the SURBL is a plugin on your MTA such as spamassassin that can parse the body of each email. While there is no MTA that directly supports SURBLs without a plugin, the author hints at one being in development."

15 of 219 comments

  1. It's a great idea by Rapid+Home+Offer · · Score: 5, Informative

    Combine it with spamassassin, and you can whitelist emails from companies that you want to receive email from. Heck, with spamassassin you can give it a very small weight, and adjust the results manually. Every bit of extra information helps, and just ignoring it because it is compiled by somebody else doesn't make sense to me.

  2. sendmail internal RBL by mabu · · Score: 5, Informative

    A good way to start if you're running your own mailserver is to use an internal IP-based blacklist such as the one found here. It's incomplete due to Geocities limitations but send e-mail to that account and the guy running it will send you the whole file. It's a list that he's been compiling now for more than a year of IP blocks, mostly class Bs, that have virtually no useful SMTP traffic and should be completely cut off. This generally consists of the vast majority of Chinese, Korean and Brazilian DULs.

    We've been able to effectively stop about 50% of the spam using these lists and save resources and bandwidth. What's left is to start RBL'ing the domestic DUL IP space (Comcast, SWBell, Bellsouth, etc.) on a class B-level until the ISPs start cracking down on their rogue users.

  3. Yet Another Stupid Spam Idea (YASSI) by mabu · · Score: 3, Informative

    Let's coin a new term: YASSI for yet another stupid spam-related idea.

    This boneheaded scheme falls into the same category as all content-based filtering systems: It doesn't address the most heinous crime on the part of spammers, which is the consumption of bandwidth and network resources. And like other client-side/content-based filtering systems, the system will work about 12 minutes before the spammers figure out a way around it and then your system doesn't work. And of course, you'll have to constantly update it in order to make it effective, which means you have yet another piece of software that requires routine updating, slows down the mail service, your computer and everything in between. And after all that, you'll still get spam.

    The main reason spam is prevalent is because SPAMMERS STEAL BANDWIDTH WITHOUT PAYING FOR IT. When you force them to operate from a single location, then they have to act ethically and then they have to pay premium money to spam, and then they go out of business because it's only economical when they steal resources.

    You don't have content-based filtering on other primary methods of communication. It's a federal crime to go through mail; (at least before Patriot) you needed a court order to tap phones. E-mail should be an equally sacred communication medium that shouldn't be subject to "strip searches" before it hits your inbox. And this whole boneheaded scheme will NEVER stop spam in the first place, so let's stop pursuing these efforts.

    RBLs are most effective right now. The worm invasion is evidence of that, as spammers are finding less IP space to operate from so they're engaging in more aggressive tactics to take over peoples' machines, which, hopefully sooner-or-later, will land these sleazebags in jail.

  4. No system that uses the content of an email... by exp(pi*sqrt(163)) · · Score: 3, Informative
    ...to detect spam can be effective for long. Ultimately the mere fact that it's a system means that intelligent spammers can use the characteristics of the system to engineer a description of mail that isn't identified as spam and hence craft their own spam to fail to fit that description. There's probably some variant of Gödel's Theorem that makes this formal.

    There is already a cure for spam - give everyone unlimited email addresses, give out different addresses to different recipients, and delete any email address that receives spam (along with possibly sending an email of complaint to whoever you originally gave that particular address to). The whole thing could easily be built into mail clients and supported by mail providers. It works fine for me. It costs me $35 to buy my own domain and a one off payment of about $30 to zoneedit to set up the mail forwarding. It works so well, and has worked for the last 3 or 4 years, that I almost suspect that there is some kind of conspiracy to overlook this method in order to promote other dubious methods.

    --
    Doesn't it make you feel good to know that our freedoms are protected by politicians, lawyers and journalists.
  5. Unfortunately by jeffster10304 · · Score: 3, Informative

    Unfortunately I really don't see anything new or original in this idea. Until they start prosecuting these morons, we're not going to have a viable solution. By morons I mean the people that are BUYING this crap, rather than sending it ;)

  6. Counter-attacks are bad-- read this summary by joelparker · · Score: 5, Informative
    Counter-attacks are bad--
    check this summary of spam methods.

    http://netextend.com/junkmail

    ........

    Overview

    • What is Junk Mail?
    • Why Send Junk Mail?
    • How Bad is the Junk Mail Problem?
    • What is Needed?

    Solutions

    • Blacklists
    • Whitelists
    • Greylists
    • Adaptive Filters
    • Challenge-Response
    • Counter-Attacks
    • Tagging
    • Fake Honeypots, Tarpits, Spamholes
    • Sender Policy Framework (SPF)
    • Personal Digital Signatures
    • Internet Mail 2000 (IM2000)

    Conclusion

  7. Re:We adjust the frequency of the shields, by gregmac · · Score: 2, Informative

    I don't see this as the be-all, end-all for spam

    Neither do I. In fact, the first thing that comes to mind is that the domains that start actually showing up in email will become random. This introduces a bit of additional cost to the spammer, but if that's the only way to survive, they'll do it.

    They could also use IPs, but this would become even more of a pain for them since it's harder to get IPs. If you start doing blocking for the random domain names by resolving the IP, and banning based on that, you're going to get into pretty much the same situation as the RBL's get in now: blocking legitimate sites, that happen to be on the same subnet/server as a spammers site (think co-location and ISP hosting).

    Another way to defeat this method would be to hack web servers, and put on files that redirect to the desired site. This has a lot of implications - legal and technical - but again gets into the same situation as before where blacklisting the site in the email would blacklist legitimate sites.

    Interesting idea, but definitely not the silver bullet.

    --
    Speak before you think
  8. Re:Time to dig out this old post. by DJ-Dodger · · Score: 2, Informative

    All it takes is one black-listed URL in the body of the message to get it tagged as spam. White-listed domains are simply ignored.

  9. Already in use by MT-Blacklist by santiago · · Score: 5, Informative

    This exact method is the basis of the MT-Blacklist comment-spam prevention system for Movable Type-based blogs. It works wonderfully, as it identifies spam on the basis of the one feature it must have to be successful--a link back to the spammer's site.

  10. Re:Is this really a GOOD idea? by WolfWithoutAClause · · Score: 2, Informative
    Unless you expect mail from these sites (and for me at least, the vast majority do not send me mail); so who cares?

    Marking the odd legitimate mail as *not* spam should clue the filter in to those sites, and you only have to do this once per legitimate site.

    --

    -WolfWithoutAClause

    "Gravity is only a theory, not a fact!"
  11. This isn't new by KalvinB · · Score: 3, Informative

    I've been doing this with my e-mail server (link in sig) for at least a year now. You can view the entire list of domains I filter at the Indie-Mail site. I even have a write-up describing the why and how of this system on www.icarusindie.com called "An Analysis of Spam." And this is probably the 20th time I've hawked this method up on Slashdot.

    The process is mostly automated but when it comes to blacklisting a domain, it's manual. You cannot automate it fully because legitimate domains make it into spams. yahoo, msn and w3c.org are the most common. Even without it being intentional on the spammer's part. The automated part rips through e-mail logs pulling out who it's to, from and the subject and then all the urls. I can then clear out any entries that are going to accounts that aren't mine. And from there I go through and make sure the ones that do get added are actually spam domains.

    A computer can't really tell the difference between a spam domain and a legitimate domain. Humans can.

    Spam domains are blatantly labeled like "medsforyou.com", contain random letters and numbers or have the spam's images linked in the root. 8000hosting.com/ad.jpg is a big giant clue that this is a spam domain. I've seen links with 6 or 7 subdomains tacked on. I manually remove all the subdomain garbage and block the main one.

    The link ripper not only yanks out the root domain (and any subdomains) but also the exact URL of what it was pointing to.

    The main problem with anti-spam tools is that they rely on computers to find patterns. Spammers are not computers. They're idiots but not computers. And you can't get around the fact you need humans to be effective without causing collateral damage. Spammers do not always use computer identifiable patterns.

    The other "problem" with this method is that it only saves 50% of the bandwidth cost at max since the server has to receive the message for parsing. So it's only good for people offering e-mail services like myself who can't risk being over zealous in fighting spam which could result in losing other people's e-mail.

    ISPs are forced for the sake of bandwidth to use IP blacklisting while this sort of method would work as a secondary filter.

    Again, there is no silver bullet. You cannot just rely on one form of spam protection if your goal is eradication. This method is just the least error prone when done properly. IP blacklisting can be like nuking a small village to kill a fly. This is a highly focused and reasonably sized flyswatter that may occasionally flak off some paint if swung too hard.

    And never underestimate the number of domains spammers own. I get a dozen or so new domains to filter out every few days. I may get spam but at least it's costing them real money to get it to me.

    Ben

  12. Re:Is this really a GOOD idea? by Zeinfeld · · Score: 2, Informative
    Blocking URLs is an "ACTIVE" measure - and one that opens very bad possibilities for abuse.

    Absolutely, but that does not mean that a very restricted blacklist might not have a place.

    One of the frustrating things about the spam world is that every good idea gets grabbed by zealots who start to make a bigger nuisance of themselves than the spammers.

    It would be really good to have some mechanism that could be used to protect people against phishing frauds. If some web site is pretending to be Citibank or paypal then they simply have no business doing that. It is not a first amendment or censorship issue, it's a public safety issue. People have no business carrying box cutters on airplanes and setting up phishing sites is the same thing.

    But I really would like to see some better controls in place. I would like to have a transparent process for listing and unlisting the phishing sites. I would like to see efforts being made to notify the site admins (almost all phishing sites are on hijacked machines of some sort) about the listing.

    Even with such a limited blacklist you need serious controls in place to stop abuse. Otherwise you will have people setting up phishing sites as a way to get a provider shut down. I think there are ways to make the scheme workable though.

    --
    Looking for an Information Security student project suggestion?
    Try http://dotcrimeManifesto.com/
  13. Re:My proposed solution to spam by Elyas · · Score: 2, Informative

    omr-blah is actually AOL's e-mail bouncing complex. That is why all the messages show up as having a null return path. No real spam filtering on those, as the messages aren't considered to have really been "sent" by AOL, someone else hit AOL with mail from fake addresses, to addresses they knew didn't exist.

  14. Re:Is this really a GOOD idea? by int2str · · Score: 2, Informative

    I had very high hopes for DSPAM. The installation was very easy, the CGI based web interface works pretty much out of the box and is very handy for the users.

    However, I had to abandon my DSPAM testing after a few weeks. The filter was *way* too slow to learn and in the process generated an incredible amount of false positives. With about 400 spams learned I still got around 29 false positives. And filtering accuracy according to its own built-in stats was less than 60%...

    Considering that I get about 2500+ spams a day on my server, my users were very quick to rebel. Weeks into the trial with thousands of spams+hams learned it was time to abort the project.

    Very disappointing.

  15. Re:Not sure you're getting it by juhnke · · Score: 2, Informative

    Sure! These are things you can do if you are using Postfix as your MTA.

    In your main.cf file include this at the bottom

    body_checks = regexp:/etc/postfix/spammerbodies

    Learn more here about main.cf and other cool spam protections here:
    http://www.afp548.com/Articles/mail/spam2.html including a really great RBL configuration.

    Create a spammerbodies file and include these lines (the comment goes on its own line; the pattern and its action are one line):

    # various encoded URL formats. if they're trying to disguise the URL then they're up to no good
    /(ftp|https?):\/\/([^\/]*@)?([01]{10,})?(\d+|00+\d+(\.00+\d+){3}|[\%0-9a-zA-Z\.\?_-]*\%[\%0-9a-zA-Z\.\?_-]+)(:\d+)?(\/|"|\s|$)/ REJECT

    You can get a full list of other scripts here:
    http://www.securitysage.com/guides/postfix_uce_body.html

    and here

    http://www.hispalinux.es/~data/postfix/

    Hope that helps.
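To make the mechanism described in the story concrete, here is an added example (not from SURBL, KalvinB's Indie-Mail or the Postfix configuration above) that does the three things the thread describes: pull URIs out of a message body, reduce each host to its registrable domain and skip whitelisted ones (comment 11), flag the disguised URL forms that comment 15's regex targets, and build the name a SURBL-style DNS lookup would query. The zone name, whitelist, sample message and the "listed" set standing in for DNS are all constructed assumptions; the two-label domain rule is a simplification.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed stand-ins: a SURBL-style zone name and the kind of legitimate
# domains the story says a SURBL whitelists (hypothetical values, not a real list).
ZONE = "multi.surbl.org"
WHITELIST = {"ebay.com", "paypal.com", "microsoft.com", "yahoo.com", "msn.com", "w3c.org"}
URI_RE = re.compile(r'(?:ftp|https?)://[^\s"<>]+', re.IGNORECASE)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def registrable_domain(host):
    """Comment 11's manual step done mechanically: drop subdomains, keep the last
    two labels. Assumption: a two-label rule; ccTLDs like co.uk need a suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def query_name(domain):
    """Name to resolve in the zone: the domain appended as-is, IPv4 literals reversed."""
    if IPV4_RE.fullmatch(domain):
        domain = ".".join(reversed(domain.split(".")))
    return f"{domain}.{ZONE}"

def check_message(body, listed, whitelist=WHITELIST):
    """Classify a message body SURBL-style. `listed` stands in for DNS: the set of
    query names that would resolve in the zone (constructed for this example)."""
    hits, disguised = [], []
    for uri in URI_RE.findall(body):
        parts = urlsplit(uri)
        host = unquote(parts.hostname or "").lower()
        # Comment 15's "disguised URL" forms: userinfo in front of the host,
        # a percent-encoded host, or a bare decimal IP number.
        if parts.username is not None or "%" in parts.netloc or host.isdigit():
            disguised.append(uri)
        if not host or host.isdigit():
            continue
        domain = host if IPV4_RE.fullmatch(host) else registrable_domain(host)
        if domain in whitelist:
            continue  # joe-job protection: never list a whitelisted domain
        if query_name(domain) in listed and domain not in hits:
            hits.append(domain)
    return {"spam": bool(hits), "listed": hits, "disguised": disguised}

# Constructed sample message and a constructed "zone" holding one listed domain.
SAMPLE = """Buy cheap meds at http://www.promo.medsforyou.example/offer
Track your order at https://www.paypal.com/signin
Hidden: http://www.paypal.com@1234567890/login
Encoded: http://%6Dedsforyou.example/x
"""
LISTED = {query_name("medsforyou.example")}

if __name__ == "__main__":
    print(check_message(SAMPLE, LISTED))
```

In production the membership test against `LISTED` would be replaced by an A-record lookup of `query_name(domain)`, and the whitelist should be checked before the lookup so legitimate domains never generate queries.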