Re: [Asrg] spam down?
Rob McEwen <rob@invaluement.com> Wed, 30 January 2013 03:03 UTC
Return-Path: <rob@invaluement.com>
X-Original-To: asrg@ietfa.amsl.com
Delivered-To: asrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2527321F886F for <asrg@ietfa.amsl.com>; Tue, 29 Jan 2013 19:03:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OwDFH-AbNTzB for <asrg@ietfa.amsl.com>; Tue, 29 Jan 2013 19:03:21 -0800 (PST)
Received: from mail.powerviewmail.com (mail.powerviewmail.com [204.9.77.40]) by ietfa.amsl.com (Postfix) with ESMTP id 2FFF821F88A1 for <asrg@irtf.org>; Tue, 29 Jan 2013 19:03:17 -0800 (PST)
Received: from ([204.9.77.40]) by mail.powerviewmail.com (IceWarp 10.4.3) with ASMTP id PEH80315 for <asrg@irtf.org>; Tue, 29 Jan 2013 22:03:15 -0500
Message-ID: <51088D73.2050806@invaluement.com>
Date: Tue, 29 Jan 2013 22:03:15 -0500
From: Rob McEwen <rob@invaluement.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20130107 Thunderbird/17.0.2
MIME-Version: 1.0
To: asrg@irtf.org
References: <5103DC4E.4090004@mtcc.com> <5103FE36.7010908@mustelids.ca>
In-Reply-To: <5103FE36.7010908@mustelids.ca>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Subject: Re: [Asrg] spam down?
X-BeenThere: asrg@irtf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
List-Id: Anti-Spam Research Group - IRTF <asrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/asrg>, <mailto:asrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/asrg>
List-Post: <mailto:asrg@irtf.org>
List-Help: <mailto:asrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Jan 2013 03:03:22 -0000
On 1/26/2013 11:03 AM, Chris Lewis wrote:
> What we're seeing instead, is an evolution from the massive
> scatter-gunning of a Rustock infecting a home computer, to that of
> compromised servers, compromised user accounts etc. These are harder to
> deal with, harder to stop, harder to filter.
>
> So, while there are fewer spams in the Internet, I strongly suspect that
> more of them are getting through.

EXACTLY!!!

Along those lines, there has been an uptick in hijacked domains where, instead of the spammer buying their own domain, they break through a hoster's security (or obtain the FTP credentials), and then install their spammy scripts or pages. Then, when they send out their spams, the domains are not so easily blacklist-able, because the various URI or domain blacklists often skip listing these due to the false-positive-prevention filters preventing such listings. In other words, the same legitimacy or "good reputation" which would cause a URI blacklist's engine to purposely NOT blacklist innocent decoy domains... often gives these hijacked domains a free pass, too.

Therefore, over at invaluement.com, we made recent improvements to our ivmURI blacklist to allow us to now more surgically target many of these hijacked domains, yet without lessening our protections against blacklisting innocent "decoy" domains.

FOR EXAMPLE... The following is a list of about 2,500 domains which are CURRENTLY hijacked with "live" spammy URLs present:

http://dnsbl.invaluement.com/urls-hijacked-by-spammers-Jan-29-2013.zip

Actually, the number of such hijacked domains blacklisted by invaluement is much larger, but we narrowed it down in THAT example list to only those domains NOT currently blacklisted by either SURBL or Spamhaus's DBL list... to make it more interesting! See the included "notes" text file for more details.
PS - as the notes file mentions, please don't throw these into manual local blacklists since many of these sites will fix their problems and then get removed from ivmURI. These generally shouldn't be permanently blacklisted. Again, see the included "notes" file for more information.

--
Rob McEwen
http://dnsbl.invaluement.com/
rob@invaluement.com
+1 (478) 475-9032
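As an added illustration of the point made above (this is editor-supplied example code, not part of Rob's post or of the ivmURI, SURBL or DBL projects): a URI-DNSBL lookup that tells hijacked legitimate domains apart from spammer-owned ones and, following the PS, gives hijacked listings a local expiry instead of a permanent block. It assumes the Spamhaus DBL return-code ranges as published in Spamhaus's own documentation (127.0.1.2-6 for spammer-controlled domains, 127.0.1.102-106 for "abused legitimate" domains), uses a deliberately simplified two-label registrable-domain rule, and resolves against a constructed in-memory fixture so it runs offline.

```python
"""URI-DNSBL lookup with pluggable resolver (editor example, not ivmURI code)."""
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Spamhaus DBL answer codes as published by Spamhaus (assumption: verify
# against current docs). 102-106 = "abused legitimate", i.e. the hijacked
# sites discussed in the thread, which should be treated as transient.
DBL_CODES = {
    2: "spam", 4: "phish", 5: "malware", 6: "botnet-c2",
    102: "abused-legit-spam", 103: "abused-legit-redirector",
    104: "abused-legit-phish", 105: "abused-legit-malware",
    106: "abused-legit-botnet-c2",
}
HIJACKED_TTL = timedelta(days=7)   # local re-check interval, our choice

def registrable_domain(url):
    """Hostname reduced to its last two labels. Simplification: a real
    implementation must consult the Public Suffix List (e.g. co.uk)."""
    host = (urlsplit(url).hostname or "").lower().strip(".")
    return ".".join(host.split(".")[-2:])

def dbl_query_name(domain):
    return f"{domain}.dbl.spamhaus.org"

def classify(url, resolve):
    """resolve(qname) -> list of A-record strings, [] for NXDOMAIN."""
    domain = registrable_domain(url)
    answers = [a for a in resolve(dbl_query_name(domain)) if a.startswith("127.0.1.")]
    if not answers:
        return {"domain": domain, "listed": False}
    code = int(answers[0].rsplit(".", 1)[1])
    return {"domain": domain, "listed": True,
            "category": DBL_CODES.get(code, f"unknown-{code}"),
            "hijacked": 102 <= code <= 106}

def local_block_entry(verdict, now):
    """Turn a verdict into a local blocklist row. Hijacked (abused-legit)
    domains get an expiry so they drop off once the site is cleaned;
    spammer-owned domains carry no local expiry (the feed decides)."""
    if not verdict["listed"]:
        return None
    expires = now + HIJACKED_TTL if verdict["hijacked"] else None
    return {"domain": verdict["domain"], "expires": expires}

# Constructed fixture standing in for real DNS answers (not real listings).
FIXTURE = {
    "spammer-owned.example.dbl.spamhaus.org": ["127.0.1.2"],
    "hijacked-shop.example.dbl.spamhaus.org": ["127.0.1.102"],
}

def fake_resolve(qname):
    return FIXTURE.get(qname, [])
```

Swap `fake_resolve` for a function that performs a real A lookup to query the live zone; the rest of the logic is unchanged.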