Re: [Asrg] spam down?

Rob McEwen <> Wed, 30 January 2013 03:03 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 2527321F886F for <>; Tue, 29 Jan 2013 19:03:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id OwDFH-AbNTzB for <>; Tue, 29 Jan 2013 19:03:21 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 2FFF821F88A1 for <>; Tue, 29 Jan 2013 19:03:17 -0800 (PST)
Received: from ([]) by (IceWarp 10.4.3) with ASMTP id PEH80315 for <>; Tue, 29 Jan 2013 22:03:15 -0500
Message-ID: <>
Date: Tue, 29 Jan 2013 22:03:15 -0500
From: Rob McEwen <>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20130107 Thunderbird/17.0.2
MIME-Version: 1.0
References: <> <>
In-Reply-To: <>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Subject: Re: [Asrg] spam down?
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: Anti-Spam Research Group - IRTF <>
List-Id: Anti-Spam Research Group - IRTF <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 30 Jan 2013 03:03:22 -0000

On 1/26/2013 11:03 AM, Chris Lewis wrote:
> What we're seeing instead, is an evolution from the massive
> scatter-gunning of a Rustock infecting a home computer, to that of
> compromised servers, compromised user accounts etc.  These are harder to
> deal with, harder to stop, harder to filter.
> So, while there are fewer spams in the Internet, I strongly suspect that
> more of them are getting through.

EXACTLY!!! Along those lines, there has been an uptick in hijacked
domains where, instead of the spammer buying their own domain, they
break through a hoster's security (or obtained the FTP credentials), and
then they install their spammy scripts or pages. Then, when they send
out their spams, the domains are not so easily blacklist-able because
the various URI or domain blacklists often skip listing these due to the
false-positive-prevention-filters preventing such listings. In other
words, the same legitimacy or "good reputation" which would cause a URI
blacklist's engine to purposely NOT blacklist innocent decoy domains...
often give these hijacked domains a free pass, too.

Therefore, over at, we made recent improvements to our
ivmURI blacklist to allow us to now more surgically target many of these
hijacked domains, yet without lessening our protections against
blacklisting innocent "decoy" domains.

FOR EXAMPLE... The following is a list of about 2,500 domains which are
CURRENTLY hijacked with "live" spammy URLs present:

Actually, the number of such hijacked domains blacklisted by invaluement
is much larger, but we narrowed it down in THAT example list to only
those domains NOT currently blacklisted by either SURBL or Spamhaus's
DBL list... to make it more interesting! See the included "notes" text
file for more details.

PS - as the notes file mentions, please don't throw these into manual
local blacklists since many of these sites will fix their problems and
then get removed from ivmURI. These generally shouldn't be permanently
blacklisted. Again, see the included "notes" file for more information.

Rob McEwen
+1 (478) 475-9032