On 4/10/2012 11:42 AM, Thomas Johnson wrote:
> Any other ideas on these pill spams? What are they scoring for anyone else?
Hi. I've been following this thread. Here are some (random) thoughts &
suggestions:
(1) In some of those examples Thomas provided, at least one of the
assigned name servers had a hostname which contained a domain name...
where that domain name was blacklisted on either multi.surbl.org or
dbl.spamhaus.org ...Therefore, an SA rule that grabs the name servers
for the same domains it checked against URI lists, extracts out the
domain names from them (where different from the actual domain you did
the lookup on), and then checks those against URI blacklists--could
possibly have produced a higher score... even where other URI lists had
missed those domains.
NOTES:
(a) BTW, invaluement does NOTHING regarding name servers of
spamvertized domains... and we've never done anything with them in
the past. Eventually, we plan to change that... in a variety of ways...
(b) If anyone programs this idea into SA, or anywhere else, then
this should be a separate step AFTER regular URI checking....giving
the message a chance to "short circuit" out of processing if it
already scored high enough after URI checking. Why? Because this
would defeat some of the benefits of fast URI checking if it was
done in tandem with the URI checking. Basically, URI checking can be
lightning fast... especially if you are checking the extracted URIs
against a local rbldnsd server. In contrast, anytime you do a name
server lookup to some stranger's domain, you're subjecting yourself
to the mercy of their reply speed... and many of those spammers use
screwed up and/or overloaded equipment. (even if your DNS timeout
setting becomes a "safety net", that is still orders of magnitude
slower than rbldnsd checking!)
(2) Thomas specifically mentioned that invaluement, and other lists he
uses, didn't catch these. There may be a reason invaluement missed some
of these:
(a) In February and early March, we implemented the largest hardware
and software upgrades in the 15-year history of our company. It was
massive (for us). We went "all 64 bit" at the same time. Overall,
the upgrade was a huge success... but even as recently as today...
we're still putting a few things back together and are not quite up
to "full speed". There were intermittent outages and degradation in
effectiveness through large parts of February and March. But we're
almost finished and are now "fine tuning" various things. I wonder
if some of those missed spams came when we were having some of our
worst problems, during the thick of those hardware/software
upgrades? (even last week, we had some disruptions) Hopefully, we'll
do much better from this point forward... certainly, in other ways,
the improved hardware is already speeding things up... we just
needed to work out the kinks... getting all that new 64-bit software
to work together.
(b) Now that we have this upgrade completed... we're trying now to
expand our spam feeds. I think that spammers have often learned not
only how to avoid hitting our traps directly... but may have
discovered (even if just through process of elimination) some of our
external spam sources. (which is not a bad thing as that means that
those providing us spam... are getting less spam). Or, maybe not...
maybe I'm just paranoid! But, the bottom line is that our new
equipment greatly expands our ability to quickly process more spam
sources. If anyone reading this is interested, and can provide one..
let me know (off list!). We could possibly even work out a discount
on invaluement access ...if your feed is VERY prolific. (contact me
off-list for details, if interested) With more spam feeds, we hope
to cast a "wider net" and catch more of those URIs that have eluded
many (and sometimes all!) blacklists!
--
Rob McEwen
http://dnsbl.invaluement.com/ rob@invaluement.com
+1 (478) 475-9032
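An added sketch (not code from the post, from invaluement, or from SpamAssassin) of the name-server check Rob describes in point (1), including the short circuit from note (b): the URI-list pass runs first, and the slower name-server pass only runs if the score is still below the cutoff. The resolver and blacklist lookups are injected callables so the logic runs offline against constructed data; the zone names come from the thread, while the "last two labels" domain extraction, the scoring weights and the sample hosts are assumptions of this example.

```python
from typing import Callable, Iterable, List, Set

URI_LISTS = ("multi.surbl.org", "dbl.spamhaus.org")  # zones named in the thread

def registrable_domain(hostname: str) -> str:
    """Crude last-two-labels heuristic (assumption; use a public-suffix list in real code)."""
    labels = hostname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])

def uri_bl_score(domains: Iterable[str], listed: Callable[[str, str], bool],
                 per_hit: float = 2.0) -> float:
    """Fast first pass: the domains pulled from the message's URIs against the URI lists."""
    return sum(per_hit for d in domains for zone in URI_LISTS if listed(d, zone))

def ns_domain_score(domains: Iterable[str], ns_lookup: Callable[[str], List[str]],
                    listed: Callable[[str, str], bool], per_hit: float = 2.0) -> float:
    """Slow second pass: look up each domain's name servers, take the domain of each
    NS hostname (skipping ones under the domain itself) and check those too.
    ns_lookup must carry its own short timeout; it talks to the spammer's DNS."""
    seen: Set[str] = set()
    score = 0.0
    for d in domains:
        for ns in ns_lookup(d):
            nsdom = registrable_domain(ns)
            if nsdom == d or nsdom in seen:
                continue
            seen.add(nsdom)
            score += sum(per_hit for zone in URI_LISTS if listed(nsdom, zone))
    return score

def score_message(domains: List[str], ns_lookup, listed, short_circuit: float = 10.0) -> float:
    """Run the URI pass; only pay for the NS pass if the score is still below the cutoff."""
    score = uri_bl_score(domains, listed)
    if score >= short_circuit:
        return score  # short circuit: no NS lookups at all
    return score + ns_domain_score(domains, ns_lookup, listed)

# Constructed sample data (not real hosts): the spamvertised domain is on no list,
# but both of its name servers sit under a domain that is listed on DBL.
SAMPLE_NS = {"pills-example.test": ["ns1.badhost-example.test.", "ns2.badhost-example.test."]}
SAMPLE_LISTED = {("badhost-example.test", "dbl.spamhaus.org")}

def demo_score() -> float:
    """Score the constructed sample; returns 2.0, all of it from the NS pass."""
    return score_message(["pills-example.test"],
                         lambda d: SAMPLE_NS.get(d, []),
                         lambda d, z: (d, z) in SAMPLE_LISTED)
```

In a real rule the ns_lookup callable would be a DNS NS query with a short timeout, and the short_circuit cutoff would be the message's required_score.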