Mailing List Archive

[OT} RE: SA Blacklists
I use it but good luck with his URI blacklist. It's huge and I had slow
performance using it.

Check out the RulesDuJour script on http://www.exit0.us/index.php

-----Original Message-----
From: Jon [mailto:groups@ez15loan.com]
Sent: Monday, February 02, 2004 7:28 PM
To: spamassassin-users@incubator.apache.org
Subject: Re: SA Blacklists

Here's a little more, in short:

This is a list of domains, hosts, and IP addresses used by spammers.
This can include bulk email houses, individual companies that send spam,
and servers that are used to host images for spam. Spam is strictly
defined as Unsolicited Bulk Email, and so I will include unsolicited
mail where the sender is not explicitly asking for money, such as
political and religious spam.

The domains and IP's can be the original ones listed in the
mail, but also include the intermediate redirectors and the final target
site. If the company is attempting to hide behind a temporary domain
used for email campaign(s), the real company domain is included as well.

The list does _not_ include hosting services where spammers and
non-spammers can sign up for accounts (geocities, store.yahoo.com, etc.)
It also does not include counters, ad trackers (although this is
severely borderline), free email services (hotmail, msn, etc.), and
generic ISP's that host normal user accounts (earthlink, etc.). It does
not include individual email addresses; this takes far too much work for
too little payback.

In short, I want this list to be a list of domains, hosts, and
IP addresses used exclusively by companies that spam.

--
Jon
Re: [OT} RE: SA Blacklists [ In reply to ]
On 2/2/2004 at 7:29 PM, "Rose, Bobby" <brose@med.wayne.edu> wrote:

> I use it but good luck with his URI blacklist. It's huge and I had slow
> performance using it.

> Check out the RulesDuJour script on http://www.exit0.us/index.php

> -----Original Message-----
> From: Jon [mailto:groups@ez15loan.com]
> Sent: Monday, February 02, 2004 7:28 PM
> To: spamassassin-users@incubator.apache.org
> Subject: Re: SA Blacklists

> Here's a little more, in short:

> This is a list of domains, hosts, and IP addresses used by spammers.
[...]

> Jon

"rules du jour" kind of sums this up: the concept of centrally administering
a list of fast- and ever-changing spammer resources (domains, IP ranges) in
this fashion does not scale.

- If your list gets too popular, your servers will be targeted with DoS attacks,
whether that's by IP traffic or cease&desist letters purporting to be
"permissible legal assault" does not make a difference.
- Got "Slow performance" now? You expect this list to grow, don't you?

For a real solution, look no further than
http://bugzilla.spamassassin.org/show_bug.cgi?id=1375 ,

which has an experimental patch by Florian Klein that does DNSBL lookups
against hostnames contained in URL/URI's. At least one comment (#7)
explains the scaling issue - and also suggests creating a DNSBL that
lists domains for purposes of blacklisting. I personally prefer to
list by network number and/or ASN - it scales much better.

I encourage people to apply the posted patch - and read the detailed
discussion in the bugzilla ticket - 70% positive hit rate on incoming
spam by querying SPEWS and SBL alone is probably the best single-case
rule so far.

bye,Kai


--
"Just say No" to Spam Kai Schlichting
New York, Palo Alto, You name it Sophisticated Technical Peon
Kai's SpamShield <tm> is FREE! http://www.SpamShield.org
| |
LeasedLines-FrameRelay-IPLs-ISDN-PPP-Cisco-Consulting-VoiceFax-Data-Muxes
WorldWideWebAnything-Intranets-NetAdmin-UnixAdmin-Security-ReallyHardMath
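
[Added example, not part of the original message and not the patch from bug 1375.] The lookup idea described above, as a Python sketch: pull hostnames out of the URIs in a message body, build the DNSBL query name for each (the name itself for a domain-keyed zone, reversed octets for an IPv4 literal), and record which zones answer. The zone names, sample body and listings are constructed placeholders; resolving hostnames to their IPs before querying an IP-based list is left out so the example runs offline.

```python
import ipaddress
import re
import socket
from urllib.parse import urlsplit

URI_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def uri_hosts(body):
    """Unique lowercase hostnames/IP literals from http(s) URIs, in order seen."""
    hosts = []
    for uri in URI_RE.findall(body):
        try:
            host = urlsplit(uri).hostname
        except ValueError:  # malformed authority part, skip it
            continue
        if host and host not in hosts:
            hosts.append(host)
    return hosts

def dnsbl_name(host, zone):
    """Query name: reversed octets for an IPv4 literal, the name itself otherwise."""
    try:
        ip = ipaddress.IPv4Address(host)
    except ValueError:
        return f"{host.rstrip('.')}.{zone}"
    return ".".join(reversed(str(ip).split("."))) + "." + zone

def system_resolver(name):
    """True if the query name has an A record (listed), False on NXDOMAIN."""
    try:
        socket.gethostbyname(name)
        return True
    except OSError:
        return False

def check_body(body, zones, resolve=system_resolver):
    """Map each URI host to the zones listing it; one query per (host, zone)."""
    hits = {}
    for host in uri_hosts(body):
        listed = [z for z in zones if resolve(dnsbl_name(host, z))]
        if listed:
            hits[host] = listed
    return hits

# Constructed sample data: placeholder zones and listings, not real DNSBLs.
SAMPLE_BODY = """Buy now at http://pills.spam-example.test/offer?id=1
mirror: HTTP://192.0.2.55/img.gif and https://www.example.org/about"""
FAKE_ZONE_DATA = {"pills.spam-example.test.uribl.example",
                  "55.2.0.192.ipbl.example"}
ZONES = ["uribl.example", "ipbl.example"]
```

Calling check_body(SAMPLE_BODY, ZONES, resolve=FAKE_ZONE_DATA.__contains__) uses the constructed listings instead of live DNS; the cost is one query per host per zone, independent of how large the list behind the zone grows.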
Re: [OT} RE: SA Blacklists [ In reply to ]
Thanks for all those who replied for the input.

--
Jon

RE: [OT} RE: SA Blacklists [ In reply to ]
> -----Original Message-----
> From: Kai [mailto:kai-sa-talk@conti.nu]
> Sent: Tuesday, February 03, 2004 5:52 PM
> To: spamassassin-users@incubator.apache.org
> Subject: Re: [.OT} RE: SA Blacklists
>
>
> On 2/2/2004 at 7:29 PM, "Rose, Bobby" <brose@med.wayne.edu> wrote:
>
> > I use it but good luck with his URI blacklist. It's huge
> and I had slow
> > performance using it.
>
> > Check out the RulesDuJour script on http://www.exit0.us/index.php
>
> > -----Original Message-----
> > From: Jon [mailto:groups@ez15loan.com]
> > Sent: Monday, February 02, 2004 7:28 PM
> > To: spamassassin-users@incubator.apache.org
> > Subject: Re: SA Blacklists
>
> > Here's a little more, in short:
>
> > This is a list of domains, hosts, and IP addresses used by spammers.
> [...]
>
> > Jon
>
> "rules du jour" kind of sums this up: the concept of
> centrally administering
> a list of fast- and ever-changing spammer resources (domains,
> IP ranges) in
> this fashion does not scale.
>
> - If your list gets too popular, your servers will be
> targeted with DoS attacks,
> whether that's by IP traffic or cease&desist letters
> purporting to be
> "permissible legal assault" does not make a difference.
> - Got "Slow performance" now? You expect this list to grow, don't you?
>
> For a real solution, look no further than
> http://bugzilla.spamassassin.org/show_bug.cgi?id=1375 ,
>
> which has an experimental patch by Florian Klein that does
> DNSBL lookups
> against hostnames contained in URL/URI's. At least one comment (#7)
> explains the scaling issue - and also suggests creating a DNSBL that
> lists domains for purposes of blacklisting. I personally prefer to
> list by network number and/or ASN - it scales much better.
>
> I encourage people to apply the posted patch - and read the detailed
> discussion in the bugzilla ticket - 70% positive hit rate on incoming
> spam by querying SPEWS and SBL alone is probably the best single-case
> rule so far.
>
> bye,Kai
>
>
> --
> "Just say No" to Spam Kai
> Schlichting
> New York, Palo Alto, You name it Sophisticated
> Technical Peon
> Kai's SpamShield <tm> is FREE!

Take it from someone who knows, Kai has it correct. This is the way to go.
Hopefully future RBLs like spamcop will pull out URLs into a separate list.
This would raise the hit ratio above 70%. Simply because some hosting
domains are never used to send spam.

My Bigevil.cf was spawned out of frustration. It started like Stearns' list but
I quickly realised this effort is semi futile. With DNSRBLs and Bigevil, we
get almost zero spams sneaking thru. When this is all automated via RBLs it
will rock. I'm so looking forward to this.

"Sophisticated Technical Peon" and "REALYHARDMATH" Hah!!! :)

--Chris