Spamhaus has accused internet giant Yahoo! of hosting almost 5000 phishing websites.
Read More… (From Phishing News)

It’s time to go back to the drawing board for a new opinion on Spamcop’s SCBL blacklist. In the past, I had consistently observed significant false positive issues, which now seem to be resolved.

For more on the topic, including metrics showing how well Spamcop is working in my test environment, click here.

Read More… (From Al Iverson’s Spam Resource)

The DNSBL relays.radparker.com is no longer valid. If you are using relays.radparker.com in a mail server or spam filtering product, please stop doing so immediately. It will not block any spam. No DNSBL has been available under this domain for years, and unexpected results may be returned.

It used to be the home to a list called the Radparker Relay Spam Stopper (RRSS). The RRSS was a list that I myself (Al Iverson) created in early 1999 to help mail server administrators reject mail from open relaying mail servers. Back then, open relays were the primary transmission vector for the worst-of-the-worst kinds of spam. I created the list primarily to offer an alternative to ORBS, an open relay blocking list run by Alan Brown out of New Zealand. (This ORBS was a sort of descendant of a previous ORBS, run in Canada by Alan Hodgson.) Alan (Brown) had a habit of getting into arguments with people who were listed, actively probing mail servers without permission, listing things that didn’t actually qualify as open relays, and so forth. I found it distasteful and unfriendly.

Major policy differences for my new alternative open-relay list included:

  • A remote server was not tested for open relay unless a spam message was received.

  • Public record was kept of the spam message, and test proving the site was an open relay.

  • Anybody could request that any listing be removed, and it would be removed.

The net result was that ORBS ended up imploding under various legal challenges, and the RRSS ended up becoming the Mail Abuse Prevention System (MAPS) RSS, later a component of a commercial spam-filtering solution, provided as of late by MAPS’ current owners, Trend Micro.

Throughout the spring and summer of 1999, the RRSS list grew in popularity. At its peak, we figured that it was protecting over 350,000 mailboxes from open relay spam, and was used by quite a few local and regional ISPs, including USWest/Qwest.

I created the list on my own, in my spare time. Back then, it was hosted by my employer, with their permission. This meant that the company would occasionally get a screaming goober phone call from somebody whose mail got blocked, who couldn’t figure out how to resolve the issue, and was sure that there was some giant conspiracy in place to harass them. (I probably wasn’t as polite to some of those folks as I should have been, either.) Eventually enough of those calls started coming in that I decided it wasn’t very wise to continue hosting the RRSS on my employer’s network. That’s when I started talking to MAPS. They offered to host the project for me under the MAPS umbrella, a partnership I entered into somewhere around August or September 1999. Eventually my volunteer work turned into a full time job working for MAPS, where I continued to manage and develop the RSS project, as well as working as an investigator for the MAPS RBL (Realtime Blackhole List) project.

I left MAPS in October, 2000.

The zone relays.radparker.com was emptied out sometime after the project was moved to MAPS’ servers in California. That was back sometime in 1999 or 2000. It has not been used to host a DNSBL since.

Interestingly, the RRSS data, process, and code was my own intellectual property that I brought with me to MAPS, and I never had any sort of formal agreement to transfer ownership to them. When I later left, I decided my heart lay elsewhere and I never pursued any sort of plan to take the project back unto myself. My friend Gordon Fecyk, who created what became the MAPS DUL, found himself in a similar situation when he left MAPS in 2002. In his case, he attempted to continue with his DUL project. This resulted in him being sued by MAPS, having been accused of stealing MAPS’ own intellectual property, a claim I suspect was distorted and probably unfounded, as did others.

MAPS founder Paul Vixie recently posted to a mailing list that the original, long-dead MAPS RBL zone of rbl.maps.vix.com is still receiving many queries against it. This got me thinking, so I did a bit of Google searching myself and found that there are still some people out there wondering if the RRSS zone of relays.radparker.com is working. So, here I am, posting this information, in the hope that the next time somebody’s wondering, they’ll query Google for more information, and find this page with the definitive answer: Nope, there is no DNSBL to be found at relays.radparker.com.

Read More… (From Al Iverson’s DNSBL Resource)

The Blars DNSBL (block.blars.org) appears to have gone on walkabout.

Created in 2002, the Blars Block List was an aggressive, semi-private blacklist run by a gentleman known to the greater internet community only by the pseudonym of Blars.

The “BlarsBL” had broad criteria for listing. These included spam sending domains, open relays, sites with disagreeable spam reporting policies, sites lacking abuse addresses, those who host spammer dropboxes or websites, those who have threatened Blars or others with legal action, and sites originating break-in attempts and other exploits (open proxy, open relay, etc.).

The blacklist has been criticized for implying that payment was required for removal. From the site: “If you would like a site be added or removed from BlarsBL, you may hire Blars at his normal consulting rates (currently $250/hour, 2 hour minimum, $1000 deposit due in advance for non-established customers) to investigate your evidence about the site. If it is found that the entry was a mistake, no charge will be made and the entire deposit will be refunded.”

The list appears to be no more. The websites www.blars.org and block.blars.org both resolve to a “This domain is parked free with GoDaddy” placeholder page.

Note: I confirmed today that all lookups against the block.blars.org DNSBL will result in a match. This is the Osirusoft solution, also known as blacklisting the whole world. Intentional or not, this means that if you continue to use this blacklist, you will receive no incoming mail whatsoever.

If you are using this list to reject mail, I recommend you cease doing so immediately. It will block all of your inbound mail.

See this page at MXToolbox.com for further confirmation of Blars’ mysterious disappearance. This post from the newsgroup news.admin.net-abuse.email indicates that it has likely been out of operation since approximately December 18, 2006.

Read More… (From Al Iverson’s DNSBL Resource)

As of Sunday, May 27th, 2007, the blacklist Spambag, with the DNSBL zone blacklist.spambag.org, is no longer available. The website www.spambag.org does not resolve to an IP address, and there appear to be no DNS entries under the DNSBL sub-zone.

Spambag, created and run by Sam Varshavchik, developer of the Courier mail server, has been operating this list since at least November, 2001.

The list had the following listing criteria: “[Spambag is my] personal list of networks who I block from sending me mail or accessing my web servers, because I believe the networks actively or passively allow abusive or antisocial behavior. Examples of what I consider abusive or antisocial behavior are: spamming, mailbombing, mail server dictionary attacks, and web page E-mail address harvesting.”

I last noted a hit against this DNSBL on May 26th, at 1:34 am US central time. Note that I was not a user of this list; I simply measure its effectiveness and status, like I do for many other blacklists.

This post to news.admin.net-abuse.email explains that Sam Varshavchik shut the list down, and that he felt his efforts had not been as productive as he would’ve liked them to be.

I would recommend removing blacklist.spambag.org from your list of DNSBLs to check, as it is no longer in operation.

Read More… (From Al Iverson’s DNSBL Resource)

With the advent of Spamhaus’s new PBL anti-spam blacklist, it appears that the NJABL Dynablock list is now obsolete. I just saw the following post on the public SPAM-L mailing list, from the NJABL folks:

The following text was sent to list AT njabl.org on Jan 19, 2007. Judging from the number of DNS queries still being handled for dynablock.njabl.org, the message doesn’t seem to have made it to a wide enough audience.

If you use or know people who use dynablock.njabl.org, this is important information:

With the advent of Spamhaus’s PBL (http://spamhaus.org/pbl/), dynablock.njabl.org has become obsolete. Rather than maintain separate similar DNSBL zones, NJABL will be working with Spamhaus on the PBL. Effective immediately, dynablock.njabl.org exists as a copy of the Spamhaus PBL. After dynablock users have had ample time to update their configurations, the dynablock.njabl.org zone will be emptied.

Other NJABL zones (i.e. dnsbl, combined, bhnc, and the qw versions) will continue, business as usual, except that combined will eventually lose its dynablock component.

If you currently use dynablock.njabl.org we recommend you switch immediately to pbl.spamhaus.org.

If you currently use combined.njabl.org, we recommend you add pbl.spamhaus.org to the list of DNSBLs you use.

You may also want to consider using zen.spamhaus.org, which is a combination zone consisting of Spamhaus’s SBL, XBL, and PBL zones.

(Editor’s note: I’m very happy with ZEN so far. See this post detailing my recent experiences.)

Read More… (From Al Iverson’s DNSBL Resource)

According to documents filed with the SEC yesterday, Michael Egan, president of theglobe.com which owns Tralliance, lent them $250,000 on onerous terms to keep the company going. The terms of the loan allow him to increase the amount up to $3,000,000. It pays 10% interest, assuming theglobe had the cash to pay interest, which is unlikely, and can be converted into stock at one cent per share. The filings say this loan is to provide working capital while they look for longer term financing. See more …
Read More… (From E-mail, tech policy and more )

Regardless of whether this is FUD or not, there is growing talk in the IT/email world over whether or not a US court blocking Spamhaus (via removal of ownership rights to their domain name through ICANN). This all stemming from…
Read More… (From spamblogging)

Phishers seem to have developed a new weapon in their phishing arsenal - DNS Redirecting.
Read More… (From Phishing News)

In a press release sent out this morning, Godaddy says they’re the new registrar for Registerfly’s former domains. Godaddy has their own issues, but they’re one of the few registrars that could import that many domains quickly. This should solve the problem for the RF customers whose registration data is correctly transferred over. But it still leaves in limbo those whose domains went into redemption or expired due to RF’s inability to process renewals. There also seem to be a fair number of domains whose contact info is wrong due to incompetence or malice at RF. There doesn’t yet seem to be any plan to clean up the rest of the mess. There’s nothing about this on the ICANN web site other than a blog entry on Friday proudly saying that they finally got RF’s Kevin Medina to show up in court. Whoopee. But there’s no reason to doubt what Godaddy has said.
Read More… (From E-mail, tech policy and more )

There is a new DNS service that has just appeared on the market called DNSPOD.NET. The concept is actually quite interesting, both on a service level and on a technical level. Dnspod.net allows anyone to use their name servers for their domain name, for free.

Unfortunately, their service has come under attack by spammers who use their name servers to service spamvertised domains.

Description of my dnspod.net experience

At first, the interface - all in Chinese - is unsettling. This being said, with the help of an online translator I was able to set up an account in just a minute or two and apply the DNS to one of my domains.

In wanting to see if I could remain anonymous, I entered false information into every box. This was not a problem. I was then given a box in which to enter my domain; afterwards I was given access to the zone file editor.

You are only given a choice between the following records: A, CNAME, MX, so it is definitely targeting the absolute basic services, but these are enough to allow for a spamvertised domain to be visible on the web. All the record specifications were by drop-down menus, and so I did not need to enter records manually using BIND syntax.

Examples of spamvertised domains using dnspod.net

  • buyvista2007cheap.biz
  • office2007buynow.info
  • softwaresmarket.info
  • vista-enterprise.info
  • alline1cdssoftwares.biz
  • trackerronline.com
  • bluetechriver.com
  • mysoftwarehouse.biz
  • bestsoftwaresforyou.biz

It appears that the "Cheap Software & OEM Cds" sponsor considers his DNSPOD.NET to be a free bullet-proof NS.
Read More… (From A Spamtracker’s Blog)

27 Jun
Home of the free

Career scofflaws The Pirate Bay have just launched a new service called BayImg, which promises free, uncensored image hosting for any ‘legal’ image. This has certain implications for spam.
Read More… (From Spamnation)

The primary project of the Blitzed group is the Blitzed Internet Relay Chat (IRC) network.

They also operated a DNSBL zone called opm.blitzed.org. This was the Blitzed Open Proxy Monitor (OPM). This popular open proxy DNSBL was run in such a way as to not probe a remote server to determine its open proxy status unless the server was implicated in reports of abuse. It did not list open relays.

The Blitzed group seems to have suffered a database or server failure as of May, 2006. This email to the OPM Announce mailing list details the situation, and explains that the OPM list would not be resurrected.

The list is not active at this time.

Based on this information, I would recommend that you remove opm.blitzed.org from the list of DNSBLs being checked in your mail server. It will no longer block any spam, and the potential exists for unpredictable results to be returned. Additionally, you’ll be generating unnecessary DNS query traffic to the Blitzed network.

Read More… (From Al Iverson’s DNSBL Resource)
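A programmatic version of the two warnings given for block.blars.org and opm.blitzed.org above, as an added example that is not code from these posts: before letting a mail server reject on a DNSBL zone, confirm that the zone is neither dead (no answers at all, so it blocks nothing) nor answering for every name (the “blacklist the whole world” case, which blocks all inbound mail). The test relies on the RFC 5782 convention that a working DNSBL lists 127.0.0.2 and never lists 127.0.0.1. The resolver is an injected callable so the script runs offline; the three resolvers at the bottom, the `.example` zone names and the 203.0.113.5 parking address are constructed stand-ins, not real DNS data.

```python
"""Sanity-check a DNSBL zone before (or while) using it to reject mail.

Added example, not code from the original posts. The resolver is an
injected callable so the check runs offline against constructed
answers; in production pass a function that performs a real A query
for the name and returns the answer addresses, or [] on NXDOMAIN.
"""
from __future__ import annotations

import ipaddress
from typing import Callable, List

# A resolver takes a fully qualified name and returns its A record
# addresses, or an empty list if the name does not exist.
Resolver = Callable[[str], List[str]]

# RFC 5782 test entries: a functioning DNSBL lists 127.0.0.2 and must
# not list 127.0.0.1. A zone that lists 127.0.0.1 is listing everything.
SHOULD_BE_LISTED = "127.0.0.2"
MUST_NOT_BE_LISTED = "127.0.0.1"
# Extra probes from the RFC 5737 documentation ranges; no real DNSBL
# should list all three, so a full set of hits also means a wildcard zone.
EXTRA_PROBES = ("192.0.2.1", "198.51.100.200", "203.0.113.77")


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL lookup name: octets reversed, then the zone.

    127.0.0.2 in block.blars.org -> 2.0.0.127.block.blars.org
    """
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone.strip(".")


def is_listed(ip: str, zone: str, resolve: Resolver) -> bool:
    """True if the zone returns any A record for the address."""
    return bool(resolve(dnsbl_query_name(ip, zone)))


def assess_zone(zone: str, resolve: Resolver) -> str:
    """Classify a zone as 'ok', 'dead' or 'lists-everything'."""
    if is_listed(MUST_NOT_BE_LISTED, zone, resolve):
        return "lists-everything"
    if all(is_listed(p, zone, resolve) for p in EXTRA_PROBES):
        return "lists-everything"
    if not is_listed(SHOULD_BE_LISTED, zone, resolve):
        return "dead"
    return "ok"


def safe_to_reject_with(zone: str, resolve: Resolver) -> bool:
    """Only a zone that passes both tests should be allowed to reject mail."""
    return assess_zone(zone, resolve) == "ok"


# --- Constructed resolvers standing in for the three situations ---------

def healthy_resolver(name: str) -> List[str]:
    """Behaves like a live DNSBL: only the 127.0.0.2 test entry is listed."""
    return ["127.0.0.2"] if name == "2.0.0.127.dnsbl.example" else []


def dead_resolver(name: str) -> List[str]:
    """Behaves like an emptied zone: NXDOMAIN for everything."""
    return []


def parked_wildcard_resolver(name: str) -> List[str]:
    """Behaves like a parked domain with a wildcard A record: every name
    resolves, so a naive filter treats every sender as listed."""
    return ["203.0.113.5"]  # constructed parking-page address


if __name__ == "__main__":
    for zone, resolver in (("dnsbl.example", healthy_resolver),
                           ("dead.example", dead_resolver),
                           ("parked.example", parked_wildcard_resolver)):
        print(f"{zone}: {assess_zone(zone, resolver)}")
```

Running this check periodically (not just at deployment time) is the point: every zone retired on this page was working when it was configured and failed later, and a cron job that flips a zone out of the reject list when `assess_zone` stops returning `ok` catches both the silent-dead and the blocks-everything outcome before users do.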

Just for kicks, I’ve embarked upon a large spam and blacklist tracking project. Wondering how well Spamhaus works? Preliminary results are showing me that it’s actually very accurate and has a much better (lower) false positive rate than every other blacklist I’ve tested. At the other side of the spectrum, Fiveten blocks nearly a third of desired mail, and isn’t as good at tagging spam. Read more about it, and link to the actual data I’m publishing every day, over here on dnsbl.com.

Read More… (From Al Iverson’s Spam Resource)

I figured it would be helpful if people were able to check my work. If you’d like to confirm for yourself whether or not SPEWS has been updated recently, here are a couple of different ways you could do that.

Go to this page on the SPEWS site, using the Mozilla Firefox web browser. You’ll get a list of network blocks and IP addresses. Right click on an empty space on the page, and select View Page Info. The window that pops up contains a Modified field. That indicates the last time the SPEWS data was updated.

If you don’t use Firefox, here’s another way you can check. Go to http://web-sniffer.net and paste in this URL: http://www.spews.org/spews_list_level1.txt

Then, hit the submit button. You’ll get a page of output that includes a Last-Modified field. This field indicates the last time SPEWS data was updated.

From here you can return to SPEWS Current Status, or return to What to do if you’re listed on SPEWS.

Read More… (From Al Iverson’s DNSBL Resource)
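Both manual methods above boil down to reading the HTTP Last-Modified header of the list file. The script below does the same check programmatically; it is an added example, not code from the original post. The functions that parse and compare dates work on a raw header block so they run offline against the constructed `SAMPLE_HEADERS` (the Last-Modified value is the August 23, 2006 timestamp quoted for SPEWS elsewhere on this page, with GMT assumed since the page gives no time zone; the Date header and `FRESH_HEADERS` are invented). `fetch_headers` performs the live HEAD request with the standard library and is what you would point at http://www.spews.org/spews_list_level1.txt in practice.

```python
"""Check whether a published blocklist file has gone stale, from its
HTTP Last-Modified header.

Added example, not code from the original post. SAMPLE_HEADERS and
FRESH_HEADERS are constructed, not real captures.
"""
from __future__ import annotations

import urllib.request
from datetime import datetime, timezone
from email.parser import HeaderParser
from email.utils import parsedate_to_datetime
from typing import Optional

# Constructed response to a HEAD on a list file that has not changed
# for months (Last-Modified is the SPEWS date quoted on this page).
SAMPLE_HEADERS = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Wed, 31 Jan 2007 00:00:00 GMT\r\n"
    "Last-Modified: Wed, 23 Aug 2006 23:03:29 GMT\r\n"
    "Content-Type: text/plain\r\n"
    "\r\n"
)

# Constructed response for a list that was refreshed the day before.
FRESH_HEADERS = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Thu, 24 Aug 2006 12:00:00 GMT\r\n"
    "Last-Modified: Wed, 23 Aug 2006 23:03:29 GMT\r\n"
    "\r\n"
)


def _header_date(raw_headers: str, name: str) -> Optional[datetime]:
    """Parse an RFC 1123 date header (Date, Last-Modified) as an aware datetime."""
    text = raw_headers.replace("\r\n", "\n")
    first, _, rest = text.partition("\n")
    body = rest if first.startswith("HTTP/") else text  # drop the status line
    value = HeaderParser().parsestr(body).get(name)
    if value is None:
        return None
    stamp = parsedate_to_datetime(value)
    if stamp.tzinfo is None:  # a "-0000" zone comes back naive; treat as UTC
        stamp = stamp.replace(tzinfo=timezone.utc)
    return stamp


def last_modified(raw_headers: str) -> Optional[datetime]:
    """The Last-Modified timestamp, or None if the server did not send one."""
    return _header_date(raw_headers, "Last-Modified")


def age_days(raw_headers: str, now: Optional[datetime] = None) -> Optional[int]:
    """Whole days between Last-Modified and `now`, or None if the header is absent.

    `now` defaults to the server's own Date header, so both stamps come
    from the same clock, and falls back to local UTC time.
    """
    stamp = last_modified(raw_headers)
    if stamp is None:
        return None
    if now is None:
        now = _header_date(raw_headers, "Date") or datetime.now(timezone.utc)
    return (now - stamp).days


def is_stale(raw_headers: str, max_age_days: int = 90) -> bool:
    """True when the file has not changed for more than max_age_days.

    A missing Last-Modified header counts as stale: with no evidence the
    list is maintained, it should not be trusted to reject mail.
    """
    age = age_days(raw_headers)
    return age is None or age > max_age_days


def fetch_headers(url: str, timeout: float = 10.0) -> str:
    """Live HEAD request (network required); returns the headers in the
    same raw form as SAMPLE_HEADERS so they can be fed to is_stale()."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return f"HTTP/1.1 {resp.status} {resp.reason}\r\n{resp.headers}"


if __name__ == "__main__":
    print("sample list age in days:", age_days(SAMPLE_HEADERS),
          "stale:", is_stale(SAMPLE_HEADERS))
```

The 90-day threshold is an assumption for illustration; pick it from how often the particular list is expected to change. Comparing against the server's Date header rather than the local clock avoids false alarms from a skewed client clock, which matters when this runs unattended.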

Now that we have seen how email headers are inserted by the receiving machine upon receipt of an email, we need to go into a little bit about how mail servers convert IP addresses to host names and vice versa. DNS stands for Domain Name System. It converts a host name to its IP address. Reverse DNS is the opposite: it converts an IP address to its host name. It does this by examining the IP’s PTR record. From answers.com:


A PTR record or pointer record maps an IPv4 address to the canonical name for that host. Setting up a PTR record for a hostname in the in-addr.arpa domain that corresponds to an IP address implements reverse DNS lookup for that address. For example (at the time of writing), www.icann.net has the IP address 192.0.34.164, but a PTR record maps 164.34.0.192.in-addr.arpa to its canonical name, referrals.icann.org.

The converse of a PTR record is the A record, which maps a hostname to its 32-bit IP address. So, A records are used for DNS lookups, PTR records are used for reverse DNS lookups. This brings us to Forward Confirmed Reverse DNS, or FCrDNS. An IP is said to have FCrDNS if it has a forward DNS (name -> IP) and reverse DNS (IP -> name) that match. First, a reverse DNS lookup is performed on the IP. This returns a list of hostnames associated with that IP (the list could have 0, 1 or more entries). For each entry in that list (assume it has one or more entries), a regular DNS lookup is performed to see if the IP returned matches the original IP address. So, for example:

  • IP = 292.28.75.16
  • Reverse DNS = tzink-is-awesome.com, tzink-is-okay.com, tzink-is-not-that-great.com
  • A record for tzink-is-awesome.com = 292.13.130.22: no match
  • A record for tzink-is-okay.com = 292.21.14.15: no match
  • A record for tzink-is-not-that-great.com = 292.28.75.16: match!

Since we matched the IP address in one of the domain’s A records that was found in the PTR, we are said to have FCrDNS for the IP. In spam filtering, if an IP has FCrDNS then we can be sure that the mail originated at the domain. Spammers cannot normally forge this if they are sending from zombie computers. Of course, if the ISP in question doesn’t care about spammers then this form of authentication won’t stop the mail. On the other hand, if the ISP doesn’t care about spam filtering and a spam analyst figures this out, this IP can very quickly be placed on a blocklist and accept no further mail from them until they clean up their act. You can see how DNS lookups can be useful in some circumstances. At the very least, if the connecting IP says HELO, and has an rDNS that matches the HELO, then the mail did indeed originate from that domain. The DNS information can then be inserted into the received headers. If the mail is spammy, the ISP can be complained to. If the ISP ignores the spammee, they can be placed on a blacklist. After all, it’s proof that the IP is sending spam that indeed is originating from that host.
Read More… (From Terry Zink’s Anti-spam Blog)
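The FCrDNS procedure in the post above, worked through in code, as an added example that is not from the original post. The PTR and A data are constructed in-memory tables so the script runs offline: the hostnames mirror the post’s tzink-is-* example but under `.example`, and the addresses come from the RFC 5737 documentation ranges rather than the post’s illustrative 292.x values, which are not valid IPv4 addresses. It goes a little beyond the text by also producing the `(name [ip])` clause that MTAs commonly write into the Received: header, with `unknown` when reverse DNS does not forward-confirm. In practice, `lookup_ptr` and `lookup_a` would be replaced by real DNS queries (for example dnspython’s `dns.resolver.resolve` on the PTR owner name and on each returned hostname).

```python
"""Forward-confirmed reverse DNS (FCrDNS) check.

Added example, not code from the original post. PTR_TABLE and A_TABLE
are constructed stand-ins for the reverse and forward zones.
"""
from __future__ import annotations

import ipaddress
from typing import Dict, List, Optional

# Constructed reverse zone: connecting IP -> hostnames in its PTR records.
PTR_TABLE: Dict[str, List[str]] = {
    # Three PTR names, only the last of which points back (the post's scenario).
    "203.0.113.16": ["tzink-is-awesome.example",
                     "tzink-is-okay.example",
                     "tzink-is-not-that-great.example"],
    # rDNS exists, but its forward record points somewhere else entirely.
    "203.0.113.99": ["mail.unrelated.example"],
    # 203.0.113.1 deliberately has no PTR record at all.
}

# Constructed forward zone: hostname -> A record addresses.
A_TABLE: Dict[str, List[str]] = {
    "tzink-is-awesome.example": ["203.0.113.22"],
    "tzink-is-okay.example": ["203.0.113.15"],
    "tzink-is-not-that-great.example": ["203.0.113.16"],
    "mail.unrelated.example": ["198.51.100.7"],
}


def ptr_owner_name(ip: str) -> str:
    """The in-addr.arpa name a resolver queries for the PTR record.
    203.0.113.16 -> 16.113.0.203.in-addr.arpa"""
    return ipaddress.ip_address(ip).reverse_pointer


def lookup_ptr(ip: str, ptr_table: Dict[str, List[str]] = PTR_TABLE) -> List[str]:
    """Reverse lookup: hostnames claimed for this address (may be empty)."""
    return [n.rstrip(".").lower() for n in ptr_table.get(ip, [])]


def lookup_a(name: str, a_table: Dict[str, List[str]] = A_TABLE) -> List[str]:
    """Forward lookup: addresses for a hostname (may be empty)."""
    return list(a_table.get(name.rstrip(".").lower(), []))


def fcrdns(ip: str, ptr_table=PTR_TABLE, a_table=A_TABLE) -> Optional[str]:
    """Return the first PTR hostname whose A records include `ip`, else None.

    One matching name is enough: a host with several PTR names only needs
    one of them to resolve back to the address.
    """
    for name in lookup_ptr(ip, ptr_table):
        if ip in lookup_a(name, a_table):
            return name
    return None


def helo_matches_rdns(ip: str, helo: str, ptr_table=PTR_TABLE, a_table=A_TABLE) -> bool:
    """The stricter test from the post: the confirmed rDNS name must also
    equal the name the client gave in HELO/EHLO."""
    confirmed = fcrdns(ip, ptr_table, a_table)
    return confirmed is not None and confirmed == helo.rstrip(".").lower()


def received_clause(ip: str, ptr_table=PTR_TABLE, a_table=A_TABLE) -> str:
    """What an MTA records for the connecting host in the Received: header,
    in the common "(name [ip])" form, with "unknown" when rDNS does not
    forward-confirm. The literal IP is always kept: it is the one fact
    the client cannot forge."""
    name = fcrdns(ip, ptr_table, a_table) or "unknown"
    return f"({name} [{ip}])"


if __name__ == "__main__":
    for ip in ("203.0.113.16", "203.0.113.99", "203.0.113.1"):
        print(ip, "->", received_clause(ip))
```

Note what the check does and does not prove: a pass ties the connection to a name the address's owner controls in both directions, which is why a confirmed name is worth reporting abuse against; a failure only means the operator did not publish matching records, which is common for dynamic ranges and is a reason to score, not a reason to reject on its own.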

Please note: I have no involvement in SPEWS. I publish this information simply to be helpful to people I see trying to figure out what to do about a SPEWS listing.

SPEWS appears to be dead:

  • As of Wednesday, January 31, 2007, the SPEWS data appears to be very out of date.
  • It has not been updated since: Wednesday, August 23, 2006 11:03:29 PM

This means that the SPEWS data has not changed since August, 2006. This data likely would not be intentionally frozen in time. I am told that it is generally updated periodically. This probably means that whoever maintains the SPEWS list is unwilling or unable to make updates to it. Either they’ve moved on, or they’re not able to access the site, or what have you. I don’t know what’s going on behind the scenes. I just know that the data is out of date.

If you’d like to confirm this for yourself, I explain how to do that here.

I confirmed with other smart anti-spam folks to ensure that I am checking this properly, and I’m pretty sure it’s correct.

I will update this page with more information as I have it. Please feel free to contact me if you have any information regarding the SPEWS site or data.

Update as of Thursday, February 1, 2007: Matthew Sullivan of SORBS has emptied out the SPEWS data he was previously serving via his nameservers. Read more >>

If you are listed on SPEWS, don’t despair. I’ve compiled some tips on how to deal with the situation. Click here to read on.

Read More… (From Al Iverson’s DNSBL Resource)
