Domain Based Spam Prevention?
aralin asks: "Recently I got this idea and wrote a little perl script to extract all the second (third in case of co.uk) level domains from my last month's collection of spam (some 4000 messages). I ran that against a nameserver to find the ones with NS record (valid domains) and made a list for my procmail filter. I get about 10 mails a day that escape to SpamAssassin for various reasons and since I began to check them against my list of domains I caught half of these. The idea is that if they want to sell something, or put a working web bug in my email, they need to provide a valid URL with valid domain. If we filter domains from a URL in confirmed spam, then it's almost certain any other email referencing such domain is spam as well. What I wanted to ask Slashdot is whether you know about some software project that already uses this form of spam detection as an addition to rule matching and Bayes filters?"
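The pipeline the question describes, as an added example that is not aralin's perl script: pull URLs out of a message body, reduce each to its registrable domain (second level, or third level under co.uk-style suffixes), keep only the domains that pass an NS-record check, and match later mail against that list. The sample message, the tiny suffix table and the injected `has_ns` callback are constructed for the example so it runs offline; a deployment would use the full public-suffix list and a real resolver. It also goes slightly beyond the post by handling the `user:pass@host:port` and IP-literal URL forms spammers use for obfuscation.

```python
import re
from urllib.parse import urlsplit

# Constructed sample spam body for the example (not a real message).
SAMPLE_SPAM = """
Buy now at http://www.cheap-pills-example.com/order?id=42
<img src="http://bug.tracker-example.co.uk/p.gif" width=1 height=1>
Also try http://user:pass@203.0.113.5:8080/x and HTTP://Shop.Example.NET/
"""

# Assumption: a tiny stand-in for the public-suffix list. Real code should use
# the full list (e.g. the publicsuffix2 package) rather than this set.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au", "co.jp", "co.nz"}

URL_RE = re.compile(r"\b(?:https?|ftp)://[^\s<>\"']+", re.IGNORECASE)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def registrable_domain(host):
    """Return the second-level domain (third-level under co.uk and friends)
    for a hostname, or None for IP literals and single-label names, which
    have no registrable domain to put on a list."""
    host = host.lower().rstrip(".")
    if IPV4_RE.match(host) or "." not in host:
        return None
    labels = host.split(".")
    n = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    if len(labels) < n:
        return None
    return ".".join(labels[-n:])


def extract_domains(text):
    """Find every URL in text and reduce it to a set of registrable domains.
    urlsplit().hostname drops the user:pass@ prefix and the :port suffix and
    lowercases the host, so http://user@203.0.113.5:8080/ reduces to the bare
    IP (skipped) and HTTP://Shop.Example.NET/ to example.net."""
    found = set()
    for url in URL_RE.findall(text):
        host = urlsplit(url).hostname
        dom = registrable_domain(host) if host else None
        if dom:
            found.add(dom)
    return found


def filter_resolvable(domains, has_ns):
    """Keep only domains for which has_ns(domain) is true. The check is
    injected so the example runs offline; a deployment would wrap a real
    NS lookup (dnspython's dns.resolver, or the host resolver) here."""
    return {d for d in domains if has_ns(d)}


def matches_blocklist(text, blocklist):
    """Domains referenced by a new message that are already on the list of
    domains harvested from confirmed spam."""
    return extract_domains(text) & set(blocklist)


if __name__ == "__main__":
    # Build the list from the sample, pretending every domain has an NS record.
    spam_domains = filter_resolvable(extract_domains(SAMPLE_SPAM), lambda d: True)
    print(sorted(spam_domains))
    print(matches_blocklist("Visit http://shop.example.net/ today", spam_domains))
```

The NS check matters because the list should only carry domains that can actually serve a web bug or landing page; the IP-literal case is deliberately dropped here, since a bare address has no domain to list and is better handled by an IP-based check.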
Easily Defeated (Score:5, Insightful)
In this case they could start including (hidden, web-bug style) links to popular webmail sites, like hotmail. If you start blocking all messages with links to hotmail, you are probably going to miss some e-mail that you want!
Re:Easily Defeated (Score:2)
Also, many times the URLs contained in an e-mail point to a cracked Windoze box, which has been turned into a WWW server b
Re:Easily Defeated (Score:3, Informative)
Spamassassin already has rules to catch this kind of obfuscation. However, it wouldn't be hard to merely translate these things back into real IPs. After all, the author of this article has already said that he filters on the 2nd (3rd) level domain name, and in an instance like this, there IS no domain name - any good filter would skip over the stuff before the @ and after the :
Re:Easily Defeated (Score:2, Informative)
The "Received: " header added by your server. Filtering on anything the spammer can control means an arms race; filtering on the IP address is the only consistent thing, whether the hosts are complicit with spammers (netvision.il, wideopenwest.net, chello.nl) or just too incompetent/lazy to act on reports of trojanned machines on their network (attbi / comc
Re:Easily Defeated (Score:2)
Oh yeah, the email I want to receive is most likely to come from a hotmail account (or yahoo or AOL), right, sure...
The only solution is to replace email with something else based on "sender pays".
Handling first contact with legitimate clients? (Score:1)
Oh yeah, the email I want to receive is most likely to come from a hotmail account (or yahoo or AOL), right, sure...
I'll assume that was sarcasm. What if one of your clients uses an account on Hotmail, Yahoo! mail, or AOL mail as his or her primary e-mail account? Or do you whitelist only clients who have approached you through a web form?
Re:Easily Defeated (Score:2)
Take it easy. He only said you'd probably miss some e-mail you'd want. He didn't say anything about 'most likely.' And what kind of elitist doesn't accept e-mail from Hotmail? Wow.
How 'bout a mail rule (Score:3, Insightful)
Isn't this just like adding a mail client filtering rule to trash all emails with "mydomain.com" in the body?
Now, having said that, I don't think any mail filter does this explicitly because of problems with legit web page links. All the spammer would need to do is redirect through a page on a hosting service like fortunecity.com or geocities.com.
Comment removed (Score:4, Informative)
Re:IIRC SendMail allows this already (Score:3, Informative)
There are two checks for this - one rejects (501) mail that comes from bogus domains (domains which do not exist) and one that sends a temporary failure message (451) for domains which are unresolvable.
Such rules are necessary for proper operation of a mail server - the MAIL FROM: should always be a resolvable address (with the exception of empty sender) because that's where the bounces should go.
domain names often are temporarily unr
Re:IIRC SendMail allows this already (Score:1)
Milter-Sender attempts a connect to the MX host of record for the purported From address, and if that MX host does not accept mail for that account, your sendmail will not accept mail _from_ that account.
It's tunable, so you can tell it to wait and try again later, or just pass through emails from unreachable MX hosts, or just reject them outright.
It's not a perfect solution for what you're looking for, because a spammer just needs
genetic classification (Score:3, Informative)
An Idea (Score:1)
Already been done (Score:3, Informative)
I suppose you could write some scripts to automatically add new domains and expire those beyond a certain age, but I don't see much point. I've been writing custom SpamAssassin rules for several months now, and for me at least the ones that give the best results by far are the general purpose ones. Sure, if you have a big spam run or something like MyDoom to deal with, then a specific rule can really help, but that seems very much an exception to the rule.
The rules I have most success with are targeting the obfuscation attempts, which is great because if the spammer omits obfuscation then Bayes has a field day instead. Even if you don't use SpamAssassin, the Wiki [exit0.us] is great for examples of this kind of rule that you can adapt to your own engine if need be. Best of all, this is the kind of stuff that will *always* work, rather than a rule that will at best have a shelf life of a couple of months before it starts to bog down your mail gateway for no benefit.
Would already get too many false positives for me (Score:2)
Most of us have probably seen spams pushing various pump-and-dump scams. Many of these are just plain text, bragging that such-and-such a stock is undervalued and will skyrocket in the next few {days|weeks|decades} when the company announces that the {RIAA|FBI|SCOX} have placed a $1 {m|b|tr}illion order for their new whizz-bang {frobnicator|KaZaA-killer|penguin trap}.
Usually, there's no URL, because if you were stupid enough to buy the shares, you'd buy them from someone else. Some of these spams, though,
Bayes (Score:3, Informative)
Re:Bayes (Score:2)
ways and after you demangle the domain in the email and compare it with the list you get better match.
Joe-Job (Score:2, Insightful)
OK, the first spammer that wants to irritate you can thus easily block anyone from ever hearing about your website (by running a "joe-job" with your website's URL in it).
Two thoughts (Score:2)
Two, this doesn't help with the strangest category of spam -- email that doesn't refer to a particular product, include a valid reply-to or from address, or contain any valid urls. Those spam emails are the ones that just blow my mind. They suck up bandwidth, cost everyone money and resources, yet they contain only a few random words, none of which c
Re:Two thoughts (Score:2)
Re:Two thoughts (Score:1)
Yep, that's the case, in SpamAssassin 2.6x at least.
Re:Two thoughts (Score:2)
Think of it as a one-two punch against your email box.
Lots of ways around this (Score:3, Informative)
Wont work (Score:2)
One big problem with this (Score:3, Informative)
IMHO a better method would be to use the WHOIS information for a given domain name to match it to other spamming domains. I used to maintain the largest list of Alan Ralsky's [spamhaus.org] spamming domains. My list was enormous. Alan had a bad habit (good for us anti-spammers though) of using identical or very similar WHOIS information in each of his spamming domains. This was the case with probably 90% of his spamming domains. He frequently used the same nameservers as well. I think a crafty programmer could come up with a way to use a Bayesian filter to identify spam by the WHOIS records of the domains in a given message that's been marked as spam. This would be a worthwhile project to me. Best of luck.
Filter out HTML (Score:1)
Re:Filter out HTML (Score:2)
I, for one, am not going to miss a business opportunity (as in a job, not transferring money out of Nigeria), because the poor guy with the money and the standard Outlook setup sends me an HTML mail.
I might also just stop reading email, y'know
By the way - I send MIME-multipart mails with both the text and HTML version. And I reply above the quote. So shoot me.
Doing something similar (Score:1)
Another basic idea (Score:2)
So I have the domain "blah.com" and I want to register for an Ebay account. Instead of simply giving "me@blah.com", I'd instead register "ebay@blah.com" which would just point to my inbox. Now I can easily filter mail appropriately as it comes through. Not only that, but I can tell which places gave my email address out to spamming co
Re:Another basic idea (Score:1)
You don't even need additional 2nd-level domains to do this, just add a 3rd-level domain for this purpose.
For instance, suppose my normal address is me@mydomain.com, but when I give out my address on websites, I use something like amazon@replies.mydomain.com. In your DNS, just set up an MX record for the subdomain. If you use sendmail, it's easy to add a mailertable entry on the final delivery server like this:
replies.mydomain.com local:myreplymailbox
Make sure replies.mydomain.com also appears in /e
Re:Another basic idea (Score:2)
Most spam comes from having your address posted on some websites. Even newsgroups don't seem to be heavily crawled by spammers. I did a test last year, posted to a few
Re:Another basic idea (Score:2)
It lets you do dated addresses that expire after a period of time. It also lets you generate cryptographically signed addresses through the web interface (you-keyword-kht9840w@youraddress.com), so they can't just make them up.
It also allows you to do challenge response where people have to prove they aren't lying about their email address.
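The signed and dated addresses the comment above describes (the `you-keyword-kht9840w@youraddress.com` shape), as an added example rather than code from the tool the comment refers to: the trailing tag is a truncated HMAC over `local-keyword`, so a spammer who sees one address cannot mint another keyword or guess a tag, and an 8-digit `YYYYMMDD` keyword doubles as an expiry date. The secret, the domain and the 40-bit tag length are assumptions chosen for the example; the comment does not say how the real tool derives its tags.

```python
import base64
import hashlib
import hmac
import re

# Assumption: a per-user secret; in a deployment load it from a protected file.
SECRET = b"example-secret-rotate-me"
DOMAIN = "youraddress.com"  # the domain used in the comment above

# local-keyword-tag@domain; tag is 8 base32 characters (a-z, 2-7)
ADDR_RE = re.compile(r"^([a-z0-9]+)-([a-z0-9]+)-([a-z2-7]{8})@(.+)$")


def _code(local, keyword, secret):
    """8-character base32 tag: HMAC-SHA256 over 'local-keyword', truncated to
    40 bits. Short enough to type, long enough that guessing is hopeless."""
    mac = hmac.new(secret, f"{local}-{keyword}".encode(), hashlib.sha256).digest()
    return base64.b32encode(mac[:5]).decode().lower()


def make_signed_address(local, keyword, secret=SECRET, domain=DOMAIN):
    """Build you-amazon-xxxxxxxx@youraddress.com. Use an 8-digit YYYYMMDD
    keyword to make a dated address that verify_signed_address() expires."""
    return f"{local}-{keyword}-{_code(local, keyword, secret)}@{domain}"


def verify_signed_address(address, today=None, secret=SECRET, domain=DOMAIN):
    """Return (local, keyword) if the address carries a valid tag and has not
    expired, else None. today is a 'YYYYMMDD' string passed in explicitly so
    the example never reads the clock and stays testable."""
    m = ADDR_RE.match(address.lower())
    if not m or m.group(4) != domain:
        return None
    local, keyword, code = m.group(1), m.group(2), m.group(3)
    if not hmac.compare_digest(code, _code(local, keyword, secret)):
        return None  # forged or mistyped tag
    if today is not None and len(keyword) == 8 and keyword.isdigit() and keyword < today:
        return None  # dated address past its expiry
    return (local, keyword)


if __name__ == "__main__":
    addr = make_signed_address("you", "amazon")
    print(addr, verify_signed_address(addr))
    dated = make_signed_address("you", "20040601")
    print(dated, verify_signed_address(dated, today="20040602"))
```

Because the tag is keyed, the MTA can reject unknown `local-keyword-tag` combinations at RCPT time instead of accepting everything under the domain, which is what stops a spammer from simply making addresses up.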
http://marc.merlins.org/linux/exim/sa.html (Score:1)
Check URLs' IP addresses against some RBLs... (Score:2)
A while ago, I made a SpamAssassin patch [gmane.org] which resolves any URL found within an email and tests the resulting IP addresses against blacklists which are otherwise used to block unwanted email. A lot of Chinese bulletproof servers' IP addresses are listed on the Spamhaus Block List (SBL) [spamhaus.org] and/or SPEWS [spews.org] as well as on certain *.blackholes.us [blackholes.us] lists.
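The check described in the comment above, as an added example and not the SpamAssassin patch itself: take each URL host from a message, resolve it to its A records (or use it directly when it is an IP literal), reverse the octets, and look the name up in a DNSBL zone. The sample message, the A-record table, the `dnsbl.example` zone name and the listed-name set are all constructed so the example runs offline; a deployment would substitute a real zone such as the SBL the comment mentions and wrap a real resolver in the two injected callbacks.

```python
import ipaddress
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"\b(?:https?|ftp)://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample and stand-ins for DNS; nothing here touches the network.
SAMPLE = """
Special offer: http://www.bulletproof-example.com/buy
Unsubscribe: http://203.0.113.9/u?id=7
Our partner: http://clean-example.org/
"""
# Assumed A-record answers for the hostnames above.
FAKE_A_RECORDS = {
    "www.bulletproof-example.com": ["203.0.113.5"],
    "clean-example.org": ["198.51.100.20"],
}
# Assumed DNSBL zone and the set of query names that would resolve in it.
ZONE = "dnsbl.example"  # placeholder; substitute a real zone in deployment
FAKE_LISTED = {"5.113.0.203.dnsbl.example", "9.113.0.203.dnsbl.example"}


def dnsbl_query_name(ip, zone):
    """DNSBL convention: reverse the octets and append the zone, so
    203.0.113.5 is looked up as 5.113.0.203.<zone>."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def url_hosts(text):
    """Hostnames (or IP literals) of every URL in the text, userinfo and
    port already stripped by urlsplit."""
    return {urlsplit(u).hostname for u in URL_RE.findall(text)} - {None}


def check_url_hosts(text, zones, resolve_a, is_listed):
    """For every URL host: resolve it (or use it directly if it is an IP
    literal), then query each DNSBL zone for each address. resolve_a(host)
    returns a list of IPv4 strings; is_listed(name) says whether the DNSBL
    name resolves. Both are injected so the logic can run offline.
    Returns {host: [(ip, zone), ...]} for hosts with at least one hit."""
    hits = {}
    for host in sorted(url_hosts(text)):
        try:
            ips = [str(ipaddress.IPv4Address(host))]  # IP literal: no lookup
        except ValueError:
            ips = resolve_a(host)
        for ip in ips:
            for zone in zones:
                if is_listed(dnsbl_query_name(ip, zone)):
                    hits.setdefault(host, []).append((ip, zone))
    return hits


if __name__ == "__main__":
    result = check_url_hosts(
        SAMPLE, [ZONE],
        resolve_a=lambda h: FAKE_A_RECORDS.get(h, []),
        is_listed=lambda name: name in FAKE_LISTED,
    )
    print(result)
```

One caveat a practitioner would want: resolving hostnames taken from untrusted mail means the spammer's own nameserver sees the query and can answer slowly or not at all, so the real `resolve_a` needs a short timeout, a negative cache and a cap on hosts per message, or the filter becomes a way to stall your mail gateway.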
Re:Check URLs' IP addresses against some RBLs... (Score:2)
Check it out, it uses a different approach to any other block list I've seen thus far.
Obscured addresses (Score:1)
question (Score:1)