ANNOUNCEMENT: update to ivmURI regarding surge in rarely-blacklisted domains 
spammers use from legit sites that are "compromised"

There has been a surge during the past couple of days in rarely-blacklisted 
domains (as in, you see few of these blacklisted on SURBL/URIBL/DBL) ...where 
the spammers used "compromised" sites which are normally legit sites. (maybe 
the FTP password was cracked? or some other security hole exploited?) Likewise, 
ivmURI was missing many of these because our FP-prevention-filters... which 
normally prevent "decoy" domains or innocent domains from getting 
blacklisted... were also causing many of these to be overlooked. (I suspect 
that the same was happening with the other URI blacklists, since [it seems?] 
even fewer of these were getting blacklisted on those other URI/domain 
blacklists?)

This isn't new. For months, it has been on my mind to make some adjustments to 
"surgically target" listing these types of domains... where our 
FP-prevention-filters would then "back off" just a tad... yet in a very 
"surgically targeted" way... so that these would start blacklisting, yet 
without those changes to the filters suddenly causing many FPs, and where these 
domains would also expire off of ivmURI faster--with the idea that the site 
owners would probably find and fix their problem somewhat quickly. (we don't 
want these to remain blacklisted weeks after the spam has ceased and the 
security problem fixed)
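The listing policy described above (an FP-prevention guard that normally protects established domains, a narrow back-off for domains whose spam sightings arrive in a sudden burst, and a much shorter expiry for those "compromised" listings) can be sketched as a small model. This is an added illustration, not ivmURI's or invaluement's code; every threshold, field name, domain and time value in it is an assumption constructed for the example.

```python
"""Toy model of a URI-blacklist listing policy with an FP-prevention guard that
"backs off" for compromised legit sites and expires those listings faster.

Constructed illustration (not invaluement's/ivmURI's code). All policy knobs,
field names and sample domains below are assumptions made for this example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Assumed policy knobs (not taken from the announcement).
NORMAL_TTL = timedelta(days=14)        # spammer-registered domain: long listing
COMPROMISED_TTL = timedelta(days=2)    # hacked legit site: owner fixes it soon
SPAM_HITS_TO_LIST = 5                  # spam sightings required before listing
HAM_RATIO_FP_GUARD = 0.20              # guard trips if >= 20% of sightings are ham
BURST_WINDOW = timedelta(hours=6)      # compromised sites show a sudden burst
ESTABLISHED_AGE_DAYS = 365             # "looks legit" signal: old registration


@dataclass
class Observation:
    domain: str
    seen_at: datetime
    in_spam: bool          # True if the URL was extracted from a spam sample
    site_age_days: int     # assumed reputation signal for the domain


@dataclass
class Listing:
    domain: str
    category: str          # "spammer" or "compromised"
    listed_at: datetime
    expires_at: datetime


@dataclass
class UriBlacklist:
    listings: Dict[str, Listing] = field(default_factory=dict)
    history: Dict[str, List[Observation]] = field(default_factory=dict)

    def observe(self, obs: Observation) -> Optional[Listing]:
        """Record one URL sighting and (re)evaluate the domain's listing."""
        self.history.setdefault(obs.domain, []).append(obs)
        return self._evaluate(obs.domain, obs.seen_at)

    def _evaluate(self, domain: str, now: datetime) -> Optional[Listing]:
        hist = self.history[domain]
        spam = [o for o in hist if o.in_spam]
        ham = [o for o in hist if not o.in_spam]
        if len(spam) < SPAM_HITS_TO_LIST:
            return None
        ham_ratio = len(ham) / len(hist)
        established = max(o.site_age_days for o in hist) > ESTABLISHED_AGE_DAYS
        # FP-prevention guard: an established domain that also shows up in ham
        # is treated as a decoy / innocent domain and left alone.
        if established and ham_ratio >= HAM_RATIO_FP_GUARD:
            return None
        if established:
            # Surgical back-off: old domain with no ham, whose spam sightings all
            # arrived in a short burst -> list as "compromised" with a short TTL.
            recent = [o for o in spam if now - o.seen_at <= BURST_WINDOW]
            if len(recent) < SPAM_HITS_TO_LIST:
                return None
            category, ttl = "compromised", COMPROMISED_TTL
        else:
            category, ttl = "spammer", NORMAL_TTL
        listing = Listing(domain, category, now, now + ttl)
        self.listings[domain] = listing
        return listing

    def is_listed(self, domain: str, now: datetime) -> bool:
        """Lookup as a mail filter would do it; expired entries drop out."""
        listing = self.listings.get(domain)
        if listing is None:
            return False
        if now >= listing.expires_at:
            del self.listings[domain]
            return False
        return True


def run_scenario() -> dict:
    """Constructed sample traffic: three domains seen in a one-hour spam burst."""
    bl = UriBlacklist()
    t0 = datetime(2011, 3, 1, 12, 0)
    for i in range(SPAM_HITS_TO_LIST):
        t = t0 + timedelta(minutes=10 * i)
        bl.observe(Observation("hacked-legit-shop.test", t, True, 2000))   # old site, spam only
        bl.observe(Observation("fresh-throwaway.test", t, True, 3))        # brand-new spammer domain
        bl.observe(Observation("popular-decoy.test", t, True, 2000))       # old site seen in spam...
        bl.observe(Observation("popular-decoy.test", t, False, 2000))      # ...and in ham (decoy)
    hacked = bl.listings.get("hacked-legit-shop.test")
    soon, later = t0 + timedelta(hours=1), t0 + timedelta(days=3)
    return {
        "compromised_category": hacked.category if hacked else None,
        "compromised_listed_soon": bl.is_listed("hacked-legit-shop.test", soon),
        "compromised_listed_3d": bl.is_listed("hacked-legit-shop.test", later),
        "spammer_listed_3d": bl.is_listed("fresh-throwaway.test", later),
        "decoy_listed": bl.is_listed("popular-decoy.test", soon),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The point of the scenario is the difference between the three outcomes: the hacked legit site is listed, but only in the "compromised" category and only for two days; the throwaway domain stays listed for the full two weeks; and the domain that also appears in ham never gets listed, which is the FP-prevention behaviour the guard is meant to preserve while the back-off is in effect.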

Yes, this WILL cause a tiny bit of "collateral damage"... but my estimation is 
that the ratio is off-the-chart GOOD! These are relatively minor sites. This 
could potentially cause hundreds of thousands of spams blocked for every one 
legit mail blocked. And if someone STILL has a problem with that ratio... then 
my message to them is... the site owner should be somewhat held accountable for 
their poor security--which is partly at fault for so much elusive spam making 
it into inboxes! (and, again, these listings will expire MUCH faster than 
regular ivmURI listings)

Many of these spams are especially elusive because the spammers then combine 
the use of a somewhat legit domain... with sending from "freemail" servers, or 
other legit mail servers which would cause far too much collateral damage if 
blocked by IP. At best, this puts a HUGE burden on content filters. At worst, 
many of these are slipping past many spam filters.

This major milestone improvement for ivmURI was implemented mere hours ago. 
Here are some results... where these were added to the ivmURI list today:

http://dnsbl.invaluement.com/uri_surge.txt

NOTE: These are all domains impacted by this change. Unfortunately, many in 
that list would have been blacklisted on ivmURI anyways, without the changes... but 
many domains in that list required this change to get listed on ivmURI. Also, 
across the board, you'll also find very few in that list which are on ANY other 
URI blacklists!

Questions/Feedback are welcome!

-- 
Rob McEwen
http://dnsbl.invaluement.com/
r...@invaluement.com
+1 (478) 475-9032