The one year anniversary of the DBL brings a new zone (spamhaus.org)

tawmmy

Story copied from: http://www.spamhaus.org/news.lasso?article=667

2011-03-03 09:51 GMT, by Steve Linford & the DBL team

5 March 2011: One year ago this week, The Spamhaus Project released a new spam-blocking advisory list for the world's internet users. Its focus was on the domain side of email filtering. Called the Domain Block List, the DBL has now been in worldwide use for a full year. The reported results have been excellent with the domain filtering ability of the DBL helping "clean up" most of what the front line IP-address based lists may miss - and as with all our data, having virtually no false positives.

The DBL design

Following in the footsteps of two other excellent domain blocklists, SURBL and URIBL, Spamhaus tailored the DBL to work specifically in conjunction with our IP address based lists. We also added some of our own tweaks to the way our domain blocklist functions. These include a very fast turnaround time from bad domain detection to the domain being listed in our global blocklist system: 60 seconds! This makes it harder for spammers who register and use thousands of domains to get them past email filters during a lag in the domain blocklist zone being built.

Spamhaus also worked with SpamAssassin who released a version specifically with DBL support: SpamAssassin 3.3.1. This and newer SpamAssassin versions allow users to benefit from the DBL's special "wildcard" feature. Wildcarding defeats a trick spammers use called subdomaining. On one of their domains, they will create thousands of second-level subdomains (e.g. for example.ru, spammers could create spam1.example.ru, spam2.example.ru, spam3.example.ru, etc.). But with DBL wildcarding, once we detect example.ru as malicious, all its subdomains will also be reported to users as malicious.

These features help detect far more spam emails and help drive up the costs to the spammers as domains, even very low cost ones, must still be purchased. Behind the scenes, Spamhaus uses data produced by the DBL to alert registrars to the spammer domains. Over the past year, Spamhaus, working in cooperation with these progressive registrars, has been able to disable hundreds of thousands of spammer domains.

A New Problem...

Due to the success of ISPs and email providers in preventing inbox-delivered spam from domains in the DBL and other domain blocklists, spammers have resorted to a new tactic: using URL shortening services (such as bit.ly, is.gd, goo.gl, t.co) to shorten (hide) the real spammer domain/URL with a legitimate shortening service URL.

There are hundreds or more of these URL shorteners (also called redirectors) on the web these days. The cybercriminal-type spammers have tracked down many of them and set up thousands of these short URLs to put in the body of their spams trying to avoid detection by the DBL and other domain blocklist systems.

The spammers also know that by using these legitimate services, ISPs and email providers will be less inclined to block them as it can cause false positives.

...brings a New Solution

One way to address this problem would have been to treat URL shortener domains the same way as any other spammed domain and include them in our main DBL zone. But, as mentioned, most of these URL shorteners serve a legitimate purpose and are used in non-spam emailings. Spamhaus has always worked to avoid the blocklisting of assets that would cause unjustified false positives.

Many URL shortener services have worked hard to eliminate the abuse of their systems. Using several methods they are able to vastly limit the large scale creation of URLs by spammers. Sadly, others have ignored this issue and we continue to see their URLs in millions of spam messages each day.

The best solution was to give users a way to choose what they want to do with these spammed URL shorteners. Spamhaus created a new "URL shortener/redirector" zone in the DBL. By returning a specific code for this zone, filter designers and end-users of the Spamhaus DBL can decide what to do with the information. This may be to block fully, or to score email messages in a way to avoid false positives.

How to use the DBL

Please see our original DBL announcement and our DBL FAQ for information on how to implement the DBL and the new "URL shortener/redirector" zone.
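
An added example, not part of the copied article or Spamhaus's own code: a filter-side sketch of the policy choice described above, rejecting on a main-zone hit (including wildcarded subdomains) but only adding score on a "URL shortener/redirector" hit. The zone name dbl.spamhaus.org, both return codes, the score value and the stub resolver data are assumptions not stated in the article; check the codes against the DBL FAQ.

```python
import re
from urllib.parse import urlsplit

DBL_ZONE = "dbl.spamhaus.org"
# Assumed return codes; confirm both against the DBL FAQ before deploying.
CODE_SPAM_DOMAIN = "127.0.1.2"   # main DBL listing
CODE_REDIRECTOR = "127.0.1.3"    # "URL shortener/redirector" zone

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
IP_LITERAL_RE = re.compile(r"[\d.]+|.*:.*")  # IPv4 or IPv6 host

def hosts_in_body(body):
    """Unique hostnames of http(s) URLs in a message body, in order seen."""
    hosts = []
    for url in URL_RE.findall(body):
        host = (urlsplit(url).hostname or "").rstrip(".")
        # The DBL lists domains only, so IP-literal hosts are not queried.
        if host and not IP_LITERAL_RE.fullmatch(host) and host not in hosts:
            hosts.append(host)
    return hosts

def score_message(body, resolve, redirector_score=2.5):
    """Return (verdict, score, hits) for one message body.

    resolve(name) must return the list of A-record strings for name,
    or [] on NXDOMAIN. A main-zone hit rejects outright; a redirector
    hit only adds score, so a shortener link alone does not block mail.
    """
    score, hits = 0.0, []
    for host in hosts_in_body(body):
        answers = resolve(f"{host}.{DBL_ZONE}")
        if CODE_SPAM_DOMAIN in answers:
            return "reject", score, hits + [(host, "spam-domain")]
        if CODE_REDIRECTOR in answers:
            score += redirector_score
            hits.append((host, "redirector"))
    return ("score" if hits else "accept"), score, hits

# Constructed stand-in for DNS so the example runs offline. It answers for a
# listed domain and every subdomain of it, as the DBL's wildcarding does.
LISTED = {"example.ru": CODE_SPAM_DOMAIN, "short.example": CODE_REDIRECTOR}

def stub_resolve(name):
    host = name[: -len(DBL_ZONE) - 1]
    return [c for d, c in LISTED.items() if host == d or host.endswith("." + d)]

if __name__ == "__main__":
    print(score_message("Deal: http://spam7.example.ru/offer", stub_resolve))
    print(score_message("See http://short.example/abc", stub_resolve))
```

In production, replace stub_resolve with a real resolver call that returns [] on NXDOMAIN.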