Post by Chris Lewis
What we're seeing instead, is an evolution from the massive
scatter-gunning of a Rustock infecting a home computer, to that of
compromised servers, compromised user accounts etc. These are harder to
deal with, harder to stop, harder to filter.
So, while there are fewer spams in the Internet, I strongly suspect that
more of them are getting through.

EXACTLY!!! Along those lines, there has been an uptick in hijacked
domains where, instead of the spammer buying their own domain, they
break through a hoster's security (or obtain the FTP credentials), and
then they install their spammy scripts or pages. Then, when they send
out their spams, the domains are not so easily blacklist-able because
the various URI or domain blacklists often skip listing these due to the
false-positive-prevention-filters preventing such listings. In other
words, the same legitimacy or "good reputation" which would cause a URI
blacklist's engine to purposely NOT blacklist innocent decoy domains...
often gives these hijacked domains a free pass, too.
Therefore, over at invaluement.com, we made recent improvements to our
ivmURI blacklist to allow us to now more surgically target many of these
hijacked domains, yet without lessening our protections against
blacklisting innocent "decoy" domains.
FOR EXAMPLE... The following is a list of about 2,500 domains which are
CURRENTLY hijacked with "live" spammy URLs present:
http://dnsbl.invaluement.com/urls-hijacked-by-spammers-Jan-29-2013.zip
Actually, the number of such hijacked domains blacklisted by invaluement
is much larger, but we narrowed it down in THAT example list to only
those domains NOT currently blacklisted by either SURBL or Spamhaus's
DBL list... to make it more interesting! See the included "notes" text
file for more details.
PS - as the notes file mentions, please don't throw these into manual
local blacklists since many of these sites will fix their problems and
then get removed from ivmURI. These generally shouldn't be permanently
blacklisted. Again, see the included "notes" file for more information.
--
Rob McEwen
http://dnsbl.invaluement.com/
***@invaluement.com
+1 (478) 475-9032