- October 9, 2015: Improve URIBL hitrates w/ SMTP delays
As discussed below, the short lived, high-volume campaigns are becoming a new norm to try to avoid RBLs and URIBLs alike. Because real-time blacklist services are mostly reactive in nature, these short high volume campaigns can sneak by 10-30% of the spam run before blacklistings kick in.
A nice tactic to counter these efforts, is to use SMTP delays. By introducing a delay, you allow real-time blacklists a small window for identification and publication of the new information. It will also drop quite a few spam bots which dont want to hang around that long for an SMTP banner. Not all MTA's may have this ability, but if you run Exim, its super easy. Just add to your acl_smtp_connect in /etc/exim.conf
delay = 60s
Note, this will effectively delay all your incoming mail by 60 seconds, and may increase your SMTP concurrencies, so please monitor accordingly. If you have implmented SMTP delays on other MTAs and would like to share them with us, please contact us and let us know.
- July 8, 2015: Reduction in list time latency
The spam trend of late has been to use short lived, high-volume campaigns in order to capitalize on the reactive nature of blacklist services. In the past, it could take up to 4 minutes for us to identify, list, rebuild, and syncronize the update. Recent campaigns we have investigated have sent 80-90% of their payload within 3 minutes.
Because of this, we have made a handful of enhancements to improve our identification speed and reduce the list time latency. As a result, we have reduced identification times by up to 100 seconds for new spam campaigns, by improving the speed at which we deliver live query data into our system. All users should see immediate results from these changes.
For Datafeed over DNS users, we have taken this one step further by rolling out a realtime blacklist publication system. This system can reduce list time latency on new spam campaigns by up to 90 seconds, as there is no waiting for rebuilding or resyncronizing of the zone files. Because of this, Datafeed over DNS is now far superior to Datafeed over RSYNC in terms of list time latency. With Datafeed over RSYNC, you will still have to wait for zones to rebuild, and then rsync them from us. If list time latency has an impact on your spam catch rates, you should consider switching from RSYNC over to DNS.
- June 30, 2015: New TLD Spam (Cont..)
SpamAssassin 3.4.1 uses a new RegistryBoundaries module to support automatic updates of newly released TLDs via a config file (20_aux_tlds.cf) and sa-update. It is recommended that you upgrade to v3.4.1 to allow your SpamAssassin to query blacklist services for domains using these TLDs. If you cannot upgrade from an older version, see the news below about updating just your old RegistrarBoundaries.pm file.
- April 6, 2015: New TLD Spam
If you are using SpamAssassin, and are currently receiving spam with new TLDs such as .LINK, .SCIENCE, .CRICKET, .NINJA, .XYZ, .CLICK (and others), it is because those URLs are not being checked against URIBL. In order to lookup these URLs, you will need to upgrade your RegistrarBoundaries.pm.
If you are running a recent version of SpamAssassin such as 3.3.2 or 3.4, simply download the RegistrarBoundaries.pm from SpamAssassin SVN and replace the one you currently have installed. Restart spamd (if you run it) for the change to take effect.
Link to SVN:
- April 6th, 2015: Happy 10th Birthday URIBL.COM
Today marks the 10th year anniversary of URIBL.COM. Thank you to everyone who has contributed over the years to keeping this service going strong!
- December 27th, 2012: Datafeed over DNS Available
For those who want to take advantage of datafeed service, but cannot or do not want to setup their own rbl instance, URIBL now offers Datafeed over DNS. If you have been blocked for high query volume, Datafeed over DNS will allow you to resume sending those high volume queries against the public mirrors. For those low volume users who currently use public DNS, Datafeed over DNS provides additional zone information not available otherwise. See Requesting the Data Feed Service for more information.
- January 23rd, 2012: Blocked due to excessive queries?
If you are receiving a bounce message saying your email was blocked due to excessive queries, you should contact your email provider, as they have not correctly implemented URIBL lookups. In the event a high volume nameserver is blocked, a 127.0.0.1 response may be received to indicate the nameserver is sending high volume queries. Service providers who have implemented URIBL lookups outside of SpamAssassin should read http://www.uribl.com/about.shtml#implementation and correctly implement URIBL lookups. Those effected should also read http://www.uribl.com/about.shtml#abuse for more information. The limits in effect are by nameservers, not individual mailservers, as the DNS requests will be coming from your resolvers.
- December 13th, 2011: RSS Feed Update
We have removed the publication delays on the RSS feeds, and replaced it with limitations on the number of listings shown per Registrar, per Nameserver, per Abused Hoster, and now per Top-Level Domain, which was previously not publicly available.
- December 13th, 2011: Heavy Hitter block response change
We have changed the blocked response A record from 127.0.0.255 to 127.0.0.1 per the request of SpamAssassin (bug #6724). This will allow the spam engine to identify potential hosts that are blocked by firing on a new rule set to look for bit 1 set in the response, and not create false positives. Our Abuse page has been updated to reflect this change.
- December 1st, 2011: Negative TTL reduction
Today we have lowered our negative TTL cache times from 300 seconds to 60 seconds. For those using the public mirrors for resolution, this will result in a nice increase in spam accuracy on short spam runs, as it will reduce the amount of time your DNS server returns a cached NXDOMAIN response to you after the domain has been listed. For datafeed users, there will be no change, as your zone files do not include SOA entries, which allows full control to customize the SOA settings as needed. It is worth checking into what your ncache-ttl setting is currently set at, and adjusting it as necessary. A ncache-ttl setting of 0 would yeild best results, but higher DNS volumes will result from it.
- Sept 2nd, 2010: Publication delay on RSS Feeds
Due to ongoing issues, all public RSS feeds are being produced with publication delays. This was done as an alternative to completely taking them offline again.
- July 21st, 2010: RSS Feeds available
All RSS feeds that were previously disabled are now available.
- February 26th, 2009: Heavy Hitter ACL changes
URIBL.COM has recently introduced a Split-horizon DNS system at the root level to restrict queries from heavy hitters. All Positive ACLs (those which previously returned 127.0.0.255) have been disabled and moved into the split-horizon filtering system. People using nameservers that have been ACL'd can still contact URIBL.COM via the web or by email, but DNS resolution to the URIBL lists will timeout. See About->Abuse for more details on testing your nameserver if you suspect your nameserver has been blocked.
- January 26th, 2009: Decreased Replication Delay = Increased Accuracy
In an effort to help combat the short spam campaigns, we are in the process of making key changes that will decrease the replication delay for new listings. We have already made changes at the core that allow us to publish the public zone files 3x more often! We have decreased our negative cache time (ncache-ttl) on multi from 600 seconds to 300 seconds. Also, we have asked all public mirrors to increase their polling frequency by more than double. Between these changes, we have effectively reduced the average listing latency for new domains from 6.5 minutes down to just over 2 minutes. Possibly more on this to come! Stay tuned...
- March 3rd, 2008: Geocities and Blogspot listings (was Googlepages)
A month or so ago we posted news about how we are listing subdomains for googlepages, blogspot and similar abused hosting sites. Well, that news somehow disappeared. Anyways, if anyone was looking for it, you can find it here.
- October 16th, 2007: ACLs placed on public DNS Infastructure
UPDATE - Refusing queries on high traffic IPs just caused even more traffic to be generated. Because of the lack of negative caching when sending a refusal, this caused our mirrors to take on every query from IPs that are blocked. We have changed all REFUSED IP addresses over to simply returning NXDOMAIN to all the queries. By doing this, we at least benefit some from caching nameservers serving up the nxdomain for us, which reduces the amount of queries we have to handle from these high traffic hosts.
URIBL has begun to block IPs hitting our public DNS mirrors with high volume. If you are sending anything close to 500k queries/day to our public dns, you queries may be refused already, or in the near future. If you would like to become a part of the public dns infastructure and give some queries back to the world, please contact email@example.com
- June 7th, 2006: RSS Feeds Available
Certain sections of URIBL's RSS Site are now public. There you will find thing such as spam domain statistics by Registrar and by Nameserver. Each NIC or NS can be further drilled down on to obtain the most recent domains that have been black listed on that particular registrar or nameserver. Plus, the data is accessible via XML (RSS 2.0) feed for those who would like to know when domains on their registrar and/or nameservers become blacklisted (and hopefully take action).