[clamav-users] MailFollowUrl alternative?

G.W. Haywood clamav at jubileegroup.co.uk
Sun Apr 2 14:10:06 EDT 2017


Hi there,

On Sun, 2 Apr 2017, Matus UHLAR wrote:
> On 31.03.17 19:51, Steve Basford wrote:
> 
>> It did a curl on any urls found in the body ...
>>
> among other things, it provided spammers evidence their mail was read.

Yes, almost the last thing you want to do is give some scrote feedback
that he has a genuine address that might even accept mail if he keeps
trying for long enough.

I say 'almost' because apart from verifying for some criminal that he
has a genuine address to sell, scanning URLs in mail is rather begging
to participate in a DOS attack on some innocent bystander - presumably
you don't want to do that.  If you intend to follow URLs to the ends
of the Earth, try to be intelligent about it and be prepared to invest
considerable resources into the activity.

There are much, much better ways of dealing with dodgy messages with
unknown URLs in them.  For example most of them come from the country
codes we blacklist, so they're very easy to spot.  Here's the list at
the moment, suggestions for new candidates are welcome:

AE AL AM AO AP AR AT AU AZ BA BD BE BG BH BJ BO BR BW BY CI CL CM CN
CO CR CV CZ DK DO DZ EC EE EG ES ET FI GA GE GH GR GT HN HR HT HU ID
IL IN IQ IR IS IT JM JO JP KE KG KH KR KW KZ LA LB LK LT LV LY MA MD
ME MK ML MN MQ MR MU MV MX MY MZ NG NO PA PE PH PK PL PR PS QA RO RS
RU RW SA SC SD SE SG SK SN SV TG TH TJ TL TN TR TT TW TZ UA UY VE VN
ZA ZM

Anything in that list automatically gets the '550' treatment until the
sender can persuade us to whitelist him.

At the moment we're seeing of the order of ten thousand attempts per
month to send us suspicious messages.  This is down by a factor of
about fifteen since we moved to an IPv6-only primary mail exchanger
last November.  In 2017 we've averaged accepting about three of them.

Really irritating.

-- 

73,
Ged.


