URIBL not as effective as it was

[Matt Kettler]

Paul Welsh wrote:
> This time last year I could rely on the URIBL family of anti-spam measures
> within spamassassin to detect loads of spam very reliably.  Examples
> include:
> 
> URIBL_SC_SURBL
> URIBL_AB_SURBL
> URIBL_WS_SURBL
> URIBL_SBL
> URIBL_OB_SURBL
> URIBL_WS_SURBL
> 
> Seems to me these are far less effective than they were (they aren't showing
> up as much).  Can anyone confirm this from their own experince?
> 

Yes, they are less effective than they were. And this is in general true for
*ALL* groups of spamassassin rules. As time goes on, spammers change their
methods to try to evade SA. The more time goes on, the less effective a given
kind of rule will be as spammers get better at evasion.

That's why SpamAssassin development continues. Spam changes, constantly, and in
direct reaction to what spam filters are looking for. If spammers didn't keep
changing, URIBLs would have never been made because razor would be a perfect
permanent solution.

Of course, URIBL's aren't useless. But they are hitting a lower percentage of
the spam than they did last year.

The current "hot trend" in spam is to send an embedded gif picture of your spam
ad. These messages have no URI's in them, just a picture of one so there's
nothing for URIBL to detect. (unless someone re-does the OCR plugin to call
URIBLs). This is most popular in stock spams, which never had URIs, but it's
also present in pill spams, which do have URIs but are now undetected by URIBL's.

Of course, these messages have a lower return for the spammers. Since there's no
URI to click, someone's going to have to manually re-type the domain to get to
the spamvertized site. Fewer people are willing to do this, so these ads are
less effective. These messages are also larger in size, so spammers can send
fewer of them per hour.