Given the probable need to improve whitelisting, I've added a
log of domains that would go onto sc.surbl.org but are then
prevented from getting onto the list by the whitelist(s):
http://www.surbl.org/whitelist-hits.new.log
That goes along with the log of new additions to sc.surbl.org,
i.e., essentially a blacklisting log:
http://www.surbl.org/top-sites-domains.new.log
I've also grabbed a copy of 500 popular web site domains for
addition to the whitelist. A couple of the recent whitelist hits
have been from it. So far they seem reasonable.
Whitelisting will continue in the next version of the engine,
hopefully with some larger data sets.
Blacklisting based on SpamCop URI domain data will hopefully
be more stable and broader in the next version also. In other
words, there should be significantly less activity on the
blacklist log since the list itself will be more stable.
(For example under the current system you may see some domains
that come off the list then get back on it.... Pay no attention
to the man behind the curtain... :-) There should be a lot less
of that.)
Jeff C.
--
Jeff Chan
mailto:jeffc@surbl.org
http://www.surbl.org/
A question about whether SpamCopURI would support using the
alternative SURBL ws.surbl.org came up, so I thought I'd address
that for everyone. Any program that knows how to extract URIs
from message bodies, then domains from the URIs, then compare
those domains against an RBL can use any or all of the SURBL
lists. Therefore SpamCopURI will work with ws.surbl.org just
fine. (Noting of course that the ws results won't necessarily
be related to the SpamCop-derived data in the sc list.)
All you need to do is add a rule with the name of that list:
uri SA_URI_RBL eval:check_spamcop_uri_rbl('ws.surbl.org','127.0.0.2')
describe SA_URI_RBL URI's domain appears in spamcop database at ws.surbl.org
tflags SA_URI_RBL net
score SA_URI_RBL 3.0
(Likewise in SpamAssassin 3.0 with urirhsbl:)
urirhsbl URIBL_SA_SURBL ws.surbl.org. A
header URIBL_SA_SURBL eval:check_uridnsbl('URIBL_SA_SURBL')
describe URIBL_SA_SURBL Contains a URL listed in the SA SURBL blocklist
tflags URIBL_SA_SURBL net
score URIBL_SA_SURBL 3.0
You can run either SURBL or both if you like. Note that
ws has a higher spam detection rate (currently) but also
a somewhat higher false positive rate than sc. Here's
a corpus check Dan Quinlan ran:
OVERALL%    SPAM%     HAM%    S/O  RANK  SCORE  NAME
   11189     1200     9989  0.107  0.00   0.00  (all messages)
 100.000  10.7248  89.2752  0.107  0.00   0.00  (all messages as %)
   6.095  56.2500   0.0701  0.999  1.00   1.00  URIBL_SC_SURBL
   6.855  59.7500   0.5006  0.992  0.98   1.00  URIBL_SBL
   9.545  72.8333   1.9421  0.974  0.95   0.01  T_URIBL_SA_SURBL
   0.116   0.5000   0.0701  0.877  0.58   0.01  T_URIBL_DSBL
SA_SURBL above reflects the old name for ws; SC_SURBL is
sc.surbl.org. ws detected ~73% of spams in the spam corpus
with a ~1.9% FP rate in the ham corpus. sc detected ~56%
with a <0.1% FP rate.
We're still tuning how the SpamCop data is used, so the sc
hit rates should improve and FPs decrease hopefully in the
next version of the sc data engine.
Cheers,
Jeff C.
--
Jeff Chan
mailto:jeffc@surbl.org
http://www.jeffchan.com/
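The extract-URIs, reduce-to-domains, query-the-list procedure described in the message above, as an added example (not part of the original post and not SpamCopURI's code). The function names, the two-label domain reduction, and the sample body and zone table are assumptions constructed for illustration; the zone names and the 127.0.0.2 answer come from the rules quoted above.

```python
import re
import socket

# Host part of an http(s) URI: everything up to the first '/', ':' or space.
URI_RE = re.compile(r'https?://([^\s/:"<>]+)', re.IGNORECASE)

def uri_domains(body):
    """Return the set of domains found in http(s) URIs in a message body."""
    domains = set()
    for host in URI_RE.findall(body):
        host = host.lower().rstrip(".")
        if "@" in host:                      # drop userinfo: user@host
            host = host.rsplit("@", 1)[1]
        labels = host.split(".")
        if len(labels) < 2 or labels[-1].isdigit():
            continue                         # skip bare names and IPv4 literals
        # Simplification (assumption): registered domain = last two labels.
        domains.add(".".join(labels[-2:]))
    return domains

def dns_a(name):
    """Default resolver: A record as a string, or None if the name fails."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def check_body(body, zones=("sc.surbl.org", "ws.surbl.org"),
               listed="127.0.0.2", resolve=dns_a):
    """Map each zone to the sorted list of body domains it lists."""
    hits = {zone: [] for zone in zones}
    for domain in sorted(uri_domains(body)):
        for zone in zones:
            # RBL-style lookup: <domain>.<zone> resolves only if listed.
            if resolve(f"{domain}.{zone}") == listed:
                hits[zone].append(domain)
    return hits

# Constructed sample data: a fake zone table stands in for live DNS.
SAMPLE_ZONE = {"spamvertised.example.ws.surbl.org": "127.0.0.2"}
SAMPLE_BODY = """Cheap pills: http://www.spamvertised.example/buy?id=1
Unsubscribe at HTTP://user@legit.example:8080/out or http://192.0.2.7/x"""

if __name__ == "__main__":
    print(check_body(SAMPLE_BODY, resolve=SAMPLE_ZONE.get))
```

Passing `resolve=SAMPLE_ZONE.get` keeps the run offline; omitting it sends real DNS queries through the system resolver.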
Hello SURBL users,
Please note that the name of the SURBL derived from Bill Stearns'
sa-blacklist is being changed from sa.surbl.org to ws.surbl.org .
If you were using the old name in your rules or configs please
update them to the new name.
We will keep DNS queries up on the old name for a week or so but
will probably drop them after that. This is only a name change
for that list. Functionality should remain the same.
Cheers,
Jeff C.
--
Jeff Chan
mailto:jeffc@surbl.org
http://www.jeffchan.com/
Devin Carraway has written a plugin for the Perl-based MTA qpsmtpd
to compare domains from message body URIs to SURBL domain
lists. Here's his announcement of what I believe is the first
MTA use of SURBL. Congrats and thanks to Devin!
__
Date: Tue, 13 Apr 2004 02:07:15 -0700
From: Devin Carraway <qpsmtpd(a)devin.com>
Subject: qpsmtpd plugin
Saw today's slashdot article on SURBL -- glad to see someone's taken up
the idea. I had thought of something similar, but somehow hadn't
connected it with "oh yeah, they're already hostnames, make a DNSBL out
of it."
You commented that it'd be nice to see support for it in MTAs, so I
wrote a plugin for qpsmtpd to do it. Qpsmtpd, if you haven't
encountered it, is a replacement smtpd for qmail and postfix, with a
primary emphasis on detecting and declining spam during the initial SMTP
transaction.
http://www.nntp.perl.org/group/perl.qpsmtpd/1216
http://devin.com/qpsmtpd/uribl
--
Jeff Chan
mailto:jeffc@surbl.org-nospam
http://www.surbl.org/
SpamCop's Spamvertised sites page is up but not currently
serving data. I've taken this opportunity to make sure that
the SURBL engine does the right thing when there's no new data
coming in. When that happens the sc.surbl.org list stays
unchanged except for domains that may come off the list due
to expiration of old reports.
Once the data feed is up again, sc.surbl.org should pick up
where it left off and things should continue to operate normally.
As an aside, the next version of the data engine will have a much
longer memory, especially of spam domains and IP addresses so
there won't be nearly as much churn in the domains. There will
also be more domains on the list.
Cheers,
Jeff C.
--
Jeff Chan
mailto:jeffc@surbl.org
http://www.surbl.org/
Made Slashdot:
http://slashdot.org/
A New Type Of Realtime Blocklist: The SURBL
Posted by timothy on Monday April 12, @05:02PM
from the chicken-egg-spam dept.
Glamdrlng writes "The SURBL, or "Spam URI Realtime Blocklist",
represents a nexus of RBL's and content filtering that may bring
us one step closer to a spam magic bullet. While traditional
RBL's perform a DNS lookup on the connecting mail server, SURBL's
take this a step further by parsing the text of the email looking
for URI's and doing a lookup on those web servers. They also
prevent "joe jobs" by maintaining a whitelist of legitimate web
servers whose domain names may show up in spam messages, e.g.
EBay, Paypal, Microsoft, etc. The only requirement to implement
the SURBL is a plugin on your MTA such as spamassassin that can
parse the body of each email. While there is no MTA that directly
supports SURBL's without a plugin, the author hints at one being
in development."
http://yro.slashdot.org/yro/04/04/12/1956252.shtml?tid=111&tid=126&tid=95
Jeff C.
--
Jeff Chan
mailto:jeffc@surbl.org
http://www.surbl.org/
It may be worth mentioning that I fixed my typo in the text
record. Or not. ;-)
> On Sunday, April 11, 2004, 6:32:49 AM, William Stearns wrote:
>> On Sun, 11 Apr 2004, Jeff Chan wrote:
>>> "Message body contains domain in sa-backlist. See: http://www.stearns.org/sa-blacklist/"
>
>> Looks good, except sa-backlist needs another "l". *smile*
>
> Indeed it does. Fixed. Thanks! LOL!
It now reads:
"Message body contains domain in sa-blacklist. See: http://www.stearns.org/sa-blacklist/"
Jeff C.
--
Jeff Chan
mailto:jeffc@surbl.org
http://www.surbl.org/
Hi All, and Welcome to the folks who recently joined!
Looks like the list archive links need a slight fix.
Currently the URLs have the host as "localhost.localdomain"
where that should be "lists.surbl.org" instead. Let me ask
Raymond to please update that config in Mailman. :-) In the
meantime all the list archives can be found at:
http://lists.surbl.org/pipermail/announce/
http://lists.surbl.org/pipermail/discuss/
http://lists.surbl.org/pipermail/zones/
Of perhaps special interest, please see and comment on
the proposal on the discussion list for the second revision of
the sc.surbl.org data engine which will resolve spam domains to
IP addresses and prejudice future domain reports based on prior
statistics for those IP addresses. (These IP addresses would
only be used internally and the resulting hopefully-improved RBL
data would still be domain-based. It does not represent a shift
to a numbered RBL *for URI checking*, which I feel is a suboptimal
approach.) I think this could be a very effective way to catch
spam operations and spam ISPs with simply more intelligent use of
the existing SpamCop URI domain data. That thread starts at:
http://lists.surbl.org/pipermail/discuss/2004-April/000002.html
Frankly I think it's going to rock and would like your comments
on it.
Cheers,
Jeff C.
--
Jeff Chan
mailto:jeffc@surbl.org
http://www.surbl.org/