Discuss October 2004

discuss@lists.surbl.org

44 participants
134 discussions

RE: [SURBL-Discuss] In support of Project Honeypot [Scanned]
by Chris Santerre 27 Oct '04

27 Oct '04

>-----Original Message----- >From: David Thurman [mailto:listonly@webpresencegroup.net] >Sent: Wednesday, October 27, 2004 8:58 AM >To: SURLB Discussions >Subject: Re: [SURBL-Discuss] In support of Project Honeypot [Scanned] > > >On 10/27/04 7:01 AM, "Christopher Albert" wrote: > >> Are you guys serious!? >> Did you look at this page: >> http://www.projecthoneypot.org/bots_and_servers.php >> The ads placed there do not look all that encouraging: >> >> http://www.expedite-email-marketing.com/index.htm >> http://www.l-i-s-t.com/main_site/opt_in_email_lists.asp >> http://www.classmates.com/cmo/reg/school/index.jsp >> http://www.definitivedatabase.com/ >> >> You almost feel that this must be a joke. >> >I saw that also, and wondered a bit about it. Good concerns. >> >> I think you guys are making a mistake by participating. We could do >> this ourselves in a completely open and noncommercial way where the >> information is available in near real time. > >I would be one of the first to join, though we did sign up at >the honeypot >site but now that you bring up your concerns I think I will >hold off for a >bit and see what it really is all about. >-- I also signed up but haven't implemented the code yet. I have to open up a small hole in my security to do it. I haven't decided if I want to do that yet. Mainly because I'm lazy and rather not walk over to the firewall ;) --Chris (My power to misspell is only overshadowed by my lack of stick handling ability)

2 1

In support of Project Honeypot
by Jeff Chan 27 Oct '04

27 Oct '04

Justin Mason mentioned Project Honeypot on the SpamAssassin Users list shortly after they opened things up for public use: On Monday, October 25, 2004, 1:26:55 PM, Justin Mason wrote: > http://www.projecthoneypot.org/ > seems interesting, they plan to share their resulting corpora, and they > seem like nice guys too [...] > --j. I've donated 25 MX records to Project Honeypot so far. It looks like a good project mainly to provide solid data for legal action against spammers, harvesters, zombie deployers, etc. I'd encourage others to do likewise. Project Honeypot will also share their data with us so eventually we may have another good source of spam URI domains for SURBLs. What they need now are more people to donate DNS MX records and put up honeypots on their own sites. (The two aspects are separate; you can do either or both if you like.) Their site offers plenty of good explanations about legal, technical, etc. areas of the project: http://www.projecthoneypot.org So I'd like to encourage more folks to participate. Cheers, Jeff C. -- Jeff Chan mailto:jeffc@surbl.org http://www.surbl.org/

5 6

possible blacklist source
by Daniel Quinlan 27 Oct '04

27 Oct '04

Catherine Hampton's SpamBouncer has a zillion blacklisted domains: http://www.spambouncer.org/webdev/downloads/beta.shtml 1. download sb-new.tar.gz 2. mkdir sb; cd sb; tar xfz ../sb-new.tar.gz 3. perl -lne 'print "$1.$2" if /\)([\w-]+?)$.*?$([a-z]{2,4}?)\(/' *.rc \ | sort | uniq -c | sort -nr I suspect Catherine has a list in raw format (for all I know, there are some whitelisted domains somewhere in there). Merging it with WS might make sense. Catherine is probably a bit (*cough*) more aggressive than you. Also, many domains are listed more than once. I'm guessing that they're worse in some way. Or something. ;-) Daniel -- Daniel Quinlan ApacheCon! 13-17 November (3 SpamAssassin http://www.pathname.com/~quinlan/ http://www.apachecon.com/ sessions & more)

4 3

Spamassassin and SpamCopURI
by Frank Tore Johansen 27 Oct '04

27 Oct '04

Hi, I'm in the progress of upgrading SA from 2.63 to 2.64 and SpamCopURI from 0.19 to 0.22. During make test of SA I get these during each t/rule_tests: t/rule_tests................ok 61/62Failed to compile URI SpamAssassin tests, skipping: (syntax error at /etc/mail/spamassassin/local.cf, rule WS_URI_RBL, line 1, near "eval:" syntax error at /etc/mail/spamassassin/spamcop_uri.cf, rule SPAMCOP_URI_RBL, line 1, near "eval:" syntax error at /etc/mail/spamassassin/spamcop_uri.cf, rule SPAMCOP_URI_RBL, line 6, near "} }" I am aware that there was a discussion on the surbl list about this a few months ago, where someone said it could be caused by two Conf.pm's. However, I only have the one in /local/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/Conf.pm and the two in the 2.64 distribution: the original ./lib/Mail/SpamAssassin/Conf.pm and the make-generated ./blib/lib/Mail/SpamAssassin/Conf.pm The errors didn't go away after installing SpamCopURI 0.22. I still haven't dared install SA. This is the relevant entry in local.cf: # Domain blacklists uri WS_URI_RBL eval:check_spamcop_uri_rbl('ws.surbl.org','127.0.0.2') describe WS_URI_RBL URI's domain appears in sa-blacklist tflags WS_URI_RBL net score WS_URI_RBL 3.0 And this is from spamcop_uri.cf: uri SPAMCOP_URI_RBL eval:check_spamcop_uri_rbl('sc.surbl.org','127.0.0.2') describe SPAMCOP_URI_RBL URI's domain appears in spamcop database at sc.surbl.org tflags SPAMCOP_URI_RBL net score SPAMCOP_URI_RBL 3.0 So, what is causing the test errors? Can I safely ignore them, or will my RBL's stop working if I upgrade? I had hoped for a quick upgrade from 2.63 to 2.64 due to warnings about DOS (and the last few days our mailserver actually went out of memory twice, so it could be that spammers have started actually using this DOS)... -Frank.

3 5

RE: [SURBL-Discuss] Possible False Positive
by Chris Santerre 26 Oct '04

26 Oct '04

Agreed. And Whitelisted. :P >-----Original Message----- >From: Fred [mailto:tech2@i-is.com] >Sent: Tuesday, October 26, 2004 1:10 PM >To: SURBL Discussion list >Subject: [SURBL-Discuss] Possible False Positive > > >cokesbury.com >0 Nanas >Domain registered since 1998 (6 yrs). > >Whois Results for cokesbury.com >Registrant: >United Methodist Publishing House (COKESBURY3-DOM) > 201 8th Ave S > Nashville, TN 37202 > US > Domain Name: COKESBURY.COM > Administrative Contact, Technical Contact: > umph, domains (38034410P) domains(a)umpublishing.org > 201 8th ave. south > Nashville, TN 37202 > US > 615-749-6106 > Record expires on 27-Aug-2006. > Record created on 28-Aug-1998. > Database last updated on 26-Oct-2004 13:00:52 EDT. > Domain servers in listed order: > NS.UMPUBLISHING.ORG 67.106.203.110 > NS1.UMPUBLISHING.ORG 67.106.203.98 > > >Frederic Tarasevicius >Internet Information Services, Inc. >http://www.i-is.com/ >810-794-4400 >mailto:info@i-is.com > > >_______________________________________________ >Discuss mailing list >Discuss(a)lists.surbl.org >http://lists.surbl.org/mailman/listinfo/discuss >

1 0

Possible False Positive
by Fred 26 Oct '04

26 Oct '04

cokesbury.com 0 Nanas Domain registered since 1998 (6 yrs). Whois Results for cokesbury.com Registrant: United Methodist Publishing House (COKESBURY3-DOM) 201 8th Ave S Nashville, TN 37202 US Domain Name: COKESBURY.COM Administrative Contact, Technical Contact: umph, domains (38034410P) domains(a)umpublishing.org 201 8th ave. south Nashville, TN 37202 US 615-749-6106 Record expires on 27-Aug-2006. Record created on 28-Aug-1998. Database last updated on 26-Oct-2004 13:00:52 EDT. Domain servers in listed order: NS.UMPUBLISHING.ORG 67.106.203.110 NS1.UMPUBLISHING.ORG 67.106.203.98 Frederic Tarasevicius Internet Information Services, Inc. http://www.i-is.com/ 810-794-4400 mailto:info@i-is.com

1 0

RE: [SURBL-Discuss] free host: greatnow.com
by Chris Santerre 26 Oct '04

26 Oct '04

>-----Original Message----- >From: Jeff Chan [mailto:jeffc@surbl.org] >Sent: Monday, October 25, 2004 5:01 PM >To: SURBL Discuss >Subject: Re: [SURBL-Discuss] free host: greatnow.com > > >On Monday, October 25, 2004, 1:23:32 PM, Chris Santerre wrote: >>>From: Jeff Chan [mailto:jeffc@surbl.org] > >>>If we're thinking about setting up a blog list (as we were >>>earlier), then it might be useful to test the data before using >>>it, don't you agree? >>> >>>I don't see how dumping lists with arbitrary FPs onto UC helps >>>either UC or SURBLs. In fact it's one of the bad things we >>>predicted: that a grey list would become a dumping ground with >>>some FPs and some domains that belong on a blocklist, all sitting >>>there underclassified, unchecked or ignored. > >> They are NOT going unchecked. UC is still in beta form right >now. So we are >> testing. Most people have no clue where the server is as it >is NOT part of >> SURBL, so UC.SURBL.ORG doesn't work. Not a dumping ground at >all. It will be >> as active as WS. > >> I fully intend to mirror most of what goes into WS into UC. >UC will simply >> have a different policy. Grey domains need to be considered. >UC will do >> that. You said yourself earlier you didn't want to be any >part of a list >> that handled grey domains. That it would waste time. So you >don't have to >> worry about UC. > >> UC will get as much attention to detail as I put into WS. I >just won't >> delete grey domains, like I do now. I will instead list then in UC. > >How about a blog spam SURBL? Or is all blog spam grey? You want a seperate list for blog spammers? Have at it. I'll add what I can to it. --Chris

3 6

RE: [SURBL-Discuss] free host: greatnow.com
by Chris Santerre 26 Oct '04

26 Oct '04

>-----Original Message----- >From: Jeff Chan [mailto:jeffc@surbl.org] >Sent: Monday, October 25, 2004 3:08 PM >To: SURBL Discuss >Subject: Re: [SURBL-Discuss] free host: greatnow.com > > >On Monday, October 25, 2004, 8:18:34 AM, Chris Santerre wrote: >>>>> Fine. Removed. A known blog spammer host gets one FP and we >>>remove then all. >>>>> Done. >>> >>>> Chris, >>>> Instead of withdrawing the list can you give us a chance to >>>> review it? >>> >>>Chris, >>>If you put the file back up with a non-used name, I can turn it >>>into a test SURBL for people to try. After testing and debugging >>>we could look at adding it to a list. The broader the testing, >>>the better the results. >>> >>>I usually put up new lists for people to test as widely as >>>possible before turning them live. > >> No need. Moved to UC list. > >Might it be better to set up the blog spam domains as a separate >list inside multi, but testing them first? We would still want >to find a way to minimize collateral damage and keep otherwise >legitimate domains off a blog list. > Legitimate domains like greatnow.com? http://www.blackjack.greatnow.com http://www.viaga-viagra.greatnow.com http://www.debtconsolidation.greatnow.com http://generic-cialis.greatnow.com http://www.ed.greatnow.com/ http://www.bulk-email.greatnow.com http://www.bonds.greatnow.com http://www.1-dating.greatnow.com http://www.credit-card.greatnow.com http://www.car-insurance.greatnow.com We got the UC list covered. It isn't in the SURBL group. You don't have to worry about it. --Chris

6 10

RE: [SURBL-Discuss] free host: greatnow.com
by Chris Santerre 25 Oct '04

25 Oct '04

>-----Original Message----- >From: Jeff Chan [mailto:jeffc@surbl.org] >Sent: Monday, October 25, 2004 4:05 PM >To: SURBL Discuss >Subject: Re: [SURBL-Discuss] free host: greatnow.com > > >On Monday, October 25, 2004, 12:55:07 PM, Chris Santerre wrote: >>>From: Jeff Chan [mailto:jeffc@surbl.org] > >>>Might it be better to set up the blog spam domains as a separate >>>list inside multi, but testing them first? We would still want >>>to find a way to minimize collateral damage and keep otherwise >>>legitimate domains off a blog list. >>> > >> Legitimate domains like greatnow.com? > >> http://www.blackjack.greatnow.com >> http://www.viaga-viagra.greatnow.com >> http://www.debtconsolidation.greatnow.com >> http://generic-cialis.greatnow.com >> http://www.ed.greatnow.com/ >> http://www.bulk-email.greatnow.com >> http://www.bonds.greatnow.com >> http://www.1-dating.greatnow.com >> http://www.credit-card.greatnow.com >> http://www.car-insurance.greatnow.com > >Probably every free hosting site has abuse, but most have far >more legitimate uses than abusive ones. greatnow may be an >exception. I did find a ton of blog spam for it on google, as >you suggested. The real question is how much legitimate use they >have. I did apparently find some, but it doesn't mean they're a >whitehat. They could be a blackhat with a few incidental or >unintentional legitimate users. :-( > >The question deserves some research. The reason I brought them >up is because some had an apparent legitimate use for >greatnow.com. That's usually a reason to not list them. > >> We got the UC list covered. It isn't in the SURBL group. You >don't have to >> worry about it. > >> --Chris > >If we're thinking about setting up a blog list (as we were >earlier), then it might be useful to test the data before using >it, don't you agree? > >I don't see how dumping lists with arbitrary FPs onto UC helps >either UC or SURBLs. In fact it's one of the bad things we >predicted: that a grey list would become a dumping ground with >some FPs and some domains that belong on a blocklist, all sitting >there underclassified, unchecked or ignored. They are NOT going unchecked. UC is still in beta form right now. So we are testing. Most people have no clue where the server is as it is NOT part of SURBL, so UC.SURBL.ORG doesn't work. Not a dumping ground at all. It will be as active as WS. I fully intend to mirror most of what goes into WS into UC. UC will simply have a different policy. Grey domains need to be considered. UC will do that. You said yourself earlier you didn't want to be any part of a list that handled grey domains. That it would waste time. So you don't have to worry about UC. UC will get as much attention to detail as I put into WS. I just won't delete grey domains, like I do now. I will instead list then in UC. I predict UC won't be ready for prime time for a few weeks at least. And it will be its own animal, not part of the SURBL group. It is also a group effort. As working on this myself would drive me crazier then I am. --Chris

2 1

RE: [SURBL-Discuss] free host: greatnow.com
by Chris Santerre 25 Oct '04

25 Oct '04

>-----Original Message----- >From: Jeff Chan [mailto:jeffc@surbl.org] >Sent: Monday, October 25, 2004 12:50 AM >To: SURBL Discuss >Subject: Re: [SURBL-Discuss] free host: greatnow.com > > >On Friday, October 22, 2004, 3:57:47 PM, Jeff Chan wrote: >> On Friday, October 22, 2004, 11:28:13 AM, Chris Santerre wrote: >>>>From: Jeff Chan [mailto:jeffc@surbl.org] > >>>>This was the most recent discussion I could find. It doesn't >>>>seem to mention actually using the jayallen data in WS, though I >>>>might have missed a message: > >>> Fine. Removed. A known blog spammer host gets one FP and we >remove then all. >>> Done. > >> Chris, >> Instead of withdrawing the list can you give us a chance to >> review it? > >Chris, >If you put the file back up with a non-used name, I can turn it >into a test SURBL for people to try. After testing and debugging >we could look at adding it to a list. The broader the testing, >the better the results. > >I usually put up new lists for people to test as widely as >possible before turning them live. No need. Moved to UC list. --Chris

2 1

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

Discuss October 2004