>-----Original Message-----
>From: David Thurman [mailto:listonly@webpresencegroup.net]
>Sent: Wednesday, October 27, 2004 8:58 AM
>To: SURLB Discussions
>Subject: Re: [SURBL-Discuss] In support of Project Honeypot [Scanned]
>
>
>On 10/27/04 7:01 AM, "Christopher Albert" wrote:
>
>> Are you guys serious!?
>> Did you look at this page:
>> http://www.projecthoneypot.org/bots_and_servers.php
>> The ads placed there do not look all that encouraging:
>>
>> http://www.expedite-email-marketing.com/index.htm
>> http://www.l-i-s-t.com/main_site/opt_in_email_lists.asp
>> http://www.classmates.com/cmo/reg/school/index.jsp
>> http://www.definitivedatabase.com/
>>
>> You almost feel that this must be a joke.
>>
>I saw that also, and wondered a bit about it. Good concerns.
>>
>> I think you guys are making a mistake by participating. We could do
>> this ourselves in a completely open and noncommercial way where the
>> information is available in near real time.
>
>I would be one of the first to join, though we did sign up at the honeypot
>site but now that you bring up your concerns I think I will hold off for a
>bit and see what it really is all about.
>--
I also signed up but haven't implemented the code yet. I have to open up a
small hole in my security to do it. I haven't decided if I want to do that
yet. Mainly because I'm lazy and rather not walk over to the firewall ;)
--Chris
(My power to misspell is only overshadowed by my lack of stick handling
ability)
Justin Mason mentioned Project Honeypot on the SpamAssassin Users
list shortly after they opened things up for public use:
On Monday, October 25, 2004, 1:26:55 PM, Justin Mason wrote:
> http://www.projecthoneypot.org/
> seems interesting, they plan to share their resulting corpora, and they
> seem like nice guys too [...]
> --j.
I've donated 25 MX records to Project Honeypot so far. It looks
like a good project mainly to provide solid data for legal action
against spammers, harvesters, zombie deployers, etc. I'd
encourage others to do likewise.
Project Honeypot will also share their data with us so eventually
we may have another good source of spam URI domains for SURBLs.
What they need now are more people to donate DNS MX records and
put up honeypots on their own sites. (The two aspects are
separate; you can do either or both if you like.) Their site
offers plenty of good explanations about legal, technical, etc.
areas of the project:
http://www.projecthoneypot.org
So I'd like to encourage more folks to participate.
Cheers,
Jeff C.
--
Jeff Chan
mailto:jeffc@surbl.org
http://www.surbl.org/
Catherine Hampton's SpamBouncer has a zillion blacklisted domains:
http://www.spambouncer.org/webdev/downloads/beta.shtml
1. download sb-new.tar.gz
2. mkdir sb; cd sb; tar xfz ../sb-new.tar.gz
3. perl -lne 'print "$1.$2" if /\)([\w-]+?)\(.*?\)([a-z]{2,4}?)\(/' *.rc \
| sort | uniq -c | sort -nr
I suspect Catherine has a list in raw format (for all I know, there are
some whitelisted domains somewhere in there). Merging it with WS might
make sense. Catherine is probably a bit (*cough*) more aggressive than
you.
Also, many domains are listed more than once. I'm guessing that they're
worse in some way. Or something. ;-)
Daniel
--
Daniel Quinlan ApacheCon! 13-17 November (3 SpamAssassin
http://www.pathname.com/~quinlan/ http://www.apachecon.com/ sessions & more)
Hi, I'm in the progress of upgrading SA from 2.63 to 2.64 and SpamCopURI
from 0.19 to 0.22.
During make test of SA I get these during each t/rule_tests:
t/rule_tests................ok 61/62Failed to compile URI SpamAssassin
tests, skipping:
(syntax error at /etc/mail/spamassassin/local.cf, rule WS_URI_RBL,
line 1, near "eval:"
syntax error at /etc/mail/spamassassin/spamcop_uri.cf, rule
SPAMCOP_URI_RBL, line 1, near "eval:"
syntax error at /etc/mail/spamassassin/spamcop_uri.cf, rule
SPAMCOP_URI_RBL, line 6, near "}
}"
I am aware that there was a discussion on the surbl list about this a few
months ago, where someone said it could be caused by two Conf.pm's.
However, I only have the one in
/local/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/Conf.pm and the two in
the 2.64 distribution: the original ./lib/Mail/SpamAssassin/Conf.pm and
the make-generated ./blib/lib/Mail/SpamAssassin/Conf.pm
The errors didn't go away after installing SpamCopURI 0.22. I still
haven't dared install SA.
This is the relevant entry in local.cf:
# Domain blacklists
uri WS_URI_RBL eval:check_spamcop_uri_rbl('ws.surbl.org','127.0.0.2')
describe WS_URI_RBL URI's domain appears in sa-blacklist
tflags WS_URI_RBL net
score WS_URI_RBL 3.0
And this is from spamcop_uri.cf:
uri SPAMCOP_URI_RBL eval:check_spamcop_uri_rbl('sc.surbl.org','127.0.0.2')
describe SPAMCOP_URI_RBL URI's domain appears in spamcop database at sc.surbl.org
tflags SPAMCOP_URI_RBL net
score SPAMCOP_URI_RBL 3.0
So, what is causing the test errors? Can I safely ignore them, or will my
RBL's stop working if I upgrade?
I had hoped for a quick upgrade from 2.63 to 2.64 due to warnings about
DOS (and the last few days our mailserver actually went out of memory
twice, so it could be that spammers have started actually using this
DOS)...
-Frank.
cokesbury.com
0 Nanas
Domain registered since 1998 (6 yrs).
Whois Results for cokesbury.com
Registrant:
United Methodist Publishing House (COKESBURY3-DOM)
201 8th Ave S
Nashville, TN 37202
US
Domain Name: COKESBURY.COM
Administrative Contact, Technical Contact:
umph, domains (38034410P) domains(a)umpublishing.org
201 8th ave. south
Nashville, TN 37202
US
615-749-6106
Record expires on 27-Aug-2006.
Record created on 28-Aug-1998.
Database last updated on 26-Oct-2004 13:00:52 EDT.
Domain servers in listed order:
NS.UMPUBLISHING.ORG 67.106.203.110
NS1.UMPUBLISHING.ORG 67.106.203.98
Frederic Tarasevicius
Internet Information Services, Inc.
http://www.i-is.com/
810-794-4400
mailto:info@i-is.com
>-----Original Message-----
>From: Jeff Chan [mailto:jeffc@surbl.org]
>Sent: Monday, October 25, 2004 5:01 PM
>To: SURBL Discuss
>Subject: Re: [SURBL-Discuss] free host: greatnow.com
>
>
>On Monday, October 25, 2004, 1:23:32 PM, Chris Santerre wrote:
>>>From: Jeff Chan [mailto:jeffc@surbl.org]
>
>>>If we're thinking about setting up a blog list (as we were
>>>earlier), then it might be useful to test the data before using
>>>it, don't you agree?
>>>
>>>I don't see how dumping lists with arbitrary FPs onto UC helps
>>>either UC or SURBLs. In fact it's one of the bad things we
>>>predicted: that a grey list would become a dumping ground with
>>>some FPs and some domains that belong on a blocklist, all sitting
>>>there underclassified, unchecked or ignored.
>
>> They are NOT going unchecked. UC is still in beta form right now. So we are
>> testing. Most people have no clue where the server is as it is NOT part of
>> SURBL, so UC.SURBL.ORG doesn't work. Not a dumping ground at all. It will be
>> as active as WS.
>
>> I fully intend to mirror most of what goes into WS into UC. UC will simply
>> have a different policy. Grey domains need to be considered. UC will do
>> that. You said yourself earlier you didn't want to be any part of a list
>> that handled grey domains. That it would waste time. So you don't have to
>> worry about UC.
>
>> UC will get as much attention to detail as I put into WS. I just won't
>> delete grey domains, like I do now. I will instead list them in UC.
>
>How about a blog spam SURBL? Or is all blog spam grey?
You want a separate list for blog spammers? Have at it. I'll add what I can
to it.
--Chris
>-----Original Message-----
>From: Jeff Chan [mailto:jeffc@surbl.org]
>Sent: Monday, October 25, 2004 3:08 PM
>To: SURBL Discuss
>Subject: Re: [SURBL-Discuss] free host: greatnow.com
>
>
>On Monday, October 25, 2004, 8:18:34 AM, Chris Santerre wrote:
>>>>> Fine. Removed. A known blog spammer host gets one FP and we
>>>>> remove them all.
>>>>> Done.
>>>
>>>> Chris,
>>>> Instead of withdrawing the list can you give us a chance to
>>>> review it?
>>>
>>>Chris,
>>>If you put the file back up with a non-used name, I can turn it
>>>into a test SURBL for people to try. After testing and debugging
>>>we could look at adding it to a list. The broader the testing,
>>>the better the results.
>>>
>>>I usually put up new lists for people to test as widely as
>>>possible before turning them live.
>
>> No need. Moved to UC list.
>
>Might it be better to set up the blog spam domains as a separate
>list inside multi, but testing them first? We would still want
>to find a way to minimize collateral damage and keep otherwise
>legitimate domains off a blog list.
>
Legitimate domains like greatnow.com?
http://www.blackjack.greatnow.com
http://www.viaga-viagra.greatnow.com
http://www.debtconsolidation.greatnow.com
http://generic-cialis.greatnow.com
http://www.ed.greatnow.com/
http://www.bulk-email.greatnow.com
http://www.bonds.greatnow.com
http://www.1-dating.greatnow.com
http://www.credit-card.greatnow.com
http://www.car-insurance.greatnow.com
We got the UC list covered. It isn't in the SURBL group. You don't have to
worry about it.
--Chris
>-----Original Message-----
>From: Jeff Chan [mailto:jeffc@surbl.org]
>Sent: Monday, October 25, 2004 4:05 PM
>To: SURBL Discuss
>Subject: Re: [SURBL-Discuss] free host: greatnow.com
>
>
>On Monday, October 25, 2004, 12:55:07 PM, Chris Santerre wrote:
>>>From: Jeff Chan [mailto:jeffc@surbl.org]
>
>>>Might it be better to set up the blog spam domains as a separate
>>>list inside multi, but testing them first? We would still want
>>>to find a way to minimize collateral damage and keep otherwise
>>>legitimate domains off a blog list.
>>>
>
>> Legitimate domains like greatnow.com?
>
>> http://www.blackjack.greatnow.com
>> http://www.viaga-viagra.greatnow.com
>> http://www.debtconsolidation.greatnow.com
>> http://generic-cialis.greatnow.com
>> http://www.ed.greatnow.com/
>> http://www.bulk-email.greatnow.com
>> http://www.bonds.greatnow.com
>> http://www.1-dating.greatnow.com
>> http://www.credit-card.greatnow.com
>> http://www.car-insurance.greatnow.com
>
>Probably every free hosting site has abuse, but most have far
>more legitimate uses than abusive ones. greatnow may be an
>exception. I did find a ton of blog spam for it on google, as
>you suggested. The real question is how much legitimate use they
>have. I did apparently find some, but it doesn't mean they're a
>whitehat. They could be a blackhat with a few incidental or
>unintentional legitimate users. :-(
>
>The question deserves some research. The reason I brought them
>up is because some had an apparent legitimate use for
>greatnow.com. That's usually a reason to not list them.
>
>> We got the UC list covered. It isn't in the SURBL group. You don't have to
>> worry about it.
>
>> --Chris
>
>If we're thinking about setting up a blog list (as we were
>earlier), then it might be useful to test the data before using
>it, don't you agree?
>
>I don't see how dumping lists with arbitrary FPs onto UC helps
>either UC or SURBLs. In fact it's one of the bad things we
>predicted: that a grey list would become a dumping ground with
>some FPs and some domains that belong on a blocklist, all sitting
>there underclassified, unchecked or ignored.
They are NOT going unchecked. UC is still in beta form right now. So we are
testing. Most people have no clue where the server is as it is NOT part of
SURBL, so UC.SURBL.ORG doesn't work. Not a dumping ground at all. It will be
as active as WS.
I fully intend to mirror most of what goes into WS into UC. UC will simply
have a different policy. Grey domains need to be considered. UC will do
that. You said yourself earlier you didn't want to be any part of a list
that handled grey domains. That it would waste time. So you don't have to
worry about UC.
UC will get as much attention to detail as I put into WS. I just won't
delete grey domains, like I do now. I will instead list them in UC.
I predict UC won't be ready for prime time for a few weeks at least. And it
will be its own animal, not part of the SURBL group.
It is also a group effort. As working on this myself would drive me crazier
than I am.
--Chris
>-----Original Message-----
>From: Jeff Chan [mailto:jeffc@surbl.org]
>Sent: Monday, October 25, 2004 12:50 AM
>To: SURBL Discuss
>Subject: Re: [SURBL-Discuss] free host: greatnow.com
>
>
>On Friday, October 22, 2004, 3:57:47 PM, Jeff Chan wrote:
>> On Friday, October 22, 2004, 11:28:13 AM, Chris Santerre wrote:
>>>>From: Jeff Chan [mailto:jeffc@surbl.org]
>
>>>>This was the most recent discussion I could find. It doesn't
>>>>seem to mention actually using the jayallen data in WS, though I
>>>>might have missed a message:
>
>>> Fine. Removed. A known blog spammer host gets one FP and we
>>> remove them all.
>>> Done.
>
>> Chris,
>> Instead of withdrawing the list can you give us a chance to
>> review it?
>
>Chris,
>If you put the file back up with a non-used name, I can turn it
>into a test SURBL for people to try. After testing and debugging
>we could look at adding it to a list. The broader the testing,
>the better the results.
>
>I usually put up new lists for people to test as widely as
>possible before turning them live.
No need. Moved to UC list.
--Chris
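
An added example, not code from SURBL, SpamCopURI or anyone on this list: it sketches the lookup that a rule such as the WS_URI_RBL entry quoted above (zone 'ws.surbl.org', answer '127.0.0.2') implies, and shows why listing a free host's base domain matches every subdomain under it, which is the collateral-damage question raised in the greatnow.com thread. The function names, the short two-level suffix set and the stub zone data are all assumptions constructed for illustration; the stub says nothing about what any real list contains.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed, deliberately tiny sample; a real deployment needs a full
# list of two-level suffixes.
TWO_LEVEL_SUFFIXES = {"co.uk", "com.au"}

# Constructed stand-in for DNS so the example runs offline. It is NOT a
# statement about what any real list contains.
SAMPLE_ZONE = {"greatnow.com.ws.surbl.org": ["127.0.0.2"]}


def sample_resolve(name):
    """Return the A records for name, or [] when the name does not exist."""
    return SAMPLE_ZONE.get(name, [])


def base_domain(uri):
    """Reduce a URI to the registered domain that gets looked up."""
    host = (urlsplit(uri).hostname or "").rstrip(".")
    try:
        ipaddress.ip_address(host)
        return None  # numeric hosts are out of scope for this sketch
    except ValueError:
        pass
    labels = host.split(".")
    if len(labels) < 2 or "" in labels:
        return None
    # Keep three labels under a known two-level suffix, otherwise two.
    keep = 3 if ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def query_name(uri, zone="ws.surbl.org"):
    """Build the DNS name to query: <base domain>.<zone>."""
    domain = base_domain(uri)
    return f"{domain}.{zone}" if domain else None


def is_listed(uri, resolve, zone="ws.surbl.org", expected="127.0.0.2"):
    """True when the zone answers with the expected A record.

    resolve is any callable mapping a DNS name to a list of A-record strings.
    """
    name = query_name(uri, zone)
    return name is not None and expected in resolve(name)
```

Because every host under a free-hosting domain reduces to the same query name, a single entry cannot distinguish an abusive subdomain from a legitimate one.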