Discuss June 2004

discuss@lists.surbl.org

44 participants
88 discussions

RE: SURBL works well on envelope sender
by Chris Santerre 08 Jun '04

08 Jun '04

>-----Original Message----- >From: Daniel Quinlan [mailto:quinlan@pathname.com] >Sent: Monday, June 07, 2004 10:22 PM >To: spamassassin-dev(a)incubator.apache.org >Cc: discuss(a)lists.surbl.org >Subject: SURBL works well on envelope sender > *snip* > >How's the multi roll-out going? It would definitely be handy for this >test (the code to support it already exists). The simple answer is, "Its begining to look a lot like christmas." :) We are finally making some good headway. Bill has a nice system up. More _trusted_ people able to make submissions. A little more testing needed, and some scripts added. BigEvil.cf will be retiring from its current form soon, and be changing over to being created off of WS. I can't tell you how happy that makes me!! (And how much time it saves me!) Possibility of another SURBL taking the place of BE. 6dos.surbl.org? Still in discussion. Those stats should go thru the roof when we change over. --Chris (The tired one.)

1 0

IP addresses in SURBL?
by Chris Santerre 08 Jun '04

08 Jun '04

I forgot, DO I add these into the SURBL, or do I keep IPs out for now and add to my BigEvil dynamic version? Chris Santerre System Admin and SARE Ninja http://www.rulesemporium.com 'It is not the strongest of the species that survives, not the most intelligent, but the one most responsive to change.' Charles Darwin

3 3

Huh? Anyone know chinease?
by Chris Santerre 08 Jun '04

08 Jun '04

Huh??? I have no clue if this is a legit, spam, or shammer site! www.631.cn Anyone? --Chris >-----Original Message----- >From: SURBL+ Checker [mailto:surbl@rulesemporium.com] >Sent: Tuesday, June 08, 2004 4:37 AM >To: csanterre(a)MerchantsOverseas.com >Subject: SURBL+ Checker Submission > > >Date: Tue Jun 8 03:37:17 2004 >Reporter: Alex <alex(a)munged.de> >Reporter IP: 146.140.8.121 > >Applicable List: URIBL:be.surbl.org >Reported URI/IP: www.631.cn > >Email Source: >---------------------------------------- > >From dsfahgfsdjg(a)sina.com Tue Jun 8 05:11:32 2004 >Return-Path: <dsfahgfsdjg(a)sina.com> >X-Original-To: ciphelp@localhost >Delivered-To: ciphelp(a)localhost.igd.fhg.de >Received: from localhost (localhost [127.0.0.1]) > by electra.igd.fhg.de (Postfix) with ESMTP id 43EC4284F > for <ciphelp@localhost>; Tue, 8 Jun 2004 05:11:32 +0200 (CEST) >Delivered-To: fsf(a)zeitform.de >Received: from mail.zeitform.de [146.140.212.117] > by localhost with POP3 (fetchmail-6.2.0) > for ciphelp@localhost (single-drop); Tue, 08 Jun 2004 >05:11:32 +0200 (CEST) >Received: (qmail 18309 invoked by uid 906); 8 Jun 2004 03:09:03 -0000 >Received: from dsfahgfsdjg(a)sina.com by guildenstern by uid 89 >with qmail-scanner-1.22 > (clamdscan: 0.72. spamassassin: 2.63. >Clear:RC:0(219.137.195.16):SA:1(7.6/5.0):. > Processed in 1.51324 secs); 08 Jun 2004 03:09:03 -0000 >X-Spam-SavedStatus: Yes, hits=7.6 required=5.0 >X-Spam-SavedLevel: ******* >Received: from unknown (HELO sina.com) (219.137.195.16) > by guildenstern.zeitform.de with SMTP; 8 Jun 2004 03:09:01 -0000 >From: dsfahgfsdjg(a)sina.com >Subject: Chinese handicraft >To: fsf(a)zeitform.de >Content-Type: text/html;charset="GB2312" >Date: Tue, 8 Jun 2004 11:08:57 +0800 >X-Priority: 4 >X-Mailer: Foxmail 4.1 [cn] >X-Qmail-Scanner-1.22: added fake MIME-Version header >MIME-Version: 1.0 >X-Qmail-Scanner-Message-ID: <108666414267218299@guildenstern> >Message-Id: <20040608031132.43EC4284F(a)electra.igd.fhg.de> >X-Spam-Contact: Please contact alex(a)zeitform.de if anything looks wrong >X-Spam-Flag: YES >X-Spam-Checker-Version: SpamAssassin >2.63-zeitform_1.11_electra (2004-01-11) > on electra.igd.fhg.de >X-Spam-Level: ********************* >X-Spam-Status: Yes, hits=21.6 required=8.0 tests=BAYES_99,DCC_CHECK, > DEAR_SOMETHING,DNS_FROM_RFCI_DSN,FRONTPAGE,HTML_70_80, > HTML_CHARSET_FARAWAY,HTML_FONTCOLOR_BLUE,HTML_IMAGE_AREA_05, > HTML_MESSAGE,MIME_CHARSET_FARAWAY,MIME_HTML_ONLY,NO_REAL_NAME, > RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,RCVD_IN_RFCI autolearn=no > version=2.63-zeitform_1.11_electra >X-Spam-Report: > * 0.2 NO_REAL_NAME From: does not include a real name > * 2.3 DEAR_SOMETHING BODY: Contains 'Dear (something)' > * 0.1 HTML_FONTCOLOR_BLUE BODY: HTML font color is blue > * 0.1 HTML_MESSAGE BODY: HTML included in message > * 2.2 HTML_IMAGE_AREA_05 BODY: HTML has 5-6 kilopixels >of images > * 1.1 RAZOR2_CF_RANGE_51_100 BODY: Razor2 gives >confidence between 51 and 100 > * [cf: 100] > * 0.1 HTML_70_80 BODY: Message is 70% to 80% HTML > * 5.4 BAYES_99 BODY: Bayesian spam probability is 99 to 100% > * [score: 1.0000] > * 0.3 MIME_HTML_ONLY BODY: Message only has text/html >MIME parts > * 2.5 FRONTPAGE BODY: Frontpage used to create the message > * 1.0 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/) > * 2.9 DCC_CHECK Listed in DCC >(http://rhyolite.com/anti-spam/dcc/) > * 0.3 DNS_FROM_RFCI_DSN RBL: From: sender listed in >dsn.rfc-ignorant.org > * 0.1 RCVD_IN_RFCI RBL: Sent via a relay in >ipwhois.rfc-ignorant.org > * [$ has inaccurate or missing WHOIS data at the] > [RIR] > * 0.5 HTML_CHARSET_FARAWAY A foreign language charset >used in HTML markup > * 2.5 MIME_CHARSET_FARAWAY MIME character set >indicates foreign language >Status: RO >Content-Length: 6551 >Lines: 93 > ><html> > ><head> ><meta http-equiv="Content-Type" content="text/html; charset=gb2312"> ><meta name="GENERATOR" content="Microsoft FrontPage 4.0"> ><meta name="ProgId" content="FrontPage.Editor.Document"> ><title>Ýþ²Ý</title> ></head> > ><body> > ><table border="0" width="100%" height="84" cellspacing="0" >cellpadding="0"> > <tr> > <td width="100%" height="46"> > <p style="line-height: 100%"> <font color="#0000FF" >size="3" face="Comic Sans MS">Dear > Sirs,</font><p style="line-height: 100%"><font >color="#0000FF" size="3" face="Comic Sans MS">We > are a big manufacturer and exporter for the straw hat in >Guangdong China > and export to European market for years' >experiences. </font><p style="line-height: 100%"><font >color="#0000FF" size="3" face="Comic Sans MS">Nowadays, We > own eight franchised stores and many alliance stores. We >export all kinds > of straw hat to many countries and get high reputation >for our top > quality, reasonable price, quick delivery, punctuate and >cordial service > among the customers. </font><p style="line-height: >100%"><font color="#0000FF" size="3" face="Comic Sans MS">For > more our company information and arranged items, pleased >go to our > Internet Nebsite:<a href="http://www.631.cn/cm/cm" >target="_blank">www.631.cn/cm/cm > </a> Hope you will show some interested in > our strong parts. </font><p style="line-height: >100%"><font color="#0000FF" size="3" face="Comic Sans MS">Sincerely > hope for you kind compare. We are eager to building up >business relation > with you in near future. </font><p >style="line-height: 100%"><font color="#0000FF" size="3" >face="Comic Sans MS">Looking > forward to your attention and early reply.</font><p >style="line-height: 100%"><font color="#0000FF" size="3" >face="Comic Sans MS">Best > Regards,</font><p style="line-height: 100%"><font >color="#0000FF" size="3" face="Comic Sans MS">Ms. > Greace (Sales)</font><p style="line-height: 100%"><font >color="#0000FF" size="3" face="Comic Sans >MS">E-mail:sh040601@yahoo.com.cn</font><p style="line-height: >100%"><font color="#0000FF" size="3" face="Comic Sans MS">Mobile > Phone:+86 20 13711547452/33501929</font><p >style="line-height: 100%"><font color="#0000ff" size="3" >face="Comic Sans MS">Fax:+86-20-87249995</font></td> > </tr> > <tr> > <td width="100%" height="26"><font color="#0000ff" >size="2">   </font></td> > </tr> ></table> ><table cellSpacing="8" cellPadding="8" width="56%" border="8" >height="1172"> > <tbody> > <tr> > <td width="33%" height="217"><a >href="http://www.631.cn/cmtp/101.htm" target="_blank"><img >src="http://www.631.cn/cm/101.gif" border="0" width="200" >height="200"></a></td> > <td width="35%" height="217"><a >href="http://www.631.cn/cmtp/102.htm" target="_blank"><img >src="http://www.631.cn/cm/102.gif" border="0" width="200" >height="200"></a></td> > <td width="36%" height="217"><a >href="http://www.631.cn/cmtp/103.htm" target="_blank"><img >src="http://www.631.cn/cm/103.gif" border="0" width="200" >height="200"></a></td> > </tr> > <tr> > <td width="33%" height="200"><a >href="http://www.631.cn/cmtp/105.htm" target="_blank"><img >src="http://www.631.cn/cm/105.gif" border="0" width="200" >height="200"></a></td> > <td width="35%" height="200"><a >href="http://www.631.cn/cmtp/112.htm" target="_blank"><img >src="http://www.631.cn/cm/112.gif" border="0" width="200" >height="200"></a></td> > <td width="36%" height="200"><a >href="http://www.631.cn/cmtp/113.htm" target="_blank"><img >src="http://www.631.cn/cm/113.gif" border="0" width="200" >height="200"></a></td> > </tr> > <tr> > <td width="33%" height="225"><a >href="http://www.631.cn/cmtp/108.htm" target="_blank"><img >src="http://www.631.cn/cm/108.gif" border="0" width="200" >height="200"></a></td> > <td width="35%" height="225"><a >href="http://www.631.cn/cmtp/109.htm" target="_blank"><img >src="http://www.631.cn/cm/109.gif" border="0" width="200" >height="200"></a></td> > <td width="36%" height="225"><a >href="http://www.631.cn/cmtp/107.htm" target="_blank"><img >src="http://www.631.cn/cm/107.gif" border="0" width="200" >height="200"></a></td> > </tr> > <tr> > <td width="33%" height="200"><a >href="http://www.631.cn/cm/110.htm" target="_blank"><img >src="http://www.631.cn/cm/110.gif" border="0" width="200" >height="200"></a></td> > <td width="35%" height="200"><a >href="http://www.631.cn/cmtp/117.htm" target="_blank"><img >src="http://www.631.cn/cm/117.gif" border="0" width="200" >height="200"></a></td> > <td width="36%" height="200"><a >href="http://www.631.cn/cmtp/120.htm" target="_blank"><img >border="0" src="http://www.631.cn/cm/120.gif" width="200" >height="200"></a></td> > </tr> > <tr> > <td width="33%" height="200"><a >href="http://www.631.cn/cmtp/118.htm" target="_blank"><img >src="http://www.631.cn/cm/118.gif" border="0" width="200" >height="200"></a></td> > <td width="35%" height="200"><a >href="http://www.631.cn/cmtp/111.htm" target="_blank"><img >src="http://www.631.cn/cm/111.gif" border="0" width="200" >height="200"></a></td> > <td width="36%" height="200"><a >href="http://www.631.cn/cmtp/106.htm" target="_blank"><img >src="http://www.631.cn/cm/106.gif" border="0" width="200" >height="200"></a></td> > </tr> > </tbody> ></table> ><table height="1" borderColorDark="#ffffff" width="704" >borderColorLight="#333333" border="1"> > <tbody> > <tr> > <td width="70" bgColor="#ffb051" height="1"><font >size="2">Adders:</font></td> > <td width="618" bgColor="#fff8a2" height="1"><font >size="2">Barbe Industrial Ltd.<br> > No.1521,7Floor, HengLong Tower Guangzhou<br> > Big Rd.Guangdong China.</font></td> > </tr> > <tr> > <td width="70" bgColor="#ffb051" height="1"><font >size="2">Packing:</font></td> > <td width="618" bgColor="#fff8a2" height="1"><font >size="2">Have two > >packing:400PCS/CTN,MEAS:80¡Á52¡Á70£»200PCS/CTN£¬MEAS:80¡Á21¡Á70 >¡£</font></td> > </tr> > <tr> > <td width="70" bgColor="#ffb051" height="1"><font >size="2">Description:</font></td> > <td width="618" bgColor="#fff8a2" height="1"><font size="2">The > hats are made of push, that is fine natural plant >(without any pollution), > surface innocuous coated; The push is very soft and >toughness, knitted by > a special technology method( about80 years history), >being able to stand > wear and tear.</font></td> > </tr> > </tbody> ></table> > ></body> > ></html> > > >---------------------------------------- > >

1 0

http://.virtual-pc.org
by Frank Ellermann 08 Jun '04

08 Jun '04

Hi, I've just seen http://.virtual-pc.org in a spam, and SC handled it as virtual-pc.org resp. www.virtual-pc.org SURBL got it, virtual-pc.org.sc.surbl.org is listed, can SA also handle this trick ? Bye, Frank

1 0

[SURBL-Discuss] Fwd: URI with one slash not recognised by SA/SPAMCOP_URI?
by Jeff Chan 07 Jun '04

07 Jun '04

This is a forwarded message From: Menno van Bennekom <mvbengro(a)xs4all.nl> To: spamassassin-users(a)incubator.apache.org Date: Monday, June 7, 2004, 5:00:50 AM Subject: URI with one slash not recognised by SA/SPAMCOP_URI? ===8<==============Original message text=============== Hi, I get spam with a different URL, the redirect has only one '/': <a href="http://rd.yahoo.com/oashoscy/*http:/hjktccbz.woodwheel.info/mn/num17"> This is not recognised by BIZ_TLD (in this example my copy, INFO_TLD). I can change that in the regular expression. But I don't think SPAMCOP_URI_RBL recognizes it too because woodwheel is in the database but SA gives no hit. If you click on the link above it works, so it seems the one slash is possible. Can anyone confirm that one slash is not recognized? Regards Menno van Bennekom ===8<===========End of original message text===========

1 0

large number of empty URIs preceeding actual one
by Jeff Chan 05 Jun '04

05 Jun '04

Not sure if this is a new type of spam or not: http://www.surbl.org/fitch7826drug.us.4jun04.txt This example I just received had many real or joe job URIs with no text in the anchor like: <a href=3D"http://www.elysian-MUNGED.com"></a> Perhaps it's trying to run out some counters, but the real target domain is visible as the last "removal" URI: <a href=3D"http://= www.ozone.fitch7826drug-MUNGED.us/d.ddd">here.</a> > Name: fitch7826drug.us > Address: 61.250.93.214 Where this IP is in sbl.spamhaus.org of course. The "ordering" link just before it was broken (no dot, at least in my MUA, The Bat!): <a href=3D"http://fitch7826drug= us/b94">Click Interestingly SpamCop did parse the message correctly in terms of ignoring the blank anchors and finding only the clickable ones. That said, if urirhsbl or SpamCopURI limit the number of URIs checked, these could sneak through. A useful behavior might be to ignore any non-clickable anchors, if we're not already doing that. Jeff C. -- Jeff Chan mailto:jeffc@surbl.org http://www.surbl.org/

5 5

Re: [SURBL-Discuss] Joe Job again: Watchsound.com
by Jim Knuth 04 Jun '04

04 Jun '04

Hallo und guten Morgen Jeff, danke für die Email vom 04.06.2004 um 00:43 Jeff Chan schrieb - wrote: > On Thursday, June 3, 2004, 7:25:06 AM, Chris Santerre wrote: >> LOL, guess they don't like being added to BigEvil! watchsound.com is Joe >> Jobbing me now. Poor little pron spammer hosted in China. (61.152.133.68). >> Feel free to add this to the other SURBL servers, firewall blocks, Host file >> blocks, squid blocks, ect..... > FWIW This domain is currently in sc.surbl.org and ws.surbl.org.. > (But not be.surbl.org? That doesn't seem right...) warum schickst Du mir das? Hab ich damit etwas zu tun? why do you send that to me? Have done I with that something? -- Viele Grüße, Kind regards, Jim Knuth jk(a)jkart.de ICQ #277289867 ---------- Zufalls-Zitat ---------- Frauen würden sich leichter damit abfinden, dass ihr Mann später nach Hause kommt, wenn sie sich wirklich darauf verlassen könnten, dass er nicht früher da ist. [Sidonie-Gabrielle Colette] ---------- Dieser Text hat nichts mit dem Empfänger der Mail zu tun ---------- virengeprüft mit NOD32 Version 1.780 Update 03.06.2004

1 0

Joe Job again: Watchsound.com
by Chris Santerre 04 Jun '04

04 Jun '04

LOL, guess they don't like being added to BigEvil! watchsound.com is Joe Jobbing me now. Poor little pron spammer hosted in China. (61.152.133.68). Feel free to add this to the other SURBL servers, firewall blocks, Host file blocks, squid blocks, ect..... Thankfully a LOT of people have wised up to Joe Jobs and seem to be checking the sending IP vs. the From. So I don't get many complaints. I guess I should be flatered? Chris Santerre System Admin and SARE Ninja http://www.rulesemporium.com 'It is not the strongest of the species that survives, not the most intelligent, but the one most responsive to change.' Charles Darwin

3 2

Whitelist sparklist.com
by Chris Santerre 04 Jun '04

04 Jun '04

They *seem* to be white. But have spammers signup and run one time spam runs. They aren't in the URL links, but are the senders. Just something to look out for. However, surpluscomputers.com can be blacklisted to the stoneage! ALong with softwareandstuff.com ! Chris Santerre System Admin and SARE Ninja http://www.rulesemporium.com 'It is not the strongest of the species that survives, not the most intelligent, but the one most responsive to change.' Charles Darwin

3 2

RE: [SURBL-Discuss] Whitelist sparklist.com
by Chris Santerre 03 Jun '04

03 Jun '04

>-----Original Message----- >From: Kris Deugau [mailto:kdeugau@vianet.ca] >Sent: Thursday, June 03, 2004 12:47 PM >To: SURBL Discussion list >Subject: Re: [SURBL-Discuss] Whitelist sparklist.com > > >Chris Santerre wrote: >> However, surpluscomputers.com can be blacklisted to the stoneage! >> ALong with softwareandstuff.com ! > >Why? Their list management seems... dubious at times, but they're a >legit business and I for one specifically signed up for their >newsletter- which, IIRC, was properly confirmed opt-in. (Both domains >are for the same company; they've been trying to change their name and >domain.) > >-kgd Because they sent a SPAM to me, to an email that was setup specifically to be used by at another site. I make alias emails for everything I sign up for. So I can track when this happens. They used this email address, which they somehow got from a competitor of theirs. It was obviously not signed up for use with them, because I would have made a new one. So not only did they spam, but they got the address thru ill means. I am working with the original site to find how they got it. They are NOT affiliates or partners. --Chris

2 1

← Newer
1
2
3
4
5
6
7
8
9
Older →

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

Discuss June 2004