Discuss September 2004

discuss@lists.surbl.org

62 participants
229 discussions

RE: Start an IP list to block?
by Chris Santerre 09 Sep '04

09 Sep '04

>-----Original Message----- >From: Jeff Chan [mailto:jeffc@surbl.org] >Sent: Thursday, September 09, 2004 5:26 PM >To: Chris Santerre >Cc: SURBL Discussion list (E-mail); Spamassassin-Talk (E-mail) >Subject: Re: Start an IP list to block? > > >On Thursday, September 9, 2004, 1:56:33 PM, Chris Santerre wrote: >> OK, this isn't the first time we've had this discussion, but >Raymond and I >> felt this should be made public again. He ran thru some >tests of 1500+ >> domains and found the following data. Looks like they maybe send from >> zombies, and never their hosts. IPs are similar across the board. > >> So is there a way to use the IP info in a good way? Could SA >or SURBL do a >> quick ping of the URL and match against a URL? This would >allow us to simply >> list 1 IP instead of all these domains. > >> (I'm well aware of virtual hosts! So only the filthiest of >spammers would be >> put on this IP list. Then their IP better boot them or >anyone hosted on that >> box would feel the rath of SURBL.) > >Yes, we've already discussed reasons why we're using only the >data actually found in spam URIs. The potential for collateral >damage in looking at resolved IPs is too high. > >It would be very easy for a large hosting provider to have 1 >bad guy sharing a web server with 100 or 1000 non-spammers. >Given that we can't see those other 100 or 1000, it would be >very easy for us to add that 1 IP address and block the >other 100 or 1000 *without even knowing it*. > >It is a question about the limits of knowledge. In our >universe we can't see the potential collateral damage from >listing a shared host, so we should not do it. From our >point of view it's not knowable. Sure the hosting company >knows whether that's the case, but we can't. > >I'd encourage people with questions like this to read up or >take some classes on epistemology or the theory of knowledge. >Or just contemplate the possibilities harder... ;-) LOL, I love our conversations ;) Well when I said filthy, I meant down right Christina Aguleira raunchy spammers! The drippiest of rotten stinking spammers. Basically those hosted by spam friendly hosts. This is a step I was sure you would not want to do, but I can think of a ton on the SPAM-L list who would jump at the chance. Makes ISPs become more responsible. However this is just theory discussion anyway...or is it :p --Chris

1 0

Re: Start an IP list to block?
by Raymond Dijkxhoorn 09 Sep '04

09 Sep '04

Hi! > Chris, Raymond , > > I went thru a random few of these and they're were listed at Spamhaus. > Using spamhaus at SMTP level or SA doing RBL lookups would have caught and > stopped them... Spamcop probably has quite a few of them listed as well No, that wont work. The spams are sended in via trojans/proxys only the websites are static. SOME are blocked with DSBL and so but most of the time they start a spamrun with a fresh set it seems. So yes, they are inside spamhaus, but only the websites, didnt see mails sended out from there (yet). Bye, Raymond.

3 3

RE: Start an IP list to block?
by Chris Santerre 09 Sep '04

09 Sep '04

>-----Original Message----- >From: Jeff Chan [mailto:jeffc@surbl.org] >Sent: Thursday, September 09, 2004 5:14 PM >To: SpamAssassin Users; SURBL Discuss >Subject: Re: Start an IP list to block? > > >On Thursday, September 9, 2004, 2:05:28 PM, Alex Broens wrote: >> Chris Santerre wrote: > >>> OK, this isn't the first time we've had this discussion, >but Raymond and I >>> felt this should be made public again. He ran thru some >tests of 1500+ >>> domains and found the following data. Looks like they maybe >send from >>> zombies, and never their hosts. IPs are similar across the board. >>> >>> So is there a way to use the IP info in a good way? Could >SA or SURBL do a >>> quick ping of the URL and match against a URL? This would >allow us to simply >>> list 1 IP instead of all these domains. >>> >>> (I'm well aware of virtual hosts! So only the filthiest of >spammers would be >>> put on this IP list. Then their IP better boot them or >anyone hosted on that >>> box would feel the rath of SURBL.) >>> >>> --Chris > >> Chris, Raymond , > >> I went thru a random few of these and they're were listed at >Spamhaus. >> Using spamhaus at SMTP level or SA doing RBL lookups would >have caught >> and stopped them... > >Yes, that is a good answer. Use Spamhaus RBLs... :-) > No it isn't a good answer. They are NOT sending from these IPs. You can list them in all the RBLs from here to eternity. If they don't send from them, it doesn't matter. They are hosting from them. Which means SURBL needs to convert the domain to IP, then use Spamhaus. --Chris

1 0

Re: Start an IP list to block?
by Jeff Chan 09 Sep '04

09 Sep '04

On Thursday, September 9, 2004, 2:05:28 PM, Alex Broens wrote: > Chris Santerre wrote: >> OK, this isn't the first time we've had this discussion, but Raymond and I >> felt this should be made public again. He ran thru some tests of 1500+ >> domains and found the following data. Looks like they maybe send from >> zombies, and never their hosts. IPs are similar across the board. >> >> So is there a way to use the IP info in a good way? Could SA or SURBL do a >> quick ping of the URL and match against a URL? This would allow us to simply >> list 1 IP instead of all these domains. >> >> (I'm well aware of virtual hosts! So only the filthiest of spammers would be >> put on this IP list. Then their IP better boot them or anyone hosted on that >> box would feel the rath of SURBL.) >> >> --Chris > Chris, Raymond , > I went thru a random few of these and they're were listed at Spamhaus. > Using spamhaus at SMTP level or SA doing RBL lookups would have caught > and stopped them... Yes, that is a good answer. Use Spamhaus RBLs... :-) Jeff C. > Spamcop probably has quite a few of them listed as well > ideas? > Alex

1 1

RE: [SURBL-Discuss] http://www.antiphishing.org/
by Matthew Wilson 09 Sep '04

09 Sep '04

Jeff, I'd be willing to put up some money for the annual subscription fee that gets us access to the whole repository of submitted phishing messages. Is anyone else willing? -Matthew -----Original Message----- From: discuss-bounces(a)lists.surbl.org [mailto:discuss-bounces@lists.surbl.org] On Behalf Of Jeff Chan Sent: Thursday, September 09, 2004 3:56 PM To: discuss(a)lists.surbl.org Subject: Re: [SURBL-Discuss] http://www.antiphishing.org/ On Thursday, September 9, 2004, 1:38:03 PM, Frank Ellermann wrote: > Jeff Chan wrote: >> Let's see if I can get either of them to respond. > Please say so if you get an answer from antiphishing.org > At the moment my impression is that it's some kind of Dave Null - but > with a working vacation auto-responder. > Bye, Frank Yes, we would definitely announce if we got them. However if anyone knows any personal contacts for us at antiphishing.org or millersmiles.co.uk, please let me know. I'm not sure if my messages to their role accounts/public addresses will get through. BTW, I hope everyone here is subscribed to the SURBL announce list, since that's where important announcements are posted: http://lists.surbl.org/mailman/listinfo/announce Jeff C. _______________________________________________ Discuss mailing list Discuss(a)lists.surbl.org http://lists.surbl.org/mailman/listinfo/discuss

1 0

http://www.antiphishing.org/
by Jeff Chan 09 Sep '04

09 Sep '04

Does anyone know anybody at antiphishing.org? It might be nice if we could get them to publish their phishing data as a SURBL or add it to PH. Jeff C. -- Jeff Chan mailto:jeffc@surbl.org http://www.surbl.org/

3 6

RE: [SURBL-Discuss] test.surbl.org
by Chris Santerre 09 Sep '04

09 Sep '04

>-----Original Message----- >From: Theo Van Dinter [mailto:felicity@kluge.net] >Sent: Thursday, September 09, 2004 10:59 AM >To: SURBL Discussion list >Subject: Re: [SURBL-Discuss] test.surbl.org > > >On Thu, Sep 09, 2004 at 11:08:17AM -0300, Leonardo Helman wrote: >> Should I send this to spamassasin list? > >Questionable. > >> That's because it only checks the registered domain and >> not its subdomains? > >Yes. The SA 3.0 URIDNSBL plugin trims down to the actual domain for >the query. > >That's to avoid something like: > >foo.bar.baz.test.something.else.spam.com > >where if it wasn't just domain only, there'd be queries for: > >foo.bar.baz.test.something.else.spam.com >bar.baz.test.something.else.spam.com >baz.test.something.else.spam.com >test.something.else.spam.com >something.else.spam.com >else.spam.com >spam.com > >which is just bad for lots of reasons. > But for research giggles, the SURBL lookup page on the SARE website DOES do this ;) It helps make it somewhat user friendly as well. But like Theo said, doing this in SA would be bad. --Chris

2 1

Draw the line (was: Need help checking FP list from Theo)
by SM 09 Sep '04

09 Sep '04

Hi Chris, At 08:09 08-09-2004, Chris Santerre wrote: >NO it doesn't! The point was..... its interesting!! :) 123inkjets has been >linked to a ton of other spam domains. The fact that they have customers >makes it legit???? SO anyone who falls for these spams and buys something, >makes it legit? Think about that. Where do you draw the line? If a few legitimate customers are enough to get a domain off a blacklist, then most of the domains currently listed will sooner or later get off. There will always be false positives because one man's spam is another man's ham. Someone should draw the line somewhere. Regards, -sm

3 3

SARE_FRAUD into PH? (Was: RE: Mass-check errors)
by Jeff Chan 09 Sep '04

09 Sep '04

David Hooton, This message prompts me to ask, are we getting the SARE_FRAUD data into PH? If not... Chris and other SARE guys, can you get the SARE_FRAUD records to David for inclusion in PH? Jeff C. __ This is a forwarded message From: Smart,Dan <SmartD(a)VMCMAIL.com> To: SpamAssassin-users(a)incubator.apache.org Date: Wednesday, September 8, 2004, 7:12:26 AM Subject: Mass-check errors ===8<==============Original message text=============== > -----Original Message----- > From: Theo Van Dinter [mailto:felicity@kluge.net] > Sent: Tuesday, September 07, 2004 7:12 PM > To: Smart,Dan > Cc: SpamAssassin-users(a)incubator.apache.org > Subject: Re: Mass-check errors > TextCat looks for $rulesdir/languages, which via your above > command is /etc/mail/spamassassin/languages ... > > -- Thanks Theo. I ended up running Dprof against spamassassin, which was simpler to get running. What I found was that the Textcat language rules was main time-sink, followed by the SARE_FRAUD ruleset. Since SURBL now has the PH list, I removed the FRAUD ruleset too. <<Dan>> ===8<===========End of original message text===========

1 1

RE: [SURBL-Discuss] Re: Need help checking FP list from Theo
by Chris Santerre 09 Sep '04

09 Sep '04

>-----Original Message----- >From: Jeff Chan [mailto:jeffc@surbl.org] >Sent: Tuesday, September 07, 2004 9:38 PM >To: SURBL Discussion list >Subject: Re: [SURBL-Discuss] Re: Need help checking FP list from Theo > > >On Tuesday, September 7, 2004, 6:16:36 PM, Jeff Chan wrote: >> On Tuesday, September 7, 2004, 5:40:47 PM, Joe Wein wrote: >>> Chris Santerre wrote: >>>> Domain List matching contacts_email of hostmaster(a)1and1.com >>>> >>>> * 1: 1-asian-sex.com >>>> * 2: 1and1.com >>> ... >>>> * 48: uptimesoftware.com >>>> * 49: wonderfulldeals.com > >>> I think you're missing the point, Chris. The domain >1and1.com is unlikely to >>> be listed in spam, let alone *only* listed in spam. >Furthermore, of the >>> domains you list I had a hard time finding one that was >both active and >>> SURBL-listed. > >> I hope Chris was showing us some other domains with similar >> registration information. That said, *registrar* information >> isn't to useful except in the case of mostly blackhat registrars. > >I should add, this kind of data is only useful in proving a >blackhat registrar if we also know how many other domains >they have registered. > >If a registrar has 100 spam domains but 100,000 legitimate >ones they're probably not a blackhat registrar. If another >registrar has 100 spam domains but 20 legitimate ones, they're >likely a blackhat. Domains belonging to the second registrar >could be "scored" as more likely spammy by some yet to be >written (or revealed) software. However that only works if >you can see the other 100,000 and the 20, which normally you >can't. > >In other words not enough information may be visible to >draw reliable conclusions about the badness of a given >registrar. On the other hand some general information >about the number of domains some large registrar holds is >available at registration statistics sites like: > > http://www.whois.sc/internet-statistics/registrar-stats-2003.html > Jeff and Joe, This is exactly why I posted this info! For info purposes. I don't know a german web hoster from a hole in the wall! (Thats a crazy american saying for I don't know jack about them!) But I do have access to similar registrar info. And quite a lot more then what I posted. It is my hope that one day I can make it privately availible to SURBL guys. But right now I can't. Look at Jeff's comment: " > Domain List matching cluster of russ-effrig > * 1: 007inkjets.com > * 2: 00inkjets.com > * 3: 111inkjets.com > * 4: 123cartridges.com > * 5: 123inkjets.com [...] >That's interesting, but I think it misses the point:" NO it doesn't! The point was..... its interesting!! :) 123inkjets has been linked to a ton of other spam domains. The fact that they have customers makes it legit???? SO anyone who falls for these spams and buys something, makes it legit? Think about that. Where do you draw the line? All spams will have some suckers. All spams will therefore have customers. All spams will have SOMEONE report it is legit. This shall forever now be known as the Santerre Theory of Spam Legitamicy. :) I fully intend to be the Ying to Jeff's Yang. *giggle* SO we gather a few things from the info I posted, and added to by what you guys know. 1and1 is ok to whitelist. But 123inkjets is a more difficult domain. For me I say leave them listed. Sometimes legit companies spam. If they feel little pain, they will do it again. I hate FPs as much as Jeff. --Chris

2 1

← Newer
1
...
11
12
13
14
15
16
17
...
23
Older →

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

Discuss September 2004