Discuss May 2005

discuss@lists.surbl.org

34 participants
64 discussions

RE: [SURBL-Discuss] newly registered domains
by Matthew Wilson 09 May '05

09 May '05

Why not integrate a whois date lookup directly into SURBL or URIBL? Design an encoding system whereby suspectedspammydomain.spammertld.dr.surbl.org (or uribl.com) would return the date somehow regex encoded in the IP address. Then write a nice SA rule that decodes it, also using regex. Are there any regex geniuses out there that could encode a date in an IP address? -Matthew > Well this has been brought up before. It is a very good idea, > however difficult to implement. Unfortunetly the date > returned by a whois querey comes in a wide variety of > flavors. We (SARE) thought we had all of the returned date > codes figured out. Nope. New ones still keep coming. > > uribl.com has some ideas on how to attack this very issue, > but not sure it is worth it yet. > > In short, it would be wonderful to start doing whois lookups > for every domain in an email. Lots of things could be flagged > off of it. Think of a sort of baysien whois DB. But the > traffic would be pretty dam big. > > --Chris > _______________________________________________ > Discuss mailing list > Discuss(a)lists.surbl.org > http://lists.surbl.org/mailman/listinfo/discuss > > >

1 0

RE: [SURBL-Discuss] newly registered domains
by Chris Santerre 09 May '05

09 May '05

>-----Original Message----- >From: Matthew Wilson [mailto:matthew@boomer.com] >Sent: Sunday, May 08, 2005 9:29 PM >To: Jeff Chan; SURBL Discussion list >Subject: [SURBL-Discuss] newly registered domains > > >Does anyone know of a SA rule to check how recently a domain name has >been registered? > >The various uri lookups catch the vast majority of spammy urls during >the day, but from 2-5 a.m. CST, my servers get hit with tons of spam >with urls that aren't in SURBL yet. All of the domains are newly >registered domains (registered in the past week or so). > >I know that the SARE ninjas have some private tools to do this kind of >lookup for their feeds and manual lookups, but I'm wondering if this >kind of thing could be worked directly into a SA rule. Well this has been brought up before. It is a very good idea, however difficult to implement. Unfortunetly the date returned by a whois querey comes in a wide variety of flavors. We (SARE) thought we had all of the returned date codes figured out. Nope. New ones still keep coming. uribl.com has some ideas on how to attack this very issue, but not sure it is worth it yet. In short, it would be wonderful to start doing whois lookups for every domain in an email. Lots of things could be flagged off of it. Think of a sort of baysien whois DB. But the traffic would be pretty dam big. --Chris

2 1

RE: [SURBL-Discuss] multi.surbl.org.rbldnsd Update Times
by Smith, Eric 09 May '05

09 May '05

When you say several times an hour, does that mean weekends and holidays also? /E. -----Original Message----- From: discuss-bounces(a)lists.surbl.org [mailto:discuss-bounces@lists.surbl.org] On Behalf Of Jeff Chan Sent: Sunday, May 08, 2005 11:01 AM To: SURBL Discussion list Subject: Re: [SURBL-Discuss] multi.surbl.org.rbldnsd Update Times On Sunday, May 8, 2005, 7:09:11 AM, Eric Smith wrote: > I'm sure this is dependent on the mirror we are pulling the zone from, but > how often is the source zone updated, and should we expect that mirrors > update on a regular schedule around the clock? What I'm getting at is we > are monitoring file changes to the zone file to ensure it's updating often, > but as of Friday we have received no updates (I'm guessing because it > doesn't get updated on the weekends). Is my assumption correct? Does the > schedule vary by mirror? If so is there a mirror that anyone knows the > replication interval for? If not Jeff do you know the schedule requirements > for a site to become a mirror so we can base monitoring off this schedule? If you're asking about spamhaus lists, I have no idea. SURBL lists are updated several times an hour usually. Jeff C. -- Don't harm innocent bystanders. _______________________________________________ Discuss mailing list Discuss(a)lists.surbl.org http://lists.surbl.org/mailman/listinfo/discuss

2 1

newly registered domains
by Matthew Wilson 09 May '05

09 May '05

Does anyone know of a SA rule to check how recently a domain name has been registered? The various uri lookups catch the vast majority of spammy urls during the day, but from 2-5 a.m. CST, my servers get hit with tons of spam with urls that aren't in SURBL yet. All of the domains are newly registered domains (registered in the past week or so). I know that the SARE ninjas have some private tools to do this kind of lookup for their feeds and manual lookups, but I'm wondering if this kind of thing could be worked directly into a SA rule. Thanks, Matthew

2 1

multi.surbl.org.rbldnsd Update Times
by Smith, Eric 08 May '05

08 May '05

I'm sure this is dependent on the mirror we are pulling the zone from, but how often is the source zone updated, and should we expect that mirrors update on a regular schedule around the clock? What I'm getting at is we are monitoring file changes to the zone file to ensure it's updating often, but as of Friday we have received no updates (I'm guessing because it doesn't get updated on the weekends). Is my assumption correct? Does the schedule vary by mirror? If so is there a mirror that anyone knows the replication interval for? If not Jeff do you know the schedule requirements for a site to become a mirror so we can base monitoring off this schedule? Any input is greatly appreciated. Thanks, Eric

2 1

RE: [SURBL-Discuss] SURBL Content
by Smith, Eric 08 May '05

08 May '05

XBL actually, very strange, I will check and follow up regarding it. /E. -----Original Message----- From: discuss-bounces(a)lists.surbl.org [mailto:discuss-bounces@lists.surbl.org] On Behalf Of Jeff Chan Sent: Friday, May 06, 2005 11:34 PM To: SURBL Discussion list Subject: Re: [SURBL-Discuss] SURBL Content On Friday, May 6, 2005, 5:59:15 PM, Eric Smith wrote: > This morning we received a huge blast from a spammer that spamhaus.org > identified properly but multi.surbl.org.rbldnsd didn't :( Just checking > though :) > Eric When you say spamhaus.org, which list are you referring to, XBL or SBL? Because one of the new lists we're experimenting with, xu.surbl.org, gets data from CBL spamtrap URI hits. CBL feeds into XBL, and some of the XBL senders probably end up in SBL also. Next time you see one like this, if you check it using the SURBL checker: http://www.rulesemporium.com/cgi-bin/uribl.cgi it would be interesting to to hear if it hits the preliminary version of the XS data. Cheers, Jeff C. -- Don't harm innocent bystanders. _______________________________________________ Discuss mailing list Discuss(a)lists.surbl.org http://lists.surbl.org/mailman/listinfo/discuss

1 0

False Positive on AB_URI_RBL
by wolfgang 07 May '05

07 May '05

Hi, ab.surbl.org created a FP here today. The URI in question www dot teleflora dot com was in the ad part of a yahoogroups mail, in the part of the message that is automatically added by yahoo. please consider removing the URI to prevent false positives. regards, wolfgang

2 1

RE: [SURBL-Discuss] SURBL Content
by Smith, Eric 07 May '05

07 May '05

This morning we received a huge blast from a spammer that spamhaus.org identified properly but multi.surbl.org.rbldnsd didn't :( Just checking though :) Eric -----Original Message----- From: discuss-bounces(a)lists.surbl.org [mailto:discuss-bounces@lists.surbl.org] On Behalf Of Jeff Chan Sent: Friday, May 06, 2005 8:03 PM To: discuss(a)lists.surbl.org Subject: Re: [SURBL-Discuss] SURBL Content On Friday, May 6, 2005, 10:57:25 AM, Eric Smith wrote: > Quick question regarding multi.surbl.org.rbldnsd; the list of content for > this file (i.e. sc.surbl.org, ws.surbl.org, etc) on the surbl.org website is > all inclusive correct? Yes. > Does multi.surbl.org.rbldnsd contain anything from > spamhaus.org or any other content providers? Not yet, though we're working on some trapped URI data from the CBL folks. Why do you ask? :-) > Thanks, > Eric Smith Cheers, Jeff C. -- Don't harm innocent bystanders. _______________________________________________ Discuss mailing list Discuss(a)lists.surbl.org http://lists.surbl.org/mailman/listinfo/discuss

2 1

SURBL Content
by Smith, Eric 07 May '05

07 May '05

Quick question regarding multi.surbl.org.rbldnsd; the list of content for this file (i.e. sc.surbl.org, ws.surbl.org, etc) on the surbl.org website is all inclusive correct? Does multi.surbl.org.rbldnsd contain anything from spamhaus.org or any other content providers? Thanks, Eric Smith

2 1

RE: registrar boundary inconsistencies
by Chris Santerre 06 May '05

06 May '05

>-----Original Message----- >From: Daniel Quinlan [mailto:quinlan@pathname.com] >Sent: Thursday, May 05, 2005 1:19 AM >To: discuss(a)lists.surbl.org >Cc: jeffc(a)surbl.org; dev(a)spamassassin.apache.org >Subject: registrar boundary inconsistencies > > >I ran SURBL (well, a copy a few weeks old) through the split_domains() >function in SpamAssassin to see which listings contained both a >host+domain rather than just domain from the perspective of >SpamAssassin. Those listings would be missed by the URIBL module. > >These are reversed for easier reading, but basically, it works >like this: > >if this is listed: > > com.50megs.brisisbri > com.50megs.cddvdmp3 > com.50megs.slashbackman > >were these then in SURBL: > > brisisbri.50megs.com > cddvdmp3.50megs.com > slashbackman.50megs.com > >However, the URIDNSBL plugin would catch none of those unless >50megs.com >was listed (it's not) since 50megs.com is the domain as far as >SpamAssassin is concerned. However, it would catch them if 50megs.com >was in SURBL in addition or instead of those hostname.domain >combinations. > >Here is the data. We (SURBL or SpamAssassin) need to do one of these >actions for each of these listings and SURBL probably has more to say >about it (initially, at least) since it's your database. > > - change the domain code in SA to consider the domain a registry like > eu.org or demon.co.uk (let us know and we'll change our >code as long > as it makes sense ;-). This means we don't expect blacklist the > entire "registry". > > - SURBL (or your data provider) blacklists the entire domain > > - remove the hostname.domain listings ... why bother if nothing's > going to hit them > >Daniel I vote for changing the domain code to recognise these domains. Blacklisting the entire domain can have too many problems. Removing the whole thing would let spammers game these domains. I imagine that SA would need updating a lot for more domains like this. Each release. Unless of course there was some data cf file that we could just update at SARE? SImply a list of these type of domains, so they aren't hard coded? anyway, I hope you devs are having a great Cinco De Mayo!! --Chris

5 6

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

Discuss May 2005