Why not integrate a whois date lookup directly into SURBL or URIBL?
Design an encoding system whereby
suspectedspammydomain.spammertld.dr.surbl.org (or uribl.com) would
return the date somehow regex encoded in the IP address. Then write a
nice SA rule that decodes it, also using regex. Are there any regex
geniuses out there that could encode a date in an IP address?
-Matthew
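One way the encoding asked about above could work, written in Python rather than as a SpamAssassin rule so it can be run stand-alone. This is an added example, not code from the thread, from SURBL or from URIBL: the epoch, the two-octet day-count layout, the `.dr.` label and the zone entries are all assumptions of the example, and the zone contents are constructed.

```python
import re
from datetime import date, timedelta

# Constructed encoding (an assumption of this example, not a SURBL/URIBL
# scheme): the registration date is stored as a day count since EPOCH and
# split across the last two octets of a 127.0.0.0/8 answer,
#   127.0.<days // 256>.<days % 256>
# 256 * 256 = 65536 days, so one epoch covers roughly 179 years.
EPOCH = date(2000, 1, 1)
MAX_DAYS = 256 * 256 - 1
TODAY_FOR_DEMO = date(2005, 5, 8)   # the date of the thread, used by the demo below

def encode_registration_date(registered: date) -> str:
    """Pack a registration date into a DNSBL-style 127.0.x.y answer."""
    days = (registered - EPOCH).days
    if not 0 <= days <= MAX_DAYS:
        raise ValueError(f"{registered} is outside the encodable range")
    return f"127.0.{days // 256}.{days % 256}"

# The decoder side is a plain regex over the dotted-quad answer, the same
# kind of match a rule would apply to the A record returned for
# <domain>.dr.<zone> (the .dr. label is the name suggested in the post).
ANSWER_RE = re.compile(r"^127\.0\.(\d{1,3})\.(\d{1,3})$")

def decode_registration_date(answer: str):
    """Recover the date from an answer; None when the answer is not ours."""
    m = ANSWER_RE.match(answer)
    if m is None:
        return None
    hi, lo = int(m.group(1)), int(m.group(2))
    if hi > 255 or lo > 255:          # not a valid octet, so not our encoding
        return None
    return EPOCH + timedelta(days=hi * 256 + lo)

def registered_within(answer: str, today: date, max_age_days: int = 7) -> bool:
    """The rule's decision: True when the domain was registered at most
    max_age_days before today. Unparseable answers and 'future'
    registrations (clock skew or a bad record) never score."""
    registered = decode_registration_date(answer)
    if registered is None or registered > today:
        return False
    return (today - registered).days <= max_age_days

# Constructed stand-in for the DNS zone: domain -> registration date.
# Real data would have to come from whois, which is the hard part the
# thread describes.
CONSTRUCTED_ZONE = {
    "suspectedspammydomain.example": date(2005, 5, 3),
    "longstanding.example": date(2001, 3, 15),
}

def query(domain: str):
    """Simulate the A lookup of <domain>.dr.<zone>: answer or None (NXDOMAIN)."""
    registered = CONSTRUCTED_ZONE.get(domain.lower())
    return None if registered is None else encode_registration_date(registered)

def check_domain(domain: str, today: date, max_age_days: int = 7) -> bool:
    """End to end: look the domain up and apply the age rule."""
    answer = query(domain)
    return answer is not None and registered_within(answer, today, max_age_days)

if __name__ == "__main__":
    for d in CONSTRUCTED_ZONE:
        verdict = "newly registered" if check_domain(d, TODAY_FOR_DEMO) else "old enough"
        print(f"{d}: {query(d)} -> {verdict}")
```

The regex alone can only extract the two octets; deciding "registered in the last N days" needs the subtraction in `registered_within`, which in a real rule would live in an eval function rather than in the pattern. Encoding the absolute date rather than an age also keeps the zone data valid no matter when it was generated or cached.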
> Well this has been brought up before. It is a very good idea,
> however difficult to implement. Unfortunately the date
> returned by a whois query comes in a wide variety of
> flavors. We (SARE) thought we had all of the returned date
> codes figured out. Nope. New ones still keep coming.
>
> uribl.com has some ideas on how to attack this very issue,
> but not sure it is worth it yet.
>
> In short, it would be wonderful to start doing whois lookups
> for every domain in an email. Lots of things could be flagged
> off of it. Think of a sort of Bayesian whois DB. But the
> traffic would be pretty damn big.
>
> --Chris
> _______________________________________________
> Discuss mailing list
> Discuss(a)lists.surbl.org
> http://lists.surbl.org/mailman/listinfo/discuss
>-----Original Message-----
>From: Matthew Wilson [mailto:matthew@boomer.com]
>Sent: Sunday, May 08, 2005 9:29 PM
>To: Jeff Chan; SURBL Discussion list
>Subject: [SURBL-Discuss] newly registered domains
>
>
>Does anyone know of a SA rule to check how recently a domain name has
>been registered?
>
>The various uri lookups catch the vast majority of spammy urls during
>the day, but from 2-5 a.m. CST, my servers get hit with tons of spam
>with urls that aren't in SURBL yet. All of the domains are newly
>registered domains (registered in the past week or so).
>
>I know that the SARE ninjas have some private tools to do this kind of
>lookup for their feeds and manual lookups, but I'm wondering if this
>kind of thing could be worked directly into a SA rule.
Well this has been brought up before. It is a very good idea, however
difficult to implement. Unfortunately the date returned by a whois query
comes in a wide variety of flavors. We (SARE) thought we had all of the
returned date codes figured out. Nope. New ones still keep coming.
uribl.com has some ideas on how to attack this very issue, but not sure it
is worth it yet.
In short, it would be wonderful to start doing whois lookups for every
domain in an email. Lots of things could be flagged off of it. Think of a
sort of Bayesian whois DB. But the traffic would be pretty damn big.
--Chris
When you say several times an hour, does that mean weekends and holidays
also?
/E.
-----Original Message-----
From: discuss-bounces(a)lists.surbl.org
[mailto:discuss-bounces@lists.surbl.org] On Behalf Of Jeff Chan
Sent: Sunday, May 08, 2005 11:01 AM
To: SURBL Discussion list
Subject: Re: [SURBL-Discuss] multi.surbl.org.rbldnsd Update Times
On Sunday, May 8, 2005, 7:09:11 AM, Eric Smith wrote:
> I'm sure this is dependent on the mirror we are pulling the zone from, but
> how often is the source zone updated, and should we expect that mirrors
> update on a regular schedule around the clock? What I'm getting at is we
> are monitoring file changes to the zone file to ensure it's updating often,
> but as of Friday we have received no updates (I'm guessing because it
> doesn't get updated on the weekends). Is my assumption correct? Does the
> schedule vary by mirror? If so is there a mirror that anyone knows the
> replication interval for? If not Jeff do you know the schedule requirements
> for a site to become a mirror so we can base monitoring off this schedule?
If you're asking about spamhaus lists, I have no idea. SURBL
lists are updated several times an hour usually.
Jeff C.
--
Don't harm innocent bystanders.
Does anyone know of a SA rule to check how recently a domain name has
been registered?
The various uri lookups catch the vast majority of spammy urls during
the day, but from 2-5 a.m. CST, my servers get hit with tons of spam
with urls that aren't in SURBL yet. All of the domains are newly
registered domains (registered in the past week or so).
I know that the SARE ninjas have some private tools to do this kind of
lookup for their feeds and manual lookups, but I'm wondering if this
kind of thing could be worked directly into a SA rule.
Thanks,
Matthew
I'm sure this is dependent on the mirror we are pulling the zone from, but
how often is the source zone updated, and should we expect that mirrors
update on a regular schedule around the clock? What I'm getting at is we
are monitoring file changes to the zone file to ensure it's updating often,
but as of Friday we have received no updates (I'm guessing because it
doesn't get updated on the weekends). Is my assumption correct? Does the
schedule vary by mirror? If so is there a mirror that anyone knows the
replication interval for? If not Jeff do you know the schedule requirements
for a site to become a mirror so we can base monitoring off this schedule?
Any input is greatly appreciated.
Thanks,
Eric
XBL actually, very strange, I will check and follow up regarding it.
/E.
-----Original Message-----
From: discuss-bounces(a)lists.surbl.org
[mailto:discuss-bounces@lists.surbl.org] On Behalf Of Jeff Chan
Sent: Friday, May 06, 2005 11:34 PM
To: SURBL Discussion list
Subject: Re: [SURBL-Discuss] SURBL Content
On Friday, May 6, 2005, 5:59:15 PM, Eric Smith wrote:
> This morning we received a huge blast from a spammer that spamhaus.org
> identified properly but multi.surbl.org.rbldnsd didn't :( Just checking
> though :)
> Eric
When you say spamhaus.org, which list are you referring to, XBL
or SBL? Because one of the new lists we're experimenting with,
xu.surbl.org, gets data from CBL spamtrap URI hits. CBL feeds
into XBL, and some of the XBL senders probably end up in SBL
also.
Next time you see one like this, if you check it using the SURBL
checker:
http://www.rulesemporium.com/cgi-bin/uribl.cgi
it would be interesting to hear if it hits the preliminary
version of the XS data.
Cheers,
Jeff C.
--
Don't harm innocent bystanders.
Hi,
ab.surbl.org created a FP here today. The URI in question
www dot teleflora dot com
was in the ad part of a yahoogroups mail, in the part of the message that is
automatically added by yahoo.
Please consider removing the URI to prevent false positives.
regards,
wolfgang
This morning we received a huge blast from a spammer that spamhaus.org
identified properly but multi.surbl.org.rbldnsd didn't :( Just checking
though :)
Eric
-----Original Message-----
From: discuss-bounces(a)lists.surbl.org
[mailto:discuss-bounces@lists.surbl.org] On Behalf Of Jeff Chan
Sent: Friday, May 06, 2005 8:03 PM
To: discuss(a)lists.surbl.org
Subject: Re: [SURBL-Discuss] SURBL Content
On Friday, May 6, 2005, 10:57:25 AM, Eric Smith wrote:
> Quick question regarding multi.surbl.org.rbldnsd; the list of content for
> this file (i.e. sc.surbl.org, ws.surbl.org, etc) on the surbl.org website is
> all inclusive correct?
Yes.
> Does multi.surbl.org.rbldnsd contain anything from
> spamhaus.org or any other content providers?
Not yet, though we're working on some trapped URI data from the
CBL folks.
Why do you ask? :-)
> Thanks,
> Eric Smith
Cheers,
Jeff C.
--
Don't harm innocent bystanders.
Quick question regarding multi.surbl.org.rbldnsd; the list of content for
this file (i.e. sc.surbl.org, ws.surbl.org, etc) on the surbl.org website is
all inclusive correct? Does multi.surbl.org.rbldnsd contain anything from
spamhaus.org or any other content providers?
Thanks,
Eric Smith
>-----Original Message-----
>From: Daniel Quinlan [mailto:quinlan@pathname.com]
>Sent: Thursday, May 05, 2005 1:19 AM
>To: discuss(a)lists.surbl.org
>Cc: jeffc(a)surbl.org; dev(a)spamassassin.apache.org
>Subject: registrar boundary inconsistencies
>
>
>I ran SURBL (well, a copy a few weeks old) through the split_domains()
>function in SpamAssassin to see which listings contained both a
>host+domain rather than just domain from the perspective of
>SpamAssassin. Those listings would be missed by the URIBL module.
>
>These are reversed for easier reading, but basically, it works
>like this:
>
>if this is listed:
>
> com.50megs.brisisbri
> com.50megs.cddvdmp3
> com.50megs.slashbackman
>
>were these then in SURBL:
>
> brisisbri.50megs.com
> cddvdmp3.50megs.com
> slashbackman.50megs.com
>
>However, the URIDNSBL plugin would catch none of those unless 50megs.com
>was listed (it's not) since 50megs.com is the domain as far as
>SpamAssassin is concerned. However, it would catch them if 50megs.com
>was in SURBL in addition or instead of those hostname.domain
>combinations.
>
>Here is the data. We (SURBL or SpamAssassin) need to do one of these
>actions for each of these listings and SURBL probably has more to say
>about it (initially, at least) since it's your database.
>
> - change the domain code in SA to consider the domain a registry like
>   eu.org or demon.co.uk (let us know and we'll change our code as long
>   as it makes sense ;-). This means we don't expect to blacklist the
>   entire "registry".
>
> - SURBL (or your data provider) blacklists the entire domain
>
> - remove the hostname.domain listings ... why bother if nothing's
> going to hit them
>
>Daniel
I vote for changing the domain code to recognise these domains. Blacklisting
the entire domain can have too many problems. Removing the whole thing would
let spammers game these domains.
I imagine that SA would need updating a lot for more domains like this. Each
release. Unless of course there was some data cf file that we could just
update at SARE? Simply a list of these type of domains, so they aren't hard
coded?
anyway, I hope you devs are having a great Cinco De Mayo!!
--Chris
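To make the boundary problem Daniel describes, and the three options he lists, concrete, here is an added Python model of it. This is not SpamAssassin's split_domains() or its URIDNSBL plugin and not SURBL data: the registry-like set is an assumption built from the two names quoted above, the listings are constructed from the three reversed entries, and the "innocent" host is made up. Keeping the registry-like names in a data structure that is passed in, rather than hard-coding them, is the shape Chris asks for at the end.

```python
# Added example: a simplified stand-in for the domain-boundary logic the
# thread discusses. It is not SpamAssassin's split_domains() or the
# URIDNSBL plugin; the registry-like set and the listings are taken from
# the names quoted above and are illustrative only.
REGISTRY_LIKE = frozenset({"eu.org", "demon.co.uk"})

def unreverse(listing: str) -> str:
    """Daniel's listings are label-reversed (com.50megs.brisisbri);
    turn one back into a hostname."""
    return ".".join(reversed(listing.split(".")))

def registered_domain(host: str, registry_like=REGISTRY_LIKE) -> str:
    """The part of host that a URIBL lookup would actually query.
    Default rule: the last two labels. If a suffix of the host is a
    registry-like domain, keep one more label below it."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):               # longest suffix first
        if ".".join(labels[i:]) in registry_like:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])

def uribl_hits(host: str, listed, registry_like=REGISTRY_LIKE) -> bool:
    """Model the plugin: only the registered domain is looked up, so a
    hostname.domain listing is never consulted unless the boundary
    treats the parent as a registry."""
    return registered_domain(host, registry_like) in listed

def hostname_listings(listed, registry_like=REGISTRY_LIKE):
    """Daniel's audit: which listings carry a hostname above the
    boundary and therefore can never be hit by the plugin?"""
    return sorted(h for h in listed if registered_domain(h, registry_like) != h)

# Constructed listing set, built from the reversed entries quoted above.
LISTED = frozenset(unreverse(x) for x in (
    "com.50megs.brisisbri", "com.50megs.cddvdmp3", "com.50megs.slashbackman"))

if __name__ == "__main__":
    spammy, innocent = "brisisbri.50megs.com", "innocent.50megs.com"  # innocent is made up
    print("as is:             ", uribl_hits(spammy, LISTED), hostname_listings(LISTED))
    # Option 1: treat 50megs.com as a registry (a data-file change, not code)
    wider = REGISTRY_LIKE | {"50megs.com"}
    print("registry boundary: ", uribl_hits(spammy, LISTED, wider), uribl_hits(innocent, LISTED, wider))
    # Option 2: list the whole domain; note the collateral hit on the innocent host
    whole = LISTED | {"50megs.com"}
    print("whole domain listed:", uribl_hits(spammy, whole), uribl_hits(innocent, whole))
    # Option 3: drop the hostname listings; nothing is left to hit
    pruned = LISTED - set(hostname_listings(LISTED))
    print("hostnames removed: ", uribl_hits(spammy, pruned), sorted(pruned))
```

Running it shows why the thread leans towards option 1: with the hostname listings alone nothing ever hits; listing 50megs.com outright also flags every other host under it; and pruning leaves the spammer's hosts unlisted. Moving the boundary catches the three listed hosts while leaving other 50megs.com hosts alone.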