>From discuss-bounces(a)lists.surbl.org Thu May 5 11:47:09 2005
>To: John Gardiner Myers <jgmyers(a)proofpoint.com>
>In-Reply-To: <427A6488.8020603(a)proofpoint.com>
>From: jm(a)jmason.org (Justin Mason)
>...
>Cc: Chris Santerre <csanterre(a)MerchantsOverseas.com>, quinlan(a)pathname.com,
> dev(a)spamassassin.apache.org, discuss(a)lists.surbl.org
>Subject: [SURBL-Discuss] Re: registrar boundary inconsistencies
>...
>
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>
>John Gardiner Myers writes:
>> Daniel Quinlan wrote:
>>
>> > We can't just add them willy-nilly.
>>
>> Why not? Treat them like .us -- do two queries.
>
>we don't currently do that. but that may be a good option, actually!
>allow url_to_domain to return >1 datum, and query all of them.
>
>In the case of .us, and these private registrars, return 2
>domains, "foo.eu.org" and "eu.org", or "foo.state.us" and
>"bar.foo.state.us".
>
>- --j.
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG v1.2.5 (GNU/Linux)
>Comment: Exmh CVS
>
>iD4DBQFCemjHMJF5cimLx9ARAsWsAJ91vAjk0Mn7J7M+TbFUKxn3b1bDOwCWKbuw
>b/NvALdeCXRn600SsZ4trw==
>=6YpK
>-----END PGP SIGNATURE-----
>
>_______________________________________________
>Discuss mailing list
>Discuss(a)lists.surbl.org
>http://lists.surbl.org/mailman/listinfo/discuss
>
Anybody look at bloomington.in.us recently? Care to guess who
registered it? (Hint: It seems only to be used to get SpamCop reports for
certain IP ranges in China.)
Paul Shupak
track(a)plectere.com
P.S. Unfortunately the sets of spammers and registrars are not disjoint
(and the set of large scale spammers seems almost to be a subset of the
set of registrar resellers).
>-----Original Message-----
>From: Daniel Quinlan [mailto:quinlan@pathname.com]
>Sent: Thursday, May 05, 2005 2:07 PM
>To: Chris Santerre
>Cc: 'quinlan(a)pathname.com'; discuss(a)lists.surbl.org; jeffc(a)surbl.org;
>dev(a)spamassassin.apache.org
>Subject: RE: registrar boundary inconsistencies
>
>
>Chris Santerre <csanterre(a)MerchantsOverseas.com> writes:
>
>> I vote for changing the domain code to recognise these domains. Blacklisting
>> the entire domain can have too many problems. Removing the whole thing would
>> let spammers game these domains.
>
>Well, that's easy to SAY, but we need to know:
>
> - which are really registrars (so some hosts will be bad and some
> will not be)
> - which are just spammers using different hostnames on their domain
>
>We can't just add them willy-nilly.
>
>Daniel
Oh I completely agree. Will leave the willy nilly stuff to those crazy
ninjas! :)
But yeah, that's what I meant about needing updating for new legit registrars
and clean hosting. It's one of those things that can't really remain too
static.
--Chris
FWIW there was a brief error where .com got into ab.surbl.org and
that caused it to hit all .com domains. This problem lasted an
hour or two today and happened between around 01:00 to 03:00 UTC
on 5 May 2005. Andy's fixed the data side of AB, and I've added
dotted and non-dotted versions of all gtlds and cctlds to the
SURBL whitelist to prevent these from getting listed. Source for
the cctld list is the standard ARIN page:
http://www.iana.org/cctld/cctld-whois.htm
Cheers,
Jeff C.
--
Don't harm innocent bystanders.
I ran SURBL (well, a copy a few weeks old) through the split_domains()
function in SpamAssassin to see which listings contained both a
host+domain rather than just domain from the perspective of
SpamAssassin. Those listings would be missed by the URIBL module.
These are reversed for easier reading, but basically, it works like this:
if this is listed:
com.50megs.brisisbri
com.50megs.cddvdmp3
com.50megs.slashbackman
were these then in SURBL:
brisisbri.50megs.com
cddvdmp3.50megs.com
slashbackman.50megs.com
However, the URIDNSBL plugin would catch none of those unless 50megs.com
was listed (it's not) since 50megs.com is the domain as far as
SpamAssassin is concerned. However, it would catch them if 50megs.com
was in SURBL in addition or instead of those hostname.domain
combinations.
Here is the data. We (SURBL or SpamAssassin) need to do one of these
actions for each of these listings and SURBL probably has more to say
about it (initially, at least) since it's your database.
- change the domain code in SA to consider the domain a registry like
eu.org or demon.co.uk (let us know and we'll change our code as long
as it makes sense ;-). This means we don't expect to blacklist the
entire "registry".
- SURBL (or your data provider) blacklists the entire domain
- remove the hostname.domain listings ... why bother if nothing's
going to hit them
Daniel
--
Daniel Quinlan
http://www.pathname.com/~quinlan/
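
Added example, not part of any post in this thread and not SpamAssassin code: a minimal sketch of why hostname.domain listings are never queried when a URL is reduced to its registered domain, and how either fix discussed above (treating the host as registry-like, or querying two names) makes them reachable. The suffix table and all function names are assumptions made for illustration.

```python
# Added illustration, not SpamAssassin code; names and data are assumptions.

# Constructed suffix table: names under which third parties register hosts.
# eu.org and demon.co.uk are the registry-like examples named in the thread.
SUFFIXES = {"com", "org", "uk", "co.uk", "eu.org", "demon.co.uk"}

# Blocklist entries from the 50megs.com example in the message above.
LISTED = {"brisisbri.50megs.com", "cddvdmp3.50megs.com", "slashbackman.50megs.com"}


def registered_domain(host, suffixes):
    """Longest matching suffix plus one label: the only name a single query checks."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):  # i = 0 tries the longest suffix first
        if ".".join(labels[i:]) in suffixes:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # unknown TLD: fall back to the last two labels


def query_candidates(host, suffixes):
    """Two-query variant: the registered domain, then one label deeper if present."""
    labels = host.lower().rstrip(".").split(".")
    base = registered_domain(host, suffixes)
    depth = len(base.split("."))
    names = [base]
    if len(labels) > depth:
        names.append(".".join(labels[-(depth + 1):]))
    return names


def unreachable(listed, suffixes):
    """Listings that a single registered-domain query can never match."""
    return sorted(d for d in listed if registered_domain(d, suffixes) != d)


def is_hit(host, listed, suffixes, two_queries=False):
    """True if any name queried for this host is on the blocklist."""
    if two_queries:
        names = query_candidates(host, suffixes)
    else:
        names = [registered_domain(host, suffixes)]
    return any(name in listed for name in names)


if __name__ == "__main__":
    print(unreachable(LISTED, SUFFIXES))
    print(is_hit("www.brisisbri.50megs.com", LISTED, SUFFIXES, two_queries=True))
```
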