Discuss May 2005

discuss@lists.surbl.org

34 participants
64 discussions

Re: [SURBL-Discuss] Re: registrar boundary inconsistencies
by List Mail User 06 May '05

06 May '05

>From discuss-bounces(a)lists.surbl.org Thu May 5 11:47:09 2005 >To: John Gardiner Myers <jgmyers(a)proofpoint.com> >In-Reply-To: <427A6488.8020603(a)proofpoint.com> >From: jm(a)jmason.org (Justin Mason) >... >Cc: Chris Santerre <csanterre(a)MerchantsOverseas.com>, quinlan(a)pathname.com, > dev(a)spamassassin.apache.org, discuss(a)lists.surbl.org >Subject: [SURBL-Discuss] Re: registrar boundary inconsistencies >... > >-----BEGIN PGP SIGNED MESSAGE----- >Hash: SHA1 > > >John Gardiner Myers writes: >> Daniel Quinlan wrote: >> >> > We can't just add them willy-nilly. >> >> Why not? Treat them like .us -- do two queries. > >we don't currently do that. but that may be a good option, actually! >allow url_to_domain to return >1 datum, and query all of them. > >In the case of .us, and these private registrars, return 2 >domains, "foo.eu.org" and "eu.org", or "foo.state.us" and >"bar.foo.state.us". > >- --j. >-----BEGIN PGP SIGNATURE----- >Version: GnuPG v1.2.5 (GNU/Linux) >Comment: Exmh CVS > >iD4DBQFCemjHMJF5cimLx9ARAsWsAJ91vAjk0Mn7J7M+TbFUKxn3b1bDOwCWKbuw >b/NvALdeCXRn600SsZ4trw== >=6YpK >-----END PGP SIGNATURE----- > >_______________________________________________ >Discuss mailing list >Discuss(a)lists.surbl.org >http://lists.surbl.org/mailman/listinfo/discuss > Anybody look at bloomington.in. us recently? Care to guess who registered it. (Hint: It seem only to be used to get SpamCop reports for certain IP ranges in China.) Paul Shupak track(a)plectere.com P.S. Unfortunately the sets of spammers and registrars are not disjoint (and the set of large scale spammers seems almost to be a subset of the set of registrar resellers).

2 1

RE: registrar boundary inconsistencies
by Chris Santerre 05 May '05

05 May '05

>-----Original Message----- >From: Daniel Quinlan [mailto:quinlan@pathname.com] >Sent: Thursday, May 05, 2005 2:07 PM >To: Chris Santerre >Cc: 'quinlan(a)pathname.com'; discuss(a)lists.surbl.org; jeffc(a)surbl.org; >dev(a)spamassassin.apache.org >Subject: RE: registrar boundary inconsistencies > > >Chris Santerre <csanterre(a)MerchantsOverseas.com> writes: > >> I vote for changing the domain code to recognise these >domains. Blacklisting >> the entire domain can have too many problems. Removing the >whole thing would >> let spammers game these domains. > >Well, that's easy to SAY, but we need to know: > > - which are really registrars (so some hosts will be bad and some > will not be) > - which are just spammers using different hostnames on their domain > >We can't just add them willy-nilly. > >Daniel Oh I completely agree. Will leave the willy nilly stuff to those crazy ninjas! :) But yeah, thats what I meant about needing updating for new legit regitrars and clean hosting. Its one of those things that can't really remain too static. --Chris

1 0

Brief problem with ab.surbl.org
by Jeff Chan 05 May '05

05 May '05

FWIW there was a brief error where .com got into ab.surbl.org and that caused it to hit all .com domains. This problem lasted an hour or two today and happened between around 01:00 to 0:300 UTC on 5 May 2005. Andy's fixed the data side of AB, and I've added dotted and non-dotted versions of all gtlds and cctlds to the SURBL whitelist to prevent these from getting listed. Source for the cctld list is the standard ARIN page: http://www.iana.org/cctld/cctld-whois.htm Cheers, Jeff C. -- Don't harm innocent bystanders.

1 0

registrar boundary inconsistencies
by Daniel Quinlan 05 May '05

05 May '05

I ran SURBL (well, a copy a few weeks old) through the split_domains() function in SpamAssassin to see which listings contained both a host+domain rather than just domain from the perspective of SpamAssassin. Those listings would be missed by the URIBL module. These are reversed for easier reading, but basically, it works like this: if this is listed: com.50megs.brisisbri com.50megs.cddvdmp3 com.50megs.slashbackman were these then in SURBL: brisisbri.50megs.com cddvdmp3.50megs.com slashbackman.50megs.com However, the URIDNSBL plugin would catch none of those unless 50megs.com was listed (it's not) since 50megs.com is the domain as far as SpamAssassin is concerned. However, it would catch them if 50megs.com was in SURBL in addition or instead of those hostname.domain combinations. Here is the data. We (SURBL or SpamAssassin) need to do one of these actions for each of these listings and SURBL probably has more to say about it (initially, at least) since it's your database. - change the domain code in SA to consider the domain a registry like eu.org or demon.co.uk (let us know and we'll change our code as long as it makes sense ;-). This means we don't expect blacklist the entire "registry". - SURBL (or your data provider) blacklists the entire domain - remove the hostname.domain listings ... why bother if nothing's going to hit them Daniel ------- start of cut text -------------- br.adm.etiquetabordada br.adm.hbl br.adm.max br.adm.mensagemonline br.adm.mundial br.adm.ondec-sp br.adm.wfh1000 br.pro.additionalservices br.pro.adorationsofallinvoled br.pro.allourchoices br.pro.applieapplestosciene br.pro.bojengles br.pro.clemts br.pro.considerothers br.pro.crazyarrra br.pro.e-server br.pro.exodus br.pro.havealook br.pro.ifnotnowwhen br.pro.interarmaenimsilentleges br.pro.keepthepeaceprocess br.pro.keepyourheadup br.pro.krisenmj br.pro.mastrmnd br.pro.muchmorefor-you br.pro.raisetheblackflag br.pro.saveourselves br.pro.solarityinfstr br.pro.strcturedsizeappl br.pro.thisisthetime br.pro.trabalho br.pro.wwolf359 br.pro.xerion com.50megs.brisisbri com.50megs.cddvdmp3 com.50megs.slashbackman com.netfirms.chasyfogin com.netfirms.chrterone com.netfirms.citl5d8rdsir com.netfirms.desynecyx com.netfirms.ebfeesycom com.netfirms.gsternal com.netfirms.minakis30 com.netfirms.ww2-serv-wm com.port5.1stsource com.port5.e-suntrust com.proxymyworld com.proxymyworld.charterone com.proxymyworld.citifinancial com.proxymyworld.citizensbank com.proxymyworld.regionsnet com.tripod.billebay com.tripod.paypalzzzz ee.pri.highlight ee.pri.zammy kg.pe kg.pe.ebaycom kg.pe.halifax-online kr.es kr.es.bos kr.es.cabs kr.es.wbong net.cjb.account-overdue net.cjb.cgi4-awconfirmisapidll-38u3428 net.cjb.dh7wznrj net.cjb.updateyourpaypai net.ebay-online net.ebay-online.information net.ebay-online.verify net.ohaime.bankofoklahoma net.ohaime.charterone net.ohaime.lasallebank net.userset.uk.co.barclays net.userset.uk.co.halifax-online net.userset.uk.co.nationwide nr.co.hahano nr.co.moot ro.go ro.go.accshert ro.go.citicards1 ro.go.luca2003 ro.home.hai-saruta-ma ro.home.login543644 ro.home.rranostand ro.home.xyxca ru.da.49 ru.da.5120 ru.da.aavm59jk ru.da.gvqw30fsg ru.nm.berawepoy ru.nm.lo409fds ru.nm.m5nu728f ru.nm.saoretwas st.cn.adult-portal st.cn.boysarchive st.cn.gowdot st.cn.kindyraod st.cn.underageworld st.hk.7now st.hk.adult-portal st.hk.adultworld st.hk.animeangels st.hk.boys-portal st.hk.comics-evolution st.hk.hotgirlsphotos st.hk.lollyedition7 st.hk.mydreamlo st.hk.ppvcd st.hk.uderageworld st.hk.ummmyea st.hk.undersites st.hk.underworld st.hk.undworld st.hk.x-adult st.sg.adult-portal st.sg.adultworld st.sg.comics-evolution st.sg.factoryb st.sg.felcorp st.sg.jklos st.sg.lolmag4 st.sg.ptz-portal st.sg.undworld st.sg.uworld st.tw.adult-portal st.tw.adultworld st.tw.redvids2 st.ye.hegre st.ye.lesbian us.onlinehome.s110082232 us.onlinehome.s117107589 us.onlinehome.s118791939 ------- end ---------------------------- -- Daniel Quinlan http://www.pathname.com/~quinlan/

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

Discuss May 2005