Discuss August 2006

discuss@lists.surbl.org

18 participants
12 discussions

Re: [SURBL-Discuss] Logo competition
by Jeff Chan 04 Oct '06

04 Oct '06

On Thursday, August 17, 2006, 9:12:51 PM, Steve Sobol wrote: > Jeff Chan wrote: >>> http://stevesobol.com/content/surbllogo.jpg >> >>> This is just a preliminary, I-did-this-in-five-minutes concept. >> >> It's good. (Red circle and slash = "no" and url://) >> >> Can you make one with spam:// ? > Absolutely not, but see > http://stevesobol.com/content/surbllogo2.jpg > (Ok, I was just kidding, of course I can do it!) > If that looks OK to you, I'll take that concept and come up > with a final product. Hi Steve, Looks great; thanks much! If I could request a modification, it would be for bolder type and thicker lines if possible. Also I'd probably make the text black, as in blackhat. Cheers, Jeff C. -- Don't harm innocent bystanders.

2 1

Re: [SURBL-Announce] surblhost is a C command line program to query SURBLs
by Jose Marcio Martins da Cruz 18 Aug '06

18 Aug '06

Hi, Jeff Chan wrote: > Christian Stigen Larsen reports: > > "I've made a simple C commandline program to query multi.surbl.org > > I'd be very happy to receive comments. The program is available > from http://surblhost.sourceforge.net (source only)." I'm sending a little patch attached (configure.ac). It's needed to correct three small things : - under solaris, this program shall also be linked against libnsl and libsocket - you've hardcoded CFLAGS and LDFLAGS (-Wall) specific to gcc compiler. So, your program can't be build using other compilers. These flags are usually used as environnement variables. Things like : env CFLAGS="-Wall" ./configure - functions shall be checked after libraries, as some of them depend on libraries. E.g., on my system, your configure script couldn't detect the existence of gethostbyname as this function is defined at libresolv, and as configure hadn't yet checked the library, the function wasn't found. About the program itself, you hardcoded tlds and whitelists inside your program. So, if these lists change, your program shall be recompiled. IMHO, it's better to put them in some place (/usr/local/share/...). The other comment regards the programming language. I program most things I need in C, and I digged into your source - it's well coded. But, IMHO, this is a kind of program easier to do in perl, mainly in the way you want to handle input parameters and print results. And... it's a nice tool - thanks. Jose-Marcio -- --------------------------------------------------------------- Jose Marcio MARTINS DA CRUZ Tel. :(33) 01.40.51.93.41 Ecole des Mines de Paris http://j-chkmail.ensmp.fr 60, bd Saint Michel http://www.ensmp.fr/~martins 75272 - PARIS CEDEX 06 mailto:Jose-Marcio.Martins@ensmp.fr

2 2

Logo competition
by Jeff Chan 18 Aug '06

18 Aug '06

Do we have any artists here, or access to artists who would like to try to design a logo for the SURBL project? Jeff C. -- Don't harm innocent bystanders.

2 5

Java SURBL client
by Jörg Zieren 16 Aug '06

16 Aug '06

Dear all, this may be of interest to some: The current version of Camel's Eye, a GPL'd client-side Java POP3/SMTP proxy, has support for SURBL (and others). More info is available on http://zieren.de/ce -Jörg -- Jörg Zieren http://www.zieren.de +49 170 7516134 For a list of common abbreviations, see http://www.zieren.de/abk.html Please do not communicate my address to *any* website/service/company

1 0

Program comments: surblhost
by Christian Stigen Larsen 16 Aug '06

16 Aug '06

Hi, I've made a simple C commandline program to query multi.surbl.org I'd be very happy to receive comments. The program is available from http://surblhost.sourceforge.net (source only). Thanks! -- Christian Stigen Larsen, http://csl.sublevel3.org

2 3

Re: Spam in progress bit ...
by opencomputing＠gmail.com 11 Aug '06

11 Aug '06

>>The idea was that data mining in surbl logs (or other RBL / URI services >>by a large number of servers) might enhance accuracy by allowing >>accurate realtime detection of spams in progress. I might be wrong, or >>maybe it's not surbl's role to do such analysis. >> >> > >We allready do.... > > Does that mean that you use this query patterns for a particular URI to delist it, if it is never queried too often from geographically diverse IPs? Or something similar? Also, do you use the site/URI related info like its contents, how often the SSL gets changed, info like whether the site SSL pretends to be for paypal.com while signed by some russian authority or korean one etc? I assume at least the PH list uses this criteria. Using this technique for other lists also could help to find whether the URI is spammy. -- cheers, Skar.

1 0

Spam in progress bit ...
by Eric Montréal 10 Aug '06

10 Aug '06

Just an idea, I don't know if this have ever been discussed. In the course of operating the surbl lists the realtime amount of requests for each listed domain (and each not listed domain as well) and the IP of servers using surbl to do the tests is known. I don't have the data, but I suppose a spam run in progress should be easy to identify by the high number of requests for the spamvertized domain in a short period of time coming from a large number of geographically diverse mail servers. Using that data, it should be possible to add an activity bit triggered when activity for the queried domain crosses a predefined threshold (the exact recipe would need extensive tweaking). If such an activity bit is present, it should be possible to slightly lower the score for the other tests, using it as a 'score booster'. That way, the effect of a false positive, or a site generating so few tests they don't constitute a 'real' spam run would be lower, but detection score for an actively spamvertized site would increase. also, since most legitimate mailing lists are to recipients in close geographic proximity, the geographic diversity of such lists should be very different when compared to a typical spam run. Such location pattern analysis could also be used (internally) as a warning for possible false positives. One step further, a 'spammy' query pattern on an unlisted domain might signal it should be investigated/listed. Does it make sense ?

6 7

Re: Spam in progress bit ...
by opencomputing＠gmail.com 10 Aug '06

10 Aug '06

>When was the last time Microsoft got listed in surbl ? > >Smaller lists might end up being sent from a false positive domain and >the idea is that surbl test pattern >(queries/minutes, burst/continuous, historical comparisons, geolocation >and perhaps other metrics) should >allow to differentiate between such a list and a spam run. > > Spammers could add some fake URIs like yahoo.com, gmail.com, microsoft.com to their spam runs so that their mails get a hammy score(if surbl gives a negative score using some whitelisted URIs). Also, spammers could use a badly configured good intentioned mailing list like sourceforge.net or through services like yahoo.com, gmail.com etc could reduce the accuracy. Having a grey +ve score for URIs queried from MTAs with patterns matching a spam run is a nice idea though. -- Skar.

4 3

TLD "fakeouts" - in, at, it, is, to, so
by Rob McEwen (PowerView Systems) 10 Aug '06

10 Aug '06

I've noticed more and more that whenever a fully qualified domain ends in a two letter combo that is actually an english word, this create a problem because often people will start a new sentence with one of these short words and forget to put a space after the last period and before the new "sentence.Like" this! (is that example, if "like" were a TLD, then "sentence.Like" might get picked up by a spam filter for SURBL checking. The problem here is that MANY domains, for example, that end in ".to" are listed in SURBL. I don't want my solution to be merely to only check domains within e-mails which start with "http://" because this would miss many spams. But the only solution I can think of at the moment is ignore any potential domains within the message that end in these particular TLDs unless the "http://" is really there. Any suggestions? Rob McEwen PowerView Systems rob(a)PowerViewSystems.com

3 2

dns2.registerly.com listed on Spamhaus
by Joe Wein 09 Aug '06

09 Aug '06

I noticed today that the IP range for one of the default name servers for registerfly domains is now listed on SBL http://www.spamhaus.org/sbl/sbl.lasso?query=SBL45242 This includes dns2.registerfly.com but not dns1.registerfly.com. If any of you use SBL listings of name servers for making decisions whether to blacklist suspect domains, be careful not to cause false positives! In any case I hope registerfly will get the message soon and kick off the spammers who've been registering masses of domains through them which are spammed via botnets. Joe Wein -- joewein.de LLC 6-30 Sumiyoshidai, Aoba-ku, Yokohama, 227-0035, Japan E-Mail: joewein(a)pobox.com WWW: http://www.joewein.net

4 3

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

Discuss August 2006