From johnml@michaweb.net Tue Apr 13 11:08:09 2004
From: John Fawcett
To: discuss@lists.surbl.org
Subject: [SURBL-Discuss] Redirects and obfuscated urls
Date: Tue, 13 Apr 2004 11:07:58 +0200
Message-ID: <005601c42136$d3a31f10$2001a8c0@michaweb.net>

I saw a post on NANAE over the weekend about surbl and it looks like one of the best ideas I've seen. Almost every spam mail I get contains a spamvertized domain, so with good data this method has the potential to block nearly 100% of spam. Spamvertized domains are an essential resource for spammers and are usually longer lived than the abused servers used to send out spam runs.

I've set up SpamAssassin and SpamCopURI. I've checked the emails which are not being picked up by surbl and there is a recurring pattern:

1) Redirects
2) Obfuscated urls

For example, this was not picked up.

href=http://drs.yahoo.com/higherillomened./mensuraltalk/*%68ttp://enginery.shopinternetbuy.biz/%75n%73ub.html target=_blank>

shopinternetbuy.biz is in sc.surbl.org.

The logic of the parsing engine needs to be enhanced to deal with these cases. This is probably only the start, because spammers will find other ways to get around surbl once it starts being used widely.

I'd offer to look at it, but I wouldn't know where to start with perl.

John

From jeffc@surbl.org Tue Apr 13 11:36:12 2004
From: Jeff Chan
To: discuss@lists.surbl.org
Subject: Re: [SURBL-Discuss] Redirects and obfuscated urls
Date: Tue, 13 Apr 2004 02:36:09 -0700
Message-ID: <334491369.20040413023609@supranet.net>
In-Reply-To: <005601c42136$d3a31f10$2001a8c0@michaweb.net>

On Tuesday, April 13, 2004, 2:07:58 AM, John Fawcett wrote:
> I saw a post on NANAE over the weekend about surbl
> and it looks like one of the best ideas I've seen.

:blush: Thanks, as I recently mentioned off list we can hope it's one of those ideas that's obvious afterwards. Actually many people wanted to do something like this. It's been a thrill to actually do it and see it work pretty well so far. The support from everyone has been fantastic too.

> Almost every spam mail I get contains a spamvertized
> domain, so with good data this method has the potential to
> block nearly 100% of spam.
> Spamvertized domains are an essential resource for
> spammers and are usually longer lived than the
> abused servers used to send out spam runs.

Indeed. sc.surbl.org hit rates are running about 60%. We hope to increase that significantly in the next version of the data engine. The general strategy is mentioned in the thread:

http://lists.surbl.org/pipermail/discuss/2004-April/000002.html

> I've set up SpamAssassin and SpamCopURI.
> I've checked the emails which are not being picked
> up by surbl and there is a recurring pattern:
> 1) Redirects
> 2) Obfuscated urls
> For example, this was not picked up.
> href=http://drs.yahoo.com/higherillomened./mensuraltalk/*%68ttp://enginery.s
> hopinternetbuy.biz/%75n%73ub.html target=_blank>
> shopinternetbuy.biz is in sc.surbl.org.
> The logic of the parsing engine needs to be
> enhanced to deal with these cases. This is
> probably only the start, because spammers
> will find other ways to get around surbl
> once it starts being used widely.

Yes, we had been making similar noises on the spamassassin-developers list and we have opened a bugzilla about a redirect handling feature for SpamAssassin 3.0 URIBL at:

http://bugzilla.spamassassin.org/show_bug.cgi?id=3261

Jeff C.

From johnml@michaweb.net Tue Apr 13 12:11:56 2004
From: John Fawcett
To: discuss@lists.surbl.org
Subject: Re: [SURBL-Discuss] Redirects and obfuscated urls
Date: Tue, 13 Apr 2004 12:11:41 +0200
Message-ID: <00b701c4213f$bd9e7030$2001a8c0@michaweb.net>
In-Reply-To: <334491369.20040413023609@supranet.net>

> From: Jeff Chan
> Yes, we had been making similar noises on the
> spamassassin-developers list and we have opened a bugzilla about
> a redirect handling feature for SpamAssassin 3.0 URIBL at:
>
> http://bugzilla.spamassassin.org/show_bug.cgi?id=3261
>
> Jeff C.

I added a note about the obfuscated urls that begin with %68ttp instead of http.

John

From jeffc@surbl.org Tue Apr 13 12:23:09 2004
From: Jeff Chan
To: discuss@lists.surbl.org
Subject: Re: [SURBL-Discuss] Redirects and obfuscated urls
Date: Tue, 13 Apr 2004 03:23:00 -0700
Message-ID: <1149936126.20040413032300@supranet.net>
In-Reply-To: <00b701c4213f$bd9e7030$2001a8c0@michaweb.net>

On Tuesday, April 13, 2004, 3:11:41 AM, John Fawcett wrote:
>> From: Jeff Chan
>> Yes, we had been making similar noises on the
>> spamassassin-developers list and we have opened a bugzilla about
>> a redirect handling feature for SpamAssassin 3.0 URIBL at:
>>
>> http://bugzilla.spamassassin.org/show_bug.cgi?id=3261
>>
>> Jeff C.
> I added a note about the obfuscated urls that
> begin with %68ttp instead of http.

And I added a somewhat confused follow up ;-) that some browsers assume http as a protocol and .com as a tld if unspecified in a URI context.

Jeff C.
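The three evasions discussed in this thread (a percent-encoded scheme such as %68ttp, a spamvertised URL hidden behind a redirector's path, and a bare hostname that a browser will quietly prefix with http://) all defeat a parser that only looks for a literal "http://" and takes the first hostname. The block below is an added example written for this archive, not code from SURBL, SpamCopURI or SpamAssassin, and in Python rather than the Perl those tools use. It percent-decodes before scanning, scans for URLs that start inside other URLs, reduces every hostname to the base domain SURBL lists, and then checks each base domain the way a SURBL lookup does, by forming "<domain>.sc.surbl.org". The sample href is constructed after the one quoted above; the listed-zone set, the two-label suffix list and the TLD list are stand-ins for a live DNS zone and real public-suffix data and are assumptions of this example.

```python
"""Added example (not SURBL, SpamCopURI or SpamAssassin code): extract
spamvertised base domains from message URIs even when the scheme is
percent-encoded (%68ttp) or the real target sits behind a redirector,
then check them the way a SURBL lookup would."""
import re
from urllib.parse import unquote, urlsplit

# Constructed sample href, modelled on the one quoted in the thread.
SAMPLE_HREF = ("http://drs.yahoo.com/higherillomened./mensuraltalk/"
               "*%68ttp://enginery.shopinternetbuy.biz/%75n%73ub.html")

# Constructed stand-in for the sc.surbl.org zone.  A live check resolves
# "<domain>.sc.surbl.org" with a DNS A query and treats any answer as a hit.
LISTED_ZONE = {"shopinternetbuy.biz.sc.surbl.org"}

# Assumptions: a small set of two-label public suffixes for base-domain
# reduction, and a small TLD list used only to accept scheme-less hostnames.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp", "com.br"}
KNOWN_TLDS = {"com", "net", "org", "biz", "info", "us", "uk", "au", "jp", "br", "de"}

# Zero-width lookahead so a URL embedded in another URL's path is found too.
WITH_SCHEME = re.compile(r"(?i)(?=((?:https?|ftp)://[^\s\"'<>]+))")
# Bare hostnames: browsers supply http:// themselves.  The lookbehind skips
# the local part of e-mail addresses and the tail of an already-seen host.
BARE_HOST = re.compile(r"(?i)(?<![\w.@-])((?:[a-z0-9-]+\.)+([a-z]{2,6}))\b")


def normalise(uri: str) -> str:
    """Percent-decode until stable, so %68ttp -> http and %2568ttp -> http."""
    prev = None
    while prev != uri:
        prev, uri = uri, unquote(uri)
    return uri


def registrable_domain(host: str) -> str:
    """Reduce a hostname to the base domain SURBL lists: two labels, or
    three when the last two form a known two-label suffix."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def extract_domains(text: str) -> set:
    """Every base domain referenced in text, including redirect targets."""
    text = normalise(text)
    found = set()
    for m in WITH_SCHEME.finditer(text):
        try:
            host = urlsplit(m.group(1)).hostname
        except ValueError:  # e.g. a malformed IPv6 literal in the netloc
            host = None
        if host and "." in host:
            found.add(registrable_domain(host))
    for m in BARE_HOST.finditer(text):
        if m.group(2).lower() in KNOWN_TLDS:
            found.add(registrable_domain(m.group(1)))
    return found


def surbl_query_name(domain: str, zone: str = "sc.surbl.org") -> str:
    """The name a SURBL client resolves for this base domain."""
    return f"{domain}.{zone}"


def listed_domains(text: str, zone_data=LISTED_ZONE) -> set:
    """Base domains in text whose query name is present in the zone data.
    Replace the set membership test with a DNS A lookup for a live check."""
    return {d for d in extract_domains(text)
            if surbl_query_name(d) in zone_data}


if __name__ == "__main__":
    print(extract_domains(SAMPLE_HREF))  # {'yahoo.com', 'shopinternetbuy.biz'}
    print(listed_domains(SAMPLE_HREF))   # {'shopinternetbuy.biz'}
```

Two caveats follow from the output. The redirector's own base domain (yahoo.com here) is extracted alongside the real target, so a list built from such extractions must never include legitimate redirector hosts, only the embedded destination; and the bare-hostname pass only supplies the scheme, not a missing ".com", since guessing a TLD for every dotless word would produce far more noise than hits.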