From csanterre@merchantsoverseas.com Thu Jul 8 22:21:42 2004
From: Chris Santerre
To: discuss@lists.surbl.org
Subject: [SURBL-Discuss] {Spam?} Perfect example of URL Poison
Date: Thu, 08 Jul 2004 16:21:45 -0400
Message-ID: <620A4FF9B83DD511B69900062939D037ABFD13@internal.merchantsoverseas.com>

I just wanted to share this example submitted today. (Thanks Dave!)

Can you tell which domains to report? :)

This is why scraping urls with scripts is no good.

**********************************************
Up to 80% Savings on Xanax, Valium, Phentermine, Viagra HERE



For email removal, go here.

**********************************************

Wasn't that fun! :) Took a human eye about 20 seconds to find the 2 that mattered.

Chris Santerre
System Admin and SARE Ninja
http://www.rulesemporium.com
http://www.surbl.org
'It is not the strongest of the species that survives,
not the most intelligent, but the one most responsive to change.'
Charles Darwin

From schampeo@hesketh.com Thu Jul 8 22:30:18 2004
From: Steven Champeon
To: discuss@lists.surbl.org
Subject: {Spam?} Re: [SURBL-Discuss] {Spam?} Perfect example of URL Poison
Date: Thu, 08 Jul 2004 16:29:34 -0400
Message-ID: <20040708202934.GH27275@hesketh.com>
In-Reply-To: <620A4FF9B83DD511B69900062939D037ABFD13@internal.merchantsoverseas.com>

on Thu, Jul 08, 2004 at 04:21:45PM -0400, Chris Santerre wrote:
> I just wanted to share this example submitted today. (Thanks Dave!)
>
> Can you tell which domains to report? :)

Yeah, the ones with a '/' after the hostname. :)

> This is why scraping urls with scripts is no good.

Or not. :)

> **********************************************
>
> Up to 80 href="http://www.hettie.org">% Savings on X href="http://www.brown.org" > >anax, Va href="http://www.triptych.org">lium, P href="http://www.anonymity.org">hentermine, V href="http://www.bind.org">iagra > HERE > >



> >

size=1>For > email re href="http://www.aviate.org">mov href="http://www.accede.org">a href="http://www.servitor.org">l, g href="http://www.beet.org">o href="http://opoloves.com/er/e.asp">here.

>
> **********************************************
>
> Wasn't that fun! :) Took a human eye about 20 seconds to find the 2 that
> mattered.
>
> Chris Santerre
> System Admin and SARE Ninja
> http://www.rulesemporium.com
> http://www.surbl.org
> 'It is not the strongest of the species that survives,
> not the most intelligent, but the one most responsive to change.'
> Charles Darwin
> _______________________________________________
> Discuss mailing list
> Discuss(a)lists.surbl.org
> http://lists.surbl.org/mailman/listinfo/discuss

--
hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2554 w: http://hesketh.com
Buy "Cascading Style Sheets: Separating Content from Presentation, 2/e" today!
http://www.amazon.com/exec/obidos/ASIN/159059231X/heskecominc-20/ref=nosim/

From el.baby@gmail.com Thu Jul 8 22:31:55 2004
From: Mariano Absatz
To: discuss@lists.surbl.org
Subject: {Spam?} Re: [SURBL-Discuss] {Spam?} Perfect example of URL Poison
Date: Thu, 08 Jul 2004 17:31:45 -0300
Message-ID: <3d8676e04070813313ee95d3e@mail.gmail.com>
In-Reply-To: <620A4FF9B83DD511B69900062939D037ABFD13@internal.merchantsoverseas.com>

I always 'LOOK' at the actually displayed message within my mailer and THEN analyze the source... but looking at this, I'd tend to report opoloves.com and netuetion.com (supposing the faxd.gif has something visible in it).

Please, people... by far the BEST thing about SURBL is its really, really, really low FP rate so you can be very comfortable scoring it high. I have them scored at 3.5 (except for 6dos) in a VERY conservative ISP and it's doing wonderfully.

I can't offer right now 'cause I have no time at all, but I'd very much like that the SURBL lists keep being managed manually.

It'd be great if we could, at some point, form a small group of volunteers with VERY good skills at spotting guilty URIs within spam and keep the lists much like clamav maintains its virus database...

On Thu, 8 Jul 2004 16:21:45 -0400 , Chris Santerre wrote:
> I just wanted to share this example submitted today. (Thanks Dave!)
>
> Can you tell which domains to report? :)
>
> This is why scraping urls with scripts is no good.
>
> **********************************************
>
> Up to 80 href="http://www.hettie.org">% Savings on X href="http://www.brown.org" > >anax, Va href="http://www.triptych.org">lium, P href="http://www.anonymity.org">hentermine, V href="http://www.bind.org">iagra > HERE > >



> >

size=1>For > email re href="http://www.aviate.org">mov href="http://www.accede.org">a href="http://www.servitor.org">l, g href="http://www.beet.org">o href="http://opoloves.com/er/e.asp">here.

>
> **********************************************
>
> Wasn't that fun! :) Took a human eye about 20 seconds to find the 2 that
> mattered.
>

--
Mariano Absatz - El Baby
el (dot) baby (AT) gmail (dot) com
el (punto) baby (ARROBA:@) gmail (punto) com

From bipsen-sender-6b92e3@andebakken.dk Sat Jul 10 11:19:53 2004
From: Brian Ipsen
To: discuss@lists.surbl.org
Subject: [SURBL-Discuss] {Spam?} RE: Perfect example of URL Poison
Date: Sat, 10 Jul 2004 11:19:10 +0200
Message-ID:
In-Reply-To: <620A4FF9B83DD511B69900062939D037ABFD13@internal.merchantsoverseas.com>

Hi,

Well - to make things easy, I guess it's just a matter of checking whether any text is present from the to the ... So won't trigger anything - but Some text will....

Just my 5 cents of input ;-)

/Brian

> I just wanted to share this example submitted today. (Thanks Dave!)
>
> Can you tell which domains to report? :)
>
> This is why scraping urls with scripts is no good.
>
> **********************************************
>
> Up to 80 href="http://www.hettie.org">% Savings on X href="http://www.brown.org" > >anax, Va href="http://www.triptych.org">lium, P href="http://www.anonymity.org">hentermine, V href="http://www.bind.org">iagra > HERE > >



> >

size=1>For > email re href="http://www.aviate.org">mov href="http://www.accede.org">a href="http://www.servitor.org">l, g href="http://www.beet.org">o href="http://opoloves.com/er/e.asp">here.

>
> **********************************************
>
> Wasn't that fun! :) Took a human eye about 20 seconds to find the 2 that
> mattered.
>
> Chris Santerre
> System Admin and SARE Ninja
> http://www.rulesemporium.com
> http://www.surbl.org
> 'It is not the strongest of the species that survives,
> not the most intelligent, but the one most responsive to change.'
> Charles Darwin
>

From jose-marcio.martins@ensmp.fr Sat Jul 10 13:58:31 2004
From: "Jose-Marcio.Martins@ensmp.fr"
To: discuss@lists.surbl.org
Subject: Re: [SURBL-Discuss] {Spam?} RE: Perfect example of URL Poison
Date: Sat, 10 Jul 2004 13:54:12 +0200
Message-ID: <40EFD8E4.9050503@ensmp.fr>
In-Reply-To:

Brian Ipsen wrote:

>Hi,
>
> Well - to make things easy, I guess it's just a matter of checking whether
>any text is present from the to the ... So HREF="http://domain.org/"> won't
>trigger anything - but HREF="http://domain.org/">Some text will....
>

shall not trigger shall not trigger , maybe shall not trigger - shall check !!!

It seems to me very difficult to handle URL BLs without any manual handling. What you can do is to have some scripts to extract URLs and do many checks in order to present them in an easy way to handle it manually.

This kind of example is presented this way by my scripts.

# 461 1 7 0.292 4.167 14.286 : .. bangor.com
# 461 1 7 0.292 4.167 14.286 : .. hankel.com
# 461 18 7 5.250 75.000 257.143 : BL mainstreamsoft.biz
# 461 1 7 0.292 4.167 14.286 : .. marmalade.com
# 461 1 7 0.292 4.167 14.286 : .. monolith.com
# 461 1 7 0.292 4.167 14.286 : .. sao.com
# 461 1 7 0.292 4.167 14.286 : .. shiplap.com

This is a short example - only seven URLs. Usually when the number of URLs is greater, you have two or three URLs to blacklist.

>Just my 5 cents of input ;-)
>

Also my 0.5 cents... 8-)

Joe

>/Brian
>

--
---------------------------------------------------------------
Jose Marcio MARTINS DA CRUZ    Tel. :(33) 01.40.51.93.41
Ecole des Mines de Paris       http://j-chkmail.ensmp.fr
60, bd Saint Michel            http://www.ensmp.fr/~martins
75272 - PARIS CEDEX 06         mailto:Jose-Marcio.Martins(a)ensmp.fr

From jeffc@surbl.org Thu Jul 15 08:11:29 2004
From: Jeff Chan
To: discuss@lists.surbl.org
Subject: Re: [SURBL-Discuss] {Spam?} RE: Perfect example of URL Poison
Date: Wed, 14 Jul 2004 23:11:04 -0700
Message-ID: <1944011495.20040714231104@supranet.net>
In-Reply-To:

On Saturday, July 10, 2004, 2:19:10 AM, Brian Ipsen wrote:
> Well - to make things easy, I guess it's just a matter of checking whether
> any text is present from the to the ... So HREF="http://domain.org/"> won't
> trigger anything - but HREF="http://domain.org/">Some text will....

> Just my 5 cents of input ;-)

I believe is what SpamAssassin and SpamCop correctly ignore empty anchors. If not they should. Can't recall what Eric's SpamCopURI does, but ignoring unclickable URIs is probably a good way to defeat the kind of URI poisoning originally mentioned, and likely should generally be used by message parsers.

Jeff C.
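
The empty-anchor check discussed in this thread, sketched as an added example that is not part of any poster's message and is not SpamAssassin, SpamCop or SpamCopURI code. The class and function names, the `.example` hosts, and the choice to count a linked image as clickable are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class ClickableLinkParser(HTMLParser):
    """Sort href hosts by whether the anchor encloses anything a reader can click."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.clickable, self.empty = [], []
        self._href = None          # href of the currently open <a>, if any
        self._has_content = False  # visible text or an image seen inside it

    def _close_anchor(self):
        host = urlsplit(self._href).hostname if self._href else None
        if host:
            (self.clickable if self._has_content else self.empty).append(host)
        self._href, self._has_content = None, False

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._close_anchor()   # anchors do not nest: a new <a> ends an unclosed one
            self._href = dict(attrs).get("href")
        elif tag == "img" and self._href:
            self._has_content = True  # assumption: a linked image counts as clickable

    def handle_endtag(self, tag):
        if tag == "a":
            self._close_anchor()

    def handle_data(self, data):
        # str.strip() also drops the non-breaking space that &nbsp; decodes to
        if self._href and data.strip():
            self._has_content = True

def classify_links(html):
    """Return (clickable_hosts, empty_anchor_hosts), de-duplicated, in page order."""
    parser = ClickableLinkParser()
    parser.feed(html)
    parser.close()
    parser._close_anchor()         # flush an anchor left open at end of input
    return list(dict.fromkeys(parser.clickable)), list(dict.fromkeys(parser.empty))

# Constructed sample modelled on the poisoned message in the thread (.example hosts).
SAMPLE = (
    '<p>Up to 80<a href="http://www.poison-one.example"></a>% Savings on X'
    '<a href="http://www.poison-two.example"> </a>anax '
    '<a href="http://pills.example/buy/">HERE</a></p>'
    '<a href="http://pills.example/"><img src="http://pills.example/offer.gif"></a>'
    '<font size=1>For email re<a href="http://www.poison-three.example">&nbsp;</a>'
    'moval, go <a href="http://remove.example/er/e.asp">here</a>.</font>'
)

if __name__ == "__main__":
    print(classify_links(SAMPLE))
```

The check only filters out anchors with nothing to click; the hosts it keeps are candidates for the manual review the posters argue for, not automatic listings.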