Judging by recent spamassassin-users mailing list messages, Verizon is
hijacking DNS responses that seem to be invalid and replacing them
with their own responses (in order to drive traffic to their search
sites). Naturally this breaks SURBL lookups. If you are using
Verizon's nameservers and are getting false positives, you may want to
check into this.
Here's one reference:
http://www.freedom-to-tinker.com/?p=1227
Jeff C.
Does anyone have any comments on adding the malware domains at:
http://www.malwaredomains.com/
to the SURBL phishing list, with significant filtering to exclude
possible false positives? The actual list would be the third field
of:
http://www.malwaredomains.com/files/domains.txt
The data includes malware and phishing sites.
Cheers,
Jeff C.
Question for admins
Is it ok if I run a list of 45k IPs I am researching against the SURBL list please? I didn't want to do it without permission in case you suddenly thought I have become a MUCH larger company!!
Many thanks
Phil
_____________________________________________
Website Hosting from only £5.00 per month.
www.medwayhosting.com - +44 (0)1634 856965
_____________________________________________
Digital & Traditional Printing, and much more
www.medwayprint.com - +44 (0)1634 281199
_____________________________________________
As we know, the storm malware is responsible for a large number of compromised
computers in botnets, for DDOS, for e-card, PDF, and stock spams, etc. A large
number of storm e-card-advertised URI IP addresses are available from the XS
data source but are not currently being listed on XS. (Those IPs, of course
are all or mostly bot-hosted web sites with malware loaders to further spread
storm by compromising more computers and growing the botnets by infecting
anyone who visits the sites.)
Shall we:
1. Blacklist those on XS
2. Add XS into multi.surbl.org as the 128th bit
In principle #1 and #2 could be separate issues, but to get maximum benefit if
#1 is done then #2 should probably be done also.
XS will likely have much other data added to it in future, including
non-storm domain names and other URI hosts. This would only be a first step.
It's also worth noting that we don't intend XS to be a malware list; we're
still focussed on unsolicited messages and that is the aspect that arguably
makes the storm IPs appropriate for inclusion: their appearance in huge amounts
of bot-sent unsolicited messages. It just happens that the messages are
primarily meant to propagate storm, but they're still unsolicited, bulk, etc.
Also, regarding storm URI IPs, some are currently being added to SC and WS.
Some are probably going onto JP and PH also. But the XS collection would
probably be more comprehensive than the others for now.
Comments?
Jeff C.
http://lists.surbl.org/ seems to be down for me, can anyone else reach it?
--
Kindest regards
Paul Freeman,
NOC4 Limited
How can I tell when a specific URL was entered into SURBL? Is there an
RSS news feed or DNS text record or something that tells this?
My scenario: my tech-savvy user gets an email advertising spammer.com
and says "I did 'host spammer.com.multi.surbl.org' and SURBL's
blocking this domain-- why did it get through?".
I want to answer (accurately) "spammer.com is in SURBL *now*, but it
wasn't when you received the mail-- spammer.com was entered into SURBL
at xxxx, while the email you forwarded came in earlier, at yyy".
Any way to do this? We seem to get a lot of spam that slips by SURBL,
but shows up in multi.surbl.org shortly thereafter (I realize that
someone has to receive the spam before a URL can be added to SURBL...)
Another interesting use would be figuring out how long to quarantine
possible spam-- in most cases, holding suspicious emails for just 12
hours would vastly reduce the amount of spam we get.
--
We're just a Bunch Of Regular Guys, a collective group that's trying
to understand and assimilate technology. We feel that resistance to
new ideas and technology is unwise and ultimately futile.
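SURBL publishes no feed or TXT record saying when a domain was added, so the only way to answer the question above accurately is to record it yourself: re-scan each held message's URI domains on a schedule, note the first time each domain comes back listed, and compare that with the message's receipt time. The example below is added here and is not code from the SURBL project or from the poster; it does only the bookkeeping and release decision, and takes the set of domains that came back listed on each scan from the caller (a real deployment would do the DNS query there). The 12-hour hold, the receipt time and the listing times are constructed for the example, following the figure the poster suggests.

```python
"""Added example (not SURBL's or the poster's code): first-seen tracking for
URI domains in quarantined mail, so "was it listed when the mail arrived?"
can be answered from local records. Timeline values are constructed."""
from datetime import datetime, timedelta, timezone

QUARANTINE_HOURS = 12                                          # hold period the poster suggests
RECEIVED = datetime(2007, 4, 28, 9, 0, tzinfo=timezone.utc)    # constructed receipt time


class FirstSeenTracker:
    """Bookkeeping only: the caller performs the SURBL lookup and passes in the
    set of domains that came back listed on this scan."""

    def __init__(self):
        self.first_seen = {}          # domain -> first time (UTC) it was seen listed

    def rescan(self, domains, listed_now, now):
        """Record the first time each of `domains` is seen listed; return those listed so far."""
        for d in domains:
            if d in listed_now:
                self.first_seen.setdefault(d, now)
        return sorted(d for d in domains if d in self.first_seen)

    def explain(self, domain, received):
        """('never' | 'before' | 'after', first_seen - received) for one domain/message pair.
        'before' means it was already listed when the mail arrived, which points at a
        local resolver or cache problem rather than at SURBL lag."""
        seen = self.first_seen.get(domain)
        if seen is None:
            return "never", None
        delta = seen - received
        return ("before" if delta <= timedelta(0) else "after"), delta

    def can_release(self, domains, received, now):
        """Release a held message only after the full hold with nothing ever listed."""
        if any(d in self.first_seen for d in domains):
            return False
        return now - received >= timedelta(hours=QUARANTINE_HOURS)


def run_scenario(domains, listed_from, received=RECEIVED, step=timedelta(hours=1)):
    """Re-scan a held message every `step` until it is released or the hold expires.

    `listed_from` maps domain -> the (simulated) moment SURBL started listing it.
    A real deployment replaces the set comprehension with live SURBL lookups.
    """
    tracker = FirstSeenTracker()
    released_at = None
    now = received
    while now <= received + timedelta(hours=QUARANTINE_HOURS):
        listed_now = {d for d in domains if d in listed_from and listed_from[d] <= now}
        tracker.rescan(domains, listed_now, now)
        if tracker.can_release(domains, received, now):
            released_at = now
            break
        now += step
    return {
        "released_at": released_at,
        "first_seen": dict(tracker.first_seen),
        "explanations": {d: tracker.explain(d, received) for d in domains},
    }


if __name__ == "__main__":
    # Constructed case: spammer.example gets listed three hours after the mail arrived.
    result = run_scenario(["spammer.example", "legit.example"],
                          {"spammer.example": RECEIVED + timedelta(hours=3)})
    for domain, (status, delta) in result["explanations"].items():
        print(domain, status, delta)
    print("released:", result["released_at"])
```

With a one-hour re-scan interval the record is only accurate to the hour; shorten the step if you need a tighter answer, and keep the scan log, because the "before" case (listed before the mail arrived) is the one that indicates your own resolver or cache missed a listing that SURBL already had.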
Hello!
I got (false?) positive answers to all IP addresses resolved by the multi.surbl.com.
The returned address is 72.52.9.9.
Is there any known problem with the service?
# host 4.3.2.1.multi.surbl.com
4.3.2.1.multi.surbl.com has address 72.52.9.9
# rblcheck -t -s multi.surbl.com 1.2.3.4
checking 1.2.3.4
1.2.3.4 RBL filtered by multi.surbl.com
Yours sincerely,
Zoltan Hajdu
System Administrator
Jasmin Media Group Ltd.
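Three messages on this page turn on the same point: a SURBL answer is only a listing if it is a 127.0.0.x address whose low byte is the OR of the list bits, and anything else (the Verizon search-site substitution at the top of the page, or a wildcard answer like the one reported just above) is a resolver problem, not a hit. Note also that the lookups just above go to multi.surbl.com, while the zone given elsewhere on this page is multi.surbl.org. The code below is added here and is not from the SURBL project or any poster; it builds the query name (reversing IPs octet-wise as in the "host 4.3.2.1..." example), decodes a multi.surbl.org answer into list names, and runs a control query first so that a resolver answering every name is caught. The bit values (SC=2, WS=4, PH=8, OB=16, AB=32, JP=64) are assumed from the SURBL multi scheme of the time; 128=XS is the proposal under discussion, not a confirmed assignment; the resolvers and their answers are constructed so the example runs offline.

```python
"""Added example, not code from the SURBL project or from any poster here.
Builds SURBL query names, decodes multi.surbl.org answers and rejects
answers that cannot be genuine listings. Bit map and resolvers assumed."""
import ipaddress
import re

ZONE = "multi.surbl.org"
LOOPBACK = ipaddress.IPv4Network("127.0.0.0/8")
# Assumed bit values; 128 = XS is only the proposal in this thread.
MULTI_BITS = {2: "SC", 4: "WS", 8: "PH", 16: "OB", 32: "AB", 64: "JP", 128: "XS"}
# Constructed control label: it can never be listed, so any answer for it means
# the resolver answers every name (NXDOMAIN rewriting or a wildcard), not a hit.
CONTROL_LABEL = "this-label-should-never-be-listed"


def surbl_query_name(target, zone=ZONE):
    """DNS name to query for a URI host: IPs reversed octet-wise
    (1.2.3.4 -> 4.3.2.1.<zone>), domains lower-cased without trailing dot.
    Pass the registered domain (example.com, example.co.uk), not a full hostname."""
    target = target.strip().rstrip(".").lower()
    try:
        octets = str(ipaddress.IPv4Address(target)).split(".")
        return ".".join(reversed(octets)) + "." + zone
    except ipaddress.AddressValueError:
        if not re.fullmatch(r"[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?", target):
            raise ValueError(f"not a usable host name: {target!r}")
        return f"{target}.{zone}"


def decode_multi(answer):
    """Turn one A record from multi.surbl.org into the lists it encodes.
    Real listings are 127.0.0.X with X = OR of list bits; anything outside
    127/8 is reported as bogus and contributes no lists."""
    ip = ipaddress.IPv4Address(answer)
    if ip not in LOOPBACK:
        return {"lists": [], "unknown_bits": 0, "bogus": str(ip)}
    mask = int(ip) & 0xFF
    return {
        "lists": [name for bit, name in MULTI_BITS.items() if mask & bit],
        "unknown_bits": mask & ~sum(MULTI_BITS),
        "bogus": None,
    }


def check(target, resolve, zone=ZONE):
    """resolve(name) -> list of A-record strings ([] for NXDOMAIN).
    Runs the control query first; an answered control query or a non-127/8
    answer means the result must not be used as a SURBL verdict."""
    control = resolve(f"{CONTROL_LABEL}.{zone}")
    if control:
        return {"target": target, "trusted": False, "listed": False, "lists": [],
                "reason": f"control name answered with {control}; resolver rewrites or wildcards"}
    lists, bogus = set(), []
    for a in resolve(surbl_query_name(target, zone)):
        decoded = decode_multi(a)
        lists.update(decoded["lists"])
        if decoded["bogus"]:
            bogus.append(decoded["bogus"])
    if bogus:
        return {"target": target, "trusted": False, "listed": False, "lists": [],
                "reason": f"non-127/8 answer {bogus}; not a SURBL listing"}
    return {"target": target, "trusted": True, "listed": bool(lists),
            "lists": sorted(lists), "reason": None}


# Constructed resolvers and answers for the example (not real SURBL data).
HONEST_ANSWERS = {
    "spammer.example.multi.surbl.org": ["127.0.0.6"],     # SC + WS
    "4.3.2.1.multi.surbl.org": ["127.0.0.130"],          # SC + proposed XS bit
}


def honest_resolver(name):
    return HONEST_ANSWERS.get(name, [])


def hijacking_resolver(name):
    # Returns a search-site address (documentation range, constructed) instead
    # of NXDOMAIN for every unknown name, as reported for Verizon above.
    return HONEST_ANSWERS.get(name, ["198.51.100.1"])


if __name__ == "__main__":
    for target in ("spammer.example", "1.2.3.4", "clean.example"):
        print(check(target, honest_resolver))
    print(check("clean.example", hijacking_resolver))
```

If the control query ever comes back with an answer, stop trusting that resolver for SURBL entirely rather than just skipping the one lookup: the same rewriting turns every unlisted domain into an apparent hit, which is exactly the flood of false positives the Verizon report describes.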
Phil,
I removed it from SURBL. (it may take a few minutes to propagate)
BTW - in the future, please send any such requests to "whitelist <AT> surbl.org"
Thanks for your help!
Rob McEwen
PowerView Systems
rob(a)PowerViewSystems.com
-----Original message-----
From: "Phil \(Medway Hosting\)" phil(a)medwayhosting.com
Date: Sat, 28 Apr 2007 08:31:00 -0400
To: "SURBL Discussion" discuss(a)lists.surbl.org
Subject: [SURBL-Discuss] webfusion.co.uk
Hi there
I was just wondering about the listing of webfusion.co.uk on SC and OB.
webfusion.co.uk are a rather large hosting company and their domain name appears on most emails sent out by 123-reg.co.uk who are one of the largest UK domain registrars. This listing is causing domain renewal notices etc to be rejected. I have now whitelisted them locally, but I was wondering if they really ARE spamming or is this an FP?
Many thanks
Phil