Discuss

discuss@lists.surbl.org

1 participants
1864 discussions

RE: [SURBL-Discuss] Spammer Anti-SURBL tactic
by Chris Santerre 08 Mar '05

08 Mar '05

>-----Original Message----- >From: Jeff Chan [mailto:jeffc@surbl.org] >Sent: Tuesday, March 08, 2005 2:22 AM >To: SURBL Discussion list >Subject: Re: [SURBL-Discuss] Spammer Anti-SURBL tactic > > >On Monday, March 7, 2005, 9:07:37 PM, Steven Champeon wrote: > >> Speaking of anti-SURBL tactics, I got this turdlet today (snippet >> of HTML email below): > >> <DIV>We are giving out Free Import / Export / Wholesales/ >Distributers / >> Retailers  Contact Database</DIV> >> <DIV> </DIV> >> <DIV>If You interested Pls get at Following URL</DIV> >> <DIV> </DIV> >> <DIV><A >onmouseover="window.status='http://www.impexp-data.com';return true;" >> onmouseout="window.status=' ';return true;" >> href="http://indigisys.com/chawla1/open.htm" target=_blank>Business = >> Database</A> </DIV> >> <DIV> </DIV> >> <DIV>Free Business / Marketing Tools ( Free SMS to All >over world Unl= >> imited ) </DIV> >> <DIV><A >> >onmouseover="window.status='http://www.impexp-data.com/sms';ret >urn true;" >> onmouseout="window.status=' ';return true;" >> href="http://indigisys.com/chawla1/open.htm" >target=_blank>FREE SMS = Tools >> </A></DIV> > >> It *looks* like whoever owns indigisys.com wants to hide the fact >> that they're actually indigisys.com by pretending to be >impexp-data.com, >> which doesn't exist. Does SURBL's lookup code catch this? > >SpamAssassin 2.64 running SpamCopURI seems to check both domains: > >debug: checking url: http://indigisys.com/chawla1/open.htm >debug: returning cached data : indigisys.com.multi.surbl.org >-> ARRAY(0x9351f4c) >debug: Receieved match prefix: 127.0.0 >debug: Receieved mask: 32 >debug: no match > >debug: checking url: http://www.impexp-data.com';return >debug: returning cached data : >impexp-data.com.multi.surbl.org -> ARRAY(0x9386f58) >debug: Receieved match prefix: 127.0.0 >debug: Receieved mask: 32 > >As does SpamAssassin 3.0.1: > >debug: URIDNSBL: query for indigisys.com took 0 seconds to >look up (multi.surbl.org.:indigisys.com) >debug: URIDNSBL: query for impexp-data.com took 0 seconds to >look up (multi.surbl.org.:impexp-data.com) > > >Those are the only SURBL applications I have easy access to, so I >don't know how others may handle them. SpamAssassin does the >right thing. :-) > Not only that, but the SARE rules look for this trick as well. Everytime they try to get around something, spammers end up painting themselves in a corner. --Chris

1 0

RFC: Updated list removal statement
by Jeff Chan 08 Mar '05

08 Mar '05

On a related note, I've updated the list removal statement on the SURBL web site to include: __ http://www.surbl.org/lists.html List Removal All of the data in SURBL lists come from external data sources. None of the SURBL lists come from data created here, so generally speaking to get a record off a list you should contact that data source as described earlier under each list. However, for the sc and ab lists you may send a removal request to whitelist at surbl dot org. Note: Before reporting false positives, please check that they are actually on SURBL lists. This can be done for example with a name resolution or by using the SURBL+ checker tool. There is an intermittent bug with SpamAssassin that appears to show FPs when none actually exist. (See SpamAssassin Bugzilla id=3997.) When sending a removal request, please include: 1. Full and complete contact information for your organization including street address and telephone numbers, 2. Information about your sending servers such as IP addresses, 3. A sample message with full, sent headers and full message body including URIs, 4. A brief description of your organization or a link to one, 5. Your organization's published mail practices, especially its published anti-spam policies, or links to them. If your organization does not publish and actually practice an anti-spam policy, it should. Please send your request from your organization's domain. Requests sent from Hotmail, Yahoo, gmail, etc. accounts may not be considered. __ How does this look to everyone? Too strict? Not strict enough? Too little info? Too much? Jeff C. -- "If it appears in hams, then don't list it."

1 0

RE: [SURBL-Discuss] Nice article on SURBL and note about weekends .....
by Chris Santerre 08 Mar '05

08 Mar '05

Wow this is even a better article! <http://etdeliverability.typepad.com/chips_deliverability_tips/2004/10/brand _names_und.html> Perhaps we should get in touch with the people of Pivotal Veracity?? Check out this paragraph: "How does this affect you? My friends at Pivotal Veracity who offer phenomenal new technology for tracking email deliveries to top ISP's recently completed a study on the topic of SURBL's and deliverability. They found that emails containing a blocked URL were blocked entirely at 5 of the 20 ISP's tested, while 7 ISP's moved the email to the bulk folder. Also, their tests showed that emails with blocked URL's were filtered to bulk or discarded at 50% of medium to larger enterprises. Pivotal Veracity's new product, eBrand Monitor (also offered via ExactTarget's Inbox Detective), helps companies detect blocking before it causes problems." For those keeping count, that leaves 8 ISPs that need a LART ;) I suspect this is why Jeff always yells at me to get our FP rate lower! But I love how the article ends. Clearly shows legit companies that they need to keep track of their affiliates, because they can and will hurt their brand. --Chris

2 1

Nice article on SURBL and note about weekends.....
by Chris Santerre 08 Mar '05

08 Mar '05

I was surfing for something else while waiting for two machines to reboot. Found this... http://daryl.learnhouston.com/?p=143 I like people who like us :) Also a side note: I know sometimes updates over the weekend run a little slower, I am still working on some ideas to speed that up on my end. But to try to counter act this a little, ANY, and I mean ANY and ALL domains submitted over the weekend, go thru a MUCH more rigourus research then the weekday. I figure if spammers are trying to take advantage of people being away for the weekend, then I'm going to look at those domains MUCH more closely. For instance, for the domains reported this weekend that fell into my bucket, I added about 35 times the amount from researching them all! Thats the price they pay for trying to be sneaky! ;) --Chris

2 1

Spammer Anti-SURBL tactic
by David B Funk 08 Mar '05

08 Mar '05

I'm seeing a new spam varient that is clearly designed to get past SURBL. It is an HTML message that contains many (50~100) 'invisible' links; links that have no target text, just: <A href="http://garbage.sitename.tld"></A> The intention is clear, they want to fill up the 20 'slots' of the spamcop_uri_limit with their junk links so the real "payload" URL can slip past unchecked. That's playing a statistical game, there's a 1 in 20 chance of the "payload" getting picked by the randomizer but that means that 95% slip by. To add insult to injury, they're tossing in random "\r" (ASCII-CR) characters into the "payload" hostname to try to break spamassasin's URI parsing. Is it time to create rules to penalize large numbers of 'invisible' links? The one thing that has me worried is that people may just start cranking up the spamcop_uri_limit value to do a brute-force response to this trash (or have a simple-minded client that doesn't have that kind of limit). This will add an ever-increasing load on the SURBL dns servers. I'm already seeing a steady-state average of 130 queries/second against my two servers (with spikes in the 150~175) range. The trend has been a steady increase (passed the 100 Q/S mark last fall). -- Dave Funk University of Iowa <dbfunk (at) engineering.uiowa.edu> College of Engineering 319/335-5751 FAX: 319/384-0549 1256 Seamans Center Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527 #include <std_disclaimer.h> Better is not better, 'standard' is better. B{

8 13

RE: [SURBL-Announce] Welcoming new public name server
by Chris Santerre 07 Mar '05

07 Mar '05

> >We'd like to welcome and thank the addition of a new public >SURBL name server g3.surbl.org administered by: > > Panagiotis Christias of National Technical University > of Athens in Greece > Ooopa! One more for the Uzo! Thanks guys! We really appreciate the servers! --Chris

1 0

updates on permuted-hits.out.txt??
by Alain 06 Mar '05

06 Mar '05

Hi I don't see changes inside : http://www.surbl.org/permuted-hits.out.txt Is there an update frequency or is it done manual? I think those are from before the WS/JP split. I also haven't seen results from after the the WS/JP split, has someone results (or did I miss these? Thanks in advance Alain

2 1

Re: [SPAM-TAG] SURBL missing this spam
by David B Funk 05 Mar '05

05 Mar '05

On Fri, 4 Mar 2005, Jeff Chan wrote: > On Friday, March 4, 2005, 5:12:28 PM, Theo Dinter wrote: > > On Fri, Mar 04, 2005 at 05:10:42PM -0800, Jeff Chan wrote: > >> The URI is a little unusual, with a missing port number after the > >> colon: > >> > >> http://crazyrxl0wprices-MUNGED.com:/ > >> > >> Maybe that syntax is throwing off SA? > > > Yeah, it does look like a bug somewhere in 3.0.x. 3.1 catches it fine, > > fwiw. > > > 3.0: > > debug: URIDNSBL: domains to query: > > > 3.1: > > debug: uridnsbl: domains to query: crazyrxl0wprices.com > > Thanks Theo, > Given that it's apparently fixed in 3.1 should we make a > bugzilla? Might it be worth reviewing that the expression or > code was specifically fixed to explain this (better) behavior? > Or would that be unnecessary? For those still running SA 2.6* + SpamCopURI-0.22 The following ONE character patch fixes this bug: *** SpamCopURI.pm-orig Thu Aug 5 14:58:59 2004 --- SpamCopURI.pm Fri Mar 4 21:22:37 2005 *************** *** 276,282 **** # URI doesn't always put the port in the right place # so we strip it off here ! $url{host} =~ s/:[0-9]+$// if $url{host}; # Cleanup for urls that come in with a dot in the front --- 276,282 ---- # URI doesn't always put the port in the right place # so we strip it off here ! $url{host} =~ s/:[0-9]*$// if $url{host}; # Cleanup for urls that come in with a dot in the front (IE just change that '+' to a '*' ;) -- Dave Funk University of Iowa <dbfunk (at) engineering.uiowa.edu> College of Engineering 319/335-5751 FAX: 319/384-0549 1256 Seamans Center Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527 #include <std_disclaimer.h> Better is not better, 'standard' is better. B{

1 0

Re: [SPAM-TAG] SURBL missing this spam
by Bill Landry 05 Mar '05

05 Mar '05

----- Original Message ----- From: "Jeff Chan" <jeffc(a)surbl.org> > On Friday, March 4, 2005, 3:47:04 PM, martin smith wrote: > > I must have received this spam 12 times or more in the last 24 hours and > > even though its listed on the SURBL, spamassassin fails to match it against > > them. > > When I submit the spams to spamcop it parses the url everytime. > > SURBL seems to work on all other spams, just wondering if they have found a > > way to avoid spamassassin catching the URL. > > > Martin > > The URI is a little unusual, with a missing port number after the > colon: > > http://crazyrxl0wprices-MUNGED.com:/ > > Maybe that syntax is throwing off SA? Ah, good catch, I hadn't even noticed the trailing ":". Bill

1 0

Re: SURBL missing this spam
by Bill Landry 05 Mar '05

05 Mar '05

----- Original Message ----- From: "Bill Landry" <billl(a)pointshare.com> > > I must have received this spam 12 times or more in the last 24 hours and > > even though its listed on the SURBL, spamassassin fails to match it > against > > them. > > When I submit the spams to spamcop it parses the url everytime. > > SURBL seems to work on all other spams, just wondering if they have found > a > > way to avoid spamassassin catching the URL. > > > > Martin > > Hmmm, that does seem strange. Didn't get caught here, either. However: > > crazyrxl0wprices.com.multi.surbl.org. 2100 IN A 127.0.0.114 > > So http://crazyrxl0wprices.com is listed on several of the SURBL multi > lists. Let's see if this message gets flagged or not... Yep, caught by all SURBL multi lists that compound to equal 127.0.0.114: URIBL_AB_SURBL, URIBL_JP_SURBL, URIBL_OB_SURBL, URIBL_SC_SURBL Don't know why the domain was not flagged on the message you forwarded to the SA list, it clearly showed up in the message source file. Bill

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

Discuss