Discuss

discuss@lists.surbl.org

1 participants
1864 discussions

21 Feb '05

Hello SURBL Team, Please review linkshield(dot)com. It's a URL cloaking service but no abuse policy, etc. It may have legit uses but their service may actually benefits spammers. Just wanted to get everyone's opinion :-) -RD

3 4

Blind CC's
by Doc Schneider 21 Feb '05

21 Feb '05

I'm asking here because I know some of you probably can figure this one out. My Wife owns raogk.org (Random Acts Of Genealogical Kindness) and has a person who is having e-mail issues. A bit of background. I designed the full backend of this site which once you figure out the country,state,county of where you're wanting information you click on the volunteers name and a form pops up which allows you to enter your name/e-mail and what you want this person to lookup. And once it is sent it sends you a BCC of what you asked. Anyway, this one person is using MSN. And is not getting his BCC's we've had him do a complete search through his Outlook Express for the subject of these. Nada. And we've had no complaints from anyone else using MSN, so doubt it is the issue. Could this person be running something like an e-mail filter which is eatting his BCCs? Any of you heard of this? We're not sure what is running on this persons computer, so unknown if or what could be causing this. I'm out of ideas. We have the headers from some test messages we had this person do. Funny thing is they're getting all the other @raogk.org e-mail. Please include the raogk-admin(a)raogk.org address if you reply. Thanks, -Doc

2 1

Fw: Account Verification
by Kevin A. McGrail 21 Feb '05

21 Feb '05

This is a follow-up to my initial discovery that eBay has it's own redirector and this redirector was now showing up in Phishing scams. Despite my adamant, fervent & rabid inquiries, eBay has done nothing. With the rise of the use of the redirector on eBay and this more obscure url now being used, I believe even more phish-aware users would be caught: http://cgi4-munged.ebay.com/ws/eBayISAPI.dll?MfcISAPICommand=RedirectToDoma… Anyone who knows anyone at eBay that understands security should email them and tell them to turn this redirector OFF. In the meantime, here's an SA Rule to help catch it which I would appreciate feedback about: # This rule is to mark emails using the exploit of the eBay redirector uri KAM_EBAYREDIR /.*.ebay.com.*RedirectToDomain/i describe KAM_EBAYREDIR Attempted use of eBay redirector - high probability of fraud score KAM_EBAYREDIR 7.0 More posted at: http://www.peregrinehw.com/downloads/SpamAssassin/contrib/KAM.cf Regards, KAM

2 2

RE: [SURBL-Discuss] Is something wrong with SURBL-checker?
by Chris Santerre 18 Feb '05

18 Feb '05

> >Jeff Chan wrote: > >> I'm not getting matches either. Let's ask Dallas to please look >> into it for us. > >Alright! I noticed spam got hits from SURBL-lists anyway (as >you pointed >out in your other message). > >I'll wait report my spam-mails until the problems are solved. > I sent the Ninja in charge an email. We recently did an update that may have messed up the public one. --Chris

2 1

RE: [SURBL-Discuss] Fw: TKO Notice: Urgent Fraud Investigation
by Matthew.van.Eerde＠hbinc.com 17 Feb '05

17 Feb '05

Rob McEwen wrote: >> http://cgi4.ebay.com/ws/eBayISAPI.dll?MfcISAPICommand=RedirectToDomain&Doma >> inUrl=http://mymt.co.kr/.cgi-bin/eBaySuspension/signin.ebay.com/aw->cgi/sec > ure/eBayISAPI.dllSignIn-ssPageName->hhsin.php?MfcISAPICommand=SignInFPP&Usin > gSSL=1&email= > >> Erm, it's called a redirector. Did you try the >> URL? ebay's site redirects >> to the URL in the DomainURL parameter. > > Whatever you call it, it's bad news for any parser which might not > grab and extract the referenced URL for SURBL checking. > > Also, this leads to additional questions: > > (1) Are there legitimate "business purposes" for ebay to have such a > redirector in the first place? To a certain limited extent, yes > (2) If so, are there legitimate reasons for such a redirector to EVER > show up in legitimate e-mails? To that extent, yes > (3) If not, does anyone know of a "clearinghouse" page where ALL such > types of redirectors are listed so that rules could be built to block > e-mails containing these (using rules-based blocking)? Also, are > there already SA rules for such? > > Rob McEwen eBay should certainly realize that they are imparting a degree of authority to URLs that are redirected in this manner. They may even be liable for damages. Best practices probably dictate that they keep a list of URLs that are legitimate redirection destinations, and limit redirection to those URLs - on attempts to feed the redirector any other URL, they should pop up big ugly error messages saying "someone's trying to phish you (or maybe we forgot to update our list)" Matthew.van.Eerde (at) hbinc.com 805.964.4554 x902 Hispanic Business Inc./HireDiversity.com Software Engineer perl -e"map{y/a-z/l-za-k/;print}shift" "Jjhi pcdiwtg Ptga wprztg,"

1 0

Is something wrong with SURBL-checker?
by Martin 15 Feb '05

15 Feb '05

Hi, Is there something wrong with the SURBL-checker at http://www.rulesemporium.com/cgi-bin/uribl.cgi ? I get no matches of any domains i'm testing. Even with spam-domains that hits the multi-list isn't listed as blocked. Is this problem related to the "FP-rate" thread? / Martin

2 3

RE: [SURBL-Discuss] FP rate?
by Chris Santerre 14 Feb '05

14 Feb '05

>-----Original Message----- >From: Fred [mailto:tech2@i-is.com] >Sent: Monday, February 14, 2005 1:26 PM >To: SURBL Discussion list >Subject: Re: [SURBL-Discuss] FP rate? > > >Chris Santerre wrote: >> Can we trust the FP rate with the current bug in SA? > >Not taking sides but it might be a bug in Net::DNS, the SA >devs have not >exactly tied down what was causing this issue. There was talk >of re-write >in the way they use Net::DNS to possibly fix this issue but >I'm pretty sure >this was not SA specific. > >http://bugzilla.spamassassin.org/show_bug.cgi?id=3997 > Oh I agree. I don't know what is causing it, but I know it must be throwing off the reported FP rate. Although proably for all the URIRBLs. I'd love to get a monthly report from DQ on his rates. But I know he is busy. --Chris

4 3

RE: [SURBL-Discuss] FP rate?
by Chris Santerre 14 Feb '05

14 Feb '05

Can we trust the FP rate with the current bug in SA? -_Chris

2 1

Re: [SURBL-Discuss] ANN: new surbl client (still beta)
by Jeff Chan 14 Feb '05

14 Feb '05

On Saturday, February 12, 2005, 3:36:11 AM, Alain Alain wrote: > Hi Jeff >> On Saturday, February 12, 2005, 2:34:20 AM, Alain Alain wrote: >> >> Generally speaking it may be better to apply this kind of >> >> filtering at the server level since there are economies of scale, >> >> especially in terms of things like DNS lookups and caching. If >> >> we suddenly get 100k more DNS clients, that could tax the name >> >> servers somewhat. If those same 100k users were using 100 >> >> servers instead, the DNS loading would be quite a bit less. In >> >> that sense centralization is desirable. >> >> > Mmmm isn't the dns server from the ISP caching the dns requests? I >> > would think it doesn't make a big difference (except when a server is >> > rsync'ing). The difference could be that end users check their e-mail >> > not when arriving on the MTA, but later. >> >> One difference is that the ISP's mail server may see many of the >> same spams within a short period of time, and the lookups would >> probably tend to be cached over that time span. Individual users >> may POP or IMAP their messages at any random time, so the DNS >> cache hit rate may be lower for them. > This will only the case for spam e-mail, not for domains inside ham e-mail. But most well-written applications, e.g. SpamAssassin, are already ignoring most ham URIs due to local whitelisting, so it's spam URI domain caching that's the main issue. >> I think we're agreeing, but I've never tried to quantify the >> difference between these. We can propose that there's some >> difference but how much is unknown. I would suggest a pretty >> strong cache effect for mail servers however. > But the good news is : The more users, the more caching. So the > burden on the nameservers will grow slower. The SURBL zone files have a minimal 15 minute TTL, so in order for ISP resolver hits to be cached, the queries will need to occur within some 15 minutes, which seems less likely at MUA download time than at MTA processing time. MTAs probably see similar spam over a short period of time whereas MUA clients can download at any later time. In this case, I don't think your argument applies. For something like caching yahoo domains, or any with "normal" longer TTLs, it probably applies more strongly. Jeff C. -- "If it appears in hams, then don't list it."

2 2

Re: [SURBL-Discuss] FP rate?
by Alain 13 Feb '05

13 Feb '05

Hi Jeff > >> > I know that not all FP's are reported and there are > >> > probably no exact numbers, but it should give a good idea. Or am I > >> > wrong? > >> > >> The FP reports are probably too few overall to be meaningful in > >> terms of differentiating performance between lists. There just > >> aren't that many, maybe a few a day on average. > >> > > > Yes, but I wasn't thinking on differentiating between the lists, there > > are other results for. What I was thinking on was the number of FP's > > that exists on more than one list. This is very usefull information > > when combining lists. If almost no FP's do occur on more than one > > list (at the same time) requiring appearance on at least 2 lists > > would be a very safe one. > > Good point. Anecdotally, FPs don't tend to appear on multiple > lists very often, at least the FPs we've seen reported. This is > unmeasured, just a subjective opinion. If we had some of the > list data in combined form as I had proposed then we could test > it better. I suppose I could just do it. ;-) > I f the reported one's are very rare, this would probably even more the case for the not reported one's. If there's a FP the chance for being reported will grow if on more than one list. Mmm the combined lists just have to be available to someone with a big ham corpus, to test it. Personaly knowing the results for "at least 2" or "at least 3" , would be nice. It also would be nice to know how those combination would result inside : http://www.surbl.org/permuted-hits.out.txt Alain

3 5

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

Discuss