Catherine Hampton's SpamBouncer has a zillion blacklisted domains:
http://www.spambouncer.org/webdev/downloads/beta.shtml
1. download sb-new.tar.gz
2. mkdir sb; cd sb; tar xfz ../sb-new.tar.gz
3. perl -lne 'print "$1.$2" if /\)([\w-]+?)\(.*?\)([a-z]{2,4}?)\(/' *.rc \
| sort | uniq -c | sort -nr
I suspect Catherine has a list in raw format (for all I know, there are
some whitelisted domains somewhere in there). Merging it with WS might
make sense. Catherine is probably a bit (*cough*) more aggressive than
you.
Also, many domains are listed more than once. I'm guessing that they're
worse in some way. Or something. ;-)
Daniel
--
Daniel Quinlan ApacheCon! 13-17 November (3 SpamAssassin
http://www.pathname.com/~quinlan/ http://www.apachecon.com/ sessions & more)
Hi, I'm in the process of upgrading SA from 2.63 to 2.64 and SpamCopURI
from 0.19 to 0.22.
During make test of SA I get these during each t/rule_tests:
t/rule_tests................ok 61/62Failed to compile URI SpamAssassin
tests, skipping:
(syntax error at /etc/mail/spamassassin/local.cf, rule WS_URI_RBL,
line 1, near "eval:"
syntax error at /etc/mail/spamassassin/spamcop_uri.cf, rule
SPAMCOP_URI_RBL, line 1, near "eval:"
syntax error at /etc/mail/spamassassin/spamcop_uri.cf, rule
SPAMCOP_URI_RBL, line 6, near "}
}"
I am aware that there was a discussion on the surbl list about this a few
months ago, where someone said it could be caused by two Conf.pm's.
However, I only have the one in
/local/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/Conf.pm and the two in
the 2.64 distribution: the original ./lib/Mail/SpamAssassin/Conf.pm and
the make-generated ./blib/lib/Mail/SpamAssassin/Conf.pm
The errors didn't go away after installing SpamCopURI 0.22. I still
haven't dared install SA.
This is the relevant entry in local.cf:
# Domain blacklists
uri WS_URI_RBL eval:check_spamcop_uri_rbl('ws.surbl.org','127.0.0.2')
describe WS_URI_RBL URI's domain appears in sa-blacklist
tflags WS_URI_RBL net
score WS_URI_RBL 3.0
And this is from spamcop_uri.cf:
uri SPAMCOP_URI_RBL eval:check_spamcop_uri_rbl('sc.surbl.org','127.0.0.2')
describe SPAMCOP_URI_RBL URI's domain appears in spamcop database at sc.surbl.org
tflags SPAMCOP_URI_RBL net
score SPAMCOP_URI_RBL 3.0
So, what is causing the test errors? Can I safely ignore them, or will my
RBL's stop working if I upgrade?
I had hoped for a quick upgrade from 2.63 to 2.64 due to warnings about
DOS (and the last few days our mailserver actually went out of memory
twice, so it could be that spammers have started actually using this
DOS)...
-Frank.
cokesbury.com
0 Nanas
Domain registered since 1998 (6 yrs).
Whois Results for cokesbury.com
Registrant:
United Methodist Publishing House (COKESBURY3-DOM)
201 8th Ave S
Nashville, TN 37202
US
Domain Name: COKESBURY.COM
Administrative Contact, Technical Contact:
umph, domains (38034410P) domains(a)umpublishing.org
201 8th ave. south
Nashville, TN 37202
US
615-749-6106
Record expires on 27-Aug-2006.
Record created on 28-Aug-1998.
Database last updated on 26-Oct-2004 13:00:52 EDT.
Domain servers in listed order:
NS.UMPUBLISHING.ORG 67.106.203.110
NS1.UMPUBLISHING.ORG 67.106.203.98
Frederic Tarasevicius
Internet Information Services, Inc.
http://www.i-is.com/
810-794-4400
mailto:info@i-is.com
>-----Original Message-----
>From: Jeff Chan [mailto:jeffc@surbl.org]
>Sent: Monday, October 25, 2004 5:01 PM
>To: SURBL Discuss
>Subject: Re: [SURBL-Discuss] free host: greatnow.com
>
>
>On Monday, October 25, 2004, 1:23:32 PM, Chris Santerre wrote:
>>>From: Jeff Chan [mailto:jeffc@surbl.org]
>
>>>If we're thinking about setting up a blog list (as we were
>>>earlier), then it might be useful to test the data before using
>>>it, don't you agree?
>>>
>>>I don't see how dumping lists with arbitrary FPs onto UC helps
>>>either UC or SURBLs. In fact it's one of the bad things we
>>>predicted: that a grey list would become a dumping ground with
>>>some FPs and some domains that belong on a blocklist, all sitting
>>>there underclassified, unchecked or ignored.
>
>> They are NOT going unchecked. UC is still in beta form right now. So we are
>> testing. Most people have no clue where the server is as it is NOT part of
>> SURBL, so UC.SURBL.ORG doesn't work. Not a dumping ground at all. It will be
>> as active as WS.
>
>> I fully intend to mirror most of what goes into WS into UC. UC will simply
>> have a different policy. Grey domains need to be considered. UC will do
>> that. You said yourself earlier you didn't want to be any part of a list
>> that handled grey domains. That it would waste time. So you don't have to
>> worry about UC.
>
>> UC will get as much attention to detail as I put into WS. I just won't
>> delete grey domains, like I do now. I will instead list them in UC.
>
>How about a blog spam SURBL? Or is all blog spam grey?
You want a separate list for blog spammers? Have at it. I'll add what I can
to it.
--Chris
>-----Original Message-----
>From: Jeff Chan [mailto:jeffc@surbl.org]
>Sent: Monday, October 25, 2004 3:08 PM
>To: SURBL Discuss
>Subject: Re: [SURBL-Discuss] free host: greatnow.com
>
>
>On Monday, October 25, 2004, 8:18:34 AM, Chris Santerre wrote:
>>>>> Fine. Removed. A known blog spammer host gets one FP and we
>>>>> remove them all.
>>>>> Done.
>>>
>>>> Chris,
>>>> Instead of withdrawing the list can you give us a chance to
>>>> review it?
>>>
>>>Chris,
>>>If you put the file back up with a non-used name, I can turn it
>>>into a test SURBL for people to try. After testing and debugging
>>>we could look at adding it to a list. The broader the testing,
>>>the better the results.
>>>
>>>I usually put up new lists for people to test as widely as
>>>possible before turning them live.
>
>> No need. Moved to UC list.
>
>Might it be better to set up the blog spam domains as a separate
>list inside multi, but testing them first? We would still want
>to find a way to minimize collateral damage and keep otherwise
>legitimate domains off a blog list.
>
Legitimate domains like greatnow.com?
http://www.blackjack.greatnow.com
http://www.viaga-viagra.greatnow.com
http://www.debtconsolidation.greatnow.com
http://generic-cialis.greatnow.com
http://www.ed.greatnow.com/
http://www.bulk-email.greatnow.com
http://www.bonds.greatnow.com
http://www.1-dating.greatnow.com
http://www.credit-card.greatnow.com
http://www.car-insurance.greatnow.com
We got the UC list covered. It isn't in the SURBL group. You don't have to
worry about it.
--Chris
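How a SURBL-style rule such as the WS_URI_RBL entry quoted earlier in this archive turns a URI into a DNS query, and why every greatnow.com subdomain in the message above reduces to the same list entry. This is an added example, not part of the thread and not SpamCopURI's code; the stub resolver, its zone data, the two-entry ccTLD table and the last two sample URIs are constructed assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: tiny stand-in for the two-level ccTLD table a real client ships.
TWO_LEVEL_TLDS = {"co.uk", "com.au"}

def base_domain(uri):
    """Reduce a URI to the name that is looked up in the list zone."""
    host = (urlsplit(uri).hostname or "").rstrip(".").lower()
    if not host:
        return None
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:  # not an IP literal, so treat it as a hostname
        labels = host.split(".")
        keep = 3 if ".".join(labels[-2:]) in TWO_LEVEL_TLDS else 2
        return ".".join(labels[-keep:])
    # IPv4 literals are queried with the octets reversed; IPv6 is skipped here.
    return ".".join(reversed(host.split("."))) if ip.version == 4 else None

def query_name(uri, zone):
    base = base_domain(uri)
    return f"{base}.{zone}" if base else None

def check_uris(uris, zone, listed_answer, resolve):
    """Map each listed query name to the URIs in the message that produced it."""
    by_name = {}
    for uri in uris:
        name = query_name(uri, zone)
        if name:
            by_name.setdefault(name, []).append(uri)
    return {n: hits for n, hits in by_name.items() if listed_answer in resolve(n)}

# Constructed zone data (no network): assume the free host itself were listed.
FAKE_ZONE = {"greatnow.com.ws.surbl.org": ["127.0.0.2"]}

def fake_resolve(name):
    return FAKE_ZONE.get(name, [])  # empty list stands in for NXDOMAIN

# The first three hosts are quoted in the thread; the last two are constructed.
SAMPLE_URIS = [
    "http://www.blackjack.greatnow.com",
    "http://generic-cialis.greatnow.com",
    "http://www.ed.greatnow.com/",
    "http://some-hobby-page.greatnow.com/",
    "http://www.example.org/",
]

if __name__ == "__main__":
    for name, hits in check_uris(SAMPLE_URIS, "ws.surbl.org", "127.0.0.2", fake_resolve).items():
        print(name, "<-", len(hits), "URIs")
```

Because the lookup is made on the base domain, a listing for the host matches the constructed hobby page exactly as it matches the spam subdomains, which is the collateral-damage concern raised in the thread.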
>-----Original Message-----
>From: Jeff Chan [mailto:jeffc@surbl.org]
>Sent: Monday, October 25, 2004 4:05 PM
>To: SURBL Discuss
>Subject: Re: [SURBL-Discuss] free host: greatnow.com
>
>
>On Monday, October 25, 2004, 12:55:07 PM, Chris Santerre wrote:
>>>From: Jeff Chan [mailto:jeffc@surbl.org]
>
>>>Might it be better to set up the blog spam domains as a separate
>>>list inside multi, but testing them first? We would still want
>>>to find a way to minimize collateral damage and keep otherwise
>>>legitimate domains off a blog list.
>>>
>
>> Legitimate domains like greatnow.com?
>
>> http://www.blackjack.greatnow.com
>> http://www.viaga-viagra.greatnow.com
>> http://www.debtconsolidation.greatnow.com
>> http://generic-cialis.greatnow.com
>> http://www.ed.greatnow.com/
>> http://www.bulk-email.greatnow.com
>> http://www.bonds.greatnow.com
>> http://www.1-dating.greatnow.com
>> http://www.credit-card.greatnow.com
>> http://www.car-insurance.greatnow.com
>
>Probably every free hosting site has abuse, but most have far
>more legitimate uses than abusive ones. greatnow may be an
>exception. I did find a ton of blog spam for it on google, as
>you suggested. The real question is how much legitimate use they
>have. I did apparently find some, but it doesn't mean they're a
>whitehat. They could be a blackhat with a few incidental or
>unintentional legitimate users. :-(
>
>The question deserves some research. The reason I brought them
>up is because some had an apparent legitimate use for
>greatnow.com. That's usually a reason to not list them.
>
>> We got the UC list covered. It isn't in the SURBL group. You don't have to
>> worry about it.
>
>> --Chris
>
>If we're thinking about setting up a blog list (as we were
>earlier), then it might be useful to test the data before using
>it, don't you agree?
>
>I don't see how dumping lists with arbitrary FPs onto UC helps
>either UC or SURBLs. In fact it's one of the bad things we
>predicted: that a grey list would become a dumping ground with
>some FPs and some domains that belong on a blocklist, all sitting
>there underclassified, unchecked or ignored.
They are NOT going unchecked. UC is still in beta form right now. So we are
testing. Most people have no clue where the server is as it is NOT part of
SURBL, so UC.SURBL.ORG doesn't work. Not a dumping ground at all. It will be
as active as WS.
I fully intend to mirror most of what goes into WS into UC. UC will simply
have a different policy. Grey domains need to be considered. UC will do
that. You said yourself earlier you didn't want to be any part of a list
that handled grey domains. That it would waste time. So you don't have to
worry about UC.
UC will get as much attention to detail as I put into WS. I just won't
delete grey domains, like I do now. I will instead list them in UC.
I predict UC won't be ready for prime time for a few weeks at least. And it
will be its own animal, not part of the SURBL group.
It is also a group effort. As working on this myself would drive me crazier
than I am.
--Chris
>-----Original Message-----
>From: Jeff Chan [mailto:jeffc@surbl.org]
>Sent: Monday, October 25, 2004 12:50 AM
>To: SURBL Discuss
>Subject: Re: [SURBL-Discuss] free host: greatnow.com
>
>
>On Friday, October 22, 2004, 3:57:47 PM, Jeff Chan wrote:
>> On Friday, October 22, 2004, 11:28:13 AM, Chris Santerre wrote:
>>>>From: Jeff Chan [mailto:jeffc@surbl.org]
>
>>>>This was the most recent discussion I could find. It doesn't
>>>>seem to mention actually using the jayallen data in WS, though I
>>>>might have missed a message:
>
>>> Fine. Removed. A known blog spammer host gets one FP and we
>>> remove them all.
>>> Done.
>
>> Chris,
>> Instead of withdrawing the list can you give us a chance to
>> review it?
>
>Chris,
>If you put the file back up with a non-used name, I can turn it
>into a test SURBL for people to try. After testing and debugging
>we could look at adding it to a list. The broader the testing,
>the better the results.
>
>I usually put up new lists for people to test as widely as
>possible before turning them live.
No need. Moved to UC list.
--Chris
I have an SURBL submission from a VERY reputable person. With a very good
explanation as to how the email address spam'd should NEVER have gotten this
email. Now according to WS policy it would NOT be listed because it may have
legit uses. Therefore I'm adding it to UC not WS.
zatz.com is the domain.
http://zatzhq.zatz.com/privacy
Pretty much says it will do whatever it wants with your address. Which in
this case was harvested, not OptIn. And after trying to unsub the address,
the spam floodgates opened for it.
Chris Santerre
System Admin and SARE Ninja
http://www.rulesemporium.com
http://www.surbl.org
'It is not the strongest of the species that survives,
not the most intelligent, but the one most responsive to change.'
Charles Darwin
>-----Original Message-----
>From: Jeff Chan [mailto:jeffc@surbl.org]
>Surbl Headers?
>where OB_URI_RBL is the default name of a SURBL rule. Will
>that work for you? If not you may be able to use exim or some
>other mail processing utility to look for headers like that and
>add other headers more to your liking.
>Jeff C.
Thanks Jeff.
I am looking along the lines of, for example,
X-SURBL-TAG: URL:http://www.blahblah.tld found in XX.surbl.org.
Will look at exim for this.
Many thanks for the pointer.
Regards
Tom