Discuss

discuss@lists.surbl.org

1862 discussions

More spams with Zdnet redirector
by Rakesh 09 Apr '05

09 Apr '05

Guys Seems Zdnet doesn't bothers about its open redirectors as yet. This is a spam that I trapped just 5 mins back. Spammers are enjoying using these openredirectors. Can any one send a reminder to Zdnet of this redirector. The Spam ....... Hi, Wanna get up 4 times in one night, well we've got the answer for you, check us out at http://chkpt.zdnet.com/chkpt/howbad/rdx56.info/p/yo -- Regards, Rakesh B. Pal Emergic CleanMail Team. Netcore Solutions Pvt. Ltd. -- Revolutions do not require corporate support.

11 28

Re: [SURBL-Discuss] More spams with Zdnet redirector
by List Mail User 09 Apr '05

09 Apr '05

>... > >On Friday, April 8, 2005, 9:09:51 AM, List User wrote: >> Here I agree completely with Chris. An open HTTP redirector is >> just the same as an open SMTP relay. Fifteen years ago SMTP relays were >> not only common, they were part of being a "helpful" citizen; Today, we >> all consider them invitations to abuse and organizations like SORBS exist >> to seek them out and blacklist them. Six years ago, a HTTP redirector was >> a similar concept - a friendly way to provide a service to others; In today's >> Internet environment, and open redirector is every bit as "evil" as an open >> SMTP relay - there is no way to prevent its abuse and it is a "screaming" >> invitation to all spammers - "use me, I'll help you!". Just as people seek >> out and blacklist SMTP relays, someone should for HTTP redirectors, If Chris >> makes such a list available, I will quickly adopt and use it (and recommend >> that everyone else does to). > >That's fine, but it's not the purpose of SURBLs, which is to list >domains only used in spams. > >Jeff C. >-- >"If it appears in hams, then don't list it." > >_______________________________________________ >Discuss mailing list >Discuss(a)lists.surbl.org >http://lists.surbl.org/mailman/listinfo/discuss > Jeff, I realize this is a SURBL list, and I do fully support the intentions and differing goals of all the different groups involved in fighting spam. It does seem that this type of situation does not clearly fit any of the SURBL lists. I was simply stating, that if Chris creates such an organization and list, I will use it - and that it might also be of some interest to of the other mailing list members too (I probably should have "Cc:"'s the SA list, now that I think about it). Also, I did "Cc:" shs(a)cnet.com - which did not bounce (at least yet), so hopefully he will become aware of how at least some of us feel. In fact, given the goals of SURBL as best I understand them, an attempt to recognize redirectors does seem the best fit for your group; Even though I would like *somebody* to "step up to the plate" with something more aggressive (like SORBS does for SMTP relays). At this point, the discussion has seemed to have progressed beyond being appropriate or proper for the SURBL list, though possibly it could be continued in some other forum(s). Thank you again for providing all the services that you and SURBL do, Paul Shupak track(a)plectere.com

2 1

RE: [SURBL-Discuss] More spams with Zdnet redirector
by List Mail User 08 Apr '05

08 Apr '05

>From discuss-bounces(a)lists.surbl.org Fri Apr 8 06:48:07 2005 >From: Chris Santerre <csanterre(a)MerchantsOverseas.com> >To: "'Jeff Chan'" <jeffc(a)surbl.org>, > "'SURBL Discussion list'" <discuss(a)lists.surbl.org> >Subject: RE: [SURBL-Discuss] More spams with Zdnet redirector >Date: Fri, 8 Apr 2005 09:47:20 -0400 >... > >>-----Original Message----- >>From: Jeff Chan [mailto:jeffc@surbl.org] >>Sent: Thursday, April 07, 2005 10:55 PM >>To: SURBL Discussion list >>Subject: Re: [SURBL-Discuss] More spams with Zdnet redirector >> >> >>On Thursday, April 7, 2005, 12:45:51 PM, Patrik Nilsson wrote: >>> At 00:13 2005-04-07 -0700, Jeff Chan wrote: >>>>On Wednesday, April 6, 2005, 11:58:31 PM, Nick Askew wrote: >>>> > Jeff, >>>> >>>> > So it seems that there is an obvious loophole in SURBL. >>As long as the >>>> > spammer uses a legitimate business running a redirector >>you will never >>>> black >>>> > list them (perhaps the spammer could even set up their >>own legitimate >>>> > redirector). This open redirector discussion for ZDNET >>has been open for >>>> > several weeks now, they have had more than ample warning. >>>> >>>> > Nick >>>> >>>>No, it's not a loophole. Programs like SpamAssassin and >>>>SpamCopURI correctly parse some redirection sites like >>>>g.msn.com and check the redirected-to site. >> >> >>> That workaround is part of the problem, not part of the solution. >> >>> If we encourage client implementations to work around the >>problem in that >>> way, we will always have: >> >>> 1. Clients that need to be updated with the latest >>redirectors, unless we >>> provide and encourage implementations to use a constantly >>updated online >>> source of redirectors. >> >>> 2. Major redirectors getting included in the special >>work-arounds, like >>> Google, and smaller ones not getting included. >> >>> If we believe that open redirectors are bad, we should not solve the >>> problem by working around a few major ones that we are >>currently aware of. >> >>> Patrik >> >>Our solution is to detect and check the big ones, and try >>to get all of them to not be open to spammers. >> >>What's your solution? Blacklisting all open redirectors? >>So no one should be able to mention them? > >Thats EXACTLY what the new gray list will do. > >--Chris >'If it appears in spam, list it' > >(I can't take credit for the above tagline. Another nut came up with it >before me!) >_______________________________________________ >Discuss mailing list >Discuss(a)lists.surbl.org >http://lists.surbl.org/mailman/listinfo/discuss > Jeff and Chris, Here I agree completely with Chris. An open HTTP redirector is just the same as an open SMTP relay. Fifteen years ago SMTP relays were not only common, they were part of being a "helpful" citizen; Today, we all consider them invitations to abuse and organizations like SORBS exist to seek them out and blacklist them. Six years ago, a HTTP redirector was a similar concept - a friendly way to provide a service to others; In today's Internet environment, and open redirector is every bit as "evil" as an open SMTP relay - there is no way to prevent its abuse and it is a "screaming" invitation to all spammers - "use me, I'll help you!". Just as people seek out and blacklist SMTP relays, someone should for HTTP redirectors, If Chris makes such a list available, I will quickly adopt and use it (and recommend that everyone else does to). Unfortunately, the world has changed - what was being friendly is now being abusive; It is not a change for the better, it just *is*. Paul Shupak track(a)plectere.com

2 1

Re: [SURBL-Discuss] Forge SURBL mail from gfi.com, just minutes ago.
by List Mail User 08 Apr '05

08 Apr '05

>... > >Hi! > >> If they are legitimate, I certainly wouldn't want to buy any anti-virus >> or anti-spam software from these people! >> >> They are running an open relay: >> >> % telnet mailgate.gfi.com 25 >> Trying 80.85.99.13... >> Connected to mailgate.gfi.com. >> Escape character is '^]'. >> 220 mailgate.gfi.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.1830 ready at Fri, 8 Apr 2005 07:43:44 +0200 >> helo plectere.com >> 250 mailgate.gfi.com Hello [64.32.188.109] >> mail from: <> >> 250 2.1.0 <>....Sender OK >> rcpt to: <test(a)plectere.com> >> 250 2.1.5 test(a)plectere.com >> quit >> 221 2.0.0 mailgate.gfi.com Service closing transmission channel >> Connection closed by foreign host. > >gfi.com, the same gfi.com thats selling mail security products? >One word: Amazing. > >550 5.7.1 Unable to relay for ... > >Just checked, and it seems they closed it allready. > >Bye, >Raymond. > Raymond, Very nice apology from David Vella late last night (or early this morning, depending on your point of view ): >... >Subject: RE: [SURBL-Discuss] Forge SURBL mail from gfi.com, just minutes ago. >Date: Fri, 8 Apr 2005 09:06:25 +0200 >... >From: "David Vella" <david(a)gfi.com> >To: "SURBL Discussion list" <discuss(a)lists.surbl.org> >... >Hi, > >Sorry for this. I am the GFI MailEssentials/MailSecurity/MailArchiver >product manager and I am a list subscriber because I like the SURBL >concept. The reason of these emails seems to be because yesterday our >network administrator installed a new email relay server (named >passthrough) and I believe that he has mis-configured it. I sent him >all this info so that he will look into it. > >I will make sure that this is fixed immediately. > >regards, > >David Vella - GFI Software Ltd. - www.gfi.com >Messaging, Content Security & Network security software >GFI: FAXmaker - LANguard - MailSecurity - DownloadSecurity > >... >[snipped - mostly a copy of one of my mesages] Now we just have to help them off of the blacklists they got on last night (rfci.{whois,postmaster,abuse}) and they were already on L2 SPEWS. It seems that while the evidence for the "whois" listing, was correct, it was actually "insufficient" - San Gwann is not a "city", but it is a valid postal station in Malta (and I have learned, that similar situations also occur in some North African countries), so they can get off of the "rfci.whois" list with an email to rfci. They did bounce the postmaster@ and abuse@ messages, so they'll have to add/enable those accounts, then they can get off of those lists quickly too. As to SPEWS, well, someone will have to do the standard beg and plead and suffer abuse on NAMAE (I haven't checked why they were listed there to begin with, so I don't know exactly how much pleading and abuse will be required). Since you already have abuse@ and postmaster@ on the "Cc:" list, we'll quickly see if they still bounce. Paul Shupak track(a)plectere.com

1 0

RE: [SURBL-Discuss] More spams with Zdnet redirector
by Chris Santerre 08 Apr '05

08 Apr '05

>-----Original Message----- >From: Jeff Chan [mailto:jeffc@surbl.org] >Sent: Thursday, April 07, 2005 10:55 PM >To: SURBL Discussion list >Subject: Re: [SURBL-Discuss] More spams with Zdnet redirector > > >On Thursday, April 7, 2005, 12:45:51 PM, Patrik Nilsson wrote: >> At 00:13 2005-04-07 -0700, Jeff Chan wrote: >>>On Wednesday, April 6, 2005, 11:58:31 PM, Nick Askew wrote: >>> > Jeff, >>> >>> > So it seems that there is an obvious loophole in SURBL. >As long as the >>> > spammer uses a legitimate business running a redirector >you will never >>> black >>> > list them (perhaps the spammer could even set up their >own legitimate >>> > redirector). This open redirector discussion for ZDNET >has been open for >>> > several weeks now, they have had more than ample warning. >>> >>> > Nick >>> >>>No, it's not a loophole. Programs like SpamAssassin and >>>SpamCopURI correctly parse some redirection sites like >>>g.msn.com and check the redirected-to site. > > >> That workaround is part of the problem, not part of the solution. > >> If we encourage client implementations to work around the >problem in that >> way, we will always have: > >> 1. Clients that need to be updated with the latest >redirectors, unless we >> provide and encourage implementations to use a constantly >updated online >> source of redirectors. > >> 2. Major redirectors getting included in the special >work-arounds, like >> Google, and smaller ones not getting included. > >> If we believe that open redirectors are bad, we should not solve the >> problem by working around a few major ones that we are >currently aware of. > >> Patrik > >Our solution is to detect and check the big ones, and try >to get all of them to not be open to spammers. > >What's your solution? Blacklisting all open redirectors? >So no one should be able to mention them? Thats EXACTLY what the new gray list will do. --Chris 'If it appears in spam, list it' (I can't take credit for the above tagline. Another nut came up with it before me!)

1 0

RE: [SURBL-Discuss] ZDNet spamity calamity
by Chris Santerre 08 Apr '05

08 Apr '05

>-----Original Message----- >From: SM [mailto:sm@resistor.net] >Sent: Friday, April 08, 2005 1:56 AM >To: SURBL Discussion list >Subject: Re: [SURBL-Discuss] ZDNet spamity calamity > > >At 21:53 07-04-2005, List Mail User wrote: >>P.S. Despite feeling strongly about this, I'm not sure his >personal accounts >>and domains are the proper forum - if shs(a)cnet.com works, it >would seem to >>be "more" appropriate (i.e. this is a work issue, not a >personal or family > >It is inappropriate to use personal accounts and domains for such an >issue. Using such tactics can only antagonize the person. > >Regards, >-sm I completely agree with the above. As much as I want this resolved, I wouldn't use their personal emails. (Although I have done this with spammers!) Now..... LOL at the "Spamity Calamity" subject! I laugh everytime I see that and I think of Carl running thru the cubicles of AOL screaming it! :) --Chris

1 0

SpamAssassin DNS/SURBL bug possibly discovered, fixed
by Jeff Chan 08 Apr '05

08 Apr '05

See: http://bugzilla.spamassassin.org/show_bug.cgi?id=4249 http://bugzilla.spamassassin.org/show_bug.cgi?id=3997 It would be interesting to see if folks could try the patches added to the tickets, try a slow DNS resolution (longer than the timeout of 3 seconds) and see if they can duplicate/eliminate the error. Also if the hypothesis on 4249 is correct, then the problem of mixed up UDP packets may show up on a network analyzer, tcpdump, etc. Jeff C. -- "If it appears in hams, then don't list it."

2 1

Re: [SURBL-Discuss] Forge SURBL mail from gfi.com, just minutes ago.
by List Mail User 08 Apr '05

08 Apr '05

>... > >List Mail User wrote: > > P.S. I refused it, so I don't know what it was. I do know the >> domain registration is false; There is no city named "San Gwann" >> in the country of Malta. > >http://www.holidays-malta.com/locality_info/san_gwann.htm > > Apparently not a "city" but a recognized "village"; I guess it's like living in unincorparated parts of LA. Note the company claims to be "GFI Software Ltd" and sell anti-spam, anit-virus and email products. Did anyone actually receive the email? Was it just directed at me? Another batch of attempts just occurred: Apr 7 22:22:26 mailhub postfix/qmgr[14119]: D6A9C6A44: removed Apr 7 22:22:31 mailhub postfix/smtpd[24110]: connect from mailgate.gfi.com[80.85.99.13] Apr 7 22:22:32 mailhub postfix/smtpd[24110]: NOQUEUE: reject: RCPT from mailgate.gfi.com[80.85.99.13]: 450 <passthrough>: Helo command rejected: Host not found; from=<discuss-bounces(a)lists.surbl.org> to=<track(a)plectere.com> proto=ESMTP helo=<passthrough> Apr 7 22:22:33 mailhub postfix/smtpd[24110]: lost connection after RSET from mailgate.gfi.com[80.85.99.13] Apr 7 22:22:33 mailhub postfix/smtpd[24110]: disconnect from mailgate.gfi.com[80.85.99.13] Apr 7 22:22:33 mailhub postfix/smtpd[24110]: connect from mailgate.gfi.com[80.85.99.13] Apr 7 22:22:34 mailhub postfix/smtpd[24110]: NOQUEUE: reject: RCPT from mailgate.gfi.com[80.85.99.13]: 450 <passthrough>: Helo command rejected: Host not found; from=<discuss-bounces(a)lists.surbl.org> to=<track(a)plectere.com> proto=ESMTP helo=<passthrough> Apr 7 22:22:34 mailhub postfix/smtpd[24110]: lost connection after RSET from mailgate.gfi.com[80.85.99.13] Apr 7 22:22:34 mailhub postfix/smtpd[24110]: disconnect from mailgate.gfi.com[80.85.99.13] Apr 7 22:22:34 mailhub postfix/smtpd[24110]: connect from mailgate.gfi.com[80.85.99.13] Apr 7 22:22:35 mailhub postfix/smtpd[24110]: NOQUEUE: reject: RCPT from mailgate.gfi.com[80.85.99.13]: 450 <passthrough>: Helo command rejected: Host not found; from=<discuss-bounces(a)lists.surbl.org> to=<track(a)plectere.com> proto=ESMTP helo=<passthrough> Apr 7 22:22:36 mailhub postfix/smtpd[24110]: lost connection after RSET from mailgate.gfi.com[80.85.99.13] Apr 7 22:22:36 mailhub postfix/smtpd[24110]: disconnect from mailgate.gfi.com[80.85.99.13] Apr 7 22:22:36 mailhub postfix/smtpd[24110]: connect from mailgate.gfi.com[80.85.99.13] Apr 7 22:22:37 mailhub postfix/smtpd[24110]: NOQUEUE: reject: RCPT from mailgate.gfi.com[80.85.99.13]: 450 <passthrough>: Helo command rejected: Host not found; from=<discuss-bounces(a)lists.surbl.org> to=<track(a)plectere.com> proto=ESMTP helo=<passthrough> Apr 7 22:22:37 mailhub postfix/smtpd[24110]: lost connection after RSET from mailgate.gfi.com[80.85.99.13] Apr 7 22:22:37 mailhub postfix/smtpd[24110]: disconnect from mailgate.gfi.com[80.85.99.13] If they are legitimate, I certainly wouldn't want to buy any anti-virus or anti-spam software from these people! They are running an open relay: % telnet mailgate.gfi.com 25 Trying 80.85.99.13... Connected to mailgate.gfi.com. Escape character is '^]'. 220 mailgate.gfi.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.1830 ready at Fri, 8 Apr 2005 07:43:44 +0200 helo plectere.com 250 mailgate.gfi.com Hello [64.32.188.109] mail from: <> 250 2.1.0 <>....Sender OK rcpt to: <test(a)plectere.com> 250 2.1.5 test(a)plectere.com quit 221 2.0.0 mailgate.gfi.com Service closing transmission channel Connection closed by foreign host. Paul Shupak track(a)plectere.com

3 2

RE: [SURBL-Discuss] Forge SURBL mail from gfi.com, just minutes ago.
by David Vella 08 Apr '05

08 Apr '05

Hi, Sorry for this. I am the GFI MailEssentials/MailSecurity/MailArchiver product manager and I am a list subscriber because I like the SURBL concept. The reason of these emails seems to be because yesterday our network administrator installed a new email relay server (named passthrough) and I believe that he has mis-configured it. I sent him all this info so that he will look into it. I will make sure that this is fixed immediately. regards, David Vella - GFI Software Ltd. - www.gfi.com Messaging, Content Security & Network security software GFI: FAXmaker - LANguard - MailSecurity - DownloadSecurity -----Original Message----- From: discuss-bounces(a)lists.surbl.org [mailto:discuss-bounces@lists.surbl.org] On Behalf Of List Mail User Sent: Friday, April 08, 2005 8:41 AM To: discuss(a)lists.surbl.org; jeffc(a)surbl.org Cc: track(a)plectere.com Subject: Re: [SURBL-Discuss] Forge SURBL mail from gfi.com, just minutes ago. Called and left a polite message on voice mail - not open until tomorrow - Also, the US op. is a sales and tech support location only. It seem almost certain, that they didn't forge your email - but they are operating an open relay and using an illegal hostname for the HELO argument; Good reasons to believe the product is likely fundamentally flawed. Hell, the relay uses the name "passthrough" - certainly looks to be done on purpose. Maybe someone should LART zdnet using the gfi.com relay and point out the equivalence to them that way:) Paul Shupak track(a)plectere.com _______________________________________________ Discuss mailing list Discuss(a)lists.surbl.org http://lists.surbl.org/mailman/listinfo/discuss This mail was checked for viruses by GFI MailSecurity. GFI also develops anti-spam software (GFI MailEssentials), a fax server (GFI FAXmaker), and network security and management software (GFI LANguard) - www.gfi.com

1 0

Re: [SURBL-Discuss] Forge SURBL mail from gfi.com, just minutes ago.
by List Mail User 08 Apr '05

08 Apr '05

Called and left a polite message on voice mail - not open until tomorrow - Also, the US op. is a sales and tech support location only. It seem almost certain, that they didn't forge your email - but they are operating an open relay and using an illegal hostname for the HELO argument; Good reasons to believe the product is likely fundamentally flawed. Hell, the relay uses the name "passthrough" - certainly looks to be done on purpose. Maybe someone should LART zdnet using the gfi.com relay and point out the equivalence to them that way:) Paul Shupak track(a)plectere.com

1 0

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

Discuss