I will be out of the office until December 4th. If you need assistance
please contact the PDC at (847) 540-7036. Thank you.
Chuck Roeske
Network Manager
Lake Zurich CUSD 95
Does anyone have a recent snapshot of multi.surbl.org's zone file that
they could email me? I don't need SURBL's rsync service or rbldnsd,
just a recent snapshot.
RMsa(a)menschel.net
SMTP error from remote mail server after end of data:
host mx.junkemailfilter.com [69.50.231.5]: 550-REJECTED - Sender Verify
Failed - The email server for the domain
550-[lerctr.org] tells junkemailfilter.com that the sender's email
address
550 [ler(a)lerctr.org] is not a valid.
Your mailserver is making an INCORRECT statement.
Thanks.
--
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 512-248-2683 E-Mail: ler(a)lerctr.org
US Mail: 430 Valona Loop, Round Rock, TX 78681-3893
I would like to use surbl to scan the fields of our guestbook service and
then deny entries based on the results. I am currently using perl and MySQL
for the service and was wondering if there are any perl modules that can be
used for my purposes.
Chris
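A sketch of the check Chris asks about, as an added example that is not part of the original post and is written in Python rather than Perl: it pulls hostnames out of submitted form fields, reduces each to its registered domain, and looks that up under multi.surbl.org. The bit-to-list table is the 2006-era SURBL assignment and, like the field names, the `.example` domains and the short two-level suffix sample, is an assumption not taken from this page.

```python
import re
import socket

ZONE = "multi.surbl.org"
# Bit values of the 127.0.0.x answer as SURBL documented them in 2006
# (assumption: not stated on this page; the assignments have changed since).
LISTS = {2: "sc", 4: "ws", 8: "ph", 16: "ob", 32: "ab", 64: "jp"}
# Constructed, incomplete sample of suffixes that take third-level registrations.
TWO_LEVEL = {"co.uk", "org.uk", "com.au", "co.jp"}
HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


def registered_domain(host):
    """Reduce a hostname to the form SURBL lists: the registered domain."""
    labels = host.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_LEVEL else 2
    return ".".join(labels[-keep:])


def extract_domains(text):
    """Return the distinct registered domains of every URL or host in text."""
    return sorted({registered_domain(h) for h in HOST_RE.findall(text)})


def dns_a(name):
    """Default resolver: one A lookup, None when the name does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def surbl_lists(domain, resolve=dns_a):
    """Query domain.multi.surbl.org and decode the answer into list names."""
    answer = resolve(f"{domain}.{ZONE}")
    if not answer or not answer.startswith("127.0.0."):
        return []  # NXDOMAIN or an unexpected answer: treat as unlisted
    mask = int(answer.rsplit(".", 1)[1])
    return [name for bit, name in LISTS.items() if mask & bit]


def check_entry(fields, resolve=dns_a):
    """Map each listed domain found in any form field to its SURBL lists."""
    hits = {}
    for value in fields.values():
        for domain in extract_domains(value):
            lists = surbl_lists(domain, resolve)
            if lists:
                hits[domain] = lists
    return hits


# Constructed sample data: a fake zone answer and a fake guestbook entry.
SAMPLE_ZONE = {"spam-shop.example.multi.surbl.org": "127.0.0.36"}
SAMPLE_ENTRY = {"email": "tommy@mail.example",
                "comment": "phones at http://www.spam-shop.example/deals"}

if __name__ == "__main__":
    print(check_entry(SAMPLE_ENTRY, SAMPLE_ZONE.get))
```

Passing `SAMPLE_ZONE.get` as the resolver keeps the run offline; leave the argument out to query DNS, and reject the entry when `check_entry` returns anything.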
Hi folks,
I set up a test service realizing the TrackBack protocol as defined by:
http://www.sixapart.com/pronet/docs/trackback_spec
This service is currently under development, and free, but in the near
future it will be a service for registered users only.
We have some customers already working with this "trackback-Proxy", each
getting rid of 400+ blogspams, leaving some 2 or 3 comments for a real
review. They are happy....
Simply POST or GET data to the following URL:
http://support.clean-mx.de/clean-mx/trackback.php and supply data
either in parameters or in POST format,
like:
http://support.clean-mx.de//clean-mx/trackback.php?url=http%3A%2F%2Fverizon…
You will get an XML response like:
<?xml version="1.0" encoding="iso-8859-1"?>
<response>
<error>1</error>
<message>Blog-entry denied(blackrecipient): E-mail->tommy(a)hotmail.com see http://www.clean-mx.de/blogspam Query: 1.3660 Seconds</message>
<message> id-> </message>
<message> title-> verizon%20wireless%20cellphones </message>
<message> author-> verizon%20wireless%20cellphones </message>
<message> e-mail-> tommy%40hotmail.com </message>
<message> blog_name->verizon%20wireless%20cellphones </message>
<message> url-> http%3A%2F%2Fverizon-wireless-cellphones.unfbgcu.com </message>
<message> excerpt-> verizon%20wireless%20cellphones </message>
</response>
Yours Gerhard
On Tuesday, October 24, 2006, 11:39:31 AM, Joseph Brennan wrote:
> www.citylimits.org is in the ws list.
> It is a nonprofit organization, and they tell me people here at Columbia
> have asked why they have not got their mail.
> What was this listing based on? A quick web and newsgroup search got me
> nothing about this domain and spam.
> Joseph Brennan
> Columbia University Information Technology
Thanks. Looks possibly legit so, removing it.
Please note that false positive reports generally should be sent
to whitelist at surbl. org.
Jeff C.
--
Don't harm innocent bystanders.
www.citylimits.org is in the ws list.
It is a nonprofit organization, and they tell me people here at Columbia
have asked why they have not got their mail.
What was this listing based on? A quick web and newsgroup search got me
nothing about this domain and spam.
Joseph Brennan
Columbia University Information Technology
On Tuesday, October 3, 2006, 9:26:43 PM, Steve Sobol wrote:
> Are you guys still looking for a logo? I've been pretty busy :(
Yep. Can you make your logo with thicker lines and text?
Jeff C.
--
Don't harm innocent bystanders.
www.4emi.com is coming up as listed in PH and AB SURBL.
EMI Solutions is a legitimate supplier we use in manufacturing
aircraft electronics and should not be listed in either PH or AB.
Funny thing is I can't find the listing on abusebutler or castlecops.
This server is running SpamAssassin version 3.0.3
On Thursday, August 17, 2006, 9:12:51 PM, Steve Sobol wrote:
> Jeff Chan wrote:
>>> http://stevesobol.com/content/surbllogo.jpg
>>
>>> This is just a preliminary, I-did-this-in-five-minutes concept.
>>
>> It's good. (Red circle and slash = "no" and url://)
>>
>> Can you make one with spam:// ?
> Absolutely not, but see
> http://stevesobol.com/content/surbllogo2.jpg
> (Ok, I was just kidding, of course I can do it!)
> If that looks OK to you, I'll take that concept and come up
> with a final product.
Hi Steve,
Looks great; thanks much! If I could request a modification, it
would be for bolder type and thicker lines if possible. Also I'd
probably make the text black, as in blackhat.
Cheers,
Jeff C.
--
Don't harm innocent bystanders.
What's going on here?
Numerous examples of porn spam sent Sunday have all different hostnames
that resolve to the same few IP addresses, apparently by round robin:
$ host takinoivanober.com
takinoivanober.com has address 68.142.212.127
takinoivanober.com has address 68.142.212.128
takinoivanober.com has address 68.142.212.129
takinoivanober.com has address 68.142.212.130
takinoivanober.com has address 68.142.212.135
takinoivanober.com has address 68.142.212.126
$ host zascehjukalsderr.com
zascehjukalsderr.com has address 68.142.212.130
zascehjukalsderr.com has address 68.142.212.135
zascehjukalsderr.com has address 68.142.212.126
zascehjukalsderr.com has address 68.142.212.127
zascehjukalsderr.com has address 68.142.212.128
zascehjukalsderr.com has address 68.142.212.129
$ host sex368yzx.com
sex368yzx.com has address 68.142.212.129
sex368yzx.com has address 68.142.212.130
sex368yzx.com has address 68.142.212.135
sex368yzx.com has address 68.142.212.136
sex368yzx.com has address 68.142.212.137
sex368yzx.com has address 68.142.212.128
Reverse DNS resolves to Yahoo, only:
$ host 68.142.212.130
130.212.142.68.in-addr.arpa domain name pointer p10w14.geo.mud.yahoo.com.
$ host 68.142.212.127
127.212.142.68.in-addr.arpa domain name pointer p10w11.geo.mud.yahoo.com.
$ host 68.142.212.128
128.212.142.68.in-addr.arpa domain name pointer p10w12.geo.mud.yahoo.com.
The range 68.142.192 through 68.142.255 is all Inktomi, contact address
network-abuse(a)cc.yahoo-inc.com, so it really is Yahoo.
The interesting bit is that connecting by IP address or yahoo hostname
gets a "Error 400 - Bad Request", but connecting by the spammer hostname
gets a web page.
I'd be especially interested in a generalized way of catching this.
Joseph Brennan
Columbia University Information Technology
>
> On 29/09/06, Jeff Chan <jeffc(a)surbl.org> wrote:
> > On Friday, September 29, 2006, 8:18:33 AM, Peter Bowyer wrote:
> > > On 29/09/06, Robert Temple <rtscruiser(a)gmail.com> wrote:
> > >> Sorry for the newbie question. I did more research on the SURBL site and
> > >> found out you can't use it as a stand alone app. Re-enabled Spamassassin :(
> > >> and now it is working perfectly.
> >
> > > Robert
> >
> > > I believe you mentioned you were using Exim - there is a method of
> > > directly integrating URIBL/SURBL - which is (actively) maintained by
> > > Erik Mugele.
> >
> > > http://www.teuton.org/~ejm/exim_surbl/
> >
> > > Peter
> >
> > Hi Peter,
> > The site Robert mentioned:
> >
> > http://forums.ev1servers.net/showthread.php?t=57896
> >
> > is about using Erik Mugele's perl program (with Exim?) in the ev1
>
> Ah, sorry - came in part-way through. Erik's method is a very
> effective way of integration with Exim, I hope Robert might give it
> another try. The exim-users list will support him if he needs it.
>
> Peter
>
> --
> Peter Bowyer
> Email: peter(a)bowyer.org
So it IS possible to use SURBL without Spamassassin? That would be awesome.
I'll check out the exim site for their users discussion list.
Thanks!
On 29/09/06, Robert Temple <rtscruiser(a)gmail.com> wrote:
> Sorry for the newbie question. I did more research on the SURBL site and
> found out you can't use it as a stand alone app. Re-enabled Spamassassin :(
> and now it is working perfectly.
Robert
I believe you mentioned you were using Exim - there is a method of
directly integrating URIBL/SURBL - which is (actively) maintained by
Erik Mugele.
http://www.teuton.org/~ejm/exim_surbl/
Peter
--
Peter Bowyer
Email: peter(a)bowyer.org
Sorry for the newbie question. I did more research on the SURBL site and
found out you can't use it as a stand alone app. Re-enabled Spamassassin :(
and now it is working perfectly.
>
> > Hello;
> >
> > I wanted to replace Spamassassin on my server, so I've set up SURBL using
> > instructions from a forum on my server company's site (here:
> > http://forums.ev1servers.net/showthread.php?t=57896)
> >
> > The installation seemed to go well, but I haven't noticed any reduction in
> > spam, and when I SSL into the server and
> >
> > grep "Message contains blacklisted domain" /var/log/exim_mainlog
> >
> > I don't see any entries.
> >
> > Is there a way to check to see if SURBL is working?
> >
>
> What's in your exim config?
>
>
>
I haven't put this through its paces yet. The recursor can forward zones
to a nameserver (I still prefer dnscache's syntax) so this can be used
as a caching nameserver in front of rbldnsd
http://doc.powerdns.com/built-in-recursor.html
http://wiki.powerdns.com/projects/trac/
The author of PowerDNS Bert Hubert is well-known in Linux circles for
his work in explaining the esoteric commands of iproute via LARTC (Linux
Advanced Routing and Traffic Control)
http://lartc.org/
Hope this helps, Regards, Yusuf
--
Yusuf Goolamabbas
yusufg(a)outblaze.com
Hello;
I wanted to replace Spamassassin on my server, so I've set up SURBL using
instructions from a forum on my server company's site (here:
http://forums.ev1servers.net/showthread.php?t=57896)
The installation seemed to go well, but I haven't noticed any reduction in
spam, and when I SSL into the server and
grep "Message contains blacklisted domain" /var/log/exim_mainlog
I don't see any entries.
Is there a way to check to see if SURBL is working?
Thanks for any suggestions.
- Robert
>Some of these may be minor redirection sites being abused.
>
>One operator of such a site contacted us bemoaning the abuse and
>also contemplating shutting it down due to it.
>
>
If only these URL redirectors checked the target URL in URIBL/SURBL the
first time it gets submitted and also during the runtime, every time it
gets accessed, it should reduce the problem immensely. I guess plain
laziness to combat spam ain't going to work ;)
cheers,
skar.
--
OpenProtect - The email virus/spam filter
http://openprotect.com
>...
>Good evening, all,
> I'm seeing a _lot_ of URL redirection sites I've never seen
>before:
>
>shorten.in, registered Aug 20, 2006 (http://shorten.in/194 -> prosperityautomatedsystem.com)
>simurl.com (http://simurl.com/ss-nn-uu -> julesent4.info -> prosperityautomatedsystem.com)
>qdeo.com (http://qdeo.com/53 -> julesent4.info -> prosperityautomatedsystem.com)
>kuturl.com (http://kuturl.com/x.php?za -> 404)
>
> This last one now shows:
>
>Because of the actions of a SPAMMER - we have withdrawn this service.
>So, apologies to all of you who genuinely used our free service.
>You can blame the scum who ruined it for everyone else.
>We try hard to help others, while some are determined to prove themselves as lower than amoeba crap.
>
> Many of the URLs redirect to www.prosperityautomatedsystem.com.
>
> Try submitting a URL to these; you'll see the number returned is
>very low, indicating these are either fake redirectors or rarely used.
>
> Thoughts? Opinions? Strawberry-banana smoothies? ;-)
> Cheers,
> - Bill
>
>---------------------------------------------------------------------------
>I are sigfile disease!!
>All your quote are belong to us.
>Copy us every "sig"!
>(Courtesy of Charlie Stross, on an lwn.net letter)
>--------------------------------------------------------------------------
>William Stearns (wstearns(a)pobox.com). Mason, Buildkernel, freedups, p0f,
>rsync-backup, ssh-keyinstall, dns-check, more at: http://www.stearns.org
>...
Well, at least part of the path is well known and recognizable:
(See Spamhaus' ROK3985, ROK4460, ROK4682, ROK6181, ROK6713 and ROK6937
for the address in shdns.info)
Paul Shupak
track(a)plectere.com
...
;; ANSWER SECTION:
julesent4.info. 86400 IN NS ns2.shdns.info.
julesent4.info. 86400 IN NS ns1.shdns.info.
;; ADDITIONAL SECTION:
ns2.shdns.info. 86400 IN A 211.144.69.237
ns1.shdns.info. 86400 IN A 220.164.140.232
;; Query time: 20 msec
;; SERVER: 199.7.66.33#53(199.7.66.33)
;; WHEN: Wed Sep 27 03:36:13 2006
;; MSG SIZE rcvd: 106
% jwhois shdns.info
[Querying whois.afilias.info]
[whois.afilias.info]
Domain ID:D13029584-LRMS
Domain Name:SHDNS.INFO
Created On:10-Apr-2006 19:59:26 UTC
Last Updated On:09-Jun-2006 21:01:15 UTC
Expiration Date:10-Apr-2007 19:59:26 UTC
Sponsoring Registrar:eNom, Inc. (R126-LRMS)
Status:OK
Registrant ID:9902F5AE7419E685
Registrant Name:bill lai
Registrant Organization:newtech co.
Registrant Street1:211 yangzi road
Registrant Street2:211 yangzi road widf
Registrant Street3:
Registrant City:widf
Registrant State/Province:SD
Registrant Postal Code:23423424
Registrant Country:US
Registrant Phone:+91.343282334
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:daniel@sv-luka.org
Admin ID:9902F5AE7419E685
Admin Name:bill lai
Admin Organization:newtech co.
Admin Street1:211 yangzi road
Admin Street2:211 yangzi road widf
Admin Street3:
Admin City:widf
Admin State/Province:SD
Admin Postal Code:23423424
Admin Country:US
Admin Phone:+91.343282334
Admin Phone Ext.:
Admin FAX:
Admin FAX Ext.:
Admin Email:daniel@sv-luka.org
Billing ID:9902F5AE7419E685
Billing Name:bill lai
Billing Organization:newtech co.
Billing Street1:211 yangzi road
Billing Street2:211 yangzi road widf
Billing Street3:
Billing City:widf
Billing State/Province:SD
Billing Postal Code:23423424
Billing Country:US
Billing Phone:+91.343282334
Billing Phone Ext.:
Billing FAX:
Billing FAX Ext.:
Billing Email:daniel@sv-luka.org
Tech ID:9902F5AE7419E685
Tech Name:bill lai
Tech Organization:newtech co.
Tech Street1:211 yangzi road
Tech Street2:211 yangzi road widf
Tech Street3:
Tech City:widf
Tech State/Province:SD
Tech Postal Code:23423424
Tech Country:US
Tech Phone:+91.343282334
Tech Phone Ext.:
Tech FAX:
Tech FAX Ext.:
Tech Email:daniel@sv-luka.org
Name Server:DNS1.NAME-SERVICES.COM
Name Server:DNS2.NAME-SERVICES.COM
Name Server:DNS3.NAME-SERVICES.COM
Name Server:DNS4.NAME-SERVICES.COM
Name Server:DNS5.NAME-SERVICES.COM
Good evening, all,
I'm seeing a _lot_ of URL redirection sites I've never seen
before:
shorten.in, registered Aug 20, 2006 (http://shorten.in/194 -> prosperityautomatedsystem.com)
simurl.com (http://simurl.com/ss-nn-uu -> julesent4.info -> prosperityautomatedsystem.com)
qdeo.com (http://qdeo.com/53 -> julesent4.info -> prosperityautomatedsystem.com)
kuturl.com (http://kuturl.com/x.php?za -> 404)
This last one now shows:
Because of the actions of a SPAMMER - we have withdrawn this service.
So, apologies to all of you who genuinely used our free service.
You can blame the scum who ruined it for everyone else.
We try hard to help others, while some are determined to prove themselves as lower than amoeba crap.
Many of the URLs redirect to www.prosperityautomatedsystem.com.
Try submitting a URL to these; you'll see the number returned is
very low, indicating these are either fake redirectors or rarely used.
Thoughts? Opinions? Strawberry-banana smoothies? ;-)
Cheers,
- Bill
---------------------------------------------------------------------------
I are sigfile disease!!
All your quote are belong to us.
Copy us every "sig"!
(Courtesy of Charlie Stross, on an lwn.net letter)
--------------------------------------------------------------------------
William Stearns (wstearns(a)pobox.com). Mason, Buildkernel, freedups, p0f,
rsync-backup, ssh-keyinstall, dns-check, more at: http://www.stearns.org
--------------------------------------------------------------------------
>Date: Sun, 24 Sep 2006 02:07:25 -0400
>From: Eric Montréal <erv(a)mailpeers.net>
>Subject: Re: [SURBL-Discuss] Redirection URLs
>To: SURBL Discussion list <discuss(a)lists.surbl.org>
>Message-ID: <4516209D.6000500(a)mailpeers.net>
>Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
>
>A year ago, when the Geocities problem was much bigger, I made a simple
>analysis tool.
>
>I don't maintain it anymore, and data is partial, however, it shows that
>the javascript encoding used is nearly always very basic and easy to decode:
>
>http://nospam.mailpeers.net/alive_spammy2.txt
>
>
Did you check every geocities et al link in your spam mails and add them
to this list? You must've been angry to blast the spammers outta the
earth!!! I just love that spirit. Thanks for the links.
>Most of the listed sites appeared in spams long time ago and were not
>removed by Geocities.
>
>The original site http://nospam.mailpeers.net/ contains .cf rules, but
>except for the generic ones it's not useful anymore, mostly since Yahoo /
>Geocities finally decided to do the right thing and block the new spam
>sites and I don't actively search geocities spamvertized links anymore.
>
>
Are the rules listed like subevil, alive_spammy(2), rip_spammy,
alive_spammy_malware all kept updated? Even if not, I guess they
shouldn't give FPs?
cheers,
skar.
--
OpenProtect - The email virus/spam filter
http://openprotect.com
Hi,
I'm receiving lots of spam with URLs like the one below:
http://geocities.com/wihim2968
The above URL in fact redirects to a blacklisted domain j99k.com. Is there
a plan to add the redirected original URL also to the blacklists? Or
blacklist URL redirection services (at least in a different list like
AG-aggressive) which don't check the target URL in blacklists?
Or should I look up the real target of the URL and look it up too? But
this would lead to latencies of around 10-20 seconds depending on a 3rd
party web server like geocities in the above example :(
cheers,
skar.
--
OpenProtect - The email virus/spam filter
http://openprotect.com