Jeff Chan <jeffc(a)surbl.org> writes:
> 1. We had discussed two strategies for a combined list A records before:
We still don't really care as long as you do it right. :-)
If you think you might end up supporting more than 32 return codes
(seems like a very remote possibility), separate A records is much
easier. Maybe that helps make up your mind.
> So the code using a combined list could be made to detect
> specific results, i.e., the specific list which triggered
> a matching A record could be determined, and not just that it
> matched "all" or any from the original list. On the other hand,
> the fact that matches from any list occurred may be good enough
> for some users. Personally I prefer a more detailed explanation
A more detailed explanation is merely the job of the client. If a
client can't handle multi-DNSBLs, then it's really behind the times.
Given that these clients are going to need to parse URIs and that is
non-trivial, I think you can just require multi-DNSBL support for newer
lists at some point if you want.
> 2. Another question would be the name of the combined list. Since
> there would be three or more lists, someone had suggested a name
> of "all" before. That sounds good to me unless there are other
> suggestions.
"query" and "bl" are two somewhat more common names for a single
combined blacklist.
> 3. I'm assuming TXT records are no longer really feasible in a
> combined list and that descriptive messages will need to be
> signalled by the list (127. address) matched. I suppose it would
> be possible to create custom TXT records for every entry, but a
> generic TXT (or perhaps none) might be more likely. Is a generic
> TXT better than none? Even in a BIND file, where it incurs some
> use of space?
You could return a single URL that if loaded contains information about
exactly which lists hit. You can also return multiple TXT records that
can be matched as SpamAssassin rules (yes!), but unless you promise to
keep the format very very stable, then we'll just use the A records.
My suggestion: start with the A and worry about the rest later.
> 4. TTLs: If an entry has matches on more than one list, should
> it get a unique TTL? If so, should such a custom TTL on the
> multiply-matching entry be the longest TTL or the shortest TTL?
> I lean towards inheriting the shortest TTL from the matching
> source list, plus setting a default TTL for the combined zone
> file to be near the longest.
> [...]
Sounds fine to me.
> 5. We will likely want to combine the ws and be lists into a
> single entry in a combined list, probably using the .1 bit for
> both of them, since both lists contain the enumerated
> (non-wildcarded) domains from SA regular expressions. Also,
> things are moving towards combining the non-wildcarded domains
> sa-blacklist and BigEvil/MidEvil, so this would somewhat
> short-circuit that process and future-proof things.
As long as they have similar S/O ratios, I'm okay with it. If they are
maintained separately, it might shift the decision towards keeping them
separate, but if they're getting merged, then that makes more sense.
Daniel
--
Daniel Quinlan anti-spam (SpamAssassin), Linux,
http://www.pathname.com/~quinlan/ and open source consulting
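The combined-list scheme discussed in the message above, as an added example that is not part of the thread or of SURBL's code: building one record per domain with OR-ed list bits and the shortest source TTL, then decoding a reply on the client. The bit assignments and the list names "list-b" and "list-c" are assumptions; only the shared ".1" bit for ws and be comes from the thread.

```python
import ipaddress

# Constructed bit assignments. Only the shared ".1" bit for ws and be comes
# from the thread; "list-b" and "list-c" are placeholders.
BITS = {"ws": 1, "be": 1, "list-b": 2, "list-c": 4}
LABELS = {1: "ws/be", 2: "list-b", 4: "list-c"}
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def combine(domain, sources):
    """Build the combined-zone record for one domain.

    sources maps list name -> {domain: ttl_seconds}. Returns (address, ttl),
    or None when no list has the domain. The TTL is the shortest TTL among
    the matching source lists.
    """
    mask, ttls = 0, []
    for name, zone in sources.items():
        if domain in zone:
            mask |= BITS[name]
            ttls.append(zone[domain])
    if not mask:
        return None
    return f"127.0.0.{mask}", min(ttls)


def decode(answers):
    """Map the A records of a reply to the lists that matched.

    Handles one record carrying several bits, or one record per list where
    each record carries that list's bit. Answers outside 127.0.0.0/8 are
    rejected, since a hijacked or wildcarded zone would otherwise read as
    a hit on every list.
    """
    mask = 0
    for answer in answers:
        addr = ipaddress.ip_address(answer)
        if addr not in LOOPBACK:
            raise ValueError(f"unexpected DNSBL answer {answer}")
        mask |= int(addr) & 0xFF
    return sorted(label for bit, label in LABELS.items() if mask & bit)
```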
>-----Original Message-----
>From: Matt Linzbach [mailto:MLinzbach@Merchant-Gould.com]
>Sent: Wednesday, May 12, 2004 2:57 PM
>To: Spamassassin-Talk (E-mail)
>Cc: SURBL Discussion list (E-mail)
>Subject: RE: X posting due to importance
>
>
>> -----Original Message-----
>> From: Chris Santerre [mailto:csanterre@MerchantsOverseas.com]
>> Sent: Wednesday, May 12, 2004 10:24 AM
>> To: Spamassassin-Talk (E-mail)
>> Cc: SURBL Discussion list (E-mail)
>> Subject: X posting due to importance
>>
>>
>> This was posted to Spam-L list. Very interesting. We should all watch
>> closely. Consider how we would defend our projects if we had to. :-)
>>
>> A Northern California District Court judge issued a temporary
>> restraining
>> order to prevent SpamCop, an antispam operation, from
>> interfering with
>> messages sent by alleged junk e-mailer OptInRealBig.com.
>>
>> http://news.com.com/2100-1024_3-5210518.html?tag=nefd.top
>
>
>/. has an active discussion on this today.
>
>http://yro.slashdot.org/yro/04/05/12/1226222.shtml?tid=111&tid=123&tid=126&tid=95&tid=99
And just like that, it is over :-)
http://biz.yahoo.com/prnews/040512/sfw083_1.html
Perhaps I should set up a BigEvil Drinking fund? I mean Legal defense fund.
Yeah that's what I meant!
--Chris
> -----Original Message-----
> From: Chris Santerre [mailto:csanterre@MerchantsOverseas.com]
> Sent: Wednesday, May 12, 2004 10:24 AM
> To: Spamassassin-Talk (E-mail)
> Cc: SURBL Discussion list (E-mail)
> Subject: X posting due to importance
>
>
> This was posted to Spam-L list. Very interesting. We should all watch
> closely. Consider how we would defend our projects if we had to. :-)
>
> A Northern California District Court judge issued a temporary
> restraining
> order to prevent SpamCop, an antispam operation, from
> interfering with
> messages sent by alleged junk e-mailer OptInRealBig.com.
>
> http://news.com.com/2100-1024_3-5210518.html?tag=nefd.top
/. has an active discussion on this today.
http://yro.slashdot.org/yro/04/05/12/1226222.shtml?tid=111&tid=123&tid=126&tid=95&tid=99
This was posted to Spam-L list. Very interesting. We should all watch
closely. Consider how we would defend our projects if we had to. :-)
A Northern California District Court judge issued a temporary restraining
order to prevent SpamCop, an antispam operation, from interfering with
messages sent by alleged junk e-mailer OptInRealBig.com.
http://news.com.com/2100-1024_3-5210518.html?tag=nefd.top
Chris Santerre
System Admin and SARE Ninja
http://www.rulesemporium.com
'It is not the strongest of the species that survives,
not the most intelligent, but the one most responsive to change.'
Charles Darwin
Stupid SPAM
by Jose-Marcio.Martins@ensmp.fr
11 May '04
Hello,
Take a look at this SPAM :
http://www.ensmp.fr/~martins/Prozac
Mainly, check the source.
The problem is that it comes with many, many URLs. At the beginning,
there are URLs needed by the SPAM itself. After, it puts many URLs with
font size equal to 1. Most of these last domains aren't spam... 8-)
Jose-Marcio
--
---------------------------------------------------------------
Jose Marcio MARTINS DA CRUZ Tel. :(33) 01.40.51.93.41
Ecole des Mines de Paris http://j-chkmail.ensmp.fr
60, bd Saint Michel http://www.ensmp.fr/~martins
75272 - PARIS CEDEX 06 mailto:Jose-Marcio.Martins@ensmp.fr
Hi,
I've created binary and source rpms which can be found here:
http://www.elvis.demon.co.uk/SpamCopURI/
I will look at improving these and better integration with SpamAssassin rpms
over the next few weeks, but in the meantime your feedback is welcome.
Note it is likely you will have to --force the install so that the common files
with SpamAssassin are replaced. It is _strongly recommended_ that you build from
the source rpm on your system as the binaries are built on RedHat 7.3 and may
not suit your systems.
rpm --rebuild perl-Mail-SpamAssassin-SpamCopURI-0.15-1.src.rpm
It is likely I will also share some related rpms in the near future. If anyone has
a better place to host the rpms let me know.
Regards,
Rob
--
Robert Brooks, Network Manager, Cable & Wireless UK
<robb(a)hyperlink-interactive.co.uk> http://hyperlink-interactive.co.uk/
Tel: +44 (0)20 7240 8121 Fax: +44 (0)20 7240 8098
- Help Microsoft stamp out piracy. Give Linux to a friend today! -
Yes, we are aware of it and working to shut it down. It is not easy at
all due to how the system works (as is the case with many redirector URLs).
Feel free to block the URL completely. It is only serving ads for AOL
partners really. Should not be a big problem if you can block URLs in
your antispam SW.
-Carl
david(a)platformnetworks.net wrote:
>==============================================================================
> MAIL SECURITY MESSAGE
>==============================================================================
>
>Mail Security is not 100% sure if the attached message is spam or not and
>needs your help to decide.
>
>
>How to help:
>--------------------------
>If the attached message is not spam, please forward this email to
>notspam(a)mailsecurity.net.au so we can correct our database, which will
>stop future messages of this type from being intercepted.
>
>If the attached message is spam, please delete this message and future
>messages like this will be blocked.
>
>Attached Message Details:
>--------------------------
>From: david(a)platformnetworks.net
>Subject: New Redirector?
>
>Thankyou for your help, your assistance helps us to keep our databases as
>up to date as possible.
>--
>Kind Regards,
>
>Mail Security
>www.mailsecurity.net.au
>
>
>========================================================================
> Pain free spam & virus protection by: www.mailsecurity.net.au
> Forward undetected SPAM to: spam(a)mailsecurity.net.au
>========================================================================
>
>
>
>
> ------------------------------------------------------------------------
>
> Subject:
> New Redirector?
> From:
> "David Hooton" <david(a)platformnetworks.net>
> Date:
> Fri, 7 May 2004 15:38:40 +1000
> To:
> <discuss(a)lists.surbl.org>
>
>
> Hi All,
>
> Just found an AOL redirector being abused in a spam:
>
>http://www.aol.com/ams/clickThruRedirect.adp?1=
>
>073757372,2147618210x2147531923,http://www.freeyouraccounts.com/stressfree/=
>
> Not sure if it’s included in the SURBL/SpamCopURI redirector list yet
> or not – is this published anywhere?
>
> Regards,
>
> David Hooton
>
> Senior Partner
>
> Platform Networks
>
> www.platformnetworks.net
>
--
Carl Hutzler
Director, AntiSpam Operations
America Online Mail Operations
cdhutzler(a)aol.com
703.265.5521 work
703.915.6862 cell
On Friday, May 7, 2004, 3:08:13 PM, ITReading ITReading wrote:
>>>> Jeff Chan <jeffc(a)surbl.org> 05/07/2004 4:45:22 PM >>>
>>I don't see any reports about it to SpamCop. You may want to
>>do that.
> That's interesting. I submit all my "false negatives" to
> Spamcop. I know I've submitted at least a dozen or so ". . .
> bravemouser.com . ." messages.
When I tried processing your message I got the message from
SpamCop saying ~"ISP says problem will cease". So the ISP
is presumably working on it.
Let me know if the spam continues, and I'll add bravemouser.com
to my manual blacklist.
Jeff C.
Hello all,
I continue to receive messages with URIs to "bravemouser.com" in the past few weeks. Should this domain be added to one of the surbl lists? Most of the messages are TV Pay Per View spam.
An example of one of the messages can be found here: http://www.aldridge-borden.com/bravemouser.txt
-Charles Solomon
This is a forwarded message
From: Menno van Bennekom <mvbengro(a)xs4all.nl>
To: spamassassin-users(a)incubator.apache.org
Date: Friday, May 7, 2004, 3:35:37 AM
Subject: URI's not recognized
===8<==============Original message text===============
Hi,
I have problems getting URI's recognized by SpamAssassin 2.63
(postfix/amavisd-new).
At first redirects like this were not recognized:
http://rd.yahoo.com*http://spammer.spam.biz
So I removed ^ from the BIZ expression:
uri BIZ_TLD /(?:https?:\/\/|mailto:)[^\/]+\.biz(?:\/|$)/i
Still the following was not recognized:
<a href=3Dhttp://away.goingabroadd.biz/aps/cms/>
Because of the 3D (and other stuff spammers put there lately).
Only by changing 'uri BIZ_TLD' to 'body BIZ_TLD' it gets recognized.
But I use SpamCopURI and that also doesn't recognize URI's with things in
front of http.
And I can't tell SpamCopURI to use the 'body' check instead of uri.
How can I make the URI subroutine recognize these URI's?
Would using SpamAssassin v3.0 help?
Thanks
Menno
===8<===========End of original message text===========
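One way to handle the two cases in the forwarded message above, as an added example that is not SpamAssassin or SpamCopURI code: decode quoted-printable before looking for URLs, and match every scheme start so the target behind a redirector is extracted along with the redirector. The function names and the third sample line are constructed for illustration.

```python
import quopri
import re

# Matches every scheme start, so a target embedded in a redirector URL
# (after "*", "?", "," ...) is found as well as the redirector itself.
HOST_RE = re.compile(r"https?://([a-z0-9](?:[a-z0-9.-]*[a-z0-9])?)", re.I)


def extract_hosts(raw_body):
    """Return the distinct URL hosts in a quoted-printable body, in order."""
    # Decode first: "=3D" becomes "=", and "=" + newline soft breaks that
    # split a URL across lines are removed.
    decoded = quopri.decodestring(raw_body.encode("latin-1"))
    text = decoded.decode("latin-1")
    hosts = []
    for match in HOST_RE.finditer(text):
        host = match.group(1).lower()
        if host not in hosts:
            hosts.append(host)
    return hosts


def biz_hits(raw_body):
    """Hosts under .biz, checked per extracted host rather than on raw text."""
    return [h for h in extract_hosts(raw_body) if h.endswith(".biz")]


# Constructed sample: the two cases quoted in the post, plus a URL split by
# a quoted-printable soft line break.
SAMPLE = (
    "<a href=3Dhttp://away.goingabroadd.biz/aps/cms/>\n"
    "http://rd.yahoo.com*http://spammer.spam.biz\n"
    "http://www.example.=\ncom/page\n"
)

if __name__ == "__main__":
    print(extract_hosts(SAMPLE))
    print(biz_hits(SAMPLE))
```

Apply the decode step only to parts whose Content-Transfer-Encoding is quoted-printable; on an undecoded-by-design body a literal "=" followed by two hex digits in a query string would be misread as an escape.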