Discuss

discuss@lists.surbl.org

1870 discussions

RE: [SURBL-Discuss] Revised DMOZ data, got Wikipedia domains too
by Chris Santerre 08 Oct '04

08 Oct '04

>-----Original Message----- >From: Alex Broens [mailto:surbl@alexb.ch] >Sent: Friday, October 08, 2004 12:51 PM >To: SURBL Discussion list >Subject: Re: [SURBL-Discuss] Revised DMOZ data, got Wikipedia domains >too > > >Bill Landry wrote: >> ----- Original Message ----- >> From: "Alex Broens" <surbl(a)alexb.ch> >> >>>Jeff Chan wrote: >>> >>>> http://spamcheck.freeapp.net/whitelists/wikipedia-dmoz.srt >>>> >>>>Please also take a look at these blocklist hits (potential FPs) >>>>and share what you think: >>>> >>>> >> >> >http://spamcheck.freeapp.net/whitelists/wikipedia-dmoz-blocklis >t.summed.txt >> >>>>Would there be many FNs (missed spams) if we whitelisted all >>>>of these? In other words are these all truly False Positives? >>>>If not, which ones do you feel are true spammers and why. >>> >>>probably not a new idea, but why not run a "wl.surbl.org" >with all the >>>whitelisted domains and ppl can choose to use it or not. >> >> >> I like this idea! Whitelist the most commonly used 1,000 or >so domains, and >> then create a wl.surbl.org for the rest of the >wikipedia-dmoz domains. > >WOW... Bill didn't bark at me this time. > >my point is the following: > >take for example "angelfire. com". This domain may have >legitimate users >but my user base would NEVER have contact with anybody hosting >a site or >anything there. If they support spam, list them, put pressure >on them to >stop supporting spammers, bla, bla, bla. >I wouldn't appreciate it being whitelisted as then if there's >abuse, and >it does get blacklisted, there's no pressure on the domain holder to >clean up. I'm hoping UC list will help with that. Anyone who wishes to use it can add a minor score to spam for UC hits. This would put at least some sort of preasure for these grey hats to do something. > >As I imagine we're fighting spam here, not just filtering, I have a >certain difficulty understanding why the world is crying for >whitelisting instead of putting pressure on so called whitehats who >support abuse for a lifetime. I completely agree, but when working with SURBL I can't use this mindset. I have to go by Jeff's vision. However with UC its a whole different ball game. > >as Chris said, you could make whitelisting a lifetime task. >I believe the better approach would be to decrease potential FP's by >increasing the reporting QUALITY !!!!!!!! > >Alex > >//Are we fighting Spam or working for Messagelabs & Co. for free? // OUCH!!! I hear ya.....but OUCH! ;) --Chris

3 2

RE: Revised DMOZ data, got Wikipedia domains too
by Chris Santerre 08 Oct '04

08 Oct '04

>-----Original Message----- >From: Daniel Quinlan [mailto:quinlan@pathname.com] >Sent: Friday, October 08, 2004 2:01 PM >To: Chris Santerre >Cc: 'Jeff Chan'; SURBL Discuss; SpamAssassin Developers >Subject: Re: Revised DMOZ data, got Wikipedia domains too > > >Chris Santerre <csanterre(a)MerchantsOverseas.com> writes: > >> I think this is just plain nuts to whitelist all of these! Why? If we >> don't try to whitelist the most popular sites, then what the heck it >> the point? We could whitelist millions of legit domains forever. The >> popular ones are the most important. > >The points: > > - whitelisting legitimate domains limits the effectiveness of joe job > attacks that result in FPs in various SURBL blacklists > - whitelisting could be used as negative points for MAIL FROM if > combined with SPF (and more domains is better) Yeah, but not everyone is using SPF yet. But if they were, sure! > >In addition: > > - I would only whitelist those domains (a) subject to editorial > removal (b) so long as their domain registration is old enough and > (c) so long as they pass other criteria such as no SBL listing for > NS->A. Yeah date seems to be key in more and more cases. Granted a spammer could buy one of these older ones, but hasn't happened often enough. > - I would maintain the automated whitelist separately from the human > edited whitelist and handle it differently. For example, perhaps > automated whitelist entries can only remove a single blacklist hit > (like SpamCop), but to remove two independent blacklist hits, it > requires a human decision. > Did you look at the example from the list I gave? It doesn't even have a web page! Just says testing. I'm all for whitelisting, but popular/useful domains only. >> so: >> -1 for adding all those intersected to WL >> +1 for whitelisting the blacklist hits. > >I think there are other options available due to the miracle of >programming. ;-) > Well like they say around here, "You can't argue with success." But taking away spam points based on an autowhitelist still makes me nervous. But you might have a few tricks up your sleeve D.Q. that I don't know about yet ;) --Chris

2 1

Re: Revised DMOZ data, got Wikipedia domains too
by Daniel Quinlan 08 Oct '04

08 Oct '04

Chris Santerre <csanterre(a)MerchantsOverseas.com> writes: > I think this is just plain nuts to whitelist all of these! Why? If we > don't try to whitelist the most popular sites, then what the heck it > the point? We could whitelist millions of legit domains forever. The > popular ones are the most important. The points: - whitelisting legitimate domains limits the effectiveness of joe job attacks that result in FPs in various SURBL blacklists - whitelisting could be used as negative points for MAIL FROM if combined with SPF (and more domains is better) In addition: - I would only whitelist those domains (a) subject to editorial removal (b) so long as their domain registration is old enough and (c) so long as they pass other criteria such as no SBL listing for NS->A. - I would maintain the automated whitelist separately from the human edited whitelist and handle it differently. For example, perhaps automated whitelist entries can only remove a single blacklist hit (like SpamCop), but to remove two independent blacklist hits, it requires a human decision. > so: > -1 for adding all those intersected to WL > +1 for whitelisting the blacklist hits. I think there are other options available due to the miracle of programming. ;-) Daniel -- Daniel Quinlan ApacheCon! 13-17 November (3 SpamAssassin http://www.pathname.com/~quinlan/ http://www.apachecon.com/ sessions & more)

1 0

RE: [SURBL-Discuss] Revised DMOZ data, got Wikipedia domains too
by Chris Santerre 08 Oct '04

08 Oct '04

>-----Original Message----- >From: Alex Broens [mailto:surbl@alexb.ch] >Sent: Friday, October 08, 2004 11:53 AM >To: Jeff Chan; SURBL Discussion list >Subject: Re: [SURBL-Discuss] Revised DMOZ data, got Wikipedia domains >too > > >Jeff Chan wrote: >> http://spamcheck.freeapp.net/whitelists/wikipedia-dmoz.srt >> >> Please also take a look at these blocklist hits (potential FPs) >> and share what you think: >> >> >http://spamcheck.freeapp.net/whitelists/wikipedia-dmoz-blocklis >t.summed.txt >> >> Would there be many FNs (missed spams) if we whitelisted all >> of these? In other words are these all truly False Positives? >> If not, which ones do you feel are true spammers and why. > >probably not a new idea, but why not run a "wl.surbl.org" with all the >whitelisted domains and ppl can choose to use it or not. > > IMHO More traffic and scan time. Better to just ignore having them in the list. Also things like Yahoo, AOL, ect... will most likely have SA code to not even bother to look those up. --Chris

1 0

Possible large whitelist from DMOZ data
by Jeff Chan 08 Oct '04

08 Oct '04

Daniel Quinlan, one of the principal SpamAssassin architects had some good suggestions for reducing false positives in the SURBL data. One was using public databases of URIs, particularly hand-built ones like dmoz.org and wikipedia.org or even yahoo.com as sources of mostly legitimate domains. (The wikipedia is not a web directory in a conventional sense; it's more like an open encyclopedia, but it has a relatively large collection of URIs.) Presumably most of the URIs in these are legitimate and don't belong to spammers, especially in DMOZ since it's hand-built. So the question is: can these be useful as whitelist sources or perhaps as one of the checks on new SURBL additions. The DMOZ open directory publishes it's data in RDF form at: http://rdf.dmoz.org/ So we downloaded the URL data, extracted the domains and compared them against the SURBL block and whitelists: % join dmoz.srt ../multi.domains.sort | wc 1338 1338 20533 % join dmoz.srt ../whitelist-domains.sort | wc 7375 7375 96720 % join dmoz.srt ../multi.domains.sort > dmoz-blocklist.txt % join dmoz.srt ../whitelist-domains.sort > dmoz-whitelist.txt There were 1338 DMOZ hits against our blocklisted domains and 7375 against our whitelists. You can view those matches at: http://spamcheck.freeapp.net/whitelists/dmoz-blocklist.txt http://spamcheck.freeapp.net/whitelists/dmoz-whitelist.txt Of the 1338 DMOZ hits against our blocklists, which arguably could be false positives, most are in WS. Here is a list with the data from multi.surbl.org showing list membership included: %join dmoz.srt ../multi.domains.summed > dmoz-blocklist.summed.txt http://spamcheck.freeapp.net/whitelists/dmoz-blocklist.summed.txt And some list counts from those hits: [ws] hits: 1173 [ob] hits: 165 [jp] hits: 61 [sc] hits: 8 [ab] hits: 4 [ph] hits: 2 These add up to more than 1338 since some records hit multiple lists. The actual hits are in: http://spamcheck.freeapp.net/whitelists/dmoz-blocklist.ws http://spamcheck.freeapp.net/whitelists/dmoz-blocklist.ob http://spamcheck.freeapp.net/whitelists/dmoz-blocklist.jp http://spamcheck.freeapp.net/whitelists/dmoz-blocklist.sc http://spamcheck.freeapp.net/whitelists/dmoz-blocklist.ab http://spamcheck.freeapp.net/whitelists/dmoz-blocklist.ph Data source folks, please review these and try to determine which ones are FPs and which would result in false negatives if they came off the lists. For ones that are FPs you may want to eliminate them on your end. For the ones that could cause FNs, we'd like to know about those as a measure of using the DMOZ data for whitelisting. Right now I'm leaning towards whitelisting all of these, so please speak up! The 7.4k DMOZ whitelist hits represents a majority of the 12.25k whitelist entries that are not reserved .us geographic domains, so there is significant overlap between DMOZ and our existing whitelists, which is probably speaks well for both lists. % wc dotus_reservedlist_v3.lower.sort 52049 52049 1012735 dotus_reservedlist_v3.lower.sort % wc ../whitelist-domains.sort 64299 64299 1169155 ../whitelist-domains.sort % join dmoz.srt dotus_reservedlist_v3.lower.sort | wc 7 7 112 The DMOZ data has about 2.3 million domains. How does anyone feel about adding them to our whitelists? A 1.2 MB gzip of the extracted domains is at: http://spamcheck.freeapp.net/whitelists/dmoz.srt.gz I think we can safely say that whitelisting DMOZ domains will reduce FPs. Probably a more important question is: how many FNs would that cause? In other words, how many purely spam domains are in DMOZ, where whitelisting them would wrongly exclude spam domains from SURBLs? One way to answer that is to note that the lists ab, sc, jp, ph, which have much lower FP rates than ws (measured by the SpamAssassin corpora checks, for example, and also anecdotally by human FP reports) appear relatively infrequently in the DMOZ hits. In other words, SURBL lists that we know are quite spammy like sc, jp, etc. don't match DMOZ often, so the DMOZ data may not have too many spam domains. Similar tests could be done against other proposed whitelists. (We'll probably try the wikipedia data next.) Another concern is that since these directories are relatively open, spammers could simply add themselves and effectively get whitelisted. However I intend to take a snapshot of these and probably not try to refresh the data very often in future (it at all), instead using them as relatively static snapshots of established domains. Doing that would miss some new additions, but could also prevent some future abuse by spammers. On the other hand 2 million domains is a pretty good start.... :-) Extraction scripts are not perfect, particularly in the simplistic chopping to three levels of cctlds, but they're probably adequate: http://spamcheck.freeapp.net/whitelists/extract-dmoz-domains http://spamcheck.freeapp.net/whitelists/chop-two-level-domains.sed http://spamcheck.freeapp.net/whitelists/reduce-to-third-level.sed Comments please, Jeff C. -- Jeff Chan mailto:jeffc@surbl.org http://www.surbl.org/

9 23

Strange domains, Get no hits. Are they trying to fool SURBL?
by Martin 08 Oct '04

08 Oct '04

Hi, Got two different spams not getting caught by SURBL. The domains for both of the spams looks like this: http://ss.net.yourstuffspotMUNGED.com?qd="and a tracking id" AND http://mq.net.yourstuffspotMUNGED.com?r="and a tracking id" I checked the domain at rulesemporium and got a hit on yourstuffspotMUNGED.com but not at the subdomains. Somehow SURBL don't catch it even though it's listed on WS. Are they trying to fool SURBL or what is going on? Thanks in advance / Martin

2 3

RE: [SURBL-Discuss] submission to WS
by Chris Santerre 08 Oct '04

08 Oct '04

>-----Original Message----- >From: Martin [mailto:martin.lyberg@idkommunikation.com] >Sent: Thursday, October 07, 2004 10:25 AM >To: discuss(a)lists.surbl.org >Subject: [SURBL-Discuss] submission to WS > > >Hi, > >How long will it take for a submission made to WS at >http://www.rulesemporium.com/cgi-bin/uribl.cgi to become active? > >I wonder because i got a new fresh spam that i submitted, but it's not >yet listed to WS. > >Edit: i just noticed that it got listed on the OB-list. > These submission used to go just to me, not they get split between a few others. THANK GOODNESS!!! So it depends on the person. We have to hand check them. I myself am behind a little on these. But I checked and don't have yours. SO I guess I can only quote game developers when I say "soon." ;) --Chris

3 2

submission to WS
by Martin 08 Oct '04

08 Oct '04

Hi, How long will it take for a submission made to WS at http://www.rulesemporium.com/cgi-bin/uribl.cgi to become active? I wonder because i got a new fresh spam that i submitted, but it's not yet listed to WS. Edit: i just noticed that it got listed on the OB-list. Thank you Martin

5 5

URIBL with "spam sigs" proposal
by Yves Junqueira 07 Oct '04

07 Oct '04

Hi, In some cases, it would be interesting to provide an alternative zone, with a "spam signature info", for domains that could also be used for legitimate purposes. This zone would feature a special TXT part with a regexp or some encoded string that will be used by checking clients to test the message. A fake example: buyziagra.com TXT: listed in re.surbl.org (etc...) #click here.*buy [zvj]iagra# The text between #'s will be used as an regexp that, if matched against the text in slurp mode (whole buffer checked instead of line-by-line), will make the tool return that that e-mail is Spam. I can adapt my suriproxy to do that very easily. (Btw, there is a new test version of suriproxy avaliable with domain whitelisting and a better uri matching algorithm at http://sourceforge.net/projects/pf-aux. Any new feedback would be appreciated) The format I used is just an illustration. It would be ideal to develop or find a simpler "text matching" format then regexp, and yet more powerful, to accept different character coding. The idea of this "URIBL with spam sigs" is to avoid FP's and, specially, to let us list domains in a less restrictive policy. Even if a domain could used for legimate purposes, it could be added to this special zone. I do agree with the current policy used here, but I have several spam arriving everyday, specially from Brazilian domains, that, if the policy is respected, could not get into the list. Yet we need to find a solution for that, and this is my suggestion. This new feature would, then, take two different collaborative anti-spam solutions types - URIBL and on line content checks (Razor, DCC, etc) in a very efficient way and using existing infra-structure, that is, DNS servers. The odds are it would be a bit more difficult to maintain and spam gangs can change the text all the time. Even then, I believe this could be interesting. Do you think this is worth trying? sorry for my bad english, Yves -- Yves Junqueira http://www.lynx.com.br

1 0

Re: [SURBL-Discuss] Possible large whitelist from DMOZ data
by Daniel Quinlan 07 Oct '04

07 Oct '04

Michele Solutions wrote: >> Although directories such as DMOZ are manually edited there is a danger of >> spammers "grabbing" expired domains and abusing them. I've seen a lot of >> scripts for sale that track dmoz listed domains..... Jeff Chan <jeffc(a)surbl.org> writes: > Thanks. That's definitely good to know about. Ah, you could also look at how long a domain has been registered. ;-) Daniel -- Daniel Quinlan ApacheCon! 13-17 November (3 SpamAssassin http://www.pathname.com/~quinlan/ http://www.apachecon.com/ sessions & more)

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

Discuss