Discuss

discuss@lists.surbl.org

1867 discussions

Stats wanted
by Jeff Chan 20 Oct '08

20 Oct '08

Hi All, SURBL is looking for statistics about what portion of unsolicited our lists are detecting (ideally in large mail flows). An overall number would be ideal, as in what fraction of total unsolicited messages are caught by any SURBL list. One possible way to measure this from SpamAssassin-processed messages would be to count the messages marked as spam that had 'SURBL' in their scores versus the ones that didn't have a SURBL rule hit. The ratio would be the spams with SURBL hits divided by total number of spams. Another way would be to count the SURBL hits from an MTA milter, but to have the meaningful denominator, one would need a count of the total spams, which a simple SURBL-only milter would not be able to provide. Something else, or a more sophisticated milter would need to count the total spams in order to get the denominator. Ideally the results would be after MTA blocking with a major sender blacklist like zen.spamhaus.org. Please let us know whether a sender blacklist is used in the MTA or not. Any results would be greatly appreciated. Cheers, Jeff C.

10 9

Re: [SURBL-Discuss] Stats wanted
by Jeff Chan 18 Oct '08

18 Oct '08

On Saturday, October 18, 2008, 12:29:17 AM, Jeff Chan wrote: > SURBL is looking for statistics about what portion of unsolicited our > lists are detecting (ideally in large mail flows). An overall number > would be ideal, as in what fraction of total unsolicited messages are > caught by any SURBL list. One possible way to measure this from > SpamAssassin-processed messages would be to count the messages marked > as spam that had 'SURBL' in their scores versus the ones that didn't > have a SURBL rule hit. The ratio would be the spams with SURBL hits > divided by total number of spams. I should have added, here is a SpamAssassin meta rule that may show how many messages hit any surbl rule: meta URIBL_META_SURBL_ANY (URIBL_AB_SURBL || \ URIBL_JP_SURBL || URIBL_OB_SURBL || URIBL_PH_SURBL || \ URIBL_SC_SURBL || URIBL_WS_SURBL) score URIBL_META_SURBL_ANY 0.01 (For however the line wraps should be handled.) Jeff C.

1 0

URI BL responses, always loopback network?
by Ron Guerin 06 Aug '08

06 Aug '08

Hello again, I posted here once before I believe on the subject of URL shorteners. I am the operator author of the GPL software known as TightURL, and operator of the .com of the same name where there is a public installation of this software. I was supposed to come back with some kind of response about checking URL submissions at submission time vs. re-checking later, but various things in life intervened, and I have yet to implement anything to track how many URLs I reject at submission time, but I am pleased to report that re-checking previously accepted URLs has clearly been a success. I am presently rechecking all my URLs every 6 hours *if* they meet the following conditions: * Is not already blocked in my database * Was added within a window period (7 days) -or- * Has recent activity and more than a threshold of hits recorded Using this formula, I've been blocking URLs that were submitted over a year prior to blocking them, along with many recent submissions. I have not added the capability to unblock them later, largely because visual inspection of the blocked URLs gives me a pretty good feeling they'll be blocked again sooner or later. I may have to do something about that, but I'm not seeing the need right now. Anyway,... today's question pertains to people who are mucking around in their DNS resolution, or have DNS providers that are falsifying DNS responses in order to generate ad income from typing errors in people's browsers. I recently concluded some support for a new user whose every URL submission appeared to be listed in both SURBL and URIBL, which my code checks to see if the URL should be rejected. This user was somehow getting his own IP address returned to him any time the true response was really NXDOMAIN. This was some local thing on his end, but I presume the same problem exists if your DNS provider is tampering with the responses, except in that case you'd get some IP address from the public IP space that misdirects you to some "helpful" site if you happen to be using a web browser. My workaround for this problem was to check to see if the first 4 characters of the response are "127." Every BL or URI BL I know about returns a response somewhere in the range of 127.0.0.0 - 127.0.0.255, unless I'm mistaken. While I guess this still leaves open the possibility for false-positives on my users end if they make use of both loopback network hosts and their DNS responses have been tampered with, what I wanted to know was if anyone knows of a BL or URI BL that returns or plans on returning something other than a loopback address as a positive response to a lookup? - Ron

3 5

Joe Jobbed by a scammer and AbuseButler
by Ron Guerin 06 Aug '08

06 Aug '08

I ironically now find tighturl.com listed in SURBL as the result effectively being joe-jobbed by some sleazeball promoting a work from home scam and using a tighturl link to a fake removal page, which was blocked by me within the 45th access (and is now probably around 10,000 hits which redirect to a page explaining the inadvisibility of clicking on links in spam or putting your email address into a spammer's removal box). AbuseButler has yet to respond to mail sent late Saturday night to abuse(a)abusebutler.com about the matter, and they clearly are not resolving URLs to their destination as I would have expected from a data source used by SURBL. Just what is the SURBL policy about listing URLs that have not been resolved to their destination, and about the quality of the data accepted into SURBL? I find the lack of a response from AbuseButler to its abuse address an indication that they're not running a responsible or reliable service over there. - Ron

3 4

Re: [SURBL-Discuss] RFC: significantly reducing FPs on OB
by Jeff Chan 21 Jul '08

21 Jul '08

On Sunday, July 13, 2008, 9:12:25 AM, Joseph Brennan wrote: > Jeff Chan <jeffc(a)surbl.org> wrote: >> I think we >> probably can't reveal the exact listing criteria in case they're >> useful for the bad guys. I know it's somewhat inappropriate to >> ask for comments without revealing details. I suppose I'm asking >> for general responses then. :) > So you'll keep ob, but take some undisclosed action to improve its > accuracy. Sounds worthwhile to me. Thanks! Yes, we would not get rid of OB entirely ever. It does have some good data, but with too many FPs. The goal would be to keep as much of the good data as possible while eliminating most of the bad. Unfortunately some of the good data may be thrown out with the bad; baby with the bathwater, so to speak. IMO FPs are much worse than FNs, so some increase in FNs balances out a decrease in FPs. Trying to decide if it's worth doing.... Jeff C.

5 7

Re: [SURBL-Discuss] RFC: significantly reducing FPs on OB
by Jeff Chan 13 Jul '08

13 Jul '08

On Saturday, July 12, 2008, 7:00:29 PM, Joseph Brennan wrote: > --On Saturday, July 12, 2008 1:41 AM -0700 Jeff Chan <jeffc(a)surbl.org> > wrote: >> We can probably significantly reduce the false positives on >> ob.surbl.org, the SURBL list based on Outblaze's URI blacklist: >> >> http://www.surbl.org/lists.html#ob >> >> at the cost of some possibly minor false negatives. [...] >> Should we make that change? > This agrees with our experience using SURBL for a few years. We've > seen the occasional fp with the ob listings, and none I am aware of > with the rest of SURBL. > What's the change? Thanks much for the feedback Daryl and Joseph! I think we probably can't reveal the exact listing criteria in case they're useful for the bad guys. I know it's somewhat inappropriate to ask for comments without revealing details. I suppose I'm asking for general responses then. :) Jeff C.

2 1

RFC: significantly reducing FPs on OB
by Jeff Chan 13 Jul '08

13 Jul '08

We can probably significantly reduce the false positives on ob.surbl.org, the SURBL list based on Outblaze's URI blacklist: http://www.surbl.org/lists.html#ob at the cost of some possibly minor false negatives. SpamAssassin has live (weekly?) statistics about the performance of their rules, including all SURBL lists, against their ham and spam corpora at their Rule QA site: http://ruleqa.spamassassin.org/ As you can see OB ranks significantly below the other SURBL lists, with much higher FP rates around 0.1% compared to 0.01% to 0.025% or so. (Note that the Rule QA site seems to have occasional glitches, so if the numbers seem out of range one week, check again later.) Should we make that change? Jeff C.

3 2

Re: [SURBL-Discuss] What does it take to be blacklisted?
by Jeff Chan 25 Jun '08

25 Jun '08

On Wednesday, June 25, 2008, 5:37:30 AM, Ben Spencer wrote: > Ok...the subject is a bit misleading. Let me clarify a little bit... > What does it take for a domain to end up on the multi.surbl.org list? > Realizing that multi is made up of several different lists, it might not > be > clear cut as each might have their own rules and in some cases it is > more > complicated then just end user reports. > Background: someone complained that they couldn't email us and it turns > out > they were blocked because of the multi.surbl.org list. In a response we > received from them, they stated: One person has a software program that > erroneously flagged <the domain> as spam. > What I am trying to confirm is that none of the multi.surbl.org lists > actually will block on a single incident report. Reading over the > surbl.org > site (haven't dig into the rules for each list just yet), the lists seem > to > sway towards safer (no listing) then sorry end of things. None of the lists will blacklist based solely on a user report. Each list is pretty different. Please report false positives to whitelist at our domain. Jeff C.

2 1

What does it take to be blacklisted?
by Ben Spencer 25 Jun '08

25 Jun '08

Ok...the subject is a bit misleading. Let me clarify a little bit... What does it take for a domain to end up on the multi.surbl.org list? Realizing that multi is made up of several different lists, it might not be clear cut as each might have their own rules and in some cases it is more complicated then just end user reports. Background: someone complained that they couldn't email us and it turns out they were blocked because of the multi.surbl.org list. In a response we received from them, they stated: One person has a software program that erroneously flagged <the domain> as spam. What I am trying to confirm is that none of the multi.surbl.org lists actually will block on a single incident report. Reading over the surbl.org site (haven't dig into the rules for each list just yet), the lists seem to sway towards safer (no listing) then sorry end of things. Thanks Benji Spencer System Administrator Moody Bible Institute Phone: 312-329-2288 Fax: 312-329-8961

1 0

SignInAndWIN.ca - In Hotmail Signature
by Darrell 03 Apr '08

03 Apr '08

FYI - I seen a couple false positives today on mail from hotmail that include this domain in the auto generated signature. SignInAndWIN . ca Example Signature: Sign in to Windows Live Messenger, and enter for your chance to win $1000 a day-today until May 12th. Visit SignInAndWIN . ca <http://g.msn.ca/ca55/210> Darrell

2 1

← Newer
1
...
9
10
11
12
13
14
15
...
187
Older →

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

Discuss