Discuss

discuss@lists.surbl.org

1867 discussions

RE: [SURBL-Discuss] Phish via "previewmysite.com"
by Chris Santerre 24 Aug '04

24 Aug '04

>-----Original Message----- >From: David B Funk [mailto:dbfunk@engineering.uiowa.edu] >Sent: Monday, August 23, 2004 11:15 PM >To: 'SURBL Discussion list' >Subject: [SURBL-Discuss] Phish via "previewmysite.com" > > >Found a citibank phish that used a redirect thru go.msn.com to >'zach.com.previewmysite.com' (see attached message). > >Is previewmysite.com guilty or an innocent open site that is being >exploited? My eyes! They see nothing! Help!!!!!! I think you forgot to attach it! Without even seeing it, I think they are being exploited, and they may need to start using SURBL to check their users. --Chris

1 0

RE: [SURBL-Discuss] Improved name server status page
by William C. Devine II 24 Aug '04

24 Aug '04

You could keep a generic list of nameservers such as 'Server 1', 'Server 2', etc, which correlates to 'ns1', 'ns2', etc. It'd just add a level of obscurity and require just a little more of a monkey to figure out though. william -----Original Message----- From: Jeff Chan [mailto:jeffc@surbl.org] Sent: Tuesday, August 24, 2004 6:40 AM To: SURBL Discuss Subject: Re: [SURBL-Discuss] Improved name server status page On Tuesday, August 24, 2004, 6:32:44 AM, Chris Santerre wrote: > That is very cool! However do you think it is wise to make public the IP's > of the servers? Yeah that kind of raised some flags for me too, but the servers are easy enough to find, and the names of the servers are not unique due to the round robin. For example e.surbl.org resolves to two different name servers. So the only thing unique and used for the subdomains are their IP addresses. I suppose we could set up another set of aliases for them, but kind of don't want another set to maintain. (The old style ns1, ns2, etc. names remain but for BIND type servers for the parent zone. They have already diverged from the rbldnsd servers.) Jeff C. _______________________________________________ Discuss mailing list Discuss(a)lists.surbl.org http://lists.surbl.org/mailman/listinfo/discuss

1 0

RE: [SURBL-Discuss] WS & DS FP?
by Chris Santerre 24 Aug '04

24 Aug '04

Sorry I just noticed yesmail.com is listed is SURBL. So clickaction.net should be as well. They are one in the same. --Chris

2 1

RE: [SURBL-Discuss] WS & DS FP?
by Chris Santerre 24 Aug '04

24 Aug '04

>-----Original Message----- >From: Jeff Chan [mailto:jeffc@surbl.org] >Sent: Tuesday, August 24, 2004 3:51 AM >To: SURBL Discuss >Subject: Re: [SURBL-Discuss] WS & DS FP? > > >On Tuesday, August 24, 2004, 12:27:22 AM, David Funk wrote: >> On Mon, 23 Aug 2004, Jeff Chan wrote: > >>> > <! click the link below or copy it into a web browser.> >>> > <! >>> > >https://secure.clickaction.MUNGEDnet/ClickAction?func=S_TurnOff >Html&partname=itworld&uid=MUNGED >>> > ========== >>> >>> > It was tagged by both WS and DS. Should this domain be >whitelisted and/or >>> > removed from these SURBLs? >>> >>> I'm going to assume that itworld.com would not put spammer >>> domains in their newsletter. Whitelisting: >>> >>> accelacommunications.com >>> itwpub1.com >>> itworld.com >>> clickaction.net >>> >>> If anyone knows anything about any of them, please speak >>> up. > >> FWIW, I've got "clickaction.net" spam in my archive and there's >> a couple hundred NANAS listings for them too. > >> It may be that that "secure.clickaction.net" is the clean side >> of their house but I have spam sent from the clickaction.net >> mail servers containing "www.clickaction.net" URLs. > >I took a look at some of the NANAS hits on clickaction.net and >most of them seem to be for legitimate businesses and >organizations. That leads me to think we should keep them off >the lists, though they do seem somewhat spammy. > >Anyone else know anything about them? > Good lord the deeper the rabbit hole goes, the spammier they look! They are yesmail, and yesmail is a spammer in my book! They are using itworld as a "Legitimizer" How does this quote of theirs sound to you? "Join Yesmail, Latham & Watkins, and Accela Communications to learn more about how you can mitigate risk to your company and continue to leverage the power of email communications in your marketing programs." With a quote like that, I would keep them listed in a heartbeat. And the more I look the more I say let them stay. You legit companies in NANAS still look like spam. The vermont teddy stuff looks like a run on a purchased mail list. I keep looking, and I keep seeing spammer! Someone show me a legit ham, that was optin, or asked for! --Chris

1 0

Improved name server status page
by Jeff Chan 24 Aug '04

24 Aug '04

I've set up a better SURBL name server status page at: http://www.surbl.org/nameservers-output.html which is also linked from the main page. It shows some latency in zone file propagation, and it also shows one of the name servers down. (Bjorn is that coming back eventually?) We may want to ask all the public name servers to rsync every 10 minutes.... Would that be OK Raymond? Currently I have the DNS timeout set to 10 seconds with two retries. What kind of values are more typical or standard for resolvers? I will use the scripts that generate the page to send notifications (probably to myself at first) once things stabilize. Since events don't happen very often, it's probably not necessary to show a history on the page. Comments? Jeff C.

2 3

Add Vanuatu (.vu) to countries?
by John Lundin 24 Aug '04

24 Aug '04

Using SpamCopURI, ws.surbl.org FP'ed some mail from Fedora-List. http://dirk-wendland.deMUNGED.vu/ (a personal webpage in a sig). WS contains deMUNGED.vu. But they're a registrar. (.vu is Vanuatu.) So perhaps SURBL should whitelist de.vu and check at third level? -- lundin(a)fini.net "Not only did we get you an apple with a mouse like you asked, we also got you a banana with a lizard."

4 5

WS & DS FP?
by Bill Landry 24 Aug '04

24 Aug '04

Included in an "IT World" newsletter (www.itworld.com) is the content below that included clickaction.MUNGEDnet: ========== <! ATTENTION!> <! You are reading this message because your mail reader cannot display HTML.> <! If you would prefer to receive text messages from now on,> <! click the link below or copy it into a web browser.> <! https://secure.clickaction.MUNGEDnet/ClickAction?func=S_TurnOffHtml&partnam… ========== It was tagged by both WS and DS. Should this domain be whitelisted and/or removed from these SURBLs? Bill

3 3

[SURBL-Discuss] Geturi 1.4 released! (The SURBL URI classification helper)
by Ryan Thompson 24 Aug '04

24 Aug '04

Finally. I've been taunting you poor folks for weeks, now. :-) Here it is: http://ry.ca/geturi/ -- geturi v1.4 >From the DESCRIPTION: geturi is designed to process a directory containing a list of RFC822 messages (one message per file). It analyses each message, attempts to strip out as many unclickable URIs as possible, and then compiles the list of found URIs, putting HTML output on STDOUT. What I'd *like* to see are a bunch of people using this, and some suggestions for improvement (I already have quite a few, some of which are in the TODO section of the documentation). I'd call this alpha code at the moment, for want of testers, but I don't know of any huge bugs. Feedback more than welcome! - Ryan -- Ryan Thompson <ryan(a)sasknow.com> SaskNow Technologies - http://www.sasknow.com 901-1st Avenue North - Saskatoon, SK - S7K 1Y4 Tel: 306-664-3600 Fax: 306-244-7037 Saskatoon Toll-Free: 877-727-5669 (877-SASKNOW) North America

2 2

whitelist rm04.net and rm02.net?
by Jeff Chan 24 Aug '04

24 Aug '04

We've had a request to whitelist rm04.net and rm02.net. Does anyone know anything about them? They seem to belong to: > SilverPOP Systems > (DOM-151479) > 200 Galleria Parkway > Suite 750 Atlanta > GA > 30339 US And reportedly appeared in a newsletter belonging to: Altiris http://www.altiris.com Comments? Jeff C.

1 1

Phish via "previewmysite.com"
by David B Funk 24 Aug '04

24 Aug '04

Found a citibank phish that used a redirect thru go.msn.com to 'zach.com.previewmysite.com' (see attached message). Is previewmysite.com guilty or an innocent open site that is being exploited? -- Dave Funk University of Iowa <dbfunk (at) engineering.uiowa.edu> College of Engineering 319/335-5751 FAX: 319/384-0549 1256 Seamans Center Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527 #include <std_disclaimer.h> Better is not better, 'standard' is better. B{

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

Discuss