Discuss

discuss@lists.surbl.org

1862 discussions

8m.com FP? in ds and ws.
by Patrik Nilsson 15 Jul '04

15 Jul '04

8m.com seem to be used for sub-domain delegation. While some of those subdomains might be used in spam, not all are, so maybe 8m.com should be white-listed and just the subdomains be listed? It's currently listed in ds and ws. Patrik

4 5

domain overhand1383biz-MUNGED.us
by Mariano Absatz 15 Jul '04

15 Jul '04

Hi, I just got the message below containing a URL referring a subdomain of overhand1383biz-MUNGED.us. As it didn't hit any SURBL list, I promptly checked it in http://www.rulesemporium.com/cgi-bin/uribl.cgi in order to submit it for ws.surbl.org... Much to my surprise, it said it is already listed in ws.surbl.org as well as in ob.surbl.org... Checking my dns logs (it actually was today about 1:15 AM (UTC-03:00)) it doesn't show a problem with DNS, but actual NXDOMAIN answers: 07-08 01:14:04 query 121975 \ 127.0.0.1:4497:52051 a overhand1383biz-MUNGED.us.ob.surbl.org. 07-08 01:14:04 tx 0 a overhand1383biz-MUNGED.us.ob.surbl.org. \ ob.surbl.org. \ 209.234.97.11 62.58.50.220 66.251.133.4 66.59.111.182 \ 152.20.240.35 64.21.208.212 193.95.141.43 216.58.97.21 \ 128.255.17.20 66.170.2.50 213.132.0.70 130.161.128.84 \ 128.255.17.19 69.10.169.115 194.109.9.8 66.170.2.60 07-08 01:14:04 nxdomain 209.234.97.11 3600 \ overhand1383biz-MUNGED.us.ob.surbl.org. 07-08 01:14:05 query 121978 \ 127.0.0.1:4497:52054 a overhand1383biz-MUNGED.us.ws.surbl.org. 07-08 01:14:05 tx 0 a overhand1383biz-MUNGED.us.ws.surbl.org. \ ws.surbl.org. \ 213.132.0.70 128.255.17.19 66.170.2.50 193.95.141.43 \ 209.204.159.15 64.21.208.212 208.201.249.238 128.255.17.20 \ 130.161.128.84 139.130.4.5 62.58.50.220 66.59.111.182 \ 209.234.97.11 66.170.2.60 66.251.133.4 194.109.9.8 07-08 01:14:05 nxdomain 213.132.0.70 3600 \ overhand1383biz-MUNGED.us.ws.surbl.org. maybe they were added between 1:00 AM and 9:00 AM? It'd be nice to have a kind of timestamp in entries (at least when checking them via web). Thanx for a great job!! ############ ORIGINAL SPAM (DOMAIN MUNGED) WITH HEADERS ######## Received: from [218.79.131.116] ([218.79.131.116]:23567 "HELO fishingfan.com" whoson: "-unregistered-") by dedos.pert.com.ar with SMTP id <S185399AbUGHEOG>; Thu, 8 Jul 2004 01:14:06 -0300 Message-ID: <41692037.13C92E2(a)fishingfan.com> Date: Thu, 08 Jul 2004 13:41:31 +1000 Reply-To: "jake edgar" <herminiacottmtin(a)fishingfan.com> From: "jake edgar" <herminiacottmtin(a)fishingfan.com> User-Agent: Foxmail 4.2 [cn] X-Accept-Language: en-us MIME-Version: 1.0 To: "morgan hubert" <baby(a)baby.com.ar> Subject: Aydhkli Prescriptions 0vernighted To Your Doorstep..Val1um Etc.. Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-MailScanner: Se encontro limpio X-MailScanner-SpamAssassin: ham, SpamAssassin-2.63 (puntaje=4.404, requerido 5, DRUGS_ANXIETY 0.01, DRUGS_ANXIETY_OBFU 1.00, J_CHICKENPOX_45 0.60, RATWR10_MESSID 0.11, RCVD_IN_RFCI 0.10, SARE_RECV_IP_218079 1.67, SARE_USERAG_SPAM0 0.92) Return-Path: <herminiacottmtin(a)fishingfan.com> maalderij onderzoeksinspanningen koortjes Our online shop is your source for locating many presscription drugs without a prior presscription in comp1iance with FDA regulations. B`uy V@L|UM, X(a)NA.X O`n1ine For Less Safe & Secure Ordering! W C http://i.rcg.overhand1383biz-MUNGED.us/f74/ Illness, injury, love, lost moments of true greatness, and sheer stupidity all occur to test the limits of your soul. Without these small tests, whatever they may be, life would be like a smoothly paved straight flat road to nowhere. It would be safe and comfortable, but dull and utterly pointless. Having a secret is so fantastically sustaining and comforting, especially when teenage turbulence squalls up. My parents bought the records, but I was totally convinced that only I had the monopoly of true understanding. When I heard her belt through gotta move, I seriously thought this gal must be psychic. forada2arnillo08boyuno,depuratorio despreciador. -- Mariano Absatz El Baby ---------------------------------------------------------- Conjecture: All odd numbers are prime. Mathematician's Proof: 3 is prime. 5 is prime. 7 is prime. By induction, all odd numbers are prime. Physicist's Proof: 3 is prime. 5 is prime. 7 is prime. 9 is experimental error. 11 is prime. 13 is prime ... Engineer's Proof: 3 is prime. 5 is prime. 7 is prime. 9 is prime. 11 is prime. 13 is prime ... Computer Scientists's Proof: 3 is prime. 3 is prime. 3 is prime. 3 is prime...

3 3

redirect service???
by Chris Santerre 15 Jul '04

15 Jul '04

group.to points to opt.to which I *think* is a redir. ?????? Chris Santerre System Admin and SARE Ninja http://www.rulesemporium.com http://www.surbl.org 'It is not the strongest of the species that survives, not the most intelligent, but the one most responsive to change.' Charles Darwin

3 2

{Spam?} Perfect example of URL Poison
by Chris Santerre 15 Jul '04

15 Jul '04

I just wanted to share this example submitted today. (Thanks Dave!) Can you tell which domains to report? :) This is why scraping urls with scripts is no good. ********************************************** <a href="http://opoloves.com/tp/default.asp?id=rxsavings"> <img src="http://netuetion.com/faxd.gif" border=0> </a> Up to 8<A href="http://www.impractical.org"></A>0<A href="http://www.hettie.org"></A>% Sa<A href="http ://www.sheath.org"></A>vin<A href="http://www.inhibitor.org"></A>gs on X<A href="http://www.brown.org" ></A>an<A href="http://www.shinto.org"></A>ax, Va<A href="http://www.triptych.org"></A>li<A href="http ://www.irreproducible.org"></A>um, P<A href="http://www.anonymity.org"></A>hen<A href="http://www.sire n.org"></A>term<A href="http://www.warble.org"></A>ine, V<A href="http://www.bind.org"></A>ia<A href=" http://www.volterra.org"></A>gr<A href="http://www.baccarat.org"></A>a <a href="http://opoloves.com/tp/default.asp?id=rxsavings"> HERE</a> For em<A href="http://www.della.org"></A>ail re<A href="http://www.aviate.org"></A>mov<A href="http://www.accede.org"></A>a<A href="http://www.servitor.org"></A>l, g<A href="http://www.beet.org"></A>o <A href="http://opoloves.com/er/e.asp">here.</A> ********************************************** Wasn't that fun! :) Took a human eye about 20 seconds to find the 2 that mattered. Chris Santerre System Admin and SARE Ninja http://www.rulesemporium.com http://www.surbl.org 'It is not the strongest of the species that survives, not the most intelligent, but the one most responsive to change.' Charles Darwin

6 5

ws.surbl.org more FP's
by David Hooton 15 Jul '04

15 Jul '04

More to acompany the sudden upsurge of FP's in the WS list. meredith.com (magazine publisher - owner of americanbaby.com newsletter) websponsors.com be3a.com This week has been a particularly bad week for FP's :( -- Regards, David Hooton

4 6

[SURBL-Discuss] Problems with SpamCopURI-0.18 on YellowDog linux 3.0.1
by Michael H. Martel 15 Jul '04

15 Jul '04

Hello! I'm trying to install SpamCopURI veriosn 0.18 on my YellowDog Linux server. When I install a .cf file that calls it, I get the following messages from spamassassin --lint : [root@merlin spamassassin]# spamassassin --lint Failed to compile URI SpamAssassin tests, skipping: (syntax error at /etc/mail/spamassassin/surbl.cf, rule WS_URI_RBL, line 1, near "eval:" syntax error at /etc/mail/spamassassin/bigevil.cf, rule BigEvilList_1614, line 11071, near "; }" ) I've installed the same version of SpamCopURI on a RedHat 7.3 server without any problems. I took the .cf file from that machine and it still fails. The .cf file looks like this : uri WS_URI_RBL eval:check_spamcop_uri_rbl('ws.surbl.org','127.0.0.2') describe WS_URI_RBL URI's domain appears in sa-blacklist tflags WS_URI_RBL net score WS_URI_RBL 3.0 Any thoughts ? I tried removing all my other .cf files and I still get ... [root@merlin Mail-SpamAssassin-SpamCopURI-0.18]# spamassassin --lint Failed to compile URI SpamAssassin tests, skipping: (syntax error at /etc/mail/spamassassin/surbl.cf, rule WS_URI_RBL, line 1, near "eval:" syntax error at /etc/mail/spamassassin/surbl.cf, rule WS_URI_RBL, line 23, near "; }" ) Thanks! Michael -- --------------------------------o--------------------------------- Michael H. Martel | Vermont State Colleges martelm(a)quark.vsc.edu | Systems Administrator http://probe.vsc.edu/~michael | PH:802-241-2544 FX:802-241-3363

1 1

RE: [SURBL-Discuss] FP for images.meredith.com in ws.surbl.org ?
by Chris Santerre 14 Jul '04

14 Jul '04

>-----Original Message----- >From: David B Funk [mailto:dbfunk@engineering.uiowa.edu] >Sent: Wednesday, July 07, 2004 6:05 PM >To: SURBL Discussion list >Subject: [SURBL-Discuss] FP for images.meredith.com in ws.surbl.org ? > > >My boss subscribes to the "WOOD ONLINE" woodworking newsletter ><newsletter(a)email.woodmall.com>, which is published by >Meredith Corporation. > >It contains references to images from http://images.meredith.com >which trigger hits from ws.surbl.org and BigEvil.cf >(it survived the single hit from BigEvil but when I deployed >SURBL it got taken down, then the boss was asking why his >newsletter was landing in his spam-basket ;). > >Now that I know about it, I've whitelisted the newsletter but not >sure what else might be hit. >Is images.meredith.com truely evil or a FP? >(I can supply a copy of the newsletter if anybody wants to see it). > >Dave This is an interesting one. Of the only 2 recent ones I see, one was a poison attempt: http://tinyurl.com/2mzf6 And the other looked like legit spam: http://tinyurl.com/2an9j But who knows? I definetly don't see any pattern like I do with real spam. I'm thinking they may be okay to remove. Anyone else? --Chris

2 1

FP for images.meredith.com in ws.surbl.org ?
by David B Funk 14 Jul '04

14 Jul '04

My boss subscribes to the "WOOD ONLINE" woodworking newsletter <newsletter(a)email.woodmall.com>, which is published by Meredith Corporation. It contains references to images from http://images.meredith.com which trigger hits from ws.surbl.org and BigEvil.cf (it survived the single hit from BigEvil but when I deployed SURBL it got taken down, then the boss was asking why his newsletter was landing in his spam-basket ;). Now that I know about it, I've whitelisted the newsletter but not sure what else might be hit. Is images.meredith.com truely evil or a FP? (I can supply a copy of the newsletter if anybody wants to see it). Dave -- Dave Funk University of Iowa <dbfunk (at) engineering.uiowa.edu> College of Engineering 319/335-5751 FAX: 319/384-0549 1256 Seamans Center Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527 #include <std_disclaimer.h> Better is not better, 'standard' is better. B{

2 1

FP - netwinsite.com
by Steven Champeon 14 Jul '04

14 Jul '04

I know that netwinsite.com has been forged into a slew of "Mobster I. Syphilitic" spams, as a bogus Received: header, but I would not block mail simply based on the domain. Chris Pugmire <chrisphome(a)netwin.co.nz> is the contact I worked with over at Surgweb to clear up the forged Received: headers issue. He was very antispam when I talked to him, perhaps he would be interested to know if he's got some spamming customer(s). -- hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2554 w: http://hesketh.com Buy "Cascading Style Sheets: Separating Content from Presentation, 2/e" today! http://www.amazon.com/exec/obidos/ASIN/159059231X/heskecominc-20/ref=nosim/

2 1

fp: wallstreetreporter.com
by Steven Champeon 14 Jul '04

14 Jul '04

Please whitelist/exclude 'wallstreetreporter.com'. It's showing up in some legit mail here. -- hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2554 w: http://hesketh.com Buy "Cascading Style Sheets: Separating Content from Presentation, 2/e" today! http://www.amazon.com/exec/obidos/ASIN/159059231X/heskecominc-20/ref=nosim/

2 1

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

Discuss