Discuss

discuss@lists.surbl.org

1 participants
1867 discussions

makeurl.com
by Chris Santerre 16 Jul '04

16 Jul '04

looks like spammers are using this redir as well. (Thanks Dave) Time for another nicely written letter? Chris Santerre System Admin and SARE Ninja http://www.rulesemporium.com http://www.surbl.org 'It is not the strongest of the species that survives, not the most intelligent, but the one most responsive to change.' Charles Darwin

1 0

Spamassassin 3 problems with SURBL
by Scott Truman 16 Jul '04

16 Jul '04

Hi, I am having trouble using the new URIDNSBL plugin. I have the following in my local.cf file: loadplugin Mail::SpamAssassin::Plugin::URIDNSBL score URIBL_WS_SURBL 3.0 score URIBL_SBL 3.0 (these are previously defined in 25_uribl.cf) but I seem to be getting no hits with them. Is this correct? Cheers Scott

2 1

RE: [SURBL-Discuss] Re: Using (SU)RBL with a browser, any way to do it? (was <snip> )
by Chris Santerre 15 Jul '04

15 Jul '04

>-----Original Message----- >From: Nicolas Riendeau [mailto:knightr@istop.com] >Sent: Tuesday, July 13, 2004 12:21 AM >To: SURBL Discussion list >Subject: Re: [SURBL-Discuss] Re: Using (SU)RBL with a browser, any way >to do it? (was <snip> ) > > >Chris Santerre wrote: > >> >> Or one could take the sa-blacklist file and turn it into a >quick hosts file. >> I have a host file on the server that is copied to everyones machine >> everytime they log in. Full of spyware domains that simply point to >> 127.0.0.1 and It is easy for me to change. >> >> However squid also rocks. I have had a test server running >for 1.5 years. I >> haven't had time to tweak it yet to go production yet. >> > >Hi Chris! > >I *assume* (I know what happens when you assume... (-; ) that >the host file is >not loaded in memory and is processed sequentially so wouldn't >having a big host >file make its parsing be very very slow? > >That's an assumption though... > Somewhat, but not too bad. Some people have had web completely turned off for failing to listen to me. 2 whole deparments have no web access now. Muahahahhahaha....I'm drunk with power! But yeah, I guess if you had 35k listings in host file it could be pretty slow :) Another reason to use squid. --Chris

4 3

{Spam?} Why is OrgDNS listed in SURBL ?
by Ralph Seichter 15 Jul '04

15 Jul '04

I wonder why www.orgdns.org ist listed in ab.surbl.org, sc.surbl.org and ws.surbl.org. OrgDNS offers dynamic name services and I just found an account activation notification flagged as spam by SpamAssassin, based on said SURBL listings. -- Mit freundlichen Grüßen / Yours sincerely Dipl. Inform. Ralph Seichter HORUS-IT Ahornweg 10 D-57635 Oberirsen Tel +49 2686 987880 Fax +49 2686 987889 http://horus-it.de/

4 7

Top Rule Hits on Pre2 in the last 16 hours (fwd)
by William Stearns 15 Jul '04

15 Jul '04

---------- Forwarded message ---------- Date: Wed, 14 Jul 2004 09:42:58 -0500 From: Dallas L. Engelken <dallase(a)nmgi.com> To: spamassassin-users(a)incubator.apache.org Subject: Top Rule Hits on Pre2 in the last 16 hours Just FYI, my pre2 results after upgrading yesterday. 5 of the 6 top hitters are URIBL! DCC, Razor and Pyzor still hanging in there at ~1%... And a big pat on the back to Bob (SARE ninja) for the LONGWORDS. Email: 55473 Autolearn: 9744 AvgScore: 3.82 AvgScanTime: 1.85 sec Spam: 16157 Autolearn: 8723 AvgScore: 12.77 AvgScanTime: 3.66 sec Ham: 39316 Autolearn: 1021 AvgScore: 0.14 AvgScanTime: 1.11 sec TOP SPAM RULES FIRED ------------------------------------------------------------ RANK RULE NAME COUNT PERCENT ------------------------------------------------------------ -> 1 URIBL_WS_SURBL 13057 5.36% -> 2 URIBL_SBL 12907 5.30% 3 HTML_MESSAGE 11136 4.57% -> 4 URIBL_SC_SURBL 11060 4.54% -> 5 URIBL_OB_SURBL 10728 4.40% -> 6 URIBL_AB_SURBL 7981 3.28% 7 LONGWORDS 7947 3.26% 8 MPART_ALT_DIFF 6186 2.54% 9 MIME_HTML_NO_CHARSET 5507 2.26% 10 FORGED_RCVD_HELO 5196 2.13% 11 MIME_MISSING_BOUNDARY 4987 2.05% 12 MIME_HTML_MOSTLY 4565 1.87% 13 INFO_TLD 4192 1.72% 14 NO_REAL_NAME 4102 1.68% 15 BIZ_TLD 3984 1.64% 16 MIME_HTML_ONLY 3717 1.53% 17 RCVD_IN_NJABL_DUL 3660 1.50% 18 HTML_20_30 3099 1.27% 19 DCC_CHECK 3018 1.24% 20 RAZOR2_CF_RANGE_51_100 2972 1.22% 21 RAZOR2_CHECK 2965 1.22% 22 AWL 2852 1.17% 23 HTML_FONT_BIG 2740 1.12% 24 DIGEST_MULTIPLE 2292 0.94% 25 PYZOR_CHECK 2262 0.93% 26 CLICK_BELOW 1919 0.79% 27 HTML_IMAGE_ONLY_12 1918 0.79% 28 HTML_30_40 1869 0.77% 29 LINES_OF_YELLING 1737 0.71% 30 HTML_LINK_CLICK_HERE 1591 0.65% 31 MIME_BOUND_DD_DIGITS 1583 0.65% 32 HTML_80_90 1566 0.64% 33 HTML_FONT_TINY 1549 0.64% 34 HTML_FONT_SIZE_TINY 1525 0.63% 35 HTML_70_80 1498 0.61% 36 MONEY_BACK 1301 0.53% 37 HTML_FONT_SIZE_LARGE 1255 0.52% 38 DRUGS_ERECTILE 1247 0.51% 39 SATIS_GUAR 1191 0.49% 40 MSGID_DOLLARS 1189 0.49% ------------------------------------------------------------

3 2

8m.com FP? in ds and ws.
by Patrik Nilsson 15 Jul '04

15 Jul '04

8m.com seem to be used for sub-domain delegation. While some of those subdomains might be used in spam, not all are, so maybe 8m.com should be white-listed and just the subdomains be listed? It's currently listed in ds and ws. Patrik

4 5

domain overhand1383biz-MUNGED.us
by Mariano Absatz 15 Jul '04

15 Jul '04

Hi, I just got the message below containing a URL referring a subdomain of overhand1383biz-MUNGED.us. As it didn't hit any SURBL list, I promptly checked it in http://www.rulesemporium.com/cgi-bin/uribl.cgi in order to submit it for ws.surbl.org... Much to my surprise, it said it is already listed in ws.surbl.org as well as in ob.surbl.org... Checking my dns logs (it actually was today about 1:15 AM (UTC-03:00)) it doesn't show a problem with DNS, but actual NXDOMAIN answers: 07-08 01:14:04 query 121975 \ 127.0.0.1:4497:52051 a overhand1383biz-MUNGED.us.ob.surbl.org. 07-08 01:14:04 tx 0 a overhand1383biz-MUNGED.us.ob.surbl.org. \ ob.surbl.org. \ 209.234.97.11 62.58.50.220 66.251.133.4 66.59.111.182 \ 152.20.240.35 64.21.208.212 193.95.141.43 216.58.97.21 \ 128.255.17.20 66.170.2.50 213.132.0.70 130.161.128.84 \ 128.255.17.19 69.10.169.115 194.109.9.8 66.170.2.60 07-08 01:14:04 nxdomain 209.234.97.11 3600 \ overhand1383biz-MUNGED.us.ob.surbl.org. 07-08 01:14:05 query 121978 \ 127.0.0.1:4497:52054 a overhand1383biz-MUNGED.us.ws.surbl.org. 07-08 01:14:05 tx 0 a overhand1383biz-MUNGED.us.ws.surbl.org. \ ws.surbl.org. \ 213.132.0.70 128.255.17.19 66.170.2.50 193.95.141.43 \ 209.204.159.15 64.21.208.212 208.201.249.238 128.255.17.20 \ 130.161.128.84 139.130.4.5 62.58.50.220 66.59.111.182 \ 209.234.97.11 66.170.2.60 66.251.133.4 194.109.9.8 07-08 01:14:05 nxdomain 213.132.0.70 3600 \ overhand1383biz-MUNGED.us.ws.surbl.org. maybe they were added between 1:00 AM and 9:00 AM? It'd be nice to have a kind of timestamp in entries (at least when checking them via web). Thanx for a great job!! ############ ORIGINAL SPAM (DOMAIN MUNGED) WITH HEADERS ######## Received: from [218.79.131.116] ([218.79.131.116]:23567 "HELO fishingfan.com" whoson: "-unregistered-") by dedos.pert.com.ar with SMTP id <S185399AbUGHEOG>; Thu, 8 Jul 2004 01:14:06 -0300 Message-ID: <41692037.13C92E2(a)fishingfan.com> Date: Thu, 08 Jul 2004 13:41:31 +1000 Reply-To: "jake edgar" <herminiacottmtin(a)fishingfan.com> From: "jake edgar" <herminiacottmtin(a)fishingfan.com> User-Agent: Foxmail 4.2 [cn] X-Accept-Language: en-us MIME-Version: 1.0 To: "morgan hubert" <baby(a)baby.com.ar> Subject: Aydhkli Prescriptions 0vernighted To Your Doorstep..Val1um Etc.. Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-MailScanner: Se encontro limpio X-MailScanner-SpamAssassin: ham, SpamAssassin-2.63 (puntaje=4.404, requerido 5, DRUGS_ANXIETY 0.01, DRUGS_ANXIETY_OBFU 1.00, J_CHICKENPOX_45 0.60, RATWR10_MESSID 0.11, RCVD_IN_RFCI 0.10, SARE_RECV_IP_218079 1.67, SARE_USERAG_SPAM0 0.92) Return-Path: <herminiacottmtin(a)fishingfan.com> maalderij onderzoeksinspanningen koortjes Our online shop is your source for locating many presscription drugs without a prior presscription in comp1iance with FDA regulations. B`uy V@L|UM, X(a)NA.X O`n1ine For Less Safe & Secure Ordering! W C http://i.rcg.overhand1383biz-MUNGED.us/f74/ Illness, injury, love, lost moments of true greatness, and sheer stupidity all occur to test the limits of your soul. Without these small tests, whatever they may be, life would be like a smoothly paved straight flat road to nowhere. It would be safe and comfortable, but dull and utterly pointless. Having a secret is so fantastically sustaining and comforting, especially when teenage turbulence squalls up. My parents bought the records, but I was totally convinced that only I had the monopoly of true understanding. When I heard her belt through gotta move, I seriously thought this gal must be psychic. forada2arnillo08boyuno,depuratorio despreciador. -- Mariano Absatz El Baby ---------------------------------------------------------- Conjecture: All odd numbers are prime. Mathematician's Proof: 3 is prime. 5 is prime. 7 is prime. By induction, all odd numbers are prime. Physicist's Proof: 3 is prime. 5 is prime. 7 is prime. 9 is experimental error. 11 is prime. 13 is prime ... Engineer's Proof: 3 is prime. 5 is prime. 7 is prime. 9 is prime. 11 is prime. 13 is prime ... Computer Scientists's Proof: 3 is prime. 3 is prime. 3 is prime. 3 is prime...

3 3

redirect service???
by Chris Santerre 15 Jul '04

15 Jul '04

group.to points to opt.to which I *think* is a redir. ?????? Chris Santerre System Admin and SARE Ninja http://www.rulesemporium.com http://www.surbl.org 'It is not the strongest of the species that survives, not the most intelligent, but the one most responsive to change.' Charles Darwin

3 2

{Spam?} Perfect example of URL Poison
by Chris Santerre 15 Jul '04

15 Jul '04

I just wanted to share this example submitted today. (Thanks Dave!) Can you tell which domains to report? :) This is why scraping urls with scripts is no good. ********************************************** <a href="http://opoloves.com/tp/default.asp?id=rxsavings"> <img src="http://netuetion.com/faxd.gif" border=0> </a> Up to 8<A href="http://www.impractical.org"></A>0<A href="http://www.hettie.org"></A>% Sa<A href="http ://www.sheath.org"></A>vin<A href="http://www.inhibitor.org"></A>gs on X<A href="http://www.brown.org" ></A>an<A href="http://www.shinto.org"></A>ax, Va<A href="http://www.triptych.org"></A>li<A href="http ://www.irreproducible.org"></A>um, P<A href="http://www.anonymity.org"></A>hen<A href="http://www.sire n.org"></A>term<A href="http://www.warble.org"></A>ine, V<A href="http://www.bind.org"></A>ia<A href=" http://www.volterra.org"></A>gr<A href="http://www.baccarat.org"></A>a <a href="http://opoloves.com/tp/default.asp?id=rxsavings"> HERE</a> For em<A href="http://www.della.org"></A>ail re<A href="http://www.aviate.org"></A>mov<A href="http://www.accede.org"></A>a<A href="http://www.servitor.org"></A>l, g<A href="http://www.beet.org"></A>o <A href="http://opoloves.com/er/e.asp">here.</A> ********************************************** Wasn't that fun! :) Took a human eye about 20 seconds to find the 2 that mattered. Chris Santerre System Admin and SARE Ninja http://www.rulesemporium.com http://www.surbl.org 'It is not the strongest of the species that survives, not the most intelligent, but the one most responsive to change.' Charles Darwin

6 5

ws.surbl.org more FP's
by David Hooton 15 Jul '04

15 Jul '04

More to acompany the sudden upsurge of FP's in the WS list. meredith.com (magazine publisher - owner of americanbaby.com newsletter) websponsors.com be3a.com This week has been a particularly bad week for FP's :( -- Regards, David Hooton

4 6

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

Discuss