8m.com seems to be used for sub-domain delegation.
While some of those subdomains might be used in spam, not all are, so maybe
8m.com should be white-listed and just the subdomains be listed?
It's currently listed in ds and ws.
Patrik
Hi,
I just got the message below containing a URL referring to a subdomain of
overhand1383biz-MUNGED.us.
As it didn't hit any SURBL list, I promptly checked it in
http://www.rulesemporium.com/cgi-bin/uribl.cgi in order to submit it for
ws.surbl.org... Much to my surprise, it said it is already listed in
ws.surbl.org as well as in ob.surbl.org...
Checking my dns logs (it actually was today about 1:15 AM (UTC-03:00)) it
doesn't show a problem with DNS, but actual NXDOMAIN answers:
07-08 01:14:04 query 121975 \
127.0.0.1:4497:52051 a overhand1383biz-MUNGED.us.ob.surbl.org.
07-08 01:14:04 tx 0 a overhand1383biz-MUNGED.us.ob.surbl.org. \
ob.surbl.org. \
209.234.97.11 62.58.50.220 66.251.133.4 66.59.111.182 \
152.20.240.35 64.21.208.212 193.95.141.43 216.58.97.21 \
128.255.17.20 66.170.2.50 213.132.0.70 130.161.128.84 \
128.255.17.19 69.10.169.115 194.109.9.8 66.170.2.60
07-08 01:14:04 nxdomain 209.234.97.11 3600 \
overhand1383biz-MUNGED.us.ob.surbl.org.
07-08 01:14:05 query 121978 \
127.0.0.1:4497:52054 a overhand1383biz-MUNGED.us.ws.surbl.org.
07-08 01:14:05 tx 0 a overhand1383biz-MUNGED.us.ws.surbl.org. \
ws.surbl.org. \
213.132.0.70 128.255.17.19 66.170.2.50 193.95.141.43 \
209.204.159.15 64.21.208.212 208.201.249.238 128.255.17.20 \
130.161.128.84 139.130.4.5 62.58.50.220 66.59.111.182 \
209.234.97.11 66.170.2.60 66.251.133.4 194.109.9.8
07-08 01:14:05 nxdomain 213.132.0.70 3600 \
overhand1383biz-MUNGED.us.ws.surbl.org.
maybe they were added between 1:00 AM and 9:00 AM?
It'd be nice to have a kind of timestamp in entries (at least when checking
them via web).
Thanx for a great job!!
############ ORIGINAL SPAM (DOMAIN MUNGED) WITH HEADERS ########
Received: from [218.79.131.116] ([218.79.131.116]:23567 "HELO fishingfan.com"
whoson: "-unregistered-") by dedos.pert.com.ar with SMTP
id <S185399AbUGHEOG>; Thu, 8 Jul 2004 01:14:06 -0300
Message-ID: <41692037.13C92E2(a)fishingfan.com>
Date: Thu, 08 Jul 2004 13:41:31 +1000
Reply-To: "jake edgar" <herminiacottmtin(a)fishingfan.com>
From: "jake edgar" <herminiacottmtin(a)fishingfan.com>
User-Agent: Foxmail 4.2 [cn]
X-Accept-Language: en-us
MIME-Version: 1.0
To: "morgan hubert" <baby(a)baby.com.ar>
Subject: Aydhkli Prescriptions 0vernighted To Your Doorstep..Val1um Etc..
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-MailScanner: Se encontro limpio
X-MailScanner-SpamAssassin: ham, SpamAssassin-2.63 (puntaje=4.404,
requerido 5, DRUGS_ANXIETY 0.01, DRUGS_ANXIETY_OBFU 1.00,
J_CHICKENPOX_45 0.60, RATWR10_MESSID 0.11, RCVD_IN_RFCI 0.10,
SARE_RECV_IP_218079 1.67, SARE_USERAG_SPAM0 0.92)
Return-Path: <herminiacottmtin(a)fishingfan.com>
maalderij onderzoeksinspanningen koortjes
Our online shop is your source for locating many presscription drugs
without a prior presscription in comp1iance with FDA regulations.
B`uy V@L|UM, X(a)NA.X O`n1ine For Less
Safe & Secure Ordering!
W C http://i.rcg.overhand1383biz-MUNGED.us/f74/
Illness, injury, love, lost moments of true greatness, and sheer stupidity
all occur to test the limits of your soul. Without these small tests,
whatever they may be, life would be like a smoothly paved straight flat road
to nowhere. It would be safe and comfortable, but dull and utterly
pointless.
Having a secret is so fantastically sustaining and comforting, especially
when teenage turbulence squalls up. My parents bought the records, but I was
totally convinced that only I had the monopoly of true understanding. When I
heard her belt through gotta move, I seriously thought this gal must be
psychic.
forada2arnillo08boyuno,depuratorio despreciador.
--
Mariano Absatz
El Baby
----------------------------------------------------------
Conjecture: All odd numbers are prime.
Mathematician's Proof:
3 is prime. 5 is prime. 7 is prime. By induction, all
odd numbers are prime.
Physicist's Proof:
3 is prime. 5 is prime. 7 is prime. 9 is experimental
error. 11 is prime. 13 is prime ...
Engineer's Proof:
3 is prime. 5 is prime. 7 is prime. 9 is prime.
11 is prime. 13 is prime ...
Computer Scientists's Proof:
3 is prime. 3 is prime. 3 is prime. 3 is prime...
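Added example, not part of the original post: one way to confirm from a resolver log in the format quoted above that the SURBL zones really answered NXDOMAIN at delivery time, and to build the name a client queries from a URL host. The sample log, the example.com names, the TWO_LEVEL set and the layout of the `rr` line (a positive answer, which the post does not show) are assumptions made for illustration.

```python
from urllib.parse import urlsplit

ZONES = ("ws.surbl.org", "ob.surbl.org")
# Constructed sample of two-level suffixes; a real client needs a complete list.
TWO_LEVEL = {"com.ar", "co.nz", "co.uk"}

# Constructed log in the layout quoted in the post (documentation-range IPs).
SAMPLE_LOG = r"""
07-08 01:14:04 query 121975 \
127.0.0.1:4497:52051 a example.com.ob.surbl.org.
07-08 01:14:04 tx 0 a example.com.ob.surbl.org. \
ob.surbl.org. \
192.0.2.11 192.0.2.12
07-08 01:14:04 nxdomain 192.0.2.11 3600 \
example.com.ob.surbl.org.
07-08 01:14:05 nxdomain 192.0.2.12 3600 \
example.com.ws.surbl.org.
07-08 09:02:10 rr 192.0.2.12 3600 a example.com.ws.surbl.org. 127.0.0.2
"""

def query_name(url, zone):
    """Reduce the URL host to its registered domain and append the zone."""
    labels = urlsplit(url).hostname.split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_LEVEL else 2
    return ".".join(labels[-keep:] + [zone]) + "."

def logical_lines(text):
    """Join the backslash-continued lines used in the quoted log."""
    return [l for l in text.replace("\\\n", " ").splitlines() if l.strip()]

def surbl_answers(log_text, zones=ZONES):
    """Return (timestamp, name, answer) for each SURBL answer in the log."""
    out = []
    for line in logical_lines(log_text):
        f = line.split()
        if len(f) >= 6 and f[2] == "nxdomain":
            name, answer = f[5], "nxdomain"
        elif (len(f) >= 8 and f[2] == "rr" and f[5] == "a"
              and f[7].startswith("127.0.0.")):   # assumed rr layout
            name, answer = f[6], "listed " + f[7]
        else:
            continue  # query, tx and unrelated lines carry no answer
        if name.rstrip(".").endswith(zones):
            out.append((f[0] + " " + f[1], name, answer))
    return out

if __name__ == "__main__":
    print(query_name("http://i.rcg.example.com/f74/", "ob.surbl.org"))
    for event in surbl_answers(SAMPLE_LOG):
        print(*event)
```

The last NXDOMAIN and the first 127.0.0.x answer for the same name bound the period in which the entry was added, which is the timestamp the web check does not provide.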
group.to points to opt.to which I *think* is a redir.
??????
Chris Santerre
System Admin and SARE Ninja
http://www.rulesemporium.com
http://www.surbl.org
'It is not the strongest of the species that survives,
not the most intelligent, but the one most responsive to change.'
Charles Darwin
More to accompany the sudden upsurge of FP's in the WS list.
meredith.com (magazine publisher - owner of americanbaby.com newsletter)
websponsors.com
be3a.com
This week has been a particularly bad week for FP's :(
--
Regards,
David Hooton
Hello!
I'm trying to install SpamCopURI version 0.18 on my YellowDog Linux server.
When I install a .cf file that calls it, I get the following messages from
spamassassin --lint :
[root@merlin spamassassin]# spamassassin --lint
Failed to compile URI SpamAssassin tests, skipping:
(syntax error at /etc/mail/spamassassin/surbl.cf, rule WS_URI_RBL,
line 1, near "eval:"
syntax error at /etc/mail/spamassassin/bigevil.cf, rule BigEvilList_1614,
line 11071, near ";
}"
)
I've installed the same version of SpamCopURI on a RedHat 7.3 server
without any problems. I took the .cf file from that machine and it still
fails. The .cf file looks like this :
uri WS_URI_RBL eval:check_spamcop_uri_rbl('ws.surbl.org','127.0.0.2')
describe WS_URI_RBL URI's domain appears in sa-blacklist
tflags WS_URI_RBL net
score WS_URI_RBL 3.0
Any thoughts ? I tried removing all my other .cf files and I still get ...
[root@merlin Mail-SpamAssassin-SpamCopURI-0.18]# spamassassin --lint
Failed to compile URI SpamAssassin tests, skipping:
(syntax error at /etc/mail/spamassassin/surbl.cf, rule WS_URI_RBL,
line 1, near "eval:"
syntax error at /etc/mail/spamassassin/surbl.cf, rule WS_URI_RBL, line 23,
near ";
}"
)
Thanks!
Michael
--
--------------------------------o---------------------------------
Michael H. Martel | Vermont State Colleges
martelm(a)quark.vsc.edu | Systems Administrator
http://probe.vsc.edu/~michael | PH:802-241-2544 FX:802-241-3363
>-----Original Message-----
>From: David B Funk [mailto:dbfunk@engineering.uiowa.edu]
>Sent: Wednesday, July 07, 2004 6:05 PM
>To: SURBL Discussion list
>Subject: [SURBL-Discuss] FP for images.meredith.com in ws.surbl.org ?
>
>
>My boss subscribes to the "WOOD ONLINE" woodworking newsletter
><newsletter(a)email.woodmall.com>, which is published by
>Meredith Corporation.
>
>It contains references to images from http://images.meredith.com
>which trigger hits from ws.surbl.org and BigEvil.cf
>(it survived the single hit from BigEvil but when I deployed
>SURBL it got taken down, then the boss was asking why his
>newsletter was landing in his spam-basket ;).
>
>Now that I know about it, I've whitelisted the newsletter but not
>sure what else might be hit.
>Is images.meredith.com truly evil or a FP?
>(I can supply a copy of the newsletter if anybody wants to see it).
>
>Dave
This is an interesting one. Of the only 2 recent ones I see, one was a
poison attempt:
http://tinyurl.com/2mzf6
And the other looked like legit spam:
http://tinyurl.com/2an9j
But who knows? I definitely don't see any pattern like I do with real spam.
I'm thinking they may be okay to remove. Anyone else?
--Chris
My boss subscribes to the "WOOD ONLINE" woodworking newsletter
<newsletter(a)email.woodmall.com>, which is published by
Meredith Corporation.
It contains references to images from http://images.meredith.com
which trigger hits from ws.surbl.org and BigEvil.cf
(it survived the single hit from BigEvil but when I deployed
SURBL it got taken down, then the boss was asking why his
newsletter was landing in his spam-basket ;).
Now that I know about it, I've whitelisted the newsletter but not
sure what else might be hit.
Is images.meredith.com truly evil or a FP?
(I can supply a copy of the newsletter if anybody wants to see it).
Dave
--
Dave Funk University of Iowa
<dbfunk (at) engineering.uiowa.edu> College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
I know that netwinsite.com has been forged into a slew of "Mobster I.
Syphilitic" spams, as a bogus Received: header, but I would not block
mail simply based on the domain.
Chris Pugmire <chrisphome(a)netwin.co.nz> is the contact I worked with
over at Surgweb to clear up the forged Received: headers issue. He was
very antispam when I talked to him, perhaps he would be interested to
know if he's got some spamming customer(s).
--
hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2554 w: http://hesketh.com
Buy "Cascading Style Sheets: Separating Content from Presentation, 2/e" today!
http://www.amazon.com/exec/obidos/ASIN/159059231X/heskecominc-20/ref=nosim/