Hello,
myfamily.com is present at ds list. It seems to me that this is
a false positive.
Jose-Marcio
--
---------------------------------------------------------------
Jose Marcio MARTINS DA CRUZ Tel. :(33) 01.40.51.93.41
Ecole des Mines de Paris http://j-chkmail.ensmp.fr
60, bd Saint Michel http://www.ensmp.fr/~martins
75272 - PARIS CEDEX 06 mailto:Jose-Marcio.Martins@ensmp.fr
Could be a wakeup call for them. Maybe they should stop hosting spammers?
Yeah yeah I know. I'm removing them now :)
--Chris
>-----Original Message-----
>From: Patrik Nilsson [mailto:patrik@patrik.com]
>Sent: Wednesday, July 14, 2004 9:47 AM
>To: SURBL Discussion list
>Subject: [SURBL-Discuss] 8m.com FP? in ds and ws.
>
>
>8m.com seems to be used for sub-domain delegation.
>
>While some of those subdomains might be used in spam, not all
>are, so maybe
>8m.com should be white-listed and just the subdomains be listed?
>
>It's currently listed in ds and ws.
>
>Patrik
>
>_______________________________________________
>Discuss mailing list
>Discuss(a)lists.surbl.org
>http://lists.surbl.org/mailman/listinfo/discuss
>
>-----Original Message-----
>From: Raymond Dijkxhoorn [mailto:raymond@prolocation.net]
>Sent: Wednesday, July 14, 2004 10:26 AM
>To: SURBL Discussion list
>Subject: Re: [SURBL-Discuss] ws.surbl.org more FP's
>
>
>Hi!
>
>> meredith.com (magazine publisher - owner of americanbaby.com
>newsletter)
>> websponsors.com
>> be3a.com
>>
>> This week has been a particularly bad week for FP's :(
>
>I don't know about the other 2 but websponsors.com is not a FP.
>They are an
>advertising network and have a lot of people spamming to drive
>traffic to
>the sites they advertise. Why would you wanna whitelist that one ? Any
>specific reasons ?
>
>Perhaps look here: http://websponsors.com/affiliates.htm
>
>We have seen a LOT of mail with that one and refers to it.
>
>It's a matter of view I also think, what you feel is a FP, but in this
>case I don't agree with you.
>
Hey for once these didn't come from me or my sources :)
However:
> websponsors.com
> be3a.com
Both show up in 6dos data files. Which at least raises an eyebrow.
--Chris
Hi!
Some talks about SURBL on the MailScanner list. This might be interesting
for some of you:
---------- Forwarded message ----------
Date: Tue, 13 Jul 2004 17:07:14 -0400
From: John Lundin <lundin(a)CAVTEL.NET>
Reply-To: MailScanner mailing list <MAILSCANNER(a)jiscmail.ac.uk>
To: MAILSCANNER(a)jiscmail.ac.uk
Subject: Re: SURBL scoring
On Mon, 12 Jul 2004, Raymond Dijkxhoorn wrote:
>> If the tests aren't very independent, should I reduce the scores
>> when using more than one test? We delete mail that scores over 12,
>> with these cumulative scores a false positive could result in lost
>> mail. Should I worry about that?
>
> They are completely independent. See it as 3 regular RBL checks, if
> you have an open proxy it's also listed in all 3 (most likely). If it's
> listed in 3, and it scores 12 you are about as positive as it can be
> that it's spam...
(cough) Well, since no one else spoke up... IMO, you should worry.
And the problem is about to get worse; there's a new list in beta.
A few days after adding WS to spamcop_uri, I had a friend's letter
wind up in my spam folder. He was building a new computer and had sent
me a parts list for comment. One of his possible suppliers turned out
to be in SC and WC. (You can guess what one of my comments was.)
o Do you really want to lose every message containing the hot URI?
And any followup that quotes it?
o They wouldn't be completely independent. Similar sets of spammers,
same URI being matched against in the message.
Personally, I do worry about forcing high-scoring spam status based
on any single content feature. I scored the RBI_URL checks fairly low
(3.0), and added a few meta-rules to soften multiple impact. This was
guess by eyeball. I haven't gotten around to playing with the math,
but have started to keep statistics to base new scores on.
FWIW, I maintain MS on one old spam-ridden site. About 95% of its
inbound mail currently scores as spam. 83% of that spam hits at least
one URI_RBL rule. 31% of spam (37% of spam hits with URI_RBL's) hit
all four of AB, OB, SC and WS, and 53% (63%) hit three or more! Of the
"non-spam", 1.4% still has at least one URI_RBL hit.
What I added to spamcop_uri.cf (first pass):
meta OB_SC_URI_RBL (SPAMCOP_URI_RBL && OB_URI_RBL)
describe OB_SC_URI_RBL Compensate if both spamcop and OB trigger
score OB_SC_URI_RBL -1.5
meta AB_SC_URI_RBL (SPAMCOP_URI_RBL && AB_URI_RBL)
describe AB_SC_URI_RBL Compensate if both AB and SC trigger
score AB_SC_URI_RBL -1.5
meta OB_WS_URI_RBL (OB_URI_RBL && WS_URI_RBL)
describe OB_WS_URI_RBL Compensate if both WS and OB trigger
score OB_WS_URI_RBL -1.0
I'd be interested to know what other people do to fix this.
--
lundin(a)cavtel.net
"By the time they had diminished from 50 to 8,
the other dwarves began to suspect 'Hungry' ..."
-------------------------- MailScanner list ----------------------
To leave, send leave mailscanner to jiscmail(a)jiscmail.ac.uk
Before posting, please see the Most Asked Questions at
http://www.mailscanner.biz/maq/ and the archives at
http://www.jiscmail.ac.uk/lists/mailscanner.html
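Added example (not part of the forwarded message, and not SpamAssassin or MailScanner code): a small Python evaluator that applies the three compensating meta rules posted above to every combination of the four URI_RBL hits and reports raw versus net score. It assumes each list rule scores the 3.0 the poster mentions, uses the 12-point delete threshold from the quoted question, and only handles the '&&' metas shown.

```python
import itertools
import re

# meta/score lines as posted in the message above (describe lines omitted).
POSTED_CF = """\
meta OB_SC_URI_RBL (SPAMCOP_URI_RBL && OB_URI_RBL)
score OB_SC_URI_RBL -1.5
meta AB_SC_URI_RBL (SPAMCOP_URI_RBL && AB_URI_RBL)
score AB_SC_URI_RBL -1.5
meta OB_WS_URI_RBL (OB_URI_RBL && WS_URI_RBL)
score OB_WS_URI_RBL -1.0
"""
BASE_RULES = ("AB_URI_RBL", "OB_URI_RBL", "SPAMCOP_URI_RBL", "WS_URI_RBL")
BASE_SCORE = 3.0   # assumption: every list rule scored at the 3.0 mentioned
DELETE_AT = 12.0   # delete threshold from the quoted question

def parse_cf(text):
    """Return {meta_name: (required_rules, score)}; only '&&' metas supported."""
    needs, scores = {}, {}
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        kind, name, rest = parts
        if kind == "meta":
            if "||" in rest or "!" in rest:
                raise ValueError("unsupported meta expression: " + rest)
            needs[name] = frozenset(re.findall(r"[A-Z][A-Z0-9_]*", rest))
        elif kind == "score":
            scores[name] = float(rest)
    return {name: (needs[name], scores[name]) for name in needs}

def net_score(hits, metas):
    """Base points for each list hit plus every meta whose operands all hit."""
    total = BASE_SCORE * len(hits)
    for required, score in metas.values():
        if required <= set(hits):
            total += score
    return total

def score_table(metas):
    """Map each non-empty combination of list hits to (raw, net) score."""
    table = {}
    for n in range(1, len(BASE_RULES) + 1):
        for combo in itertools.combinations(BASE_RULES, n):
            table[combo] = (BASE_SCORE * n, net_score(combo, metas))
    return table

if __name__ == "__main__":
    for combo, (raw, net) in score_table(parse_cf(POSTED_CF)).items():
        flag = "DELETE" if net >= DELETE_AT else ""
        print(f"{'+'.join(r.split('_')[0] for r in combo):18} {raw:5.1f} {net:5.1f} {flag}")
```

Under these assumptions a message on all four lists nets 8.0 instead of 12.0, and an AB+OB+SPAMCOP hit nets 6.0, the same as AB+OB alone, so pairwise compensation can make an additional list hit contribute nothing.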
>-----Original Message-----
>From: Raymond Dijkxhoorn [mailto:raymond@prolocation.net]
>Sent: Tuesday, July 13, 2004 7:51 PM
>To: SURBL Discussion list
>Subject: Re: [SURBL-Discuss] fp mailscanner dot info
>
>
>Hi!
>
>> (S)He'd better check that out thoroughly before... MailScanner dot
>> info is the official home of MailScanner, which is a (very good)
>> antispam/antivirus server tool... it does integrate SURBL via SA and
>> its great!
>>
>> The possible problems your submitter might have had would be:
>>
>> 1) a foolish sysadmin enabling spam bounces to faked 'mail from:'
>> addresses which could include a default signature including
>> www.mailscanner-MUNGED.info (and possibly www.transtec.co.uk).
>
>If he/she would have looked on the page, eg, handchecked the
>submission
>then this would have never happened. Very very silly.
>
I'll take the heat on this one. I have been trusting the submissions of this
source. As they are well known and not a noob on this matter. But from now
on I will handcheck every one of the submissions from this source.
--Chris
Fixed just now. I've informed the person who submitted it. I couldn't find
anything bad on them. But sometimes this submitter does. I've whitelisted
them.
--Chris
>-----Original Message-----
>From: Lindsay Snider [mailto:lindsay@pa.net]
>Sent: Tuesday, July 13, 2004 10:58 AM
>To: discuss(a)lists.surbl.org
>Subject: [SURBL-Discuss] fp mailscanner dot info
>
>
>I noticed mailscanner dot info is in ws.surbl.org and I believe this to
>be incorrect. Do we have an alternate more automated way of dealing w/
>false positives?
>
>Best Regards,
>Lindsay
"
Symantec's patent-pending URL Filters technology leverages key
infrastructure elements unique to Symantec. Using its real-time
spam data, the BLOC builds a list of spammer's Web sites. At the
customer site, URL Filters compare embedded links in messages
to the list of spam URLs maintained by the BLOC.
The list itself is created by using a combination of offline and real-time
processes, incorporating URLs from the following sources:
Probe Network data. The majority of the spam URLs are extracted from
incoming spam and historical data from the Probe Network. Thus, if there are
URLs present in the message, and the BLOC has ruled against the message, the
URL is added to the list.
Trusted third party lists. URL lists maintained by third party vendors and
partners are verified, cross-checked, and incorporated into Symantec's spam
URL list.
"
Patent Pending? Third Party? Hmmm........
I have a problem with people making money off open source. I have a REAL
problem when people don't even mention the source. I'm not saying they do
use surbl.org, but if they did, they should say it.
They also say that URL filtering is exclusive to brightmail. Nice!
Chris Santerre
System Admin and SARE Ninja
http://www.rulesemporium.com http://www.surbl.org
'It is not the strongest of the species that survives,
not the most intelligent, but the one most responsive to change.'
Charles Darwin
Just curious if brightmail or ironport IPs are rsyncing surbl data? Anyone
know?
Chris Santerre
System Admin and SARE Ninja
http://www.rulesemporium.com http://www.surbl.org
'It is not the strongest of the species that survives,
not the most intelligent, but the one most responsive to change.'
Charles Darwin
I noticed mailscanner dot info is in ws.surbl.org and I believe this to
be incorrect. Do we have an alternate more automated way of dealing w/
false positives?
Best Regards,
Lindsay