Discuss

discuss@lists.surbl.org

1862 discussions

possible false positive on DS
by Jose-Marcio.Martins＠ensmp.fr 14 Jul '04

14 Jul '04

Hello, myfamily.com is present at ds list. It seems to me that this is a false positive. Jose-Marcio -- --------------------------------------------------------------- Jose Marcio MARTINS DA CRUZ Tel. :(33) 01.40.51.93.41 Ecole des Mines de Paris http://j-chkmail.ensmp.fr 60, bd Saint Michel http://www.ensmp.fr/~martins 75272 - PARIS CEDEX 06 mailto:Jose-Marcio.Martins@ensmp.fr

2 1

RE: [SURBL-Discuss] 8m.com FP? in ds and ws.
by Chris Santerre 14 Jul '04

14 Jul '04

Could be a wakeup call for them. Maybe they should stop hosting spammers? Yeah yeah I know. I'm removing them now :) --Chris >-----Original Message----- >From: Patrik Nilsson [mailto:patrik@patrik.com] >Sent: Wednesday, July 14, 2004 9:47 AM >To: SURBL Discussion list >Subject: [SURBL-Discuss] 8m.com FP? in ds and ws. > > >8m.com seem to be used for sub-domain delegation. > >While some of those subdomains might be used in spam, not all >are, so maybe >8m.com should be white-listed and just the subdomains be listed? > >It's currently listed in ds and ws. > >Patrik > >_______________________________________________ >Discuss mailing list >Discuss(a)lists.surbl.org >http://lists.surbl.org/mailman/listinfo/discuss >

1 0

RE: [SURBL-Discuss] ws.surbl.org more FP's
by Chris Santerre 14 Jul '04

14 Jul '04

>-----Original Message----- >From: Raymond Dijkxhoorn [mailto:raymond@prolocation.net] >Sent: Wednesday, July 14, 2004 10:26 AM >To: SURBL Discussion list >Subject: Re: [SURBL-Discuss] ws.surbl.org more FP's > > >Hi! > >> meredith.com (magazine publisher - owner of americanbaby.com >newsletter) >> websponsors.com >> be3a.com >> >> This week has been a particularly bad week for FP's :( > >I dont know about the other 2 but websponsors.com is not a FP. >They are a >advertising network and have a lot of people spamming to drive >traffic to >the sites they advertise. Why would you wanna whitelist that one ? Any >specific reasons ? > >Perhaps look here: http://websponsors.com/affiliates.htm > >We have seen a LOT of mail with that one and refers to it. > >Its a matter of vieuw i also think, what you feel is a FP, but in this >case i dont agree with you. > Hey for once these didn't come from me or my sources :) However: > websponsors.com > be3a.com Both show up in 6dos data files. Which at least raises an eyebrow. --Chris

1 0

Re: SURBL scoring (fwd)
by Raymond Dijkxhoorn 14 Jul '04

14 Jul '04

Hi! Some talks about SURBL on the MailScanner list. This might be interesting for some of you: ---------- Forwarded message ---------- Date: Tue, 13 Jul 2004 17:07:14 -0400 From: John Lundin <lundin(a)CAVTEL.NET> Reply-To: MailScanner mailing list <MAILSCANNER(a)jiscmail.ac.uk> To: MAILSCANNER(a)jiscmail.ac.uk Subject: Re: SURBL scoring On Mon, 12 Jul 2004, Raymond Dijkxhoorn wrote: >> If the tests aren't very independent, should I reduce the scores >> when using more than one test? We delete mail that scores over 12, >> with these cumulative scores a false positive could result in lost >> mail. Should I worry about that? > > They are completely independant. See it as 3 regular RBL checks, if > you have a open proxy its also listed in all 3 (most likely). If its > listed in 3, and it scores 12 you are about as positive as it can be > that its spam... (cough) Well, since no one else spoke up... IMO, you should worry. And the problem is about to get worse; there's a new list in beta. A few days after adding WS to spamcop_uri, I had a friend's letter wind up in my spam folder. He was building a new computer and had sent me a parts list for comment. One of his possible suppliers turned out to be in SC and WC. (You can guess what one of my comments was.) o Do you really want to lose every message containing the hot URI? And any followup that quotes it? o They wouldn't be completely independent. Similar sets of spammers, same URI being matched against in the message. Personally, I do worry about forcing high-scoring spam status based on any single content feature. I scored the RBI_URL checks fairly low (3.0), and added a few meta-rules to soften multiple impact. This was guess by eyeball. I haven't gotten around to playing with the math, but have started to keep statistics to base new scores on. FWIW, I maintain MS on one old spam-ridden site. About 95% of its inbound mail currently scores as spam. 83% of that spam hits at least one URI_RBL rule. 31% of spam (37% of spam hits with URI_RBL's) hit all four of AB, OB, SC and WS, and 53% (63%) hit three or more! Of the "non-spam", 1.4% still has at least one URI_RBL hit. What I added to spamcop_uri.cf (first pass): meta OB_SC_URI_RBL (SPAMCOP_URI_RBL && OB_URI_RBL) describe OB_SC_URI_RBL Compensate if both spamcop and OB trigger score OB_SC_URI_RBL -1.5 meta AB_SC_URI_RBL (SPAMCOP_URI_RBL && AB_URI_RBL) describe AB_SC_URI_RBL Compensate if both AB and SC trigger score AB_SC_URI_RBL -1.5 meta OB_WS_URI_RBL (OB_URI_RBL && WS_URI_RBL) describe OB_WS_URI_RBL Compensate if both WS and OB trigger score OB_WS_URI_RBL -1.0 I'd be interested to know what other people do to fix this. -- lundin(a)cavtel.net "By the time they had diminished from 50 to 8, the other dwarves began to suspect 'Hungry' ..." -------------------------- MailScanner list ---------------------- To leave, send leave mailscanner to jiscmail(a)jiscmail.ac.uk Before posting, please see the Most Asked Questions at http://www.mailscanner.biz/maq/ and the archives at http://www.jiscmail.ac.uk/lists/mailscanner.html

1 0

RE: [SURBL-Discuss] fp mailscanner dot info
by Chris Santerre 14 Jul '04

14 Jul '04

>-----Original Message----- >From: Raymond Dijkxhoorn [mailto:raymond@prolocation.net] >Sent: Tuesday, July 13, 2004 7:51 PM >To: SURBL Discussion list >Subject: Re: [SURBL-Discuss] fp mailscanner dot info > > >Hi! > >> (S)He'd better check that out thoroughly before... MailScanner dot >> info is the official home of MailScanner, which is a (very good) >> antispam/antivirus server tool... it does integrate SURBL via SA and >> its great! >> >> The possible problems your submitter might have had would be: >> >> 1) a foolish sysadmin enabling spam bounces to faked 'mail from:' >> addresses which could include a default signature including >> www.mailscanner-MUNGED.info (and possibly www.transtec.co.uk). > >If he/she would have looked on the page, eg, handchecked the >submission >then this would have never happened. Very very silly. > I'll take the heat on this one. I have been trusting the submissions of this source. As they are well known and not a noob on this matter. But from now on I will handcheck everyone of the submissions from this source. --Chris

1 0

RE: [SURBL-Discuss] fp mailscanner dot info
by Chris Santerre 14 Jul '04

14 Jul '04

Fixed just now. I've informed the person who submitted it. I couldn't find anything bad on them. But sometimes this submitter does. I've whitelisted them. --Chris >-----Original Message----- >From: Lindsay Snider [mailto:lindsay@pa.net] >Sent: Tuesday, July 13, 2004 10:58 AM >To: discuss(a)lists.surbl.org >Subject: [SURBL-Discuss] fp mailscanner dot info > > >I noticed mailscanner dot info is in ws.surbl.org and I believe this to >be incorrect. Do we have an alternate more automated way of dealing w/ >false positives? > >Best Regards, >Lindsay >_______________________________________________ >Discuss mailing list >Discuss(a)lists.surbl.org >http://lists.surbl.org/mailman/listinfo/discuss >

3 2

beam.to redirect service, listed in ws.
by Patrik Nilsson 13 Jul '04

13 Jul '04

Should beam.to be whitelisted? It's a redirect service. Currently listed in ws. Patrik

2 1

WHy did I ask about brightmail?
by Chris Santerre 13 Jul '04

13 Jul '04

" Symantec's patent-pending URL Filters technology leverages key infrastructure elements unique to Symantec. Using its real-time spam data, the BLOC builds a list of spammer's Web sites. At the customer site, URL Filters compare embedded links in messages to the list of spam URLs maintained by the BLOC. The list itself is created by using a combination of offline and real-time processes, incorporating URLs fromthe following sources: Probe Network data. The majority of the spam URLs are extracted from incoming spam and historical data from the Probe Network. Thus, if there are URLs present in the message, and the BLOC has ruled against the message, the URL is added to the list. Trusted third party lists. URL lists maintained by third party vendors and partners are verified, cross-checked, and incorporated into Symantec's spam URL list. " Patent Pending? Third Party? Hmmm........ I have a problem with people making money off open source. I have a REAL problem when people don't even mention the source. I'm not saying they do use surbl.org, but if they did, they should say it. They also say that URL filtering is exclusive to brightmail. Nice! Chris Santerre System Admin and SARE Ninja http://www.rulesemporium.com http://www.surbl.org 'It is not the strongest of the species that survives, not the most intelligent, but the one most responsive to change.' Charles Darwin

2 1

rsync and brightmail
by Chris Santerre 13 Jul '04

13 Jul '04

Just curious is brightmail or ironport IPs are rsyncing surbl data? Anyone know? Chris Santerre System Admin and SARE Ninja http://www.rulesemporium.com http://www.surbl.org 'It is not the strongest of the species that survives, not the most intelligent, but the one most responsive to change.' Charles Darwin

1 0

fp mailscanner dot info
by Lindsay Snider 13 Jul '04

13 Jul '04

I noticed mailscanner dot info is in ws.surbl.org and I believe this to be incorrect. Do we have an alternate more automated way of dealing w/ false positives? Best Regards, Lindsay

1 0

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

Discuss