Hello!
I'm trying to install SpamCopURI version 0.18 on my YellowDog Linux server.
When I install a .cf file that calls it, I get the following messages from
spamassassin --lint :
[root@merlin spamassassin]# spamassassin --lint
Failed to compile URI SpamAssassin tests, skipping:
(syntax error at /etc/mail/spamassassin/surbl.cf, rule WS_URI_RBL,
line 1, near "eval:"
syntax error at /etc/mail/spamassassin/bigevil.cf, rule BigEvilList_1614,
line 11071, near ";
}"
)
I've installed the same version of SpamCopURI on a RedHat 7.3 server
without any problems. I took the .cf file from that machine and it still
fails. The .cf file looks like this :
uri WS_URI_RBL eval:check_spamcop_uri_rbl('ws.surbl.org','127.0.0.2')
describe WS_URI_RBL URI's domain appears in sa-blacklist
tflags WS_URI_RBL net
score WS_URI_RBL 3.0
Any thoughts ? I tried removing all my other .cf files and I still get ...
[root@merlin Mail-SpamAssassin-SpamCopURI-0.18]# spamassassin --lint
Failed to compile URI SpamAssassin tests, skipping:
(syntax error at /etc/mail/spamassassin/surbl.cf, rule WS_URI_RBL,
line 1, near "eval:"
syntax error at /etc/mail/spamassassin/surbl.cf, rule WS_URI_RBL, line 23,
near ";
}"
)
Thanks!
Michael
--
--------------------------------o---------------------------------
Michael H. Martel | Vermont State Colleges
martelm(a)quark.vsc.edu | Systems Administrator
http://probe.vsc.edu/~michael | PH:802-241-2544 FX:802-241-3363
>-----Original Message-----
>From: David B Funk [mailto:dbfunk@engineering.uiowa.edu]
>Sent: Wednesday, July 07, 2004 6:05 PM
>To: SURBL Discussion list
>Subject: [SURBL-Discuss] FP for images.meredith.com in ws.surbl.org ?
>
>
>My boss subscribes to the "WOOD ONLINE" woodworking newsletter
><newsletter(a)email.woodmall.com>, which is published by
>Meredith Corporation.
>
>It contains references to images from http://images.meredith.com
>which trigger hits from ws.surbl.org and BigEvil.cf
>(it survived the single hit from BigEvil but when I deployed
>SURBL it got taken down, then the boss was asking why his
>newsletter was landing in his spam-basket ;).
>
>Now that I know about it, I've whitelisted the newsletter but not
>sure what else might be hit.
>Is images.meredith.com truly evil or a FP?
>(I can supply a copy of the newsletter if anybody wants to see it).
>
>Dave
This is an interesting one. Of the only 2 recent ones I see, one was a
poison attempt:
http://tinyurl.com/2mzf6
And the other looked like legit spam:
http://tinyurl.com/2an9j
But who knows? I definitely don't see any pattern like I do with real spam.
I'm thinking they may be okay to remove. Anyone else?
--Chris
My boss subscribes to the "WOOD ONLINE" woodworking newsletter
<newsletter(a)email.woodmall.com>, which is published by
Meredith Corporation.
It contains references to images from http://images.meredith.com
which trigger hits from ws.surbl.org and BigEvil.cf
(it survived the single hit from BigEvil but when I deployed
SURBL it got taken down, then the boss was asking why his
newsletter was landing in his spam-basket ;).
Now that I know about it, I've whitelisted the newsletter but not
sure what else might be hit.
Is images.meredith.com truly evil or a FP?
(I can supply a copy of the newsletter if anybody wants to see it).
Dave
--
Dave Funk University of Iowa
<dbfunk (at) engineering.uiowa.edu> College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
I know that netwinsite.com has been forged into a slew of "Mobster I.
Syphilitic" spams, as a bogus Received: header, but I would not block
mail simply based on the domain.
Chris Pugmire <chrisphome(a)netwin.co.nz> is the contact I worked with
over at Surgweb to clear up the forged Received: headers issue. He was
very antispam when I talked to him, perhaps he would be interested to
know if he's got some spamming customer(s).
--
hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2554 w: http://hesketh.com
Buy "Cascading Style Sheets: Separating Content from Presentation, 2/e" today!
http://www.amazon.com/exec/obidos/ASIN/159059231X/heskecominc-20/ref=nosim/
Hello,
myfamily.com is present at ds list. It seems to me that this is
a false positive.
Jose-Marcio
--
---------------------------------------------------------------
Jose Marcio MARTINS DA CRUZ Tel. :(33) 01.40.51.93.41
Ecole des Mines de Paris http://j-chkmail.ensmp.fr
60, bd Saint Michel http://www.ensmp.fr/~martins
75272 - PARIS CEDEX 06 mailto:Jose-Marcio.Martins@ensmp.fr
Could be a wakeup call for them. Maybe they should stop hosting spammers?
Yeah yeah I know. I'm removing them now :)
--Chris
>-----Original Message-----
>From: Patrik Nilsson [mailto:patrik@patrik.com]
>Sent: Wednesday, July 14, 2004 9:47 AM
>To: SURBL Discussion list
>Subject: [SURBL-Discuss] 8m.com FP? in ds and ws.
>
>
>8m.com seem to be used for sub-domain delegation.
>
>While some of those subdomains might be used in spam, not all are, so maybe
>8m.com should be white-listed and just the subdomains be listed?
>
>It's currently listed in ds and ws.
>
>Patrik
>
>
>-----Original Message-----
>From: Raymond Dijkxhoorn [mailto:raymond@prolocation.net]
>Sent: Wednesday, July 14, 2004 10:26 AM
>To: SURBL Discussion list
>Subject: Re: [SURBL-Discuss] ws.surbl.org more FP's
>
>
>Hi!
>
>> meredith.com (magazine publisher - owner of americanbaby.com newsletter)
>> websponsors.com
>> be3a.com
>>
>> This week has been a particularly bad week for FP's :(
>
>I don't know about the other 2 but websponsors.com is not a FP.
>They are an advertising network and have a lot of people spamming to drive
>traffic to the sites they advertise. Why would you wanna whitelist that one ?
>Any specific reasons ?
>
>Perhaps look here: http://websponsors.com/affiliates.htm
>
>We have seen a LOT of mail with that one and refers to it.
>
>It's a matter of view I also think, what you feel is a FP, but in this
>case I don't agree with you.
>
Hey for once these didn't come from me or my sources :)
However:
> websponsors.com
> be3a.com
Both show up in 6dos data files. Which at least raises an eyebrow.
--Chris
Hi!
Some talks about SURBL on the MailScanner list. This might be interesting
for some of you:
---------- Forwarded message ----------
Date: Tue, 13 Jul 2004 17:07:14 -0400
From: John Lundin <lundin(a)CAVTEL.NET>
Reply-To: MailScanner mailing list <MAILSCANNER(a)jiscmail.ac.uk>
To: MAILSCANNER(a)jiscmail.ac.uk
Subject: Re: SURBL scoring
On Mon, 12 Jul 2004, Raymond Dijkxhoorn wrote:
>> If the tests aren't very independent, should I reduce the scores
>> when using more than one test? We delete mail that scores over 12,
>> with these cumulative scores a false positive could result in lost
>> mail. Should I worry about that?
>
> They are completely independent. See it as 3 regular RBL checks, if
> you have an open proxy it's also listed in all 3 (most likely). If it's
> listed in 3, and it scores 12 you are about as positive as it can be
> that it's spam...
(cough) Well, since no one else spoke up... IMO, you should worry.
And the problem is about to get worse; there's a new list in beta.
A few days after adding WS to spamcop_uri, I had a friend's letter
wind up in my spam folder. He was building a new computer and had sent
me a parts list for comment. One of his possible suppliers turned out
to be in SC and WC. (You can guess what one of my comments was.)
o Do you really want to lose every message containing the hot URI?
And any followup that quotes it?
o They wouldn't be completely independent. Similar sets of spammers,
same URI being matched against in the message.
Personally, I do worry about forcing high-scoring spam status based
on any single content feature. I scored the RBI_URL checks fairly low
(3.0), and added a few meta-rules to soften multiple impact. This was
guess by eyeball. I haven't gotten around to playing with the math,
but have started to keep statistics to base new scores on.
FWIW, I maintain MS on one old spam-ridden site. About 95% of its
inbound mail currently scores as spam. 83% of that spam hits at least
one URI_RBL rule. 31% of spam (37% of spam hits with URI_RBL's) hit
all four of AB, OB, SC and WS, and 53% (63%) hit three or more! Of the
"non-spam", 1.4% still has at least one URI_RBL hit.
What I added to spamcop_uri.cf (first pass):
meta OB_SC_URI_RBL (SPAMCOP_URI_RBL && OB_URI_RBL)
describe OB_SC_URI_RBL Compensate if both spamcop and OB trigger
score OB_SC_URI_RBL -1.5
meta AB_SC_URI_RBL (SPAMCOP_URI_RBL && AB_URI_RBL)
describe AB_SC_URI_RBL Compensate if both AB and SC trigger
score AB_SC_URI_RBL -1.5
meta OB_WS_URI_RBL (OB_URI_RBL && WS_URI_RBL)
describe OB_WS_URI_RBL Compensate if both WS and OB trigger
score OB_WS_URI_RBL -1.0
I'd be interested to know what other people do to fix this.
--
lundin(a)cavtel.net
"By the time they had diminished from 50 to 8,
the other dwarves began to suspect 'Hungry' ..."
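The effect of the compensating meta rules in the message above, worked through for every combination of URI_RBL hits. This is an added example, not part of the original post; it assumes all four base rules score 3.0 (the post gives only "(3.0)") and evaluates only the `(A && B)` meta form the post uses.

```python
import re
from itertools import combinations

# Constructed config. The three meta rules are quoted from the post; giving
# all four URI_RBL rules a 3.0 base score is an assumption from its "(3.0)".
CF = """
score SPAMCOP_URI_RBL 3.0
score OB_URI_RBL 3.0
score AB_URI_RBL 3.0
score WS_URI_RBL 3.0
meta OB_SC_URI_RBL (SPAMCOP_URI_RBL && OB_URI_RBL)
score OB_SC_URI_RBL -1.5
meta AB_SC_URI_RBL (SPAMCOP_URI_RBL && AB_URI_RBL)
score AB_SC_URI_RBL -1.5
meta OB_WS_URI_RBL (OB_URI_RBL && WS_URI_RBL)
score OB_WS_URI_RBL -1.0
"""
BASE = ("AB_URI_RBL", "OB_URI_RBL", "SPAMCOP_URI_RBL", "WS_URI_RBL")

def parse_cf(text):
    """Collect 'score NAME value' and 'meta NAME expr' lines."""
    scores, metas = {}, {}
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[0] == "score":
            scores[parts[1]] = float(parts[2].split()[0])
        elif len(parts) == 3 and parts[0] == "meta":
            metas[parts[1]] = parts[2].strip()
    return scores, metas

def meta_fires(expr, hits):
    """Evaluate a meta expression; only the (A && B ...) form is supported."""
    if not re.fullmatch(r"\(?\s*\w+(\s*&&\s*\w+)*\s*\)?", expr):
        raise ValueError("unsupported meta expression: " + expr)
    return all(name in hits for name in re.findall(r"\w+", expr))

def total(hits, scores, metas, compensate=True):
    """Sum the scores of the hit rules plus any meta rules they trigger."""
    fired = set(hits)
    if compensate:
        fired |= {m for m, expr in metas.items() if meta_fires(expr, fired)}
    return sum(scores[rule] for rule in fired)

def score_table():
    """(hit combination, raw total, total with meta compensation) per combo."""
    scores, metas = parse_cf(CF)
    return [(combo, total(combo, scores, metas, False), total(combo, scores, metas))
            for n in range(1, len(BASE) + 1) for combo in combinations(BASE, n)]

if __name__ == "__main__":
    for combo, raw, comp in score_table():
        print(f"{'+'.join(c.split('_')[0] for c in combo):22} raw={raw:5.1f} comp={comp:5.1f}")
```

Under these assumptions a message hitting all four lists drops from 12.0 to 8.0, while the pairs AB+OB, AB+WS and SC+WS stay at 6.0 because none of the three meta rules covers them.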
>-----Original Message-----
>From: Raymond Dijkxhoorn [mailto:raymond@prolocation.net]
>Sent: Tuesday, July 13, 2004 7:51 PM
>To: SURBL Discussion list
>Subject: Re: [SURBL-Discuss] fp mailscanner dot info
>
>
>Hi!
>
>> (S)He'd better check that out thoroughly before... MailScanner dot
>> info is the official home of MailScanner, which is a (very good)
>> antispam/antivirus server tool... it does integrate SURBL via SA and
>> its great!
>>
>> The possible problems your submitter might have had would be:
>>
>> 1) a foolish sysadmin enabling spam bounces to faked 'mail from:'
>> addresses which could include a default signature including
>> www.mailscanner-MUNGED.info (and possibly www.transtec.co.uk).
>
>If he/she would have looked on the page, eg, handchecked the submission
>then this would have never happened. Very very silly.
>
I'll take the heat on this one. I have been trusting the submissions of this
source. As they are well known and not a noob on this matter. But from now
on I will handcheck every one of the submissions from this source.
--Chris