Discuss

discuss@lists.surbl.org

1 participants
1867 discussions

Hand classification / Scripted submission
by Ryan Thompson 09 Jul '04

09 Jul '04

Hi All, 'Tis my first post to this list... so I'll try to make it a good one. I have a heap (and will continue to have future heaps) of spam with URIs that don't hit any of the SURBLs. We'll hand-classify the URIs, of course, but are there any objections to scripting the submission against http://www.rulesemporium.com/cgi-bin/uribl.cgi?report=1 ? The basic idea would be to run one automatic pass to analyze our SA headers to see if *_URI_BL rules already matched; if they don't, add the message to a processing queue. Then, for each URI in the each message of that queue, do the lookup again with Net::DNS, since the URI might have been added in the last 24 hours or so since the spam was received. This should hopefully produce a comparatively short list of URIs (and spams) that don't appear in the SURBL. From here, we can hand-classify this bunch (i.e., delete any that aren't spammer sites), and have our second-pass script strip the SA markup (if present) from the spam, and automatically submit the hand-picked URIs and their spams via the web interface. Questions: 1) Is this approach reasonable (i.e., am I going to hear screams from someone if I script this, assuming I take precautions, rate-limit the submissions, and check the results before turning it loose?) 2) Is there already a more efficient way to submit URIs? (Besides running my own list, which, I guess, isn't too unreasonable :-) 3) Is there any advantage to submitting the same URI more than once (i.e., from different spam messages?) It seems like the answer is probably "no", but I'll gladly accept enlightenment. 4) Should I be submitting to multiple SURBLs, or just stick with ws.surbl.org? Since implementing SURBLs in SA2.63 about a week ago, we've had amazing success. So much that we're having occasional word-wrap issues with the X-Spam-Level: (stars) header. :-) Now I want to give something back. - Ryan -- Ryan Thompson <ryan(a)sasknow.com> SaskNow Technologies - http://www.sasknow.com 901-1st Avenue North - Saskatoon, SK - S7K 1Y4 Tel: 306-664-3600 Fax: 306-244-7037 Saskatoon Toll-Free: 877-727-5669 (877-SASKNOW) North America

1 0

RE: {Spam?} Re: [SURBL-Discuss] {Spam?} Perfect example of URL Po ison
by Chris Santerre 09 Jul '04

09 Jul '04

>-----Original Message----- >From: Mariano Absatz [mailto:el.baby@gmail.com] >Sent: Thursday, July 08, 2004 4:32 PM >To: SURBL Discussion list >Subject: {Spam?} Re: [SURBL-Discuss] {Spam?} Perfect example of URL >Poison > > >I always 'LOOK' at the actually displayed message within my mailer and >THEN analyze the source... but looking at this, I'd tend to report >opoloves.com and netuetion.com (supposing the faxd.gif has something >visible in it). > >Please, people... by far the BEST thing about SURBL is its really, >really, really low FP rate so you can be very comfortable scoring it >high. > >I have them scored at 3.5 (except for 6dos) in a VERY conservative ISP >and it's doing wonderfully. > >I can't offer right now 'cause I have no time at all, but I'd very >much like that the SURBL lists keep being managed manually. > >It'd be great if we could, at some point, form a small group of >volunteers with VERY good skills at spotting guilty URIs within spam >and keep the lists much like clamav maintains its virus database... > Oh that has been discussed. And started. But then that guy got abducted by aliens or something. If you ever meet a guy named Paul on the street, ask him how he is doing, and if the mother ship has returned. :) --Chris

3 2

RE: [SURBL-Discuss] Submissions to SURBL list thru SARE website.
by Chris Santerre 08 Jul '04

08 Jul '04

>-----Original Message----- >From: Steven Champeon [mailto:schampeo@hesketh.com] >Sent: Thursday, July 08, 2004 3:27 PM >To: SURBL Discussion list (E-mail) >Subject: Re: [SURBL-Discuss] Submissions to SURBL list thru SARE >website. > > >on Thu, Jul 08, 2004 at 03:17:52PM -0400, Chris Santerre wrote: >> Good grief. Let me say this slowly.... >> >> SURBL is for domains in LINKS, URLS, websites, images, >things you click on, >> images hosted in the email. >> >> SURBL is NOT, will never be used, doesn't care, /dev/null's, >any domain or >> IP the email came from. > >Well, I for one won't be sending any more domains along if I >have to also >distinguish between the domains I happened to find in email bodies from >those I happened to find in message headers. Sorry. The >overlap is far too >great, as for example in a recent message I got (summarized): > No you misunderstand. Steve, what you do with me is fine ;) These are people who keep reporting the same dang domain but all the IP addresses it comes from. Which are mostly zombied broadband machines!! So I get 20 submissions of the SAME spam, with the same one line URL in it, only they report each IP it came from!!! ARGH!!! And please, when using the SURBL submission page on SARE, try to include a copy of the spam, it helps get it added MUCH faster. Remember these are hand checked!! For those of you submitting them thru other methods to me, continue what your are doing. That is working fine. --Chris

2 1

Submissions to SURBL list thru SARE website.
by Chris Santerre 08 Jul '04

08 Jul '04

Good grief. Let me say this slowly.... SURBL is for domains in LINKS, URLS, websites, images, things you click on, images hosted in the email. SURBL is NOT, will never be used, doesn't care, /dev/null's, any domain or IP the email came from. Thanks, I feel better now. Chris Santerre System Admin and SARE Ninja http://www.rulesemporium.com http://www.surbl.org 'It is not the strongest of the species that survives, not the most intelligent, but the one most responsive to change.' Charles Darwin

4 3

Re: blacklist for notlong.com
by William Stearns 08 Jul '04

08 Jul '04

Good afternoon, Eric, On Thu, 8 Jul 2004, Eric Hammond wrote: > William Stearns wrote: > > I have a sense we could help _you_. When a user requests a > > notlong url, would you consider checking the target URL against the > > sa-blacklist, by [...] (Just for reference, surbl list, I suggested checking against either the static domain list or with dns lookups against surbl) > This sounds like a great idea. In fact, I heard about your service > by noticing that another URL shortening service run by a friend > (metamark.net) does check with SURBL. I'm sincerely glad to hear that! Please check back with us if we can help with the implementation. Cheers, - Bill --------------------------------------------------------------------------- Too many packets Syn. Ack. Fin. I. C. M. P. I am so tired -- Dennis McGrath -------------------------------------------------------------------------- William Stearns (wstearns(a)pobox.com). Mason, Buildkernel, freedups, p0f, rsync-backup, ssh-keyinstall, dns-check, more at: http://www.stearns.org --------------------------------------------------------------------------

1 0

RE: [SURBL-Discuss] Help with SpamCopURI-0.18
by Mitch Planck 08 Jul '04

08 Jul '04

> I've been trying to get SpamCopURI-0.18 working on my system and > I've run into many problems. First I had to install > LWP::UserAgent, which > kept failing until I got everything it needed installed; > after everything > was installed I re-did the SpamCopURI-0.18 install. > > All tests were "ok" but when I copy over the spamcopuri.cf > file I get this > from spam assassin: > > Failed to parse line in SpamAssassin configuration, skipping: > open_redirect_list_spamcop_uri xurl.us > Failed to compile URI SpamAssassin tests, skipping: > (syntax error at /etc/mail/spamassassin/spamcop_uri.cf, rule > SPAMCOP_URI_RBL, line 1, near "eval:" > > I tried searching the archive for support on this, but I only > found one > person posted this problem with no replies. > > Can anyone shed some light onto this? I'm guessing I'm missing a PERL > Module somewhere but I don't know which one. > > Thanks, > Steve > Hi Steve, Can you let us know what flavor Linux you are running, what version of perl & SA, and how you are trying to install? For example, I use FreeBSD, then use the ports collection for everything in that, but since it doesn't have SpamCopURI, I could either use the CPAN install or the standard download, make, make install, etc. I use the wrapper program amavisd-new as well with a postfix mail server, so I have to integrate my SA/SpamCop install into amavis and that gave me some headaches, but maybe an uninstall & reinstall of the latest version of SA, make sure other things are up to date too. >From the source, here are the needed modules in perl: use URI; use URI::QueryParam; use URI::Escape use Text::Wrap (); use Mail::SpamAssassin::EvalTests; use Mail::SpamAssassin::SpamCopURI; use Mail::SpamAssassin::AutoWhitelist; use Mail::SpamAssassin::HTML; use Mail::SpamAssassin::Conf; use Mail::SpamAssassin::Received; use Mail::SpamAssassin::Util; use Mail::SpamAssassin::NetSet; There may be others needed, but these are obviously needed. Best regards, Mitch Planck ias.net

2 1

RE: [SURBL-Discuss] Help with SpamCopURI-0.18
by Steve Dimoff 08 Jul '04

08 Jul '04

>Hi Steve, >Can you let us know what flavor Linux you are running, what version of perl >& SA, and how you are trying to install? Mitch, I'm running Gentoo Linux sparc (2.4.24-sparc-r2), This is perl, v5.8.2 built for sparc-linux, SA 2.63. I tried both CPAN install and source install. Neither of them run. I installed the SpamCopURI on a Linux Redhat box with SA 2.63 and it works just fine. So I was thinking it was a perl module problem. Thanks, Steve >From the source, here are the needed modules in perl: Hmmm I'll check to make sure those are all install.

1 0

Help with SpamCopURI-0.18
by Steve Dimoff 08 Jul '04

08 Jul '04

Hello, I've been trying to get SpamCopURI-0.18 working on my system and I've run into many problems. First I had to install LWP::UserAgent, which kept failing until I got everything it needed installed; after everything was installed I re-did the SpamCopURI-0.18 install. All tests were "ok" but when I copy over the spamcopuri.cf file I get this from spam assassin: Failed to parse line in SpamAssassin configuration, skipping: open_redirect_list_spamcop_uri snurl.com *.snurl.com Failed to parse line in SpamAssassin configuration, skipping: open_redirect_list_spamcop_uri snipurl.com *.snipurl.com Failed to parse line in SpamAssassin configuration, skipping: open_redirect_list_spamcop_uri tinyclick.com *.tinyclick.com Failed to parse line in SpamAssassin configuration, skipping: open_redirect_list_spamcop_uri babyurl.com *.babyurl.com Failed to parse line in SpamAssassin configuration, skipping: open_redirect_list_spamcop_uri lin.kz *.lin.kz Failed to parse line in SpamAssassin configuration, skipping: open_redirect_list_spamcop_uri *.v3.net Failed to parse line in SpamAssassin configuration, skipping: open_redirect_list_spamcop_uri shorl.com *.shorl.com Failed to parse line in SpamAssassin configuration, skipping: open_redirect_list_spamcop_uri tinyurl.com *.tinyurl.com Failed to parse line in SpamAssassin configuration, skipping: open_redirect_list_spamcop_uri xurl.us Failed to compile URI SpamAssassin tests, skipping: (syntax error at /etc/mail/spamassassin/spamcop_uri.cf, rule SPAMCOP_URI_RBL, line 1, near "eval:" I tried searching the archive for support on this, but I only found one person posted this problem with no replies. Can anyone shed some light onto this? I'm guessing I'm missing a PERL Module somewhere but I don't know which one. Thanks, Steve

1 0

RE: [SURBL-Discuss] Help: kid pron.....help report
by Chris Santerre 08 Jul '04

08 Jul '04

Roger, you wern't the only one. Page got less then halfway and I stopped it. Being a father of 2 it made me sick and angry. I reported it using www.missingkids.com 'cybertip line' . THis is where the trail ends. (FBI says call customs, customs says to call this number, number says to go here and this report gets sent out to all agencies. Whew! I hope they nail them to a wall. (Or let me in a room with them for 5 minutes!) --Chris >-----Original Message----- >From: Roger WJ Alterskjær [mailto:roger.alterskjaer@vm.ntnu.no] >Sent: Wednesday, July 07, 2004 9:24 AM >To: SURBL Discussion list >Subject: Re: [SURBL-Discuss] Help: kid pron.....help report > > >Wow! >I couldn't stomach letting the entire page load. I've reported >this site >to the Norwegian computer crime division. With regards to >child-pornography, they have investigative units that co-operate >internationally with other such law-enforcement organizations. >(That way >they can synchronize raids on child-porno rings on an large >geographical >basis!) > >Let's hope they get them! > >--- >Regards, >Roger WJ Alterskjær >IT Consultant >Museum of Natural History and Archaeology, NTNU >(+47) 73 59 79 78 > >_______________________________________________ >Discuss mailing list >Discuss(a)lists.surbl.org >http://lists.surbl.org/mailman/listinfo/discuss >

2 1

RE: [SURBL-Discuss] Another list to test: ab.surbl.org
by Joseph Burford 08 Jul '04

08 Jul '04

Hi Chris, > Joseph, I'm running sa-stats which only pulls out the > numbers, what do you use to parse out the info you posted? On my test box I'm running MailScanner + SpamAssassin and a utility for MailScanner called MailWatch. Essentially this throws all the data from each message into a MySQL database and provides a php frontend. I've just made up a few php scripts to create summaries by pulling relevant log details from the MySQL db. Looking at the SURBL stats, the messages that are in the end marked HAM are borderline. Some of them are postmaster bounces or postmaster messages from other servers I maintain, others are questionable mailing lists or even spam sent via yahoo groups. >From my look into the "false positives" of the SURBL lists there's hardly a message that wouldn't be missed if it hit the bit bucket. Regards, Joseph

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

Discuss