Hi All,
'Tis my first post to this list... so I'll try to make it a good one.
I have a heap (and will continue to have future heaps) of spam with URIs
that don't hit any of the SURBLs. We'll hand-classify the URIs, of
course, but are there any objections to scripting the submission against
http://www.rulesemporium.com/cgi-bin/uribl.cgi?report=1 ?
The basic idea would be to run one automatic pass to analyze our SA
headers to see if *_URI_BL rules already matched; if they don't, add the
message to a processing queue. Then, for each URI in each message of
that queue, do the lookup again with Net::DNS, since the URI might have
been added in the last 24 hours or so since the spam was received. This
should hopefully produce a comparatively short list of URIs (and spams)
that don't appear in the SURBL. From here, we can hand-classify this
bunch (i.e., delete any that aren't spammer sites), and have our
second-pass script strip the SA markup (if present) from the spam, and
automatically submit the hand-picked URIs and their spams via the web
interface.
Questions:
1) Is this approach reasonable (i.e., am I going to hear screams from
someone if I script this, assuming I take precautions, rate-limit the
submissions, and check the results before turning it loose?)
2) Is there already a more efficient way to submit URIs? (Besides
running my own list, which, I guess, isn't too unreasonable :-)
3) Is there any advantage to submitting the same URI more than once
(i.e., from different spam messages?) It seems like the answer is
probably "no", but I'll gladly accept enlightenment.
4) Should I be submitting to multiple SURBLs, or just stick with
ws.surbl.org?
Since implementing SURBLs in SA2.63 about a week ago, we've had amazing
success. So much that we're having occasional word-wrap issues with the
X-Spam-Level: (stars) header. :-)
Now I want to give something back.
- Ryan
--
Ryan Thompson <ryan(a)sasknow.com>
SaskNow Technologies - http://www.sasknow.com
901-1st Avenue North - Saskatoon, SK - S7K 1Y4
Tel: 306-664-3600 Fax: 306-244-7037 Saskatoon
Toll-Free: 877-727-5669 (877-SASKNOW) North America
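
The two-pass triage described in the message above, sketched in Python as an added example (not code from the post or from the SURBL or SARE projects). The rule-name pattern, the sample messages and the `LISTED` stand-in for the DNS zone are assumptions constructed for illustration; the original post proposes Net::DNS for the live lookup.

```python
import re
import socket
from email import message_from_string

RULE_RE = re.compile(r"\w+_URI_R?BL\b")   # e.g. WS_URI_RBL (assumed rule naming)
URI_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)
IP_RE = re.compile(r"[\d.]+")

def already_listed(msg):
    """Pass 1: did SpamAssassin already record a URI blocklist hit?"""
    return bool(RULE_RE.search(msg.get("X-Spam-Status", "")))

def body_domains(msg):
    """Domains from body URIs only; headers (sending hosts/IPs) are never read."""
    body = " ".join(str(p.get_payload()) for p in msg.walk() if not p.is_multipart())
    hosts = (h.lower().strip(".") for h in URI_RE.findall(body))
    # Simplification: keep the last two labels; wrong for ccTLDs such as co.uk.
    return sorted({".".join(h.split(".")[-2:]) for h in hosts
                   if h and not IP_RE.fullmatch(h)})

def dns_listed(domain, zone="ws.surbl.org"):
    """Re-check: a listed domain resolves under the zone, an unlisted one does not.
    A resolver failure also returns False, which only sends the domain to hand review."""
    try:
        socket.gethostbyname(f"{domain}.{zone}")
        return True
    except OSError:
        return False

def review_queue(raw_messages, is_listed=dns_listed):
    """Map each still-unlisted domain to the Message-IDs that carried it."""
    queue = {}
    for raw in raw_messages:
        msg = message_from_string(raw)
        if already_listed(msg):
            continue
        for dom in body_domains(msg):
            if not is_listed(dom):
                queue.setdefault(dom, []).append(msg.get("Message-ID", "?"))
    return queue

# Constructed sample spam and a constructed stand-in for the DNS zone.
SAMPLES = [
    "Message-ID: <1@example>\nX-Spam-Status: Yes, hits=9.1 tests=WS_URI_RBL,HTML_MESSAGE\n\nBuy at http://www.listed-pills.example/x\n",
    "Message-ID: <2@example>\nX-Spam-Status: Yes, hits=5.2 tests=HTML_MESSAGE\n\nSee http://a.newspam.example/ and http://late-listed.example/\n",
    "Message-ID: <3@example>\nX-Spam-Status: No, hits=1.0 tests=NONE\n\nhttp://b.newspam.example/promo http://192.0.2.7/x\n",
]
LISTED = {"listed-pills.example", "late-listed.example"}

if __name__ == "__main__":
    print(review_queue(SAMPLES, is_listed=lambda d: d in LISTED))
```

Each domain appears once in the queue however many spams carried it, so the hand-classification step sees one entry per domain with its supporting messages attached.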
>-----Original Message-----
>From: Mariano Absatz [mailto:el.baby@gmail.com]
>Sent: Thursday, July 08, 2004 4:32 PM
>To: SURBL Discussion list
>Subject: {Spam?} Re: [SURBL-Discuss] {Spam?} Perfect example of URL
>Poison
>
>
>I always 'LOOK' at the actually displayed message within my mailer and
>THEN analyze the source... but looking at this, I'd tend to report
>opoloves.com and netuetion.com (supposing the faxd.gif has something
>visible in it).
>
>Please, people... by far the BEST thing about SURBL is its really,
>really, really low FP rate so you can be very comfortable scoring it
>high.
>
>I have them scored at 3.5 (except for 6dos) in a VERY conservative ISP
>and it's doing wonderfully.
>
>I can't offer right now 'cause I have no time at all, but I'd very
>much like that the SURBL lists keep being managed manually.
>
>It'd be great if we could, at some point, form a small group of
>volunteers with VERY good skills at spotting guilty URIs within spam
>and keep the lists much like clamav maintains its virus database...
>
Oh that has been discussed. And started. But then that guy got abducted by
aliens or something. If you ever meet a guy named Paul on the street, ask
him how he is doing, and if the mother ship has returned.
:)
--Chris
>-----Original Message-----
>From: Steven Champeon [mailto:schampeo@hesketh.com]
>Sent: Thursday, July 08, 2004 3:27 PM
>To: SURBL Discussion list (E-mail)
>Subject: Re: [SURBL-Discuss] Submissions to SURBL list thru SARE
>website.
>
>
>on Thu, Jul 08, 2004 at 03:17:52PM -0400, Chris Santerre wrote:
>> Good grief. Let me say this slowly....
>>
>> SURBL is for domains in LINKS, URLS, websites, images,
>things you click on,
>> images hosted in the email.
>>
>> SURBL is NOT, will never be used, doesn't care, /dev/null's,
>any domain or
>> IP the email came from.
>
>Well, I for one won't be sending any more domains along if I
>have to also
>distinguish between the domains I happened to find in email bodies from
>those I happened to find in message headers. Sorry. The
>overlap is far too
>great, as for example in a recent message I got (summarized):
>
No you misunderstand. Steve, what you do with me is fine ;)
These are people who keep reporting the same dang domain but all the IP
addresses it comes from. Which are mostly zombied broadband machines!!
So I get 20 submissions of the SAME spam, with the same one line URL in it,
only they report each IP it came from!!! ARGH!!!
And please, when using the SURBL submission page on SARE, try to include a
copy of the spam, it helps get it added MUCH faster. Remember these are hand
checked!!
For those of you submitting them thru other methods to me, continue what
you are doing. That is working fine.
--Chris
Good grief. Let me say this slowly....
SURBL is for domains in LINKS, URLS, websites, images, things you click on,
images hosted in the email.
SURBL is NOT, will never be used, doesn't care, /dev/null's, any domain or
IP the email came from.
Thanks, I feel better now.
Chris Santerre
System Admin and SARE Ninja
http://www.rulesemporium.com
http://www.surbl.org
'It is not the strongest of the species that survives,
not the most intelligent, but the one most responsive to change.'
Charles Darwin
Good afternoon, Eric,
On Thu, 8 Jul 2004, Eric Hammond wrote:
> William Stearns wrote:
> > I have a sense we could help _you_. When a user requests a
> > notlong url, would you consider checking the target URL against the
> > sa-blacklist, by [...]
(Just for reference, surbl list, I suggested checking against
either the static domain list or with dns lookups against surbl)
> This sounds like a great idea. In fact, I heard about your service
> by noticing that another URL shortening service run by a friend
> (metamark.net) does check with SURBL.
I'm sincerely glad to hear that!
Please check back with us if we can help with the implementation.
Cheers,
- Bill
---------------------------------------------------------------------------
Too many packets
Syn. Ack. Fin. I. C. M. P.
I am so tired
-- Dennis McGrath
--------------------------------------------------------------------------
William Stearns (wstearns(a)pobox.com). Mason, Buildkernel, freedups, p0f,
rsync-backup, ssh-keyinstall, dns-check, more at: http://www.stearns.org
--------------------------------------------------------------------------
> I've been trying to get SpamCopURI-0.18 working on my system and
> I've run into many problems. First I had to install
> LWP::UserAgent, which
> kept failing until I got everything it needed installed;
> after everything
> was installed I re-did the SpamCopURI-0.18 install.
>
> All tests were "ok" but when I copy over the spamcopuri.cf
> file I get this
> from spam assassin:
>
> Failed to parse line in SpamAssassin configuration, skipping:
> open_redirect_list_spamcop_uri xurl.us
> Failed to compile URI SpamAssassin tests, skipping:
> (syntax error at /etc/mail/spamassassin/spamcop_uri.cf, rule
> SPAMCOP_URI_RBL, line 1, near "eval:"
>
> I tried searching the archive for support on this, but I only
> found one
> person posted this problem with no replies.
>
> Can anyone shed some light onto this? I'm guessing I'm missing a PERL
> Module somewhere but I don't know which one.
>
> Thanks,
> Steve
>
Hi Steve,
Can you let us know what flavor Linux you are running, what version of perl
& SA, and how you are trying to install? For example, I use FreeBSD, then
use the ports collection for everything in that, but since it doesn't have
SpamCopURI, I could either use the CPAN install or the standard download,
make, make install, etc. I use the wrapper program amavisd-new as well with
a postfix mail server, so I have to integrate my SA/SpamCop install into
amavis and that gave me some headaches, but maybe an uninstall & reinstall
of the latest version of SA, make sure other things are up to date too.
From the source, here are the needed modules in perl:
use URI;
use URI::QueryParam;
use URI::Escape;
use Text::Wrap ();
use Mail::SpamAssassin::EvalTests;
use Mail::SpamAssassin::SpamCopURI;
use Mail::SpamAssassin::AutoWhitelist;
use Mail::SpamAssassin::HTML;
use Mail::SpamAssassin::Conf;
use Mail::SpamAssassin::Received;
use Mail::SpamAssassin::Util;
use Mail::SpamAssassin::NetSet;
There may be others needed, but these are obviously needed.
Best regards,
Mitch Planck
ias.net
>Hi Steve,
>Can you let us know what flavor Linux you are running, what version of perl
>& SA, and how you are trying to install?
Mitch,
I'm running Gentoo Linux sparc (2.4.24-sparc-r2), This is perl,
v5.8.2 built for sparc-linux, SA 2.63.
I tried both CPAN install and source install. Neither of them run.
I installed the SpamCopURI on a Linux Redhat box with SA 2.63 and it works
just fine. So I was thinking it was a perl module problem.
Thanks,
Steve
>From the source, here are the needed modules in perl:
Hmmm I'll check to make sure those are all installed.
Hello,
I've been trying to get SpamCopURI-0.18 working on my system and
I've run into many problems. First I had to install LWP::UserAgent, which
kept failing until I got everything it needed installed; after everything
was installed I re-did the SpamCopURI-0.18 install.
All tests were "ok" but when I copy over the spamcopuri.cf file I get this
from spam assassin:
Failed to parse line in SpamAssassin configuration, skipping:
open_redirect_list_spamcop_uri snurl.com *.snurl.com
Failed to parse line in SpamAssassin configuration, skipping:
open_redirect_list_spamcop_uri snipurl.com *.snipurl.com
Failed to parse line in SpamAssassin configuration, skipping:
open_redirect_list_spamcop_uri tinyclick.com *.tinyclick.com
Failed to parse line in SpamAssassin configuration, skipping:
open_redirect_list_spamcop_uri babyurl.com *.babyurl.com
Failed to parse line in SpamAssassin configuration, skipping:
open_redirect_list_spamcop_uri lin.kz *.lin.kz
Failed to parse line in SpamAssassin configuration, skipping:
open_redirect_list_spamcop_uri *.v3.net
Failed to parse line in SpamAssassin configuration, skipping:
open_redirect_list_spamcop_uri shorl.com *.shorl.com
Failed to parse line in SpamAssassin configuration, skipping:
open_redirect_list_spamcop_uri tinyurl.com *.tinyurl.com
Failed to parse line in SpamAssassin configuration, skipping:
open_redirect_list_spamcop_uri xurl.us
Failed to compile URI SpamAssassin tests, skipping:
(syntax error at /etc/mail/spamassassin/spamcop_uri.cf, rule
SPAMCOP_URI_RBL, line 1, near "eval:"
I tried searching the archive for support on this, but I only found one
person posted this problem with no replies.
Can anyone shed some light onto this? I'm guessing I'm missing a PERL
Module somewhere but I don't know which one.
Thanks,
Steve
Roger, you weren't the only one. Page got less than halfway and I stopped it.
Being a father of 2 it made me sick and angry.
I reported it using www.missingkids.com 'cybertip line'. This is where the
trail ends. (FBI says call customs, customs says to call this number, number
says to go here and this report gets sent out to all agencies. Whew!)
I hope they nail them to a wall. (Or let me in a room with them for 5
minutes!)
--Chris
>-----Original Message-----
>From: Roger WJ Alterskjær [mailto:roger.alterskjaer@vm.ntnu.no]
>Sent: Wednesday, July 07, 2004 9:24 AM
>To: SURBL Discussion list
>Subject: Re: [SURBL-Discuss] Help: kid pron.....help report
>
>
>Wow!
>I couldn't stomach letting the entire page load. I've reported
>this site
>to the Norwegian computer crime division. With regards to
>child-pornography, they have investigative units that co-operate
>internationally with other such law-enforcement organizations.
>(That way
>they can synchronize raids on child-porno rings on an large
>geographical
>basis!)
>
>Let's hope they get them!
>
>---
>Regards,
>Roger WJ Alterskjær
>IT Consultant
>Museum of Natural History and Archaeology, NTNU
>(+47) 73 59 79 78
>
>_______________________________________________
>Discuss mailing list
>Discuss(a)lists.surbl.org
>http://lists.surbl.org/mailman/listinfo/discuss
>
Hi Chris,
> Joseph, I'm running sa-stats which only pulls out the
> numbers, what do you use to parse out the info you posted?
On my test box I'm running MailScanner + SpamAssassin and a utility for
MailScanner called MailWatch. Essentially this throws all the data from
each message into a MySQL database and provides a php frontend.
I've just made up a few php scripts to create summaries by pulling
relevant log details from the MySQL db.
Looking at the SURBL stats, the messages that are in the end marked HAM
are borderline. Some of them are postmaster bounces or postmaster
messages from other servers I maintain, others are questionable mailing
lists or even spam sent via yahoo groups.
From my look into the "false positives" of the SURBL lists there's
hardly a message that wouldn't be missed if it hit the bit bucket.
Regards,
Joseph