On Thursday, July 1, 2004, 11:47:37 AM, Don Newcomer wrote:
> Hats off to the folks who brought out the new SURBL checks! Here's my top
> 15 rule hits over the past 20 hours and look where my 4 URIBLs come in:
> 18832 - HTML_MESSAGE (0.100) - 50_scores.cf
> 10296 - BAYES_99 (5.400) - 50_scores.cf
> 9810 - OB_URI_RBL (4.0) - surbl.cf
> 9403 - MIME_HTML_ONLY (0.320) - 50_scores.cf
> 8367 - WS_URI_RBL (3.0) - surbl.cf
> 7922 - CLICK_BELOW (0.100) - 50_scores.cf
> 5220 - HTML_LINK_CLICK_HERE (0.100) - 50_scores.cf
> 5102 - SPAMCOP_URI_RBL (3.0) - surbl.cf
> 4470 - MIME_MISSING_BOUNDARY (1.838) - 50_scores.cf
> 4401 - MY_SHRT_IMG (0.848) - coding_html.cf
> 4285 - MK_BAD_HTML_05 (0.3) - coding_html.cf
> 4118 - NO_REAL_NAME (0.160) - 50_scores.cf
> 4111 - AB_URI_RBL (5.0) - surbl.cf
> 3887 - SARE_FROM_SPAM_WORD3 (0.100) - 70_sare_header.cf
> 3678 - MIME_HTML_NO_CHARSET (0.561) - 50_scores.cf
Thanks much for the data and the compliments Don! I'm
forwarding your results to the SURBL discussion list.
It's interesting to see how well ob is detecting spams. My hat
is off in thanks to the OutBlaze folks for providing the data.
Still looking for anyone's spam detection rates and false
positive rates with all the lists:
sc.surbl.org - SpamCop spamvertised sites
ws.surbl.org - sa-blacklist, BigEvil and other data
ob.surbl.org - OutBlaze spamvertised sites
ab.surbl.org - AbuseButler spamvertised sites
ds.surbl.org (beta, 6dos data)
Jeff C.
--
Jeff Chan
mailto:jeffc@surbl.org
http://www.surbl.org/
>-----Original Message-----
>From: Jeff Chan [mailto:jeffc@surbl.org]
>Sent: Thursday, July 01, 2004 3:39 PM
>To: 'SURBL Discussion list'
>Subject: Re: [SURBL-Discuss] uptilt.com and their customers probably not spammers
>
>
>On Thursday, July 1, 2004, 6:51:32 AM, Chris Santerre wrote:
>> -1 here
>
>> I think private is better. Public reports of FPs I am +1.
>
>OK To me FPs and whitelisting are the same thing, but it
>sounds like if we did this you're saying it should be called
>"FP reporting" and not "whitelist reporting". Am I interpreting
>what you're saying correctly?
>
Yup. (I can be confusing sometimes.) Saying "Tell us who should be
whitelisted." vs. "Did someone get marked incorrectly?" are different, yet
the outcome is the same....sort of.
If we never listed ebay, then no one will ever report ebay as an fp.
CON: No proactive submissions. We may miss a popular domain.
PRO: We don't get tons of whitelist submissions. Taking all our time
checking them to see if they are legit instead of checking domains that
should be added.
--Chris
-1 here
I think private is better. Public reports of FPs I am +1.
--Chris
>-----Original Message-----
>From: Jeff Chan [mailto:jeffc@surbl.org]
>Sent: Thursday, July 01, 2004 7:51 AM
>To: SURBL Discussion list
>Subject: Re: [SURBL-Discuss] uptilt.com and their customers
>probably not
>spammers
>
>
>On Thursday, July 1, 2004, 4:40:54 AM, David Hooton wrote:
>> On Thu, 1 Jul 2004 02:33:33 -0700, Jeff Chan <jeffc(a)surbl.org> wrote:
>>> the relative lack of inclusion across multiple SURBL
>>> data sources leads me to think that uptilt.com is probably
>>> not a spamhaus. Therefore I've used that list of uptilt.com
>>> domains and customer domains as a whitelist. That means they
>>> will not be included in SURBLs.
>
>> Thanks for your super diligence, we all appreciate it, so do our clients :)
>
>Thanks for your kind words David. As you can see I like to avoid
>false positives. :-)
>
>
>I'm strongly tempted to make a public form for submitting
>whitelist entries, fully logged, rate-limited and reviewed,
>of course. It could help with the FPs and add more public
>visibility to the whitelisting process.
>
>Jeff C.
>
>_______________________________________________
>Discuss mailing list
>Discuss(a)lists.surbl.org
>http://lists.surbl.org/mailman/listinfo/discuss
>
Here's some additional info on some of the recent
sa-blacklist/ws.surbl.org/6dos goings on, copied from a
message I sent to the SpamAssassin-users list:
> 1477667 Jun 21 18:48 /etc/spamassassin/RulesDuJour/blacklist.cf.20040623-0106
> 421286 Jun 21 18:49 /etc/spamassassin/RulesDuJour/blacklist-uri.cf.20040623-0106
> 1459329 Jun 23 00:03 /etc/spamassassin/RulesDuJour/blacklist.cf.20040624-1602
> 415544 Jun 23 00:04 /etc/spamassassin/RulesDuJour/blacklist-uri.cf.20040624-1602
> 1484137 Jun 24 15:48 /etc/spamassassin/RulesDuJour/blacklist.cf.20040627-0301
> 422228 Jun 24 15:49 /etc/spamassassin/RulesDuJour/blacklist-uri.cf.20040627-0301
> 1559813 Jun 27 02:17 /etc/spamassassin/RulesDuJour/blacklist.cf.20040628-1544
> 443922 Jun 27 02:18 /etc/spamassassin/RulesDuJour/blacklist-uri.cf.20040628-1544
> 5432965 Jun 28 15:25 /etc/spamassassin/RulesDuJour/blacklist.cf.20040628-1558
> 1544207 Jun 28 15:28 /etc/spamassassin/blacklist-uri.cf
> 7070231 Jun 28 15:54 /etc/spamassassin/blacklist.cf
I think I can help explain why sa-blacklist went from 1.5 MB
to 5.5 MB in size suddenly. Chris Santerre added a fairly large
set of records from 6dos (6 degrees of spam) around that time in
order to get the records into ws.surbl.org and sa-blacklist.
Chris, Bill and I then discussed this and decided to take them
back out of sa-blacklist and therefore ws.surbl.org, and put
the 6dos entries into its own SURBL instead.
However Bill's server experienced a hard disk problem around
the same time so the entries have not come out of sa-blacklist
yet. But they will come out once Chris gets access to Bill's
server again. Until then, backing off to an earlier version
of sa-blacklist makes perfect sense and it's what we've done
for ws.surbl.org.
When Chris gets in again, he will get the 6dos entries off
sa-blacklist, it will come back down in size, and I'll restore
live feeds of ws.surbl.org from the sa-blacklist data instead
of freezing it at the older version, as it is now.
Hopefully this makes some sense. If not I'll gladly try to
answer any questions or comments anyone has, though I'm not
the original source of the changes.
Jeff C.
--
Jeff Chan
mailto:jeffc@surbl.org
http://www.surbl.org/
They got on my list due to the tonyrobbins.com incident.
http://tinyurl.com/28xpc
In that case I believe a "marketing company" was hired, who spammed for
tonyrobbins.com.
They are at least off-white in my mind.
--Chris
>-----Original Message-----
>From: Jeff Chan [mailto:jeffc@surbl.org]
>Sent: Thursday, July 01, 2004 5:34 AM
>To: SURBL Discuss
>Subject: [SURBL-Discuss] uptilt.com and their customers probably not
>spammers
>
>
>I made a list of some of uptilt.com (emaillabs.com) customers':
>
> http://www.emaillabs.com/clientlist.html
>
>likely domains:
>
> http://spamcheck.freeapp.net/whitelists/uptilt
>
>and checked those domains against all existing SURBLs.
>The only matches were:
>
> uptilt.com
>
>on ws.surbl.org, due to Chris' earlier manual listing, and:
>
> digitalimpact.com
> uptilt.com
> wordbiz.com
>
>on ds.surbl.org (6dos) which is a pretty low hit rate for
>nearly a hundred domains against a fairly aggressive list
>*if uptilt.com were a spamhaus*. It's not totally conclusive,
>but the relative lack of inclusion across multiple SURBL
>data sources leads me to think that uptilt.com is probably
>not a spamhaus. Therefore I've used that list of uptilt.com
>domains and customer domains as a whitelist. That means they
>will not be included in SURBLs.
>
>Jeff C.
>--
>Jeff Chan
>mailto:jeffc@surbl.org
>http://www.surbl.org/
>
>_______________________________________________
>Discuss mailing list
>Discuss(a)lists.surbl.org
>http://lists.surbl.org/mailman/listinfo/discuss
>
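The cross-list check described in the quoted message, as an added example that is not part of the original thread: each domain is looked up as `<domain>.<list>` under every SURBL zone, and the overall hit rate and multi-list overlap are reported. The `customerNN.example` names and the in-memory zone data are constructed placeholders; only the four matches come from the message.

```python
import socket

LISTS = ["sc.surbl.org", "ws.surbl.org", "ob.surbl.org", "ab.surbl.org", "ds.surbl.org"]


def dns_listed(domain, zone):
    """Live check: a name that resolves under the zone is listed; NXDOMAIN is not.
    Resolver failures also land here, so rerun before trusting an all-clear."""
    try:
        socket.gethostbyname(f"{domain}.{zone}")
        return True
    except socket.gaierror:
        return False


def cross_check(domains, lists=LISTS, listed=dns_listed):
    """Map each list to the domains it contains, plus hit rate and overlap."""
    hits = {zone: sorted(d for d in domains if listed(d, zone)) for zone in lists}
    flagged = set().union(*hits.values())
    # Domains that independent data sources agree on are the stronger signal.
    multi = sorted(d for d in flagged if sum(d in h for h in hits.values()) > 1)
    return {"hits": hits, "flagged": sorted(flagged),
            "hit_rate": len(flagged) / len(domains), "multi_list": multi}


def demo():
    # Constructed stand-in zone data holding only the matches reported in the message.
    fake = {"ws.surbl.org": {"uptilt.com"},
            "ds.surbl.org": {"digitalimpact.com", "uptilt.com", "wordbiz.com"}}
    # Placeholder names pad the list to roughly the size described ("nearly a hundred").
    domains = ["uptilt.com", "digitalimpact.com", "wordbiz.com"] + \
              [f"customer{i:02d}.example" for i in range(1, 94)]
    return cross_check(domains, listed=lambda d, z: d in fake.get(z, set()))
```

Calling `cross_check(domains)` without the `listed` argument performs real DNS lookups through the system resolver.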
Yesterday I activated ds.surbl.org in our local server for very few domains,
so far, I got 54 hits, NO false positives.
Regards.
--
Mariano Absatz
El Baby
----------------------------------------------------------
Asking if computers can think is like asking if submarines can swim.
This is a forwarded message
From: Jeff Chan <jeffc(a)surbl.org>
To: William Stearns <wstearns(a)pobox.com>
Date: Wednesday, June 30, 2004, 8:45:52 AM
Subject: Re: procmail exited w/ EX_TEMPFAIL and stucked spamd processes
===8<==============Original message text===============
On Wednesday, June 30, 2004, 7:38:42 AM, William Stearns wrote:
>> From: Damon McMahon <inst_karma(a)hotmail.com>
>> Are you by chance using Bill Stearn's sa-blacklist?
>>
>> Same thing happened on my mail server yesterday - it almost ground to a
>> halt, stalled procmail processes all over the place, sendmail errors
>> identical to yours - very ugly.
>>
>> Eventually traced it down to the fact that the sa-blacklist.current had
>> inadvertently quintupled (5x) in size overnight, from 1.5 to almost 7 MB in
>> size. I use daily auto-updates of this list so hadn't noticed until the
>> side-effects appeared.
> Am I missing something? Please take a look at
> http://www.stearns.org/sa-blacklist/sa-blacklist.current.domains
> - 23,752 domains, just
> before Chris started adding 6dos. I relinked the last good one when I
> brought the server back up.
For generating ws.surbl.org, that's perfect, and I've re-enabled
my getting of sa-blacklist.current.domains from your server.
When Chris can get the 6dos data disabled, and you link back to
an un-6dosed but otherwise current version, I think we will be
fully functional again in terms of the ws.surbl.org generation
process. I suppose you could rename the 6dos blacklist to
disable it also.
> If you're using my list, what version are you using? 200406281446
> should be a safe one to use.
I was mainly referring to the folks using sa-blacklist as a cf
file, which one of the versions apparently did get several times
larger than before, presumably due to the inclusion of the 6dos
data.
Jeff C.
--
Jeff Chan
mailto:jeffc@surbl.org
http://www.surbl.org/
===8<===========End of original message text===========
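A guard for unattended blacklist updates of the kind discussed in this message, as an added example that is not part of the original thread or of any project mentioned in it: a downloaded file is installed only if its size is within a set ratio of the live file. The 2x and 0.5x thresholds, the function names and the file names in `demo()` are assumptions.

```python
import os
import shutil
import tempfile

MAX_GROWTH = 2.0   # assumed threshold: reject a file more than 2x the live one
MIN_RATIO = 0.5    # assumed threshold: reject a file less than half the live one


def check_update(live_path, candidate_path, max_growth=MAX_GROWTH, min_ratio=MIN_RATIO):
    """Return (ok, reason) for replacing live_path with candidate_path."""
    new_size = os.path.getsize(candidate_path)
    if new_size == 0:
        return False, "candidate is empty"
    if not os.path.exists(live_path):
        return True, "no live file yet; first install"
    old_size = os.path.getsize(live_path)
    if old_size == 0:
        return True, "live file is empty"
    ratio = new_size / old_size
    if ratio > max_growth:
        return False, f"grew {ratio:.1f}x ({old_size} -> {new_size} bytes)"
    if ratio < min_ratio:
        return False, f"shrank to {ratio:.2f}x ({old_size} -> {new_size} bytes)"
    return True, f"size ratio {ratio:.2f} within limits"


def install_update(live_path, candidate_path, **limits):
    """Install the candidate atomically if it passes; keep the old file as .prev."""
    ok, reason = check_update(live_path, candidate_path, **limits)
    if not ok:
        return False, reason          # live file is left untouched
    if os.path.exists(live_path):
        shutil.copy2(live_path, live_path + ".prev")
    # Copy next to the live file first so os.replace() is an atomic rename.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(live_path)))
    os.close(fd)
    shutil.copy2(candidate_path, tmp)
    os.replace(tmp, live_path)
    return True, reason


def demo():
    """Constructed data: sizes in KB mirror the 1.5 MB -> ~7 MB jump in the thread."""
    d = tempfile.mkdtemp()
    live, big, normal = (os.path.join(d, n) for n in ("blacklist.cf", "new-big", "new-ok"))
    for path, kb in ((live, 1500), (big, 7000), (normal, 1560)):
        with open(path, "wb") as f:
            f.write(b"#" * kb * 1024)
    return install_update(live, big), install_update(live, normal), os.path.getsize(live)
```

A rejected update should raise an alert for manual review, since a legitimate large import looks the same to this check as a broken one.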
>-----Original Message-----
>From: Jeff Chan [mailto:jeffc@surbl.org]
>Sent: Wednesday, June 30, 2004 4:40 AM
>To: 'SURBL Discussion list'
>Subject: Re: [SURBL-Discuss] Remove overlapping rules due to SURBL?
>
>
>On Wednesday, June 30, 2004, 12:46:50 AM, Martin Lyberg wrote:
>> These are the lists I use at the moment:
>
>> # sc.surbl.org - SpamCop message-body URI domains
>> # ws.surbl.org - sa-blacklist domains as a SURBL
>> # be.surbl.org - BigEvil and MidEvil domains
>> # ob.surbl.org - OutBlaze spamvertised sites
>> # ab.surbl.org - AbuseButler spamvertised sites
>
>> I wonder if any of my following rulesets is overlapping the SURBL-lists and
>> should be removed?
>
>> I have the following rulesets:
>
>> 70_sare_adult.cf
>> 70_sare_random.cf
>> 70_sare_specific.cf
>> 72_sare_bml_post25x.cf
>> antidrug.cf
>> backhair.cf
>> bigevil.cf
>> chickenpox.cf
>> evilnumbers.cf
>> tripwire.cf
>> weeds.cf
>
>Hi Martin,
>On behalf of everyone contributing to the SURBL project, thanks
>for your kind words. Glad you're finding SURBLs useful.
>
>Chris or one of the SARE guys will know a lot more about
>the specific SARE rules, but I know that the domains in
>bigevil.cf are in be.surbl.org, so you may be able to
>get rid of bigevil.cf. For that matter the records in
>be.surbl.org are now in ws.surbl.org, so you can get rid
>of be.surbl.org also.
>
>Chris & Co are probably creating a heavily wildcarded ruleset
>that you may want to use in future in addition to SURBLs.
>
>1. Get rid of bigevil.cf, it's mostly in be.surbl.org
>2. Get rid of be.surbl.org, it's in ws.surbl.org
>
Just a followup. Yup everything Jeff covered is spot on! However I see you're
not running any of the 70_SARE_HTML rulesets. You should look into those.
They don't overlap either. And they are very good.
--Chris
>-----Original Message-----
>From: Jeff Chan [mailto:jeffc@surbl.org]
>Sent: Wednesday, June 30, 2004 2:06 AM
>To: SURBL Discuss
>Subject: [SURBL-Discuss] Fwd: Re: blacklist brings system to halt
>
>
>Here's some additional info on some of the recent
>sa-blacklist/ws.surbl.org/6dos goings on, copied from a
>message I sent to the SpamAssassin-users list:
>
*snip*
>
>I think I can help explain why sa-blacklist went from 1.5 MB
>to 5.5 MB in size suddenly. Chris Santerre added a fairly large
>set of records from 6dos (6 degrees of spam) around that time in
>order to get the records into ws.surbl.org and sa-blacklist.
>Chris, Bill and I then discussed this and decided to take them
>back out of sa-blacklist and therefore ws.surbl.org, and put
>the 6dos entries into its own SURBL instead.
Yeah....ummm.....I made a little boo boo :)
This is what happens with 3 weeks off of hockey and only 3 hours sleep the
night before. I have been LART'd and it won't happen again.
"Bad little monkey! Bad!"
--Chris