Discuss

discuss@lists.surbl.org

1862 discussions

large number of empty URIs preceeding actual one
by Jeff Chan 05 Jun '04

05 Jun '04

Not sure if this is a new type of spam or not: http://www.surbl.org/fitch7826drug.us.4jun04.txt This example I just received had many real or joe job URIs with no text in the anchor like: <a href=3D"http://www.elysian-MUNGED.com"></a> Perhaps it's trying to run out some counters, but the real target domain is visible as the last "removal" URI: <a href=3D"http://= www.ozone.fitch7826drug-MUNGED.us/d.ddd">here.</a> > Name: fitch7826drug.us > Address: 61.250.93.214 Where this IP is in sbl.spamhaus.org of course. The "ordering" link just before it was broken (no dot, at least in my MUA, The Bat!): <a href=3D"http://fitch7826drug= us/b94">Click Interestingly SpamCop did parse the message correctly in terms of ignoring the blank anchors and finding only the clickable ones. That said, if urirhsbl or SpamCopURI limit the number of URIs checked, these could sneak through. A useful behavior might be to ignore any non-clickable anchors, if we're not already doing that. Jeff C. -- Jeff Chan mailto:jeffc@surbl.org http://www.surbl.org/

5 5

Re: [SURBL-Discuss] Joe Job again: Watchsound.com
by Jim Knuth 04 Jun '04

04 Jun '04

Hallo und guten Morgen Jeff, danke für die Email vom 04.06.2004 um 00:43 Jeff Chan schrieb - wrote: > On Thursday, June 3, 2004, 7:25:06 AM, Chris Santerre wrote: >> LOL, guess they don't like being added to BigEvil! watchsound.com is Joe >> Jobbing me now. Poor little pron spammer hosted in China. (61.152.133.68). >> Feel free to add this to the other SURBL servers, firewall blocks, Host file >> blocks, squid blocks, ect..... > FWIW This domain is currently in sc.surbl.org and ws.surbl.org.. > (But not be.surbl.org? That doesn't seem right...) warum schickst Du mir das? Hab ich damit etwas zu tun? why do you send that to me? Have done I with that something? -- Viele Grüße, Kind regards, Jim Knuth jk(a)jkart.de ICQ #277289867 ---------- Zufalls-Zitat ---------- Frauen würden sich leichter damit abfinden, dass ihr Mann später nach Hause kommt, wenn sie sich wirklich darauf verlassen könnten, dass er nicht früher da ist. [Sidonie-Gabrielle Colette] ---------- Dieser Text hat nichts mit dem Empfänger der Mail zu tun ---------- virengeprüft mit NOD32 Version 1.780 Update 03.06.2004

1 0

Joe Job again: Watchsound.com
by Chris Santerre 04 Jun '04

04 Jun '04

LOL, guess they don't like being added to BigEvil! watchsound.com is Joe Jobbing me now. Poor little pron spammer hosted in China. (61.152.133.68). Feel free to add this to the other SURBL servers, firewall blocks, Host file blocks, squid blocks, ect..... Thankfully a LOT of people have wised up to Joe Jobs and seem to be checking the sending IP vs. the From. So I don't get many complaints. I guess I should be flatered? Chris Santerre System Admin and SARE Ninja http://www.rulesemporium.com 'It is not the strongest of the species that survives, not the most intelligent, but the one most responsive to change.' Charles Darwin

3 2

Whitelist sparklist.com
by Chris Santerre 04 Jun '04

04 Jun '04

They *seem* to be white. But have spammers signup and run one time spam runs. They aren't in the URL links, but are the senders. Just something to look out for. However, surpluscomputers.com can be blacklisted to the stoneage! ALong with softwareandstuff.com ! Chris Santerre System Admin and SARE Ninja http://www.rulesemporium.com 'It is not the strongest of the species that survives, not the most intelligent, but the one most responsive to change.' Charles Darwin

3 2

RE: [SURBL-Discuss] Whitelist sparklist.com
by Chris Santerre 03 Jun '04

03 Jun '04

>-----Original Message----- >From: Kris Deugau [mailto:kdeugau@vianet.ca] >Sent: Thursday, June 03, 2004 12:47 PM >To: SURBL Discussion list >Subject: Re: [SURBL-Discuss] Whitelist sparklist.com > > >Chris Santerre wrote: >> However, surpluscomputers.com can be blacklisted to the stoneage! >> ALong with softwareandstuff.com ! > >Why? Their list management seems... dubious at times, but they're a >legit business and I for one specifically signed up for their >newsletter- which, IIRC, was properly confirmed opt-in. (Both domains >are for the same company; they've been trying to change their name and >domain.) > >-kgd Because they sent a SPAM to me, to an email that was setup specifically to be used by at another site. I make alias emails for everything I sign up for. So I can track when this happens. They used this email address, which they somehow got from a competitor of theirs. It was obviously not signed up for use with them, because I would have made a new one. So not only did they spam, but they got the address thru ill means. I am working with the original site to find how they got it. They are NOT affiliates or partners. --Chris

2 1

Re: rbldnsd is not responding
by Ricardo 03 Jun '04

03 Jun '04

Hi! > On Wednesday, June 2, 2004, 9:00:52 AM, Ricardo Ricardo wrote: >>We are trying to setup a local rbldnsd with rsynced data to answer the >>DNS queries, but the rbldnsd is not responding. [...] >>If I test our cached DNS system: >>% nslookup adulteroticfiction-MUNGED.com.sc.surbl.org 127.0.0.1 >>*** Can't find server name for address 127.0.0.1: Query refused >>*** Default servers are not available Thanks for the tips! I saw that I was not doing the right test... This one worked: dig test.surbl.org-MUNGED.sc.surbl.org @127.0.0.1 BTW, I (think I) understand how the whole thing works, but... isn't it possible to change SpamCopURI to resolve the names at a specific machine ip/port, instead of changing the DNS setup? Wouldn't this be easier and safer? []s! -- ... Hofstadter's Law: The time and effort required to complete a project are always more than you expect, even when you take into account Hofstadter's Law.

2 1

Need assistance in Installing SpamCopURI
by Rich 03 Jun '04

03 Jun '04

I'm sorry if this is a little off-base here, I am trying to install SA plugin SpamCopURI but kept getting errors as shown below, one error indicates 'Can't locate URI/QueryParam.pm' but I already copied the file to /usr/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/ Any input would be appreciated. Thanks. #perl Makefile.PL # SAPATH /usr/lib/perl5/site_perl/5.8.0 # installsitelib /usr/lib/perl5/site_perl/5.8.0 # INSTALLDIRS site Warning: prerequisite Net::DNS 0 not found. Warning: prerequisite URI 1.28 not found. We have 1.21. Writing Makefile for Mail::SpamAssassin::SpamCopURI #make Manifying blib/man3/Mail::SpamAssassin::Conf.3pm Manifying blib/man3/Mail::SpamAssassin::PerMsgStatus.3pm Manifying blib/man3/Mail::SpamAssassin::SpamCopURI.3pm #make test PERL_DL_NONLAZY=1 /usr/bin/perl "-MExtUtils::Command::MM" "-e" "test_harness(0, 'blib/lib', 'blib/arch')" t/*.t t/blacklist........Can't locate URI/QueryParam.pm in @INC (@INC contains: /usr/local/src/Mail-SpamAssassin-SpamCopURI-0.18/blib/lib /usr/local/src/Mail-SpamAssassin-SpamCopURI-0.18/blib/arch /usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0 /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.0 /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.0 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.0 /usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.0 /usr/lib/perl5/vendor_perl . /usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0 /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.0 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.0 /usr/lib/perl5/vendor_perl .) at /usr/local/src/Mail-SpamAssassin-SpamCopURI-0.18/blib/lib/Mail/SpamAssassin/ SpamCopURI.pm line 5. BEGIN failed--compilation aborted at /usr/local/src/Mail-SpamAssassin-SpamCopURI-0.18/blib/lib/Mail/SpamAssassin/ SpamCopURI.pm line 5. Compilation failed in require at t/blacklist.t line 4. BEGIN failed--compilation aborted at t/blacklist.t line 4. . . . . Test returned status 255 (wstat 65280, 0xff00) DIED. FAILED tests 1-6 Failed 6/6 tests, 0.00% okay Failed Test Stat Wstat Total Fail Failed List of Failed ---------------------------------------------------------------------------- --- t/blacklist.t 255 65280 4 4 100.00% 1-4 t/dnsrbl.t 255 65280 6 6 100.00% 1-6 t/extract_urls.t 255 65280 23 23 100.00% 1-23 t/mailto.t 255 65280 1 1 100.00% 1 t/open_redirect.t 255 65280 5 5 100.00% 1-5 t/spamcopuri.t 255 65280 12 12 100.00% 1-12 t/whitelist.t 255 65280 6 6 100.00% 1-6 Failed 7/7 test scripts, 0.00% okay. 57/57 subtests failed, 0.00% okay. make: *** [test_dynamic] Error 2

5 5

RE: [SURBL-Discuss] Need assistance in Installing SpamCopURI
by Chris Santerre 03 Jun '04

03 Jun '04

>-----Original Message----- >From: John Andersen [mailto:jsa@pen.homeip.net] >Sent: Wednesday, June 02, 2004 10:47 PM >To: discuss(a)lists.surbl.org >Subject: Re: [SURBL-Discuss] Need assistance in Installing SpamCopURI > > >On Wednesday 02 June 2004 07:05, Raymond Dijkxhoorn wrote: >> Hi! >> >> > You could also try install SpamCopURI through CPAN: >> > >> > perl -MCPAN -e shell >> > install Mail::SpamAssassin::SpamCopURI >> > >> > >> > And the dependencies should be taken care of. >> >> Hey, cool, didnt know it was in CPAN yet, great! > >That is cool! >I wish more people would use CPAN for perl things. >I don't understand why people want to use RPMs for this, >I've always done Spamassassin this way and its So easy. > Hey I didn't know it was on CPAN either! Now that is cool! Very nice guys, great work! --Chris

1 0

Re: ANNOUNCE: Mail::SpamAssassin::SpamCopURI 0.18
by Jeff Chan 03 Jun '04

03 Jun '04

On Wednesday, June 2, 2004, 2:10:58 PM, Lucas Albers wrote: > I noticed this release does not have support for: > open_redirect_list_spamcop_uri drs.yahoo.com > open_redirect_list_spamcop_uri rd.yahoo.com > Why not? > Should I just add them back in? > I currently has these listed: > open_redirect_list_spamcop_uri snurl.com *.snurl.com > open_redirect_list_spamcop_uri snipurl.com *.snipurl.com > open_redirect_list_spamcop_uri tinyclick.com *.tinyclick.com > open_redirect_list_spamcop_uri babyurl.com *.babyurl.com > open_redirect_list_spamcop_uri lin.kz *.lin.kz > open_redirect_list_spamcop_uri *.v3.net > open_redirect_list_spamcop_uri shorl.com *.shorl.com > open_redirect_list_spamcop_uri tinyurl.com *.tinyurl.com > open_redirect_list_spamcop_uri xurl.us As I understand it, SpamCopURI only handles "open" redirects where the redirected-to site is visible in the original URI. I'm not sure why/if the yahoo redirectors came out of the list. Perhaps Eric Kolve can comment. "Opaque" redirection sites, which encode or otherwise obscure the destination URI, such as tinyurl.com, are not currently handled in SpamCopURI (SA 2.63) or urirhsbl (SA 3.0), due to potential resource issues. Following such redirections would incur network access, timeouts, etc. that would probably be unusable on a mail system with significant message volume. Jeff C. -- Jeff Chan mailto:jeffc@surbl.org http://www.surbl.org/

2 2

Re: [SURBL-Discuss] Is spamd broken?
by John Andersen 03 Jun '04

03 Jun '04

On Wednesday 02 June 2004 20:22, David B Funk wrote: > On Wed, 2 Jun 2004, John Andersen wrote: > > Folks here probably remember me whining about never once > > seeing a surbl hit in my spam even after wadeing thru hundreds > > of spams. > > > > Several users gave me hints which I dutifully carried out (thanks guys). > > John Fawcett even sent me a spammer's web URI that was > > guarenteed to trigger the Spamcop URI code and it did when fired > > off manually with a command line like > > /usr/bin/spamassassin -D -t < message-file > output-file 2>&1 > > > > BUT STILL no Surbl hits. > > > > Just as a lark I remove the spamd line from my procmailrc and > > replaced it with /usr/bin/spamassassin -a > > > > AND IT WORKS? > > > > So, what's wrong with spamd? Is it not capable of handling > > anything but the basic rules? > > One question John, > Do you -really- mean 'spamd' ? > Are you actually trying to use 'spamd' in your procmailrc? No, - Good catch, I was using spamc in procmailrc to send it to spamd. Spamassassin used directly seems a bit more resource intensive as I can hear my disks ratteling away when mail arrives. Not that this matters much because the machine has nothing to do most of the time. -- _____________________________________ John Andersen

2 1

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

Discuss