Discuss

discuss@lists.surbl.org

1862 discussions

Fwd: Please pass on to SURBL lists...
by Jeff Chan 24 Mar '06

24 Mar '06

This is a forwarded message From: Catherine Hampton <ariel(a)spambouncer.org> To: Jeff Chan <jeffc(a)surbl.org> Date: Thursday, March 23, 2006, 12:37:24 PM Subject: Please pass on to SURBL lists... ===8<==============Original message text=============== I don't think I'm subscribed to the lists that should see this soonest. Thanks! =-=-=-=-=-=-=-=-=-= Today I've seen a massive spam run on some of my domains, older domains that have a lot of spamtraps. The spams are all sent via open proxies/forged headers/etc., have subject lines of something along the lines of "for investors", "best way to invest", "do you want to invest", etc. The message bodies are pure text, two lines long, and consist of URLs at legitimate domain registrars and other companies not involved in the spam. Here are a few sample message bodies: =-=-=-=-=-=-=-=-=-= We offer best way for investment. http://godaddy.com/investdot.com We offer best way for investment. http://enom.com/talkgold.com We offer best way for investment. http://1BLU.DE/SX-INVEST.COM Do you want to invest your money ? Ask me how http://www.moneymakergroup.com/ [Is this one legit? I don't know. But it's part of the same pattern.] Don't lose your chance to make really good investor carier! http://www.mailer.vascoinvestment.com [Not sure about this one either.] 400% profit per month is TRUE! Visit our site. http://everydns.net/privateopps.com Don't lose your chance to make really good investor carier! http://namecheap.com/talkgold.com =-=-=-=-=-=-=-=-=-= I noticed that vascoinvestment.com is already listed in URIBL, and moneymakergroup.com is in SURBL (William Stearns). Just in case people hadn't noticed, I wanted to point out that we need to be careful about listing domains from these emails. It's perfectly possible, of course, that some of them are spammy and the others are being used as camoflauge, to slow down the SURBL and URIBL volunteers, and to cause FPs and make those blocklists less effective. It's also possible that *all* of them are legitimate/innocent. In either case, I think blocklists, and particularly SURBL and URIBL, are the targets of this attack. So please be careful and don't let the idiots win! -- Catherine Hampton <ariel(a)spambouncer.org> The SpamBouncer * <http://www.spambouncer.org/> Personal Home Page * <http://www.devsite.org/> ===8<===========End of original message text=========== -- Jeff Chan mailto:jeffc@surbl.org http://www.surbl.org/

6 8

Problem with rbldnsd on Linux
by David B Funk 24 Mar '06

24 Mar '06

I'm having issues running rbldnsd (rbldnsd-0.996) on Linux. Tried two different varients (SUSE 10.0 & RH 4 AS) and both lock up if I use the '-f' option, no problem with '-f' when running on HP-UX. The problem occurs during a zone data reload, the parent forks off a child to answer requests while it reloads (what the -f does) then when it's done and tries to reap the child it goes into a spin-loop. Anybody else seen this, know of a solution other than the workaround of not using the '-f' option? Dave -- Dave Funk University of Iowa <dbfunk (at) engineering.uiowa.edu> College of Engineering 319/335-5751 FAX: 319/384-0549 1256 Seamans Center Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527 #include <std_disclaimer.h> Better is not better, 'standard' is better. B{

2 1

Fw: Interesting Phishing Trick
by Kevin A. McGrail 08 Mar '06

08 Mar '06

A co-worker of mine just pointed this out to me today. He tested it in Thunderbird and I tested it in OE6. It warrants serious attention. Ignoring the munged part, this would trick a very savvy internet user that allows HTML email, clicks on a link and doesn't check the browser address line. Any input on rules or techniques to block this nasty fellow? Sincerely, KAM > I just received a phishing e-mail claiming to be from eBay. All of the > links LOOKED legit, including what displayed in the status bar when you > moused over a link. I knew this was not legit, so I looked in the > source code and found this: > > <div><a href="https://signin.ebay-MUNGED.com/ws/eBayISAPI.dll?SignIn&sid=verify&co_p artnerId=2&siteid=0"><table><caption><a href="http://211.254.130.108-MUNGED/...../"><u style="cursor: pointer"><font color="#008000">eBay Update Center</font></u></a></caption></table></a></div> > > Note the double use of an a href tag, one inside a caption tag, one outside. The outside a href displays, while the a href within the caption tag is what would actually be triggered. > Interesting way of masking the true URL.

2 1

xs.surbl.org
by Theo Van Dinter 06 Mar '06

06 Mar '06

Hey there, I was noticing in SpamAssassin dev rule files there's: urirhsbl T_URIBL_XS_SURBL xs.surbl.org. A body T_URIBL_XS_SURBL eval:check_uridnsbl('T_URIBL_XS_SURBL') it doesn't seem to be a used list, according to the SURBL website, but the results are semi-decent: 1.896 2.2832 0.0000 1.000 0.86 0.01 T_URIBL_XS_SURBL What are the plans for this list going forward? I'd like to either drop the test rule if XS isn't going anywhere, or promote it to an actual rule (preferably through multi) if it's going to stick around. Thoughts? Thanks. :) -- Randomly Generated Tagline: This score just in - Deep Space 9, Babylon 5.

2 2

Re: [SURBL-Discuss] 20050615 embedded image spam
by List Mail User 04 Mar '06

04 Mar '06

For anyone who remembers the issues surrounding Inphonic about 9 months ago, the following link might be of interest: http://www.spamhaus.org/sbl/sbl.lasso?query=SBL37812 It would seem there is no doubt any longer. I certainly can't recommend them any more (and couldn't after their lame excuses last year). Paul Shupak track(a)plectere.com

1 0

Can Someone Help Us With Blocklist Removal?
by Rich Haber 03 Mar '06

03 Mar '06

Dear Mr. Stearns, I have sent three emails to Mr. Stearns with the information listed below below to remove hccs.com from you blocklist. I have had no response. Can someone help us? Thanks, Richard Haber hccs Company Name: Health Care Compliance Strategies, Inc. Address: 30 Jericho Executive Plaza, Suite 400C Jericho, New York 11753 Phone: 516 478-4100 Fax: 516-478-6773 URI Information: hccs.com is 155.212.86.67 [ rbl lookup ] domain registered: unknown [ full whois ] RBL: skipping uri lookups on ip-based RBLs URIBL: multi.surbl.org: listed [Blocked, hccs.com on lists [ws], See: http://www.surbl.org/lists.html] URIBL: multi.uribl.com: not listed [ report ] Company Description: http://www.hccs.com/about.html Anti-Spam Policy : Health Care Compliance Strategies, Inc. ("hccs") Unsolicited Bulk Email Policy: hccs specifically does not authorize the use of its proprietary computers, servers, routers and computer network (the "hccs Property") to accept, transmit or distribute unsolicited bulk e-mail sent from the Internet to others. It is also a violation of hccs policy, and the law, to send or cause to be sent to, or through, hccs Property email that makes use of or contains invalid or forged headers, invalid or non-existent domain names or other means of deceptive addressing. hccs considers such email to be unlawful and a violation of our policy, and any attempt to send or cause such email to be sent to, or through, hccs Property is unauthorized. Moreover, any email relayed from a third party's mail servers without the permission of that third party, or any email that hides or obscures, or attempts to hide or obscure, the source of an email also constitutes an unauthorized use of hccs Property. Email sent or caused to be sent to hccs Property that violates any agreement with hccs is also unauthorized. hccs reserves the right to take all legal and technical steps available to prevent unsolicited bulk email or other unauthorized email from entering, utilizing or remaining within hccs Property. Such action may include, without limitation, the use of filters or other network devices, immediate termination of hccs service, and prosecution of offenders through criminal or civil proceedings. Nothing in this policy shall be construed to grant any right to transmit or send email to, or through, hccs Property, and in no event shall any failure by hccs to enforce this policy constitute a waiver of hccs' rights. Unauthorized use of hccs Property in connection with the transmission of unsolicited bulk email, including the transmission of counterfeit email, may result in civil and criminal penalties against the sender, including those provided by the Computer Fraud and Abuse Act (18 U.S.C. § 1030 et seq.); and various state laws.

2 1

Google-based redirector
by Guy Rosen 27 Feb '06

27 Feb '06

Hi, We've been seeing some spam that uses Google as a redirection URL. The URL that makes this possible is: http://www.google.com/url?q=URL For example: http://www.google.com/url?q=http://www.bluesecurity.com This is letting spammers hide quite nicely from SURBLs. The redirector has actually been around for a few months (e.g. in the strange spam described in http://isc.sans.org/diary.php?storyid=847). Back then we notified security(a)google.com, and we sent them another email again today. Guy Rosen Lead Analyst, Operations Team Blue Security http://www.bluesecurity.com/

2 1

removal of domain from ws.surbl.org
by Costas Ioannou 24 Feb '06

24 Feb '06

Hello! Can anyone help me? I'm relatively new with surbl.org lists. Can someone instruct me how to request a domain removal from ws.surbl.org? I have sent yesterday an email at wstearns(a)pobox.com but nothing changed until now. The domain is nbg.gr and is National Bank of Greece. It is black listed by one of our products that uses surbl.org lookups. The situation has become very very messy. Also the customer has sent email to Bill Stearns but to no avail. Thank you Costas ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message has been checked for Content Security and Computer Viruses by MIMEsweeper and F-Secure Anti Virus ********************************************************************** ------------------------------------------------------------------------------------------------------------- Ask for our new Security Training Program! Inter Engineering - World of Data Security! F-Secure Certified Anti Virus Center Certified Mimesweeper Distributor Mimesweeper Authorized Training Center Anti Virus - Cryptography - Access Control - Content Security - Biometrics - Consulting - Security Training - Special Projects P.O. Box 1626, 410 02 Larissa, Greece Tel. +30.2410.670030 Fax. +30.2410.670006 Visit our website http://www.inter.gr

2 3

RE: [SURBL-Discuss] browser plugin?
by Matthew.van.Eerde＠hbinc.com 15 Feb '06

15 Feb '06

Michele Neylon:: Blacknight.ie wrote: > Jeff Chan wrote: > > IIRC someone wrote one for Firefox, but it was implemented >> brokenly. I think a browser plug in is a great idea, but I'd be >> a little concerned about the new DNS queries it would generate. >> >> How does anyone else feel, particularly operators of our public >> nameservers? >> > > What would be the goal of a browser plugin? To warn the browser's user (me, ATM) that the site they are visiting is spamvertised and/or a reported phishing site. Useful for those who do not have control over their mail server, especially if they're using webmail. Also a proof-of-concept of the "right way" to implement a phishing blacklist -- without sacrificing user privacy. -- Matthew.van.Eerde (at) hbinc.com 805.964.4554 x902 Hispanic Business Inc./HireDiversity.com Software Engineer

5 6

RE: [SURBL-Discuss] browser plugin?
by Kristopher Austin 14 Feb '06

14 Feb '06

Matthew.van.Eerde wrote: > OK, I'll develop it for private use but keep an eye out for caching > optimizations, and see how it goes. Please keep us informed of the progress and optimizations you employ. I'm very interested in this. Thanks, Kris

1 0

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

Discuss