Hi All,
I've written a basic Sendmail milter in Perl using Sendmail::PMilter
which uses the SpamAssassin libraries with just the 20_uri_tests.cf
rules file (so it is relatively light) to strip the URIs from a message
and then check them against multi.surbl.org and black.uribl.com and
reject any messages that contain blacklisted URIs.
It's rough code at the moment - there's no whitelisting or any
start/stop scripts for it yet, and this is my first attempt at anything
in Perl. I've been running it on our spam trap for a while now and it's
worked very well; I have not tried it on a production system yet.
I'm posting it here in case anyone finds this useful and for comment -
It can be downloaded from http://www.fsl.com/support/milter-uri.pl --
installation instructions are in the file.
Finally - I'd like to say thanks to everyone involved in both SURBL and
URIBL projects, you all do an excellent job of making lives difficult
for the spammers :-)
Kind regards,
Steve.
--
Steve Freegard
Development Director
Fort Systems Ltd.
Skype: smfreegard
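The lookup the milter above performs, written out as an added example in Python rather than taken from the milter-uri.pl linked above: URLs are pulled from a plain-text body, each host is reduced to the name SURBL/URIBL are keyed on (the registrable domain, or the octet-reversed address for an IP literal), the 127.0.0.N answer from multi.surbl.org is decoded as a bitmask and black.uribl.com as a plain listing, and the message is rejected if anything is listed. The bit assignments, the short two-level-TLD set, the .test/192.0.2.x hosts, the fake resolver and the sample body are all constructed here and are assumptions, not data from the post. Only the host is looked up, never the path, which is why a URL like http://godaddy.com/investdot.com keys on the registrar and not on the domain in the path.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Zones the milter described above queries.
SURBL_ZONE = "multi.surbl.org"
URIBL_ZONE = "black.uribl.com"

# Meaning of the bits in multi.surbl.org's 127.0.0.N answer as documented at
# the time (assumption: check the current SURBL docs, the lists have changed since).
SURBL_BITS = {2: "sc", 4: "ws", 8: "ph", 16: "ob", 32: "ab", 64: "jp"}

# Constructed, deliberately short set of suffixes under which the registrable
# name has three labels; SpamAssassin carries a much longer list (assumption).
TWO_LEVEL_TLDS = {"co.uk", "org.uk", "com.au", "co.jp", "com.br"}

URL_RE = re.compile(r"(?i)\b(?:https?://|www\.)[^\s<>\"']+")


def extract_hosts(body):
    """Pull the host part out of every plain http(s):// or www. URL in the text."""
    hosts = []
    for match in URL_RE.finditer(body):
        raw = match.group(0)
        if raw.lower().startswith("www."):
            raw = "http://" + raw
        host = urlparse(raw).hostname
        if host:
            hosts.append(host.rstrip(".").lower())
    return hosts


def lookup_key(host):
    """Reduce a host to what SURBL/URIBL are keyed on: the registrable domain,
    or the octet-reversed address for an IPv4 literal."""
    try:
        ip = ipaddress.IPv4Address(host)
        return ".".join(reversed(ip.exploded.split(".")))
    except ipaddress.AddressValueError:
        pass
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_TLDS:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def check_message(body, resolve):
    """Return {lookup_key: {zone: [list names]}} for every listed key.

    `resolve(name)` must return the A records for `name` as a list of dotted
    strings, or [] for NXDOMAIN, so a real or a fake resolver can be plugged in.
    """
    hits = {}
    for host in extract_hosts(body):
        key = lookup_key(host)
        for zone in (SURBL_ZONE, URIBL_ZONE):
            for addr in resolve(f"{key}.{zone}"):
                if not addr.startswith("127.0.0."):
                    continue  # not a listing; guards against a wildcarded or hijacked zone
                n = int(addr.split(".")[3])
                if zone == SURBL_ZONE:
                    lists = [name for bit, name in SURBL_BITS.items() if n & bit]
                else:
                    lists = ["black"] if n & 2 else []
                if lists:
                    hits.setdefault(key, {})[zone] = lists
    return hits


def should_reject(body, resolve):
    return bool(check_message(body, resolve))


# Constructed stand-in for DNS so the example runs offline.
FAKE_DNS = {
    "spam-example.test.multi.surbl.org": ["127.0.0.12"],  # 4 (ws) + 8 (ph)
    "spam-example.test.black.uribl.com": ["127.0.0.2"],
    "5.2.0.192.multi.surbl.org": ["127.0.0.8"],
}


def fake_resolve(name):
    return FAKE_DNS.get(name, [])


# Constructed message body.
SAMPLE_BODY = (
    "Great offer at http://www.promo.spam-example.test/offer?x=1\n"
    "or directly at http://192.0.2.5/login - registrar link: http://godaddy.com/investdot.com\n"
)

if __name__ == "__main__":
    for key, zones in check_message(SAMPLE_BODY, fake_resolve).items():
        print(key, zones)
    print("reject:", should_reject(SAMPLE_BODY, fake_resolve))
```

In production the resolver would be a real DNS query against the two zones; keeping it injectable is also what lets you unit-test the reject decision without network access.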
I am out of the office April 10th - April 22nd. I will have limited access to voicemail and e-mail. If you need assistance please contact Dave at aginet(a)aginet.com or 252-255-5557.
Scott Wolf
Aginet
Nathan Barham wrote:
> I received a phishing scam yesterday where the domain part of the evil
> link was in html hex code. This seems to defeat any SURBL listing.
> I'm using a postfix body check to handle it now, but does anyone have
> a better idea?
It could be worse. They could be using javascript to factor a given product of large primes, and then using the factors to build the IP address.
--
Matthew.van.Eerde (at) hbinc.com 805.964.4554 x902
Hispanic Business Inc./HireDiversity.com Software Engineer
Hello list,
I received a phishing scam yesterday where the domain part of the evil
link was in html hex code. This seems to defeat any SURBL listing. I'm
using a postfix body check to handle it now, but does anyone have a
better idea?
Thanks.
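An added example (not Nathan's body check, and not code from any SURBL tool) of undoing the encodings a mail client decodes silently before it follows a link, so the host can be matched against a list in its plain form: HTML character references in the href (the "html hex code" described above), tab/CR/LF characters that browsers ignore inside a URL, percent-encoding in the authority, and the alternative IPv4 spellings (hex, octal, single dword) that resolve to the same address. The .test hostnames, the 192.0.2.x address and the sample HTML are constructed for the example.

```python
import html
import re
from urllib.parse import unquote, urlparse

HREF_RE = re.compile(r"""(?i)\bhref\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")


def _parse_octet(part):
    """One dotted component in the forms browsers accept: hex, octal or decimal."""
    if part.lower().startswith("0x"):
        return int(part[2:], 16) if len(part) > 2 else 0
    if len(part) > 1 and part[0] == "0":
        return int(part, 8)
    return int(part)


def parse_ipv4_literal(host):
    """Return dotted-decimal for the IPv4 spellings a browser will follow
    (0xC0000205, 3221225989, 0300.0.2.5, 192.0.2.5), or None for a hostname."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        nums = [_parse_octet(p) for p in parts]
    except ValueError:
        return None
    *lead, last = nums
    if any(not 0 <= n <= 255 for n in lead):
        return None
    if not 0 <= last < 256 ** (4 - len(lead)):
        return None
    value = 0
    for n in lead:
        value = (value << 8) | n
    value = (value << (8 * (4 - len(lead)))) | last
    return ".".join(str((value >> shift) & 255) for shift in (24, 16, 8, 0))


def canonical_host(href):
    """Undo the encodings a mail client decodes silently before following a link."""
    # HTML character references (&#x65; &#101; &period; ...) in the attribute value.
    s = html.unescape(href)
    # Browsers ignore tab, CR and LF anywhere in a URL, so strip them too.
    s = re.sub(r"[\t\r\n]", "", s).strip()
    if "://" not in s:
        s = "http://" + s.lstrip("/")
    host = (urlparse(s).hostname or "").rstrip(".")
    # Percent-encoding in the authority part (%65%76%69%6c).
    host = unquote(host).lower()
    return parse_ipv4_literal(host) or host


def obfuscated_hosts(html_text):
    """(raw href, canonical host) for every link; the raw form is what a
    pattern match on the message source would have seen."""
    results = []
    for m in HREF_RE.finditer(html_text):
        raw = next(g for g in m.groups() if g is not None)
        results.append((raw, canonical_host(raw)))
    return results


# Constructed phishing-style body; hosts are example/.test placeholders.
SAMPLE_HTML = """
<p>Your account needs attention.
<a href="http://&#x65;&#x76;&#x69;&#x6c;&#x2e;example&#46;test/login">Sign in</a></p>
<p>Or use <a href='http://0xC0000205/verify'>this mirror</a> or
<a href="http://3221225989/">this one</a>.</p>
<p>Support: <a href="http://www.ex&#x0a;ample.test/">www.example.test</a></p>
"""

if __name__ == "__main__":
    for raw, host in obfuscated_hosts(SAMPLE_HTML):
        print(f"{host:24} <- {raw}")
```

The decoded host is what should be handed to the SURBL/URIBL lookup; a body check that matches on the raw source sees `&#x65;&#x76;...` and never the domain.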
Hello,
Has anyone figured out how to pull this spam in?
The only common factor in the GIF hex file is GIF87a!
Look forward to your comments
Regards
Warren Robinson
This is a forwarded message
From: Catherine Hampton <ariel(a)spambouncer.org>
To: Jeff Chan <jeffc(a)surbl.org>
Date: Thursday, March 23, 2006, 12:37:24 PM
Subject: Please pass on to SURBL lists...
===8<==============Original message text===============
I don't think I'm subscribed to the lists that should see
this soonest. Thanks!
=-=-=-=-=-=-=-=-=-=
Today I've seen a massive spam run on some of my domains,
older domains that have a lot of spamtraps. The spams are
all sent via open proxies/forged headers/etc., have subject
lines of something along the lines of "for investors",
"best way to invest", "do you want to invest", etc.
The message bodies are pure text, two lines long, and consist
of URLs at legitimate domain registrars and other companies
not involved in the spam. Here are a few sample message bodies:
=-=-=-=-=-=-=-=-=-=
We offer best way for investment.
http://godaddy.com/investdot.com
We offer best way for investment.
http://enom.com/talkgold.com
We offer best way for investment.
http://1BLU.DE/SX-INVEST.COM
Do you want to invest your money ? Ask me how
http://www.moneymakergroup.com/
[Is this one legit? I don't know. But it's part of the same
pattern.]
Don't lose your chance to make really good investor carier!
http://www.mailer.vascoinvestment.com
[Not sure about this one either.]
400% profit per month is TRUE! Visit our site.
http://everydns.net/privateopps.com
Don't lose your chance to make really good investor carier!
http://namecheap.com/talkgold.com
=-=-=-=-=-=-=-=-=-=
I noticed that vascoinvestment.com is already listed in URIBL,
and moneymakergroup.com is in SURBL (William Stearns). Just
in case people hadn't noticed, I wanted to point out that we
need to be careful about listing domains from these emails.
It's perfectly possible, of course, that some of them are spammy
and the others are being used as camouflage, to slow down the
SURBL and URIBL volunteers, and to cause FPs and make those
blocklists less effective. It's also possible that *all* of them
are legitimate/innocent. In either case, I think blocklists, and
particularly SURBL and URIBL, are the targets of this attack.
So please be careful and don't let the idiots win!
--
Catherine Hampton <ariel(a)spambouncer.org>
The SpamBouncer * <http://www.spambouncer.org/>
Personal Home Page * <http://www.devsite.org/>
===8<===========End of original message text===========
--
Jeff Chan
mailto:jeffc@surbl.org
http://www.surbl.org/
I'm having issues running rbldnsd (rbldnsd-0.996) on Linux.
Tried two different variants (SUSE 10.0 & RH 4 AS) and both
lock up if I use the '-f' option, no problem with '-f' when
running on HP-UX.
The problem occurs during a zone data reload, the parent forks
off a child to answer requests while it reloads (what the -f does)
then when it's done and tries to reap the child it goes into
a spin-loop.
Anybody else seen this, know of a solution other than the workaround
of not using the '-f' option?
Dave
--
Dave Funk University of Iowa
<dbfunk (at) engineering.uiowa.edu> College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
A co-worker of mine just pointed this out to me today. He tested it in
Thunderbird and I tested it in OE6. It warrants serious attention.
Ignoring the munged part, this would trick a very savvy internet user that
allows HTML email, clicks on a link and doesn't check the browser address
line.
Any input on rules or techniques to block this nasty fellow?
Sincerely,
KAM
> I just received a phishing e-mail claiming to be from eBay. All of the
> links LOOKED legit, including what displayed in the status bar when you
> moused over a link. I knew this was not legit, so I looked in the
> source code and found this:
>
> <div><a
> href="https://signin.ebay-MUNGED.com/ws/eBayISAPI.dll?SignIn&sid=verify&co_p
> artnerId=2&siteid=0"><table><caption><a
> href="http://211.254.130.108-MUNGED/...../"><u style="cursor: pointer"><font
> color="#008000">eBay Update
> Center</font></u></a></caption></table></a></div>
>
> Note the double use of an a href tag, one inside a caption tag, one
> outside. The outside a href displays, while the a href within the caption
> tag is what would actually be triggered.
> Interesting way of masking the true URL.
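One way to catch the nested-anchor trick quoted above, as an added example rather than anything from KAM or a SpamAssassin rule: walk the HTML tag stream and record every `<a>` that opens while another `<a>` is still open, together with the two hrefs and the visible link text. The outer href is what the status bar shows on mouse-over; the inner one is what the client navigates to, and a host mismatch between them is the signal to score on. Which anchor a given client actually follows depends on its tree-building rules, so the detector flags the nesting itself rather than guessing the winner. The sample body below is constructed on the quoted pattern with example.com and a 192.0.2.x address substituted for the real hosts.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class NestedAnchorFinder(HTMLParser):
    """Record every <a> that opens while another <a> is still open."""

    def __init__(self):
        super().__init__()
        self.stack = []      # one entry per currently open <a>
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        href = dict(attrs).get("href") or ""
        finding = None
        if self.stack:
            finding = {"outer": self.stack[0]["href"], "inner": href, "text": []}
            self.findings.append(finding)
        self.stack.append({"href": href, "finding": finding})

    def handle_data(self, data):
        # Visible text belongs to the innermost nested anchor that is open.
        for entry in reversed(self.stack):
            if entry["finding"] is not None:
                entry["finding"]["text"].append(data)
                break

    def handle_endtag(self, tag):
        if tag == "a" and self.stack:
            self.stack.pop()


def find_nested_anchors(html_text):
    """List every nested anchor with both hosts and whether they differ."""
    parser = NestedAnchorFinder()
    parser.feed(html_text)
    parser.close()
    results = []
    for f in parser.findings:
        outer_host = (urlparse(f["outer"]).hostname or "").lower()
        inner_host = (urlparse(f["inner"]).hostname or "").lower()
        results.append({
            "outer": f["outer"],
            "inner": f["inner"],
            "outer_host": outer_host,
            "inner_host": inner_host,
            "text": " ".join("".join(f["text"]).split()),
            "host_mismatch": outer_host != inner_host,
        })
    return results


# Constructed message body following the pattern quoted above (hosts replaced).
SAMPLE_HTML = (
    '<div><a href="https://signin.example.com/ws/login?sid=verify">'
    '<table><caption><a href="http://192.0.2.10/update/">'
    '<u style="cursor: pointer"><font color="#008000">Account Update '
    'Center</font></u></a></caption></table></a></div>'
)

if __name__ == "__main__":
    for hit in find_nested_anchors(SAMPLE_HTML):
        flag = "MISMATCH" if hit["host_mismatch"] else "same host"
        print(f'{flag}: "{hit["text"]}" shows {hit["outer_host"]} but links to {hit["inner_host"]}')
```

Because the inner href is found regardless of nesting, the same pass also yields the host to feed to a SURBL/URIBL lookup; the outer, legitimate-looking host would be the only one a naive "first href" extractor ever checked.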
Hey there,
I was noticing in SpamAssassin dev rule files there's:
urirhsbl T_URIBL_XS_SURBL xs.surbl.org. A
body T_URIBL_XS_SURBL eval:check_uridnsbl('T_URIBL_XS_SURBL')
it doesn't seem to be a used list, according to the SURBL website, but the
results are semi-decent:
1.896 2.2832 0.0000 1.000 0.86 0.01 T_URIBL_XS_SURBL
What are the plans for this list going forward? I'd like to either drop the test
rule if XS isn't going anywhere, or promote it to an actual rule (preferably
through multi) if it's going to stick around.
Thoughts? Thanks. :)
--
Randomly Generated Tagline:
This score just in - Deep Space 9, Babylon 5.
For anyone who remembers the issues surrounding Inphonic about
9 months ago, the following link might be of interest:
http://www.spamhaus.org/sbl/sbl.lasso?query=SBL37812
It would seem there is no doubt any longer. I certainly can't
recommend them any more (and couldn't after their lame excuses last year).
Paul Shupak
track(a)plectere.com