This is a forwarded message
From: Catherine Hampton <ariel(a)spambouncer.org>
To: Jeff Chan <jeffc(a)surbl.org>
Date: Thursday, March 23, 2006, 12:37:24 PM
Subject: Please pass on to SURBL lists...
===8<==============Original message text===============
I don't think I'm subscribed to the lists that should see
this soonest. Thanks!
=-=-=-=-=-=-=-=-=-=
Today I've seen a massive spam run on some of my domains,
older domains that have a lot of spamtraps. The spams are
all sent via open proxies/forged headers/etc., have subject
lines of something along the lines of "for investors",
"best way to invest", "do you want to invest", etc.
The message bodies are pure text, two lines long, and consist
of URLs at legitimate domain registrars and other companies
not involved in the spam. Here are a few sample message bodies:
=-=-=-=-=-=-=-=-=-=
We offer best way for investment.
http://godaddy.com/investdot.com
We offer best way for investment.
http://enom.com/talkgold.com
We offer best way for investment.
http://1BLU.DE/SX-INVEST.COM
Do you want to invest your money ? Ask me how
http://www.moneymakergroup.com/
[Is this one legit? I don't know. But it's part of the same
pattern.]
Don't lose your chance to make really good investor carier!
http://www.mailer.vascoinvestment.com
[Not sure about this one either.]
400% profit per month is TRUE! Visit our site.
http://everydns.net/privateopps.com
Don't lose your chance to make really good investor carier!
http://namecheap.com/talkgold.com
=-=-=-=-=-=-=-=-=-=
I noticed that vascoinvestment.com is already listed in URIBL,
and moneymakergroup.com is in SURBL (William Stearns). Just
in case people hadn't noticed, I wanted to point out that we
need to be careful about listing domains from these emails.
It's perfectly possible, of course, that some of them are spammy
and the others are being used as camouflage, to slow down the
SURBL and URIBL volunteers, and to cause FPs and make those
blocklists less effective. It's also possible that *all* of them
are legitimate/innocent. In either case, I think blocklists, and
particularly SURBL and URIBL, are the targets of this attack.
So please be careful and don't let the idiots win!
--
Catherine Hampton <ariel(a)spambouncer.org>
The SpamBouncer * <http://www.spambouncer.org/>
Personal Home Page * <http://www.devsite.org/>
===8<===========End of original message text===========
--
Jeff Chan
mailto:jeffc@surbl.org
http://www.surbl.org/
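
An added triage sketch for the pattern reported above (not part of the original message or any SURBL/URIBL tooling): it separates the host a URL actually contacts from domain-shaped path segments, and marks such URLs for manual review so that neither name is listed automatically. The sample bodies are copied from the report; the file-extension skip list and the function names are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: message bodies quoted in the report above.
SAMPLE_BODIES = [
    "We offer best way for investment.\nhttp://godaddy.com/investdot.com",
    "We offer best way for investment.\nhttp://1BLU.DE/SX-INVEST.COM",
    "Do you want to invest your money ? Ask me how\nhttp://www.moneymakergroup.com/",
    "400% profit per month is TRUE! Visit our site.\nhttp://everydns.net/privateopps.com",
]

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
# A path segment shaped like a hostname: dot-separated labels plus an alphabetic TLD.
DOMAIN_SHAPED = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$")
# Assumption: endings treated as file names rather than domains (heuristic, not exhaustive).
FILE_EXTS = {"html", "htm", "php", "asp", "dll", "cgi", "jpg", "gif", "png", "js", "css"}

def analyze_url(url):
    """Return the contacted host and any domain-shaped path segments of one URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    embedded = []
    for seg in parts.path.split("/"):
        seg = seg.lower()
        if DOMAIN_SHAPED.match(seg) and seg.rsplit(".", 1)[1] not in FILE_EXTS:
            embedded.append(seg)
    # A domain in the path means the host may be an uninvolved third party.
    return {"host": host, "embedded": embedded, "needs_review": bool(embedded)}

def triage(bodies):
    """Return (host, embedded_domains, needs_review) for every URL in the bodies."""
    results = []
    for body in bodies:
        for url in URL_RE.findall(body):
            info = analyze_url(url)
            results.append((info["host"], info["embedded"], info["needs_review"]))
    return results

if __name__ == "__main__":
    for host, embedded, review in triage(SAMPLE_BODIES):
        print(f"host={host} embedded={embedded} manual_review={review}")
```
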
I'm having issues running rbldnsd (rbldnsd-0.996) on Linux.
Tried two different variants (SUSE 10.0 & RH 4 AS) and both
lock up if I use the '-f' option, no problem with '-f' when
running on HP-UX.
The problem occurs during a zone data reload, the parent forks
off a child to answer requests while it reloads (what the -f does)
then when it's done and tries to reap the child it goes into
a spin-loop.
Anybody else seen this, know of a solution other than the workaround
of not using the '-f' option?
Dave
--
Dave Funk University of Iowa
<dbfunk (at) engineering.uiowa.edu> College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
A co-worker of mine just pointed this out to me today. He tested it in
Thunderbird and I tested it in OE6. It warrants serious attention.
Ignoring the munged part, this would trick a very savvy internet user that
allows HTML email, clicks on a link and doesn't check the browser address
line.
Any input on rules or techniques to block this nasty fellow?
Sincerely,
KAM
> I just received a phishing e-mail claiming to be from eBay. All of the
> links LOOKED legit, including what displayed in the status bar when you
> moused over a link. I knew this was not legit, so I looked in the
> source code and found this:
>
> <div><a href="https://signin.ebay-MUNGED.com/ws/eBayISAPI.dll?SignIn&sid=verify&co_partnerId=2&siteid=0"><table><caption><a
> href="http://211.254.130.108-MUNGED/...../"><u style="cursor: pointer"><font color="#008000">eBay Update Center</font></u></a></caption></table></a></div>
>
> Note the double use of an a href tag, one inside a caption tag, one
> outside. The outside a href displays, while the a href within the caption
> tag is what would actually be triggered.
> Interesting way of masking the true URL.
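
One way to detect the markup quoted above, as an added example that is not part of the original thread or of SpamAssassin: it flags any `<a href>` opened while another `<a href>` is still open when the two point at different hosts. Python's `HTMLParser` reports tags as written and applies no browser tree-fixing, so the nesting stays visible; the class and function names are assumptions of this sketch.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: the munged markup quoted in the message above.
SAMPLE_HTML = (
    '<div><a href="https://signin.ebay-MUNGED.com/ws/eBayISAPI.dll'
    '?SignIn&sid=verify&co_partnerId=2&siteid=0"><table><caption>'
    '<a href="http://211.254.130.108-MUNGED/...../">'
    '<u style="cursor: pointer"><font color="#008000">eBay Update Center'
    '</font></u></a></caption></table></a></div>'
)
# Constructed benign sample: two sibling links, no nesting.
BENIGN_HTML = (
    '<p><a href="http://www.surbl.org/">SURBL</a> and '
    '<a href="http://www.surbl.org/lists.html">lists</a></p>'
)

class NestedAnchorFinder(HTMLParser):
    """Records each <a href> that opens while another <a> is still open."""

    def __init__(self):
        super().__init__()
        self.open_hrefs = []  # stack of hrefs for currently open <a> elements
        self.findings = []    # (outer_host, inner_host) pairs that differ

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        href = dict(attrs).get("href") or ""
        if self.open_hrefs:
            outer = urlsplit(self.open_hrefs[-1]).hostname or ""
            inner = urlsplit(href).hostname or ""
            if outer != inner:
                self.findings.append((outer, inner))
        self.open_hrefs.append(href)

    def handle_endtag(self, tag):
        if tag == "a" and self.open_hrefs:
            self.open_hrefs.pop()

def nested_anchor_mismatches(html_text):
    """Return (outer_host, inner_host) for every nested link pair whose hosts differ."""
    finder = NestedAnchorFinder()
    finder.feed(html_text)
    finder.close()
    return finder.findings
```
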
Hey there,
I was noticing in SpamAssassin dev rule files there's:
urirhsbl T_URIBL_XS_SURBL xs.surbl.org. A
body T_URIBL_XS_SURBL eval:check_uridnsbl('T_URIBL_XS_SURBL')
it doesn't seem to be a used list, according to the SURBL website, but the
results are semi-decent:
1.896 2.2832 0.0000 1.000 0.86 0.01 T_URIBL_XS_SURBL
What are the plans for this list going forward? I'd like to either drop the test
rule if XS isn't going anywhere, or promote it to an actual rule (preferably
through multi) if it's going to stick around.
Thoughts? Thanks. :)
--
Randomly Generated Tagline:
This score just in - Deep Space 9, Babylon 5.
For anyone who remembers the issues surrounding Inphonic about
9 months ago, the following link might be of interest:
http://www.spamhaus.org/sbl/sbl.lasso?query=SBL37812
It would seem there is no doubt any longer. I certainly can't
recommend them any more (and couldn't after their lame excuses last year).
Paul Shupak
track(a)plectere.com
Dear Mr. Stearns,
I have sent three emails to Mr. Stearns with the information listed below to remove hccs.com from your blocklist. I have had no response. Can someone help us?
Thanks,
Richard Haber
hccs
Company Name: Health Care Compliance Strategies, Inc.
Address: 30 Jericho Executive Plaza, Suite 400C
Jericho, New York 11753
Phone: 516 478-4100
Fax: 516-478-6773
URI Information: hccs.com is 155.212.86.67 [ rbl lookup ]
domain registered: unknown [ full whois ]
RBL: skipping uri lookups on ip-based RBLs
URIBL: multi.surbl.org: listed [Blocked, hccs.com on lists [ws], See: http://www.surbl.org/lists.html]
URIBL: multi.uribl.com: not listed [ report ]
Company Description: http://www.hccs.com/about.html
Anti-Spam Policy : Health Care Compliance Strategies, Inc. ("hccs") Unsolicited Bulk Email Policy:
hccs specifically does not authorize the use of its proprietary computers, servers, routers and computer network (the "hccs Property") to accept, transmit or distribute unsolicited bulk e-mail sent from the Internet to others. It is also a violation of hccs policy, and the law, to send or cause to be sent to, or through, hccs Property email that makes use of or contains invalid or forged headers, invalid or non-existent domain names or other means of deceptive addressing. hccs considers such email to be unlawful and a violation of our policy, and any attempt to send or cause such email to be sent to, or through, hccs Property is unauthorized. Moreover, any email relayed from a third party's mail servers without the permission of that third party, or any email that hides or obscures, or attempts to hide or obscure, the source of an email also constitutes an unauthorized use of hccs Property. Email sent or caused to be sent to hccs Property that violates any agreement with hccs is also unauthorized.
hccs reserves the right to take all legal and technical steps available to prevent unsolicited bulk email or other unauthorized email from entering, utilizing or remaining within hccs Property. Such action may include, without limitation, the use of filters or other network devices, immediate termination of hccs service, and prosecution of offenders through criminal or civil proceedings. Nothing in this policy shall be construed to grant any right to transmit or send email to, or through, hccs Property, and in no event shall any failure by hccs to enforce this policy constitute a waiver of hccs' rights.
Unauthorized use of hccs Property in connection with the transmission of unsolicited bulk email, including the transmission of counterfeit email, may result in civil and criminal penalties against the sender, including those provided by the Computer Fraud and Abuse Act (18 U.S.C. § 1030 et seq.); and various state laws.
Hello!
Can anyone help me? I'm relatively new to surbl.org lists.
Can someone instruct me how to request a domain removal from ws.surbl.org? I
sent an email yesterday to wstearns(a)pobox.com but nothing has changed so
far.
The domain is nbg.gr and is National Bank of Greece. It is black listed by
one of our products that uses surbl.org lookups. The situation has become
very very messy.
Also the customer has sent email to Bill Stearns but to no avail.
Thank you
Costas
Michele Neylon:: Blacknight.ie wrote:
> Jeff Chan wrote:
>> IIRC someone wrote one for Firefox, but it was implemented
>> brokenly. I think a browser plug in is a great idea, but I'd be
>> a little concerned about the new DNS queries it would generate.
>>
>> How does anyone else feel, particularly operators of our public
>> nameservers?
>>
>
> What would be the goal of a browser plugin?
To warn the browser's user (me, ATM) that the site they are visiting is spamvertised and/or a reported phishing site. Useful for those who do not have control over their mail server, especially if they're using webmail.
Also a proof-of-concept of the "right way" to implement a phishing blacklist -- without sacrificing user privacy.
--
Matthew.van.Eerde (at) hbinc.com 805.964.4554 x902
Hispanic Business Inc./HireDiversity.com Software Engineer
Matthew.van.Eerde wrote:
> OK, I'll develop it for private use but keep an eye out for caching
> optimizations, and see how it goes.
Please keep us informed of the progress and optimizations you employ.
I'm very interested in this.
Thanks,
Kris