Discuss

discuss@lists.surbl.org

1862 discussions

Policy Triggers
by Dave Doucette 16 Feb '14

16 Feb '14

I am interested in RPZ and am wondering what policy triggers are supported. Is it just QNAME, or is IP, NSIP and NSDNAME also included. Dave

2 1

domains listed
by Jason van Wyk 03 Feb '14

03 Feb '14

Hi can someone please explain to me why all new domains we register are automatically listed with SUBRL - JP. Thanks Jason

3 7

Re: [SURBL-Discuss] How to figure out the virtual host, containing malware
by Michele Neylon - Blacknight 23 Sep '13

23 Sep '13

They publish feeds by AS number and you can also check blocks of IPs Sorry on mobile so I can't provide the link ------------------------ Mr. Michele Neylon Blacknight http://Blacknight.tel Via iPhone so excuse typos and brevity > On 21 Sep 2013, at 12:11, "Neil Schwartzman" <neil(a)cauce.org> wrote: > > >> On Sep 20, 2013, at 6:47 AM, Michele Neylon - Blacknight <michele(a)blacknight.com> wrote: >> >> Roger >> >> Check the Google feeds - they specify the URL / domain that's being abused > > michelle - interesting. but which google feeds? > >> >> Regards >> >> Michele >> >> -- >> Mr Michele Neylon >> Blacknight Solutions >> Hosting & Colocation, Domains >> http://www.blacknight.co/ >> http://blog.blacknight.com/ >> http://mneylon.tel/ >> Intl. +353 (0) 59 9183072 >> Locall: 1850 929 929 >> Direct Dial: +353 (0)59 9183090 >> Fax. +353 (0) 1 4811 763 >> Twitter: http://twitter.com/mneylon >> ------------------------------- >> Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty >> Road,Graiguecullen,Carlow,Ireland Company No.: 370845 >> >> ________________________________________ >> From: Roger Schreiter [roger(a)planinternet.de] >> Sent: 20 September 2013 14:06 >> To: discuss(a)lists.surbl.org >> Subject: [SURBL-Discuss] How to figure out the virtual host, containing malware >> >> Hello, >> >> we are operating email servers and approx 100 virtual web servers on the >> same machine. >> >> Some email receivers do block our emails, because our server >> seems to distribute malware on a virtual webserver and is now listed >> on surbl.org. >> >> Ok, now I have to figure out, which of our 100 customers is hosting >> a malware on his virtual webserver, most like without knowledge >> and being victime of a spyware or an unsecure CMS. (The latter should >> be of course removed asap from our server.) >> >> I wonder, how can I get a hint, which customer's web space is >> affected? Is there any mean to get more details from surbl.org, >> about the malware source? Domainname or addidional even a filename would >> be very helpful. >> >> Thanks for any hints! >> Roger. >> >> -- >> Roger Schreiter >> Lutherstr. 9 >> D-71576 Burgstetten >> Tel.: +49 7191 8929678 >> >> _______________________________________________ >> Discuss mailing list >> Discuss(a)lists.surbl.org >> http://lists.surbl.org/mailman/listinfo/discuss >> >> _______________________________________________ >> Discuss mailing list >> Discuss(a)lists.surbl.org >> http://lists.surbl.org/mailman/listinfo/discuss > > > _______________________________________________ > Discuss mailing list > Discuss(a)lists.surbl.org > http://lists.surbl.org/mailman/listinfo/discuss

2 1

Re: [SURBL-Discuss] How to figure out the virtual host, containing malware
by Michele Neylon - Blacknight 21 Sep '13

21 Sep '13

Roger Check the Google feeds - they specify the URL / domain that's being abused Regards Michele -- Mr Michele Neylon Blacknight Solutions Hosting & Colocation, Domains http://www.blacknight.co/ http://blog.blacknight.com/ http://mneylon.tel/ Intl. +353 (0) 59 9183072 Locall: 1850 929 929 Direct Dial: +353 (0)59 9183090 Fax. +353 (0) 1 4811 763 Twitter: http://twitter.com/mneylon ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,Ireland Company No.: 370845 ________________________________________ From: Roger Schreiter [roger(a)planinternet.de] Sent: 20 September 2013 14:06 To: discuss(a)lists.surbl.org Subject: [SURBL-Discuss] How to figure out the virtual host, containing malware Hello, we are operating email servers and approx 100 virtual web servers on the same machine. Some email receivers do block our emails, because our server seems to distribute malware on a virtual webserver and is now listed on surbl.org. Ok, now I have to figure out, which of our 100 customers is hosting a malware on his virtual webserver, most like without knowledge and being victime of a spyware or an unsecure CMS. (The latter should be of course removed asap from our server.) I wonder, how can I get a hint, which customer's web space is affected? Is there any mean to get more details from surbl.org, about the malware source? Domainname or addidional even a filename would be very helpful. Thanks for any hints! Roger. -- Roger Schreiter Lutherstr. 9 D-71576 Burgstetten Tel.: +49 7191 8929678 _______________________________________________ Discuss mailing list Discuss(a)lists.surbl.org http://lists.surbl.org/mailman/listinfo/discuss

3 2

How to figure out the virtual host, containing malware
by Roger Schreiter 20 Sep '13

20 Sep '13

Hello, we are operating email servers and approx 100 virtual web servers on the same machine. Some email receivers do block our emails, because our server seems to distribute malware on a virtual webserver and is now listed on surbl.org. Ok, now I have to figure out, which of our 100 customers is hosting a malware on his virtual webserver, most like without knowledge and being victime of a spyware or an unsecure CMS. (The latter should be of course removed asap from our server.) I wonder, how can I get a hint, which customer's web space is affected? Is there any mean to get more details from surbl.org, about the malware source? Domainname or addidional even a filename would be very helpful. Thanks for any hints! Roger. -- Roger Schreiter Lutherstr. 9 D-71576 Burgstetten Tel.: +49 7191 8929678

1 0

fly1above.com / 216.185.152.155 blocked
by Nick Llewellin 19 Jul '13

19 Jul '13

Hi Guys We are using the URL Sensor policy in MailMarshal which I understand uses the SURBL list. I have used the SURBL Analysis tool on the website which shows fly1above.com and 216.185.152.155 as not blacklisted but whenever the user from this domain attempts to send an email to our customer URL Sensor marks the email as spam. Is anyone able to advise ? If more information is required please let me know. Thanks ! Nick Llewellin Helpdesk Support Representative Microsoft Certified Professional Optimus Systems Ltd DDI: +64 9 3599337 Email: nick(a)optimus.co.nz<mailto:nick@optimus.co.nz> PO Box 68-667, Newton, Auckland, 1145, New Zealand Ground Floor, 20 Beaumont Street, Freemans Bay, Auckland, New Zealand Helpdesk: +64 9 359 9337 | Fax: +64 9 281 2339 | Web: www.optimus.co.nz

3 3

one-time access to rbldnsd/rpz data for testing
by Brent Bice 18 Jun '13

18 Jun '13

Hey guys. I was just looking over the service (sounds promising) but before I start using an RBL (or similar service), especially one we have to pay for access to, I always run some tests first. In this case, I'd take a few months worth of DNS query logs and run that through a perl script to see which hostnames would be caught by the RPZ. Obviously, I'd only do this if I had the data mirrored locally so I'm not beating up on anyone else's DNS servers. :-) So... Is there a way I can get one-time access to the RPZ and rbldnsd formatted data just so I can run some sanity checks? If I can quantify the number of URLs the users here queried for that the RPZ would otherwise have blocked (we run our own in-house RPZ too), I could then do a cost/benefit analysis for the folks who pay the bills, assuming it was catching stuff our own RPZ isn't. Possible? I'd only run it on one, non-production DNS server here for testing and would toss the data when I was finished, unless we decided to use it in production and pay for access... Brent

2 1

Hello SURBL discussion board!
by Ryan Harris 04 Apr '13

04 Apr '13

Hello, Thank you for having me on your discussion forum. SendGrid monitors outgoing links and checks with SURBL listings. We noticed yesterday several emails being flagged because emailonacid.com was listed by SURBL. I wanted to inquire about this and to hopefully gain some insight on why this domain was listed. Is there anything that SendGrid should be concerned about in regards to emailonacid.com. Today I don't see emails with this link being flagged, has the initial issue been resolved with emailonacid.com? Thank you for your time and your help. Ryan Harris Lead Abuse Engineer

4 3

Re: [SURBL-Discuss] Hello SURBL discussion board!
by Michele Neylon :: Blacknight 04 Apr '13

04 Apr '13

Ryan It's a mailing list not a discussion forum .. Anyway .. this isn't really the place where you're going to get answers on specific issues .. Regards Michele -- Mr Michele Neylon Blacknight Solutions Hosting & Colocation, Brand Protection http://www.blacknight.com/ http://blog.blacknight.com/ http://mneylon.tel/ Intl. +353 (0) 59 9183072 Locall: 1850 929 929 Direct Dial: +353 (0)59 9183090 Fax. +353 (0) 1 4811 763 Twitter: http://twitter.com/mneylon ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,Ireland Company No.: 370845 ________________________________________ From: Ryan Harris [ryan(a)sendgrid.com] Sent: 03 April 2013 16:15 To: discuss(a)lists.surbl.org Subject: [SURBL-Discuss] Hello SURBL discussion board! Hello, Thank you for having me on your discussion forum. SendGrid monitors outgoing links and checks with SURBL listings. We noticed yesterday several emails being flagged because emailonacid.com was listed by SURBL. I wanted to inquire about this and to hopefully gain some insight on why this domain was listed. Is there anything that SendGrid should be concerned about in regards to emailonacid.com. Today I don't see emails with this link being flagged, has the initial issue been resolved with emailonacid.com? Thank you for your time and your help. Ryan Harris Lead Abuse Engineer _______________________________________________ Discuss mailing list Discuss(a)lists.surbl.org http://lists.surbl.org/mailman/listinfo/discuss

5 5

Re: [SURBL-Discuss] Heads-up: m.surbl.org
by Steve Freegard 14 Mar '13

14 Mar '13

Hi Jeff, On 14/03/13 12:36, Jeff Chan wrote: > > Thanks much Steve, > I can duplicate the results, but it's actually for m4.surbl.org and > related nameservers. We've undelegated those until they can be fixed. > > Just got another report of this: [root@mx1 ~]# host -a msft.net.multi.surbl.org m.surbl.org. Trying "msft.net.multi.surbl.org" Using domain server: Name: m.surbl.org. Address: 216.143.70.135#53 Aliases: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31832 ;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;msft.net.multi.surbl.org. IN ANY ;; ANSWER SECTION: msft.net.multi.surbl.org. 180 IN A 127.0.0.4 msft.net.multi.surbl.org. 180 IN TXT "on lists [jp], See: http:// http:// http:// http:// http:// http:// http:// http:// http:// http:// http:// http:// http:// http:// http:// http:// http:// http:// http:// http:// http:// http:// http:// http:// http:// http:// http:// http:// http://www" Received 325 bytes from 216.143.70.135#53 in 46 ms I'm still seeing m.surbl.org in the NS list - I also note that the TTL means that it would take 24 hours for a change to be reflected anyway: [root@mx1 ~]# dig +trace multi.surbl.org ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.6 <<>> +trace multi.surbl.org ;; global options: printcmd . 6936 IN NS b.root-servers.net. . 6936 IN NS c.root-servers.net. . 6936 IN NS d.root-servers.net. . 6936 IN NS e.root-servers.net. . 6936 IN NS f.root-servers.net. . 6936 IN NS g.root-servers.net. . 6936 IN NS h.root-servers.net. . 6936 IN NS i.root-servers.net. . 6936 IN NS j.root-servers.net. . 6936 IN NS k.root-servers.net. . 6936 IN NS l.root-servers.net. . 6936 IN NS m.root-servers.net. . 6936 IN NS a.root-servers.net. ;; Received 332 bytes from 127.0.0.1#53(127.0.0.1) in 1 ms org. 172800 IN NS b2.org.afilias-nst.org. org. 172800 IN NS d0.org.afilias-nst.org. org. 172800 IN NS b0.org.afilias-nst.org. org. 172800 IN NS a0.org.afilias-nst.info. org. 172800 IN NS a2.org.afilias-nst.info. org. 172800 IN NS c0.org.afilias-nst.info. ;; Received 435 bytes from 192.228.79.201#53(b.root-servers.net) in 43 ms surbl.org. 86400 IN NS ns100.surbl.org. surbl.org. 86400 IN NS ns101.surbl.org. surbl.org. 86400 IN NS ns200.surbl.org. surbl.org. 86400 IN NS ns201.surbl.org. surbl.org. 86400 IN NS ns300.surbl.org. surbl.org. 86400 IN NS ns301.surbl.org. surbl.org. 86400 IN NS ns302.surbl.org. ;; Received 341 bytes from 199.249.120.1#53(b2.org.afilias-nst.org) in 23 ms multi.surbl.org. 86400 IN NS l.surbl.org. multi.surbl.org. 86400 IN NS h.surbl.org. multi.surbl.org. 86400 IN NS b.surbl.org. multi.surbl.org. 86400 IN NS c.surbl.org. multi.surbl.org. 86400 IN NS k.surbl.org. multi.surbl.org. 86400 IN NS f.surbl.org. multi.surbl.org. 86400 IN NS a.surbl.org. multi.surbl.org. 86400 IN NS i.surbl.org. multi.surbl.org. 86400 IN NS n.surbl.org. multi.surbl.org. 86400 IN NS g.surbl.org. multi.surbl.org. 86400 IN NS m.surbl.org. multi.surbl.org. 86400 IN NS j.surbl.org. multi.surbl.org. 86400 IN NS e.surbl.org. multi.surbl.org. 86400 IN NS d.surbl.org. ;; Received 481 bytes from 94.228.131.210#53(ns100.surbl.org) in 123 ms multi.surbl.org. 180 IN SOA dev.null. zone.surbl.org. 1363274558 180 180 604800 180 ;; Received 82 bytes from 211.29.132.122#53(l.surbl.org) in 190 ms I also notice the zone serial is different across some of the mirrors (not sure if this is normal or not): [root@mx1 ~]# for i in `echo a b c d e f g h i j k l m n`; do echo -en "$i.surbl.org: "; host -t SOA multi.surbl.org $i.surbl.org | tail -n1; done a.surbl.org: multi.surbl.org has SOA record dev.null. zone.surbl.org. 1363275315 180 180 604800 180 b.surbl.org: multi.surbl.org has SOA record dev.null. zone.surbl.org. 1363275171 180 180 604800 180 c.surbl.org: multi.surbl.org has SOA record dev.null. zone.surbl.org. 1363275139 180 180 604800 180 d.surbl.org: multi.surbl.org has SOA record dev.null. zone.surbl.org. 1363275315 180 180 604800 180 e.surbl.org: multi.surbl.org has SOA record dev.null. zone.surbl.org. 1363275315 180 180 604800 180 f.surbl.org: multi.surbl.org has SOA record dev.null. zone.surbl.org. 1363275139 180 180 604800 180 g.surbl.org: multi.surbl.org has SOA record dev.null. zone.surbl.org. 1363275171 180 180 604800 180 h.surbl.org: multi.surbl.org has SOA record dev.null. zone.surbl.org. 1363275171 180 180 604800 180 i.surbl.org: multi.surbl.org has SOA record dev.null. zone.surbl.org. 1363275171 180 180 604800 180 j.surbl.org: multi.surbl.org has SOA record dev.null. zone.surbl.org. 1363275139 180 180 604800 180 k.surbl.org: multi.surbl.org has SOA record dev.null. zone.surbl.org. 1363275105 180 180 604800 180 l.surbl.org: multi.surbl.org has SOA record dev.null. zone.surbl.org. 1363275139 180 180 604800 180 m.surbl.org: Host multi.surbl.org not found: 5(REFUSED) n.surbl.org: multi.surbl.org has SOA record dev.null. zone.surbl.org. 1363275171 180 180 604800 180 Cheers, Steve.

2 2

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

Discuss