Hi,
The domain "domain" 8-) is listed at jp and generated a false positive (at one
of our users).
Can you whitelist it, please?
domain :127.0.0.64:Blocked, domain on lists [jp], See:
http://www.surbl.org/lists.html
Regards,
Jose-Marcio
--
---------------------------------------------------------------
Jose Marcio MARTINS DA CRUZ Tel. :(33) 01.40.51.93.41
Ecole des Mines de Paris http://j-chkmail.ensmp.fr
60, bd Saint Michel http://www.ensmp.fr/~martins
75272 - PARIS CEDEX 06 mailto:Jose-Marcio.Martins@ensmp.fr
I've noticed that SURBL (and URIBL, who I will contact later) lists
several domains that have appeared in spam header contents as well as in
body contents. I'd like to use SURBL (probably multi) as an optional
domains BL check against headers known to contain domains, such as
the Message-ID, From, and Reply-To headers, a la
Message-Id: <200510020442.j924gBkv021479(a)expoactive.net>
From: ExpoActive <advertising(a)expoactive.net>
Reply-To: advertising(a)expoactive.net
From: "Steven McGuire" <stevenmcguire(a)aaaaa2.com>
List-Unsubscribe: <mailto:leave-2005_1-6m_optin-10289508G@aaaaa2.com>
Message-Id:
<LYRIS-10289508-169-2005.10.03-20.50.13--{vic#tim}(a)aaaaa2.com>
From: "iMarketing Sales Leads" <julieandrews(a)imailzone.info>
Reply-To: "OAG" <club(a)reachmail.net>
From: TuneUp Software Newsletter <newsletter(a)tune-up.com>
Reply-To: newsletter4v2-reply(a)newsletter.tune-up.com
From: "Solutions" <info(a)disklesspc.com>
Reply-To: info(a)disklesspc.com
From: "Millionaires Concierge" <info(a)millionaires-concierges1.com>
Reply-To: info(a)millionaires-concierges1.com
As I've only received 23 spams not otherwise classifiable as worth
blocking using other means (e.g., 419 scams which can be blocked by
injection IP) this /month/, having successfully blocked all the rest,
I'd really like to take advantage of the realtime nature of SURBLs.
I could see immediate results in the form of blocking literally 1/3 of
the remaining spam I allow in here.
Comments? This would be an optional configuration for my enemieslist
package, which I intend to have more widespread distribution eventually
but which would not represent a crushing query load at present.
--
hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2554 w: http://hesketh.com
antispam news, solutions for sendmail, exim, postfix: http://enemieslist.com/
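An added example, not code from the enemieslist package or the original post, of the optional header check described above: pull the domains out of Message-ID, From and Reply-To, reduce them to the registrable domain, look each up under multi.surbl.org and decode the returned bitmask. The resolver is injected so the sample runs offline; the FAKE_DNS answer is constructed, and the bit layout other than 64 = jp (seen in the bounce earlier in this thread) is an assumption about the 2005-era multi list.

```python
import re
from typing import Callable, Dict, List, Optional

# Assumed multi.surbl.org bit layout of the period; 64 = jp is confirmed by
# the "127.0.0.64 ... [jp]" bounce quoted in this thread, the rest is assumed.
SURBL_BITS = {2: "sc", 4: "ws", 8: "ph", 16: "ob", 32: "ab", 64: "jp"}

# Headers the post proposes to check.
HEADER_FIELDS = ("Message-ID", "From", "Reply-To")

# ccTLD second-level suffixes where the registrable domain is three labels
# deep (short illustrative list, not SURBL's full two-level table).
TWO_LEVEL_TLDS = {"co.uk", "org.uk", "com.au", "co.jp", "com.br"}

ADDR_RE = re.compile(r"[\w.+-]+@([A-Za-z0-9.-]+)")
IP_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def base_domain(host: str) -> str:
    """Reduce a hostname to the registrable domain SURBL keys on."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_TLDS:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def header_domains(headers: Dict[str, str]) -> List[str]:
    """Base domains found in address-bearing headers; IP literals are
    skipped, since IPs on SURBLs are not sender IPs (see Jeff's reply)."""
    found: List[str] = []
    for field in HEADER_FIELDS:
        for host in ADDR_RE.findall(headers.get(field, "")):
            if IP_RE.match(host):
                continue
            dom = base_domain(host)
            if dom not in found:
                found.append(dom)
    return found

def decode_bits(last_octet: int) -> List[str]:
    """Map the last octet of a 127.0.0.X answer to list names."""
    return [name for bit, name in SURBL_BITS.items() if last_octet & bit]

def check_headers(headers: Dict[str, str],
                  resolve: Callable[[str], Optional[str]]) -> Dict[str, List[str]]:
    """Look each header domain up under multi.surbl.org; return the hits."""
    hits: Dict[str, List[str]] = {}
    for dom in header_domains(headers):
        answer = resolve(f"{dom}.multi.surbl.org")
        if answer and answer.startswith("127.0.0."):
            hits[dom] = decode_bits(int(answer.rsplit(".", 1)[1]))
    return hits

# Constructed stand-in for DNS: pretends the domain is on ob and jp (16+64).
FAKE_DNS = {"expoactive.net.multi.surbl.org": "127.0.0.80"}
SAMPLE = {"Message-ID": "<200510020442.j924gBkv021479@expoactive.net>",
          "From": "ExpoActive <advertising@expoactive.net>",
          "Reply-To": "advertising@expoactive.net"}

if __name__ == "__main__":
    print(check_headers(SAMPLE, FAKE_DNS.get))
```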
[Rob confirmed he meant to send his reply below to the list.
Here's my reply to his (unintentionally) private reply.]
On Wednesday, October 12, 2005, 7:14:51 AM, Rob McEwen wrote:
>>Were you resolving SURBL domains
>>then checking resolved IPs against header IPs?
> No, I wasn't. Even though IPs on SURBL are rare, when they do occur, they
> are prime candidates for FPs if/when checking headers.
> Of course, SURBL FPs on the body of the message are already extremely
> rare... But, even so, because we've been constantly making improvements in
> that area as well, it is entirely possible that SURBL FPs when checking
> against headers might be MORE rare now than in previous months... again,
> this being due to our steady and constant across-the-board improvements.
While it's true that many of the IPs that appear on SURBLs are
probably zombies and those zombies could be used as senders, this
is straying pretty far from the original purpose of the lists.
Probably something like CBL or XBL would be much better general
compromised sender lists to check against message headers. Even
something like a Dynamic IP list like dynablock.njabl.org may be
a better indicator of zombie-ness.
I have not done any research, but far more of the zombies are
probably on those lists than as IPs on SURBLs.
BTW you sent your reply privately. May I post this?
Jeff C.
--
Don't harm innocent bystanders.
Hi,
I'm new here, so sorry if this has been previously debated.
I have seen your discussion about blacklisting geocities. This would
create so many FPs that it's clearly impossible, but I wonder if treating
these domains as 3rd / 4th level TLD could be the way to go ...
Example:
This (-munged) real spammy address
http://uk.geocities-munged.com/Gonzalo_Freehling/ could be translated
into gonzalo_freehling.uk.geocities-munged.com and then queried ...
The translation would require some specific code for these 'virtual TLD'
domains in URIDNSBL.pm (for SA3) but would allow catching otherwise
undetected URIs, while having no FP for non spammy geocities sites.
For it to work, the 'virtual TLD' domains should be flagged, either by
setting a specific bit in the returned data (during normal queries to
the domain) or maintaining a downloadable list.
Does it make sense?
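An added example, not code from URIDNSBL.pm or the post above, of the 'virtual TLD' translation proposed here: when a URL's host falls under a flagged hosting domain, the first path segment is lowercased and prepended as an extra label, so the per-user site can be listed and queried without listing the whole hosting domain. The VIRTUAL_TLDS set is a constructed stand-in for the flagged-domain list the post says would have to be maintained; the -munged hostname is kept as in the thread.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# Constructed stand-in for the flagged 'virtual TLD' hosting domains
# (the post suggests a downloadable list or a result bit for these).
VIRTUAL_TLDS = {"geocities-munged.com"}

# A user-site name must be usable as a DNS label to be queried at all.
LABEL_RE = re.compile(r"[a-z0-9_-]{1,63}")

def virtual_tld_for(host: str) -> Optional[str]:
    """Return the flagged hosting domain that host falls under, if any
    (uk.geocities-munged.com -> geocities-munged.com)."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in VIRTUAL_TLDS:
            return candidate
    return None

def surbl_query_name(url: str) -> Optional[str]:
    """Name to look up for a URL. Ordinary hosts are returned unchanged
    (base-domain reduction is left to the caller); hosts under a virtual
    TLD get the first path segment prepended as a label."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    if not host:
        return None
    if virtual_tld_for(host) is None:
        return host
    segments = [s for s in parts.path.split("/") if s]
    if not segments:
        return host  # hosting front page itself, no user site to key on
    user = segments[0].lower()
    if not LABEL_RE.fullmatch(user):
        return None  # not a queryable label; fall back to other checks
    return f"{user}.{host}"

if __name__ == "__main__":
    # The (munged) spammy address from the post.
    print(surbl_query_name("http://uk.geocities-munged.com/Gonzalo_Freehling/"))
```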
As a follow-up to the UK geocities issue, I fear that this may be related to
spyware or a virus.
Over the past few weeks, I've identified a few patterns. For example the
email below contains 5 email addresses, 4 of which are quite unique. You
will also note they are not indicative of a dictionary attack, yet they were
all emailed in one single SPAM.
Further, at least one of the people on this list passed away over a year
ago.
Additionally, what I have been seeing is VERY VERY unique emails getting
hammered with SPAM and I believe it must be a virus/spyware that is getting
the address books off of machines because the emails are too unique to
guess.
I don't know what to do with this information other than put out my $0.02
that I think people are targeting address books and I can't prove it :-(
Regards,
KAM
> ----- Original Message -----
> From: "parker hair" <lyric(a)bowiewonderworld.com>
> To: "Carson Magruder" <payne(a)summerconsultants.com>
> Cc: <nance(a)summerconsultants.com>; <hoffman(a)summerconsultants.com>;
> <ward(a)summerconsultants.com>; <mail(a)summerconsultants.com>
> Sent: Thursday, October 06, 2005 10:06 AM
> Subject: bon In a relaxing ishopping mall, nail down quick alleviators. bus
>
>
> >
> > Cutback costs for real remedies.
> >
> > Fast effects antibiotics to allay your fever.
> > It's our value that fulfils efficient shipping.
> > Ours affordable because of lessen operating cost.
> >
> > Let our expert review your meddical profiles at zero charge.
> > Thanks for facilitating gratis online consultation. Ben J --CA.
> >
> > http://uk.geocities-munged-.com/windsnarlgreatb/?owgroclo
> >
Dear David,
I am an attorney in California. Our firm represents ISPs and has begun to
actively pursue SPAMMERS under the California fraud laws and the Federal
CAN-SPAM Act. I have been following yours and your colleague's messages on
[SURBL-Discuss]. Our primary problem is identifying SPAMMERS in a way that
we can start a federal action against them. "Redirect" problems add to our
other problems of identifying SPAMMERS. Currently we are trying to identify
defendants by tracking them to the retail site they represent. We then
include the owner of the retail site, the registrar of the domain (in almost
every case this is YES NICK LTD), and any technicians we identify along the
way. Ignore the arguments you have heard about what can and cannot be
brought under the current law - I really think this has been produced by
attorneys who are defending SPAMMERS to get ISPs and federal/State
prosecutors not to bring actions, or to set up some kind of future defense.
I am looking for any help you or your associates might be able to provide.
I realize you must be skeptical. Therefore you can check my credentials at
the CA State Bar site (look it up on Google) by doing an attorney search on
my name - Richard Grabowski. I am located in Eureka, CA. In addition to
being an attorney I have over 30 years experience as a technician in the IT
and Telecommunications industry. I worked for GTE, DMR and BusinessEdge as
a senior enterprise architect.
I am looking for tools, freeware or paid, that help track domains, email
servers, senders, etc. Anything that will help identify the actual source of
the SPAM in a quick and efficient manner. I am working with high end
technicians that have extensive experience in this area, but I am always
looking for more help.
We will bring actions against SPAMMERS in foreign countries. We do not
actually expect them to respond to a federal complaint, so we will end up
with default judgments. These are relatively cheap to pursue. We will then
try to make a deal with the legal agencies in the foreign country, a
percentage, to try and recover on the judgment. This may eventually make it
too expensive for the SPAMMERS to continue, or it may incent the local legal
agencies to actually pursue the SPAMMERS, rather than protect them.
As I have said we are actively pursuing this tactic now. I am hoping that
you and your colleagues will want to help. The enforcement of SPAM laws is
currently being left to the FTC and State prosecutors. These agencies have
little or no budget to pursue these activities. I unfortunately believe
that the laws were set up limiting enforcement primarily to the FTC in order
to prevent any real prosecutions. This is a tactic of some politicians to
support their contributors without actually having to oppose legislation.
In this case it has made enforcement of the SPAM laws very unlikely. The
only case I know of is a joint action by the FTC and CA State Atty Gnl.: FTC
and People of CA v. Optin Global, Inc. and Vision Media Limited, Corp. You
can find the federal filing at:
http://www.ftc.gov/os/caselist/0423172/050413comp0423172.pdf
We are using this filing as the template for our filings.
If you can help I would really like to hear from you.
Thanks,
Richard Grabowski
rgrabows(a)pacbell.net
W - 707 441-1487
C - 707 771-9585
Good day, all,
(Summary - the sa-blacklist content is moving to new machines. If
you're downloading any of the 15 versions of this list, you'll need to
change the hostname you use in your download; see "What you need to do"
below for instructions.)
I had a chat with my ISP last week. They've known for a long time
that the bandwidth spike at the top of every hour was my web server, but
since they knew the sa-blacklist was hosted there and it was a public
service project, they told me not to worry.
Fast forward to last week. *smile*
When I asked this new contact what amount of bandwidth my hosting
contract would normally allow and how much bandwidth I'd actually been
using over the last few months, he told me that I should be around
10G/month, but I've been using 1000G/month. Woah. Luckily, he wasn't
asking me to pay 100X my current contract. *smile*
They really have been great about it (I mean that sincerely), but
both they and I know that's an unreasonable drain on their bandwidth and
unfair to the other customers. To fix that, I'm transitioning the content
to new machines with more available bandwidth.
I owe a heartfelt thanks to Raymond, David, Panagiotis, Rob, Wim,
Jeff, and Chris for offering to host the content at no cost on much faster
lines than mine and offering suggestions on how to make the process more
efficient. Their generosity makes it possible for me to continue
providing this content.
==== What you need to do ====
I've already set up new hostnames (*) from which the sa-blacklist
files can be pulled. If you're getting any sa-blacklist files over http,
please change the hostname you use to "www.sa-blacklist.stearns.org". If
you are using rsync to pull content, please use
"rsync.sa-blacklist.stearns.org". If you're using ftp, please use
"ftp.sa-blacklist.stearns.org". In other words, the exact same content
should be viewable at
http://www.sa-blacklist.stearns.org/sa-blacklist/
ftp://ftp.sa-blacklist.stearns.org/pub/wstearns/sa-blacklist/
rsync://rsync.sa-blacklist.stearns.org/wstearns/sa-blacklist/
(although this last one is commonly used by the rsync application
and won't work in a web browser.)
There's a real benefit to you in taking the time to make this
switchover. My server was getting pegged for multiple minutes at the top
of the hour, so you'll find your downloads are much faster. Because of
the way the files are distributed, the content on the mirrors should
always be as current as the ones on the main server.
At some point in the near future, I'll be limiting access to or
completely shutting down the old URLs, so it's to your advantage to
switch over sooner rather than later. *smile*
I'd sincerely appreciate it if you could check any automated
download scripts or cron jobs and point them to these new hostnames.
Sorry for the inconvenience, but because these URLs are only used for
this content, you won't need to make this change again.
As one last suggestion, you might want to consider using the
ws.surbl.org dns lookup service which performs the same checks as
sa-blacklist.current.uri.cf , but _much_ faster and with a _lot_ less
memory. More information about this dns-based service is available at
http://www.surbl.org/ .
Cheers,
- Bill
* These aliases will transparently pick a random server out of the
available machines, spreading out the load. As more mirrors come online
you'll be sent to them automatically.
---------------------------------------------------------------------------
(Referring to the 32 bit system that feeds out files for
kernel.org) "We learned that the Linux load average rolls over at 1024.
And we actually found this out empirically."
-- Peter Anvin
--------------------------------------------------------------------------
William Stearns (wstearns(a)pobox.com). Mason, Buildkernel, freedups, p0f,
rsync-backup, ssh-keyinstall, dns-check, more at: http://www.stearns.org
--------------------------------------------------------------------------
Greetings:
sc2.surbl.org and xs.surbl.org are not mentioned on
http://www.surbl.org/lists.html
What are the criteria for being listed in these two new ones?
Are there any changes to implementation and usage of them?
Thank you.
The attached email hit URIBL_OB_SURBL -- it's a normal marketing email
from EmigrantDirect.com, for which I signed up at the recipient email
address. I've never seen any spam from EmigrantDirect.
Please check into this OB entry ... should probably be removed.
Bob Menschel
This is a forwarded message
From: EmigrantDirect(a)emigrant.com <EmigrantDirect(a)emigrant.com>
To:
Date: Tuesday, September 20, 2005, 5:05:54 PM
Subject: Rate increase - EmigrantDirect races to 4.0% APY
===8<==============Original message text===============
Return-path: <return(a)fire2.sumnet.com>
Envelope-to: emigrant(a)menschel.net
Delivery-date: Tue, 20 Sep 2005 17:13:34 -0700
Received: from pascal.ctyme.com ([69.50.226.20])
by newton.ctyme.com with esmtps (TLSv1:AES256-SHA:256)
(Exim 4.52)
id 1EHsEq-0004hA-9k
for emigrant(a)menschel.net; Tue, 20 Sep 2005 17:13:30 -0700
Received: from mail by pascal.ctyme.com with ctyme-spam-scanned (Exim 4.52)
id 1EHsEm-00061R-ND
for emigrant(a)menschel.net; Tue, 20 Sep 2005 17:13:27 -0700
Received: from broadcast5.sumnet.com ([206.139.137.83] helo=sumnet.com)
by pascal.ctyme.com with esmtp (Exim 4.52)
id 1EHsEl-0005yz-JW
for emigrant(a)menschel.net; Tue, 20 Sep 2005 17:13:23 -0700
Received: (from return@localhost)
by sumnet.com (8.11.7p1+Sun/8.11.7) id j8L05s917331;
Tue, 20 Sep 2005 20:05:54 -0400 (EDT)
Date: Tue, 20 Sep 2005 20:05:54 -0400 (EDT)
Message-Id: <200509210005.j8L05s917331(a)sumnet.com>
From: EmigrantDirect(a)emigrant.com
Subject: Rate increase - EmigrantDirect races to 4.0% APY
Bcc:
X-Sumid: H0000AE4
X-Mailer: Email Broacaster 1.2
Mime-Version: 1.0
Content-Type: multipart/alternative;
boundary="-----00000AE3_0000001A_4330946D_000835SUM.ALT"
X-Mail-from: return(a)fire2.sumnet.com
X-Spamprobe: neutral ***** 0.3518373 OK
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.0.4 (2005-06-05) on pascal.ctyme.com
X-Spam-Level: **********
X-Spam-Status: Yes, score=10.4 required=5.0 tests=CT_APPLY,HTML_40_50,
HTML_MESSAGE,LINK_PHRASE,MAILTO_LINK,MISSING_HEADERS,NO_FEE,
NO_REAL_NAME,URIBL_OB_SURBL autolearn=no version=3.0.4
X-Spam-Report:
* 1.0 NO_REAL_NAME From: does not include a real name
* 2.0 LINK_PHRASE Phrase within link
* 1.0 MISSING_HEADERS Missing To: header
* 1.0 NO_FEE BODY: No Fees
* 0.1 CT_APPLY BODY: Apply for Something
* 0.0 HTML_40_50 BODY: Message is 40% to 50% HTML
* 1.0 HTML_MESSAGE BODY: HTML included in message
* 1.0 MAILTO_LINK RAW: Includes a URL link to send an email
* 3.2 URIBL_OB_SURBL Contains an URL listed in the OB SURBL blocklist
* [URIs: emigrant-direct.com]
X-Spam-filter-host: pascal.ctyme.com - http://www.junkemailfilter.com
X-Spam: [SPAM] - LOW
X-Spam: [SPAM] - LOW
[INLINE]
We are pleased to announce that effective today, Tuesday,
September 20, your American Dream Savings Account from EmigrantDirect
now yields 4.0% APY, the highest rate in the country with no fees and
no minimums, FDIC insured. Responding immediately to the most recent
news from the Federal Reserve, EmigrantDirect is pleased to be able to
offer this unmatched rate to our loyal customers.
You may wish to take this opportunity to put all your available funds
to work for you. If you have deposits earning less interest at other
institutions, now is a good time to consolidate those savings at
EmigrantDirect. Electronic transfers into and out of your account are
free and our new 4.0% APY is guaranteed through December 31, 2005
(subject to upward adjustments only).
Additionally, we are also pleased to announce the upcoming launch of a
no-fee credit card from EmigrantDirect offering the highest cash back
rebate in the country on all your purchases - from the first dollar
spent on your card to the very last. This revolutionary credit card
featuring platinum-level benefits will be offered only to
EmigrantDirect customers and be available before yearend. Cash back
amounts will be deposited into your American Dream Savings Account
automatically not once, but twice a year for added convenience. If you
would like to be sent a priority invitation to apply for the card once
it becomes available, please send a quick email with your name and
email address to [1]emigrantdirect(a)emigrant.com. We hope that you will
become a cardholder and discover yet another way that EmigrantDirect
serves and rewards its customers with outstanding value.
Sincerely,
[INLINE]
Howard P. Milstein
Co-Chairman, President and CEO
Emigrant Savings Bank
Emigrant Bancorp, Inc.
[INLINE]
Subject to applicable terms and conditions and account disclosures as
set out at EmigrantDirect.com.
No minimum balance required. All rights reserved.
You are receiving this email in accordance with the terms and
conditions of your account with EmigrantDirect. If you do not wish to
receive general informational or promotional emails from
EmigrantDirect about products and services that might be of interest
to you, [2]click here.
References
1. mailto:emigrantdirect@emigrant.com
2. mailto:emigrantdirect@emigrant.com?subject=Unsubscribe
===8<===========End of original message text===========