Discuss

discuss@lists.surbl.org

1 participants
1867 discussions

Re: [SURBL-Discuss] Re: SURBL: sc2 vs sc?
by Jeff Chan 06 Aug '05

06 Aug '05

On Thursday, August 4, 2005, 7:36:11 AM, Bil Cook wrote: > Have yet to hit a FP on SC2 and that is over almost three weeks now On Thursday, August 4, 2005, 5:29:00 AM, Rob McEwen wrote: > Last night, I ran SC2 against a corpus of 119,000 messages consisting of > about 97-99% ham. This was a corpus of mostly ham mail which had made it > past my filter over the past few months. (BTW, my percentages keep getting > better, so most of that small percentage of spam in this corpus was from a > few months ago). > SC2 caught about 150 messages from this corpus. ALL of these caught messages > were spam. It did NOT "block" a single ham. Thanks much for the feeback Bil, Rob and others earlier and off-list. If the SA folks don't have time to do a corpus check on SC2, then maybe we should go ahead and put SC2 into production. I'd still feel better with a large ham check from them before doing it though. Jeff C. -- Don't harm innocent bystanders.

3 5

Re: [SURBL-Discuss] Why you should check Phish IPs first :/
by List Mail User 06 Aug '05

06 Aug '05

>... >In today's spamtrap take, I got a phish targeting eBay that >contained a link to the following IP: > >66.135.192.124 > >The link was inside a JavaScript and looked, at first and second >glance, like a link to a phish site. As a habit, I do an rDNS >on all IPs, however, before listing them. That's fortunate, in >this case -- that IP resolves as hp-core.ebay.com. Yes, a genuine >eBay IP pointing to a genuine eBay server, one that has nothing >to do with the phish, of course. > >The actual phish link in this spam was: > >http://www.doje.de/bbs/eBayISAPI.dllhdsh6ds65bcgadhgd43as676bsda6gwcv7zfcag… > >It appeared well down the spam, after not one, but two, decoy >links to the eBay IP above. > >By the way, I'm not listing doje.de as a Phish Domain either. >It's a Chinese language web site (yes, at a German national >domain, probably something for expatriates), and the format >of the URL suggests that the phisher exploited an insecure >web BBS package. This is one where blocking on the URL is >the appropriate approach. <sigh> > >Posted because I'm seeing quite a few phishes with this sort >of decoy information/links lately. :/ Phishers are clearly >trying to poison the blocklisting process. We have to be >careful. > > >-- >Catherine Hampton <ariel(a)spambouncer.org> >The SpamBouncer * <http://www.spambouncer.org/> >Personal Home Page * <http://www.devsite.org/> >_______________________________________________ >Discuss mailing list >Discuss(a)lists.surbl.org >http://lists.surbl.org/mailman/listinfo/discuss > I think it is Korean, not Chinese. Paul Shupak track(a)plectere.com

1 0

SURBL: sc2 vs sc?
by Jeff Chan 04 Aug '05

04 Aug '05

It's sounding like the sc2 list is catching 10-15% more spam than the sc list, based on some early reports of SA users. Is anyone else getting some results? Are there differences in ham hits? Has anyone been able to run them through their test corpora? How about xs.surbl.org? Jeff C. -- Don't harm innocent bystanders.

5 7

Re: [SURBL-Discuss] RFC: Adding SpamBouncer phishing data to ph.surbl.org
by List Mail User 02 Aug '05

02 Aug '05

Steve, I'm not a procmail user and nearly all your expressions look good except a few. If you have any users into genealogy the next~of~kin pair may give you problems; I get mail like this from family members who are "into" that sort of thing. Also, my accountants will sometimes send me emails with urgent_response and/or urgent_reply in them. All the rest seem to match what I have seen in 419s only - a really good list overall. (BTW. Bayes is good at catching these too. How often does an American even see or hear the word "barrister"? Ouside of the Commonwealth or old Commonwealth countries, I doubt the work gets any use except on PBS; And who *really* wants to hear from a lawyer anyway:-)) Paul Shupak track(a)plectere.com

2 1

RFC: Adding SpamBouncer phishing data to ph.surbl.org
by Jeff Chan 02 Aug '05

02 Aug '05

Catherine Hampton of SpamBouncer (welcome to the SURBL Discuss list Catherine!) is kindly making available her carefully checked phishing domains and IPs for our inclusion in the SURBL phishing list. They're not currently added to ph.surbl.org, but the hooks are in place to make it live after some discussion here. Catherine's data come from antiphishing.org plus her own trapped phishes. All are hand checked about once a day. When I reviewed a recent snapshot of the data: http://www.spambouncer.org/dist/standalone/phishdata/current.txt I found that 124 of the 193 domains were already listed on various SURBLs. The other new 69 looked quite phishy and probably ok to list. For the IPs, we had 22 of the 74 listed, and I'll assume the others are probably zombies, etc. as Catherine suggested. Generally speaking there's little harm in listing IPs since most legitimate sites don't get referenced by IP, so there's good upside and little downside for listing them. Please take a look at the data for yourself and comment. Regarding expiring the data, Catherine told me: > I expire "Phish IP" listings every month. Phishers move around a > LOT, probably because most of the IPs are on compromised or trojaned > hosts and tend to get fixed within a couple of weeks. > > I don't expire Phish domains formally right now, although eventually > I plan to run them through regular "has this domain expired and not > been renewed" checks. Since I only list domains designed specifically > for phishing and used only by phishers as "Phish domains", they aren't > likely to be used for anything else. (Domains like paypalll.com > don't seem to have much legitimate use to me.) which sound like reasonable policies to me. Does anyone have comments on adding these to the PH list? Am I forgetting anything Catherine? :-) Jeff C. -- Don't harm innocent bystanders.

6 7

RE: Adding SpamBouncer phishing data to ph.surbl.org
by Greg Allen 02 Aug '05

02 Aug '05

I agree, we definitely need SURBL black lists. They have helped tremendously against spam! I just feel that it would be chasing one's tail a bit to try to catch phishing in SURBL. People who do phishing are going to change their IP address (IP where the actual target/sucker is sent) frequently. They are also probably going to use random and ever changing computer IPs outside the US for obvious legal reasons. Maybe zombies even, who knows. Any domain names in a phishing email code are most likely going to be legit domain names such as, ebay.com, bankofamerica,com, southtrustbank.com etc.. These are the domains visible to the target/sucker. So it just seems to me that an antivirus program is better for detecting HTML code patter of these schemes rather than the IP address of the day/week that they would be sending from in South Korea, Russia or China, etc. There is a very simple ClamAV plugin that does this (see the SA Wiki). I am using it on my SA system and it does the job of sending it on to my next downstream systems marked as spam. I have more antivirus on downstream systems that will delete real viruses as well since I just use ClamAV for spam tagging for simplicity sake. (I don't want to put a ton of programs on the computer to call SA, such as Amavis-new, etc., so that is why I do this.) >And by the way: I REALLY appreciate your SURBL lists and hard >work even if I think other tools supplement and help make your >stuff even better. > >My security principles include (but are not limited to): > > 1) Stop as much as possible at the outer perimeter > (earlier the better) > > 2) Defense in depth > >For us, the virus scanning happens before the Spam tests; >early is good. > >-- >Herb Martin

4 10

Re: Adding SpamBouncer phishing data to ph.surbl.org
by Jeff Chan 01 Aug '05

01 Aug '05

On Sunday, July 31, 2005, 3:52:53 AM, Herb Martin wrote: > Presumably -- now you have me interested so I am going to check > -- ClamAV does more than a naive pattern match on the URI and > apparently they even have (had) endless debates in the ClamAV > newsgroups/lists on this subject. Sure, and any additional pattern matching is probably useful for detecting phishes, but every phish I've seen has tried to direct someone to a fake web site. Web sites mentioned in spams, including phishing spams, are *precisely* what SURBLs are designed to detect. SURBLs are not designed to detect viruses at all, just web sites. Phishes don't usually have viruses, but they do have web sites. Draw your own conclusions.... :-) > And by the way: I REALLY appreciate your SURBL lists and hard > work On behalf of the many people helping out with the SURBL project in various ways, thanks for your kind words. Jeff C. -- Jeff Chan mailto:jeffc@surbl.org http://www.surbl.org/

1 0

Please test sc2.surbl.org (and xs.surbl.org)
by Chris 31 Jul '05

31 Jul '05

Jeff, did this come out any better? ---------- Forwarded Message ---------- Email: 148 Autolearn: 0 AvgScore: 19.63 AvgScanTime: 6.54 sec Spam: 103 Autolearn: 0 AvgScore: 32.95 AvgScanTime: 6.39 sec Ham: 45 Autolearn: 0 AvgScore: -10.87 AvgScanTime: 6.88 sec Time Spent Running SA: 0.27 hours Time Spent Processing Spam: 0.18 hours Time Spent Processing Ham: 0.09 hours TOP SPAM RULES FIRED ------------------------------------------------------------ RANK RULE NAME COUNT %OFRULES %OFMAIL %OFSPAM %OFHAM ------------------------------------------------------------ 1 PYZOR_CHECK 103 5.70 69.59 100.00 100.00 2 DIGEST_MULTIPLE 93 5.15 62.84 90.29 4.44 3 RAZOR2_CF_RANGE_51_100 89 4.93 60.14 86.41 0.00 4 RAZOR2_CHECK 88 4.87 59.46 85.44 0.00 5 BAYES_99 87 4.81 58.78 84.47 0.00 6 DCC_CHECK 61 3.38 41.22 59.22 4.44 7 URIBL_SC2_SURBL 59 3.27 39.86 57.28 0.00 8 URIBL_JP_SURBL 57 3.15 38.51 55.34 0.00 9 URIBL_SC_SURBL 56 3.10 37.84 54.37 0.00 10 URIBL_OB_SURBL 55 3.04 37.16 53.40 0.00 11 URIBL_AB_SURBL 53 2.93 35.81 51.46 0.00 12 HTML_MESSAGE 53 2.93 35.81 51.46 2.22 13 URIBL_XS_SURBL 51 2.82 34.46 49.51 0.00 14 RCVD_IN_XBL 45 2.49 30.41 43.69 0.00 15 URIBL_WS_SURBL 40 2.21 27.03 38.83 0.00 16 RCVD_IN_BL_SPAMCOP_NET 40 2.21 27.03 38.83 0.00 17 URIBL_SBL 34 1.88 22.97 33.01 0.00 18 RCVD_IN_DSBL 31 1.72 20.95 30.10 0.00 19 RCVD_IN_SORBS_DUL 26 1.44 17.57 25.24 0.00 20 MIME_HTML_ONLY 26 1.44 17.57 25.24 2.22 ------------------------------------------------------------ TOP HAM RULES FIRED ------------------------------------------------------------ RANK RULE NAME COUNT %OFRULES %OFMAIL %OFSPAM %OFHAM ------------------------------------------------------------ 1 PYZOR_CHECK 45 25.14 30.41 100.00 100.00 2 BAYES_00 39 21.79 26.35 0.97 86.67 3 AWL 29 16.20 19.59 2.91 64.44 4 SPF_HELO_PASS 11 6.15 7.43 0.97 24.44 5 SPF_PASS 6 3.35 4.05 0.00 13.33 6 USER_IN_WHITELIST 5 2.79 3.38 0.00 11.11 7 RCVD_BY_IP 4 2.23 2.70 7.77 8.89 8 NO_REAL_NAME 4 2.23 2.70 10.68 8.89 9 BAYES_50 4 2.23 2.70 5.83 8.89 10 SPF_SOFTFAIL 3 1.68 2.03 15.53 6.67 11 DNS_FROM_RFC_POST 3 1.68 2.03 17.48 6.67 12 DCC_CHECK 2 1.12 1.35 59.22 4.44 13 RCVD_IN_BSP_TRUSTED 2 1.12 1.35 0.00 4.44 14 DIGEST_MULTIPLE 2 1.12 1.35 90.29 4.44 15 RCVD_IN_BSP_OTHER 2 1.12 1.35 0.00 4.44 16 DNS_FROM_RFC_WHOIS 2 1.12 1.35 6.80 4.44 17 USER_IN_DEF_WHITELIST 2 1.12 1.35 0.00 4.44 18 MIME_HTML_ONLY 1 0.56 0.68 25.24 2.22 19 PLING_QUERY 1 0.56 0.68 0.97 2.22 20 HTML_MESSAGE 1 0.56 0.68 51.46 2.22 ------------------------------------------------------------ ------------------------------------------------------- -- Chris Registered Linux User 283774 http://counter.li.org 15:24:08 up 6 days, 16:25, 2 users, load average: 0.50, 0.16, 0.11 Mandriva Linux 10.1 Official, kernel 2.6.8.1-12mdk ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ I read the newspaper avidly. It is my one form of continuous fiction. -- Aneurin Bevan ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

2 2

Re: RFC: Adding SpamBouncer phishing data to ph.surbl.org
by Frank Ellermann 31 Jul '05

31 Jul '05

Jeff Chan wrote: > Catherine's data come from antiphishing.org plus her own Sometimes I use antiphishing.org for "manual" reports in addition to SC. > Does anyone have comments on adding these to the PH list? Sounds good, bye, Frank

1 0

Please test sc2.surbl.org (and xs.surbl.org)
by Jeff Chan 29 Jul '05

29 Jul '05

sc2.surbl.org, the improved version of the SpamCop SURBL list, is ready for testing. So is the new version of xs.surbl.org, which is now more accurate, has far fewer FPs, etc. sc2 adds resolved IP checks, meaning sites hosted on the same networks are detected immediately upon the first report. It also means that folks should continue to use SpamCop reporting if they want to contribute to a very powerful SURBL list. Your SpamCop reports now have even more power in sc2. In cases of the worst spammers, SpamCop reporting leads to essentially immediate listing in sc2. sc2 is on about 15 public nameservers and xs is on 22. That's probably not enough for running large production servers on, but it should be plenty for corpus checks and mail servers with small to medium message volumes. If you have rsync access to the SURBL zone files you can also mirror the files locally for testing of course. The sc2 and xs zones are currently available via rsync. (If you have a large volume mail server, please apply for rsync access so that you can mirror the zone files locally: http://www3.surbl.org/rsync-signup.html and offload the public nameservers.) After sc2 is tested for a while we will turn it into the production sc.surbl.org list, assuming it has better performance than the current list, which seems quite likely. At that point sc2 will go away, since it will have become sc. xs may go into the 128th bit of multi.surbl.org if it tests well. Please test sc2 and the revised xs and let us know how they perform for you. Those with large spam and ham corpora (such as the SpamAssassin developers) are encouraged to test and please let us know. Here are SpamAssassin 3.0.1 and later configs for using these two lists: urirhsbl URIBL_SC2_SURBL sc2.surbl.org. body URIBL_SC2_SURBL eval:check_uridnsbl('URIBL_SC2_SURBL') describe URIBL_SC2_SURBL Has URI in SC2 at http://www.surbl.org/lists.html tflags URIBL_SC2_SURBL net score URIBL_SC2_SURBL 3.0 urirhsbl URIBL_XS_SURBL xs.surbl.org. body URIBL_XS_SURBL eval:check_uridnsbl('URIBL_XS_SURBL') describe URIBL_XS_SURBL Has URI in XS - Testing tflags URIBL_XS_SURBL net score URIBL_XS_SURBL 2.0 SpamAssassin 2.64 rules and scores using SpamCopURI 0.22 or later look like this: uri SC2_URI_RBL eval:check_spamcop_uri_rbl('sc2.surbl.org','127.0.0.2') describe SC2_URI_RBL Has URI in SC2 at http://www.surbl.org/lists.html tflags SC2_URI_RBL net score SC2_URI_RBL 3.0 uri XS_URI_RBL eval:check_spamcop_uri_rbl('xs.surbl.org','127.0.0.2') describe XS_URI_RBL Has URI in XS - Testing tflags XS_URI_RBL net score XS_URI_RBL 2.0 Jeff C. -- Don't harm innocent bystanders.

5 8

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

Discuss