I agree, we definitely need SURBL black lists. They have helped tremendously
against spam! I just feel that it would be chasing one's tail a bit to try
to catch phishing in SURBL.
People who do phishing are going to change their IP address (IP where the
actual target/sucker is sent) frequently. They are also probably going to
use random and ever changing computer IPs outside the US for obvious legal
reasons. Maybe zombies even, who knows.
Any domain names in a phishing email code are most likely going to be legit
domain names such as ebay.com, bankofamerica.com, southtrustbank.com, etc.
These are the domains visible to the target/sucker.
So it just seems to me that an antivirus program is better for detecting
HTML code pattern of these schemes rather than the IP address of the day/week
that they would be sending from in South Korea, Russia or China, etc. There
is a very simple ClamAV plugin that does this (see the SA Wiki). I am using
it on my SA system and it does the job of sending it on to my next
downstream systems marked as spam. I have more antivirus on downstream
systems that will delete real viruses as well since I just use ClamAV for
spam tagging for simplicity's sake. (I don't want to put a ton of programs on
the computer to call SA, such as Amavis-new, etc., so that is why I do
this.)
>And by the way: I REALLY appreciate your SURBL lists and hard
>work even if I think other tools supplement and help make your
>stuff even better.
>
>My security principles include (but are not limited to):
>
> 1) Stop as much as possible at the outer perimeter
> (earlier the better)
>
> 2) Defense in depth
>
>For us, the virus scanning happens before the Spam tests;
>early is good.
>
>--
>Herb Martin
On Sunday, July 31, 2005, 3:52:53 AM, Herb Martin wrote:
> Presumably -- now you have me interested so I am going to check
> -- ClamAV does more than a naive pattern match on the URI and
> apparently they even have (had) endless debates in the ClamAV
> newsgroups/lists on this subject.
Sure, and any additional pattern matching is probably useful for
detecting phishes, but every phish I've seen has tried to direct
someone to a fake web site. Web sites mentioned in spams,
including phishing spams, are *precisely* what SURBLs are designed
to detect.
SURBLs are not designed to detect viruses at all, just web sites.
Phishes don't usually have viruses, but they do have web sites.
Draw your own conclusions.... :-)
> And by the way: I REALLY appreciate your SURBL lists and hard
> work
On behalf of the many people helping out with the SURBL project
in various ways, thanks for your kind words.
Jeff C.
--
Jeff Chan
mailto:jeffc@surbl.org
http://www.surbl.org/
Jeff Chan wrote:
> Catherine's data come from antiphishing.org plus her own
Sometimes I use antiphishing.org for "manual" reports in
addition to SC.
> Does anyone have comments on adding these to the PH list?
Sounds good, bye, Frank
sc2.surbl.org, the improved version of the SpamCop SURBL list, is
ready for testing. So is the new version of xs.surbl.org, which
is now more accurate, has far fewer FPs, etc.
sc2 adds resolved IP checks, meaning sites hosted on the same
networks are detected immediately upon the first report. It also
means that folks should continue to use SpamCop reporting if they
want to contribute to a very powerful SURBL list. Your SpamCop
reports now have even more power in sc2. In cases of the worst
spammers, SpamCop reporting leads to essentially immediate
listing in sc2.
sc2 is on about 15 public nameservers and xs is on 22. That's
probably not enough for running large production servers on, but
it should be plenty for corpus checks and mail servers with small
to medium message volumes.
If you have rsync access to the SURBL zone files you can also
mirror the files locally for testing of course. The sc2 and xs
zones are currently available via rsync. (If you have a large
volume mail server, please apply for rsync access so that you can
mirror the zone files locally: http://www3.surbl.org/rsync-signup.html
and offload the public nameservers.)
After sc2 is tested for a while we will turn it into the
production sc.surbl.org list, assuming it has better performance
than the current list, which seems quite likely. At that point
sc2 will go away, since it will have become sc.
xs may go into the 128th bit of multi.surbl.org if it tests well.
Please test sc2 and the revised xs and let us know how they
perform for you. Those with large spam and ham corpora (such as
the SpamAssassin developers) are encouraged to test and please
let us know.
Here are SpamAssassin 3.0.1 and later configs for using these two lists:
urirhsbl URIBL_SC2_SURBL sc2.surbl.org.
body URIBL_SC2_SURBL eval:check_uridnsbl('URIBL_SC2_SURBL')
describe URIBL_SC2_SURBL Has URI in SC2 at http://www.surbl.org/lists.html
tflags URIBL_SC2_SURBL net
score URIBL_SC2_SURBL 3.0
urirhsbl URIBL_XS_SURBL xs.surbl.org.
body URIBL_XS_SURBL eval:check_uridnsbl('URIBL_XS_SURBL')
describe URIBL_XS_SURBL Has URI in XS - Testing
tflags URIBL_XS_SURBL net
score URIBL_XS_SURBL 2.0
SpamAssassin 2.64 rules and scores using SpamCopURI 0.22 or later look like this:
uri SC2_URI_RBL eval:check_spamcop_uri_rbl('sc2.surbl.org','127.0.0.2')
describe SC2_URI_RBL Has URI in SC2 at http://www.surbl.org/lists.html
tflags SC2_URI_RBL net
score SC2_URI_RBL 3.0
uri XS_URI_RBL eval:check_spamcop_uri_rbl('xs.surbl.org','127.0.0.2')
describe XS_URI_RBL Has URI in XS - Testing
tflags XS_URI_RBL net
score XS_URI_RBL 2.0
Jeff C.
--
Don't harm innocent bystanders.
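Jeff's point above (SURBLs detect the web sites a phish points to, not the sending IP) and the sc2/xs announcement with its SpamAssassin rules both come down to the same client-side mechanics: pull the hostnames out of a message, reduce each to the key SURBL lists, query it under the list zone, and read the 127.0.0.X bitmask answer. The following is an added illustration written for this page, not SURBL's or SpamAssassin's own code (SpamAssassin's `urirhsbl` does this internally via Net::DNS). Assumptions are marked in the comments: the small set of two-level ccTLD suffixes is a constructed subset, only the 128 bit for xs is stated in the message above and the other bit assignments are assumed, and the message body and stub zone data are constructed so the example runs offline.

```python
"""SURBL-style URI check: extract hosts from a body, reduce each to the key a
SURBL lists (registrable domain, or reversed octets for a numeric URI),
query <key>.multi.surbl.org and decode the 127.0.0.X bitmask answer."""
import ipaddress
import re
import socket
from typing import Callable, Dict, List, Optional

# Bits of the last octet in a multi.surbl.org answer.  The announcement above
# says xs may take the 128 bit; the remaining assignments are ASSUMED here
# for illustration and must be checked against the current SURBL list docs.
MULTI_BITS = {2: "sc", 4: "ws", 8: "ph", 16: "ob", 32: "ab", 64: "jp", 128: "xs"}

# Suffixes under which registrations sit one label deeper, so the listed key
# is three labels (example.co.uk, never co.uk).  Constructed subset only.
TWO_LEVEL_TLDS = {"co.uk", "org.uk", "com.br", "co.kr", "com.au", "co.jp"}

URL_RE = re.compile(r"""https?://([^/\s"'<>]+)""", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_TLDS:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def lookup_key(host: str) -> str:
    """Drop userinfo/port from the URI authority; return IP or registrable domain."""
    host = host.rsplit("@", 1)[-1].split(":")[0].strip("[]").lower()
    try:
        return str(ipaddress.IPv4Address(host))
    except ipaddress.AddressValueError:
        return registrable_domain(host)


def query_name(key: str, zone: str = "multi.surbl.org") -> str:
    try:
        octets = str(ipaddress.IPv4Address(key)).split(".")
        return ".".join(reversed(octets)) + "." + zone   # IPs are queried reversed
    except ipaddress.AddressValueError:
        return key + "." + zone


def decode_answer(answer: Optional[str]) -> List[str]:
    # Only 127.0.0.X is a hit.  Anything else (wildcard DNS, captive portal,
    # a hijacked resolver) must not score, so it is treated as "not listed".
    if not answer or not answer.startswith("127.0.0."):
        return []
    last_octet = int(answer.rsplit(".", 1)[1])
    return [name for bit, name in sorted(MULTI_BITS.items()) if last_octet & bit]


def check_body(body: str, resolve: Callable[[str], Optional[str]],
               zone: str = "multi.surbl.org") -> Dict[str, List[str]]:
    """Return {key: [lists it is on]} for every distinct key found in body.
    An empty list means the query returned nothing (not listed)."""
    results: Dict[str, List[str]] = {}
    for m in URL_RE.finditer(body):
        key = lookup_key(m.group(1))
        if key in results:
            continue                      # one DNS query per distinct key
        results[key] = decode_answer(resolve(query_name(key, zone)))
    return results


def dns_resolve(name: str) -> Optional[str]:
    """Live resolver for real use; NXDOMAIN (gaierror) means not listed."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


# Constructed phish-like body: the visible text names a legitimate site, the
# href points at a bare IP, and a second link sits under a two-level ccTLD.
# 203.0.113.0/24 and example.co.uk are reserved for documentation.
SAMPLE_BODY = """Dear customer, please confirm your account:
<a href="http://203.0.113.45/ebay/signin">http://www.ebay.com/</a>
or visit http://secure-update.example.co.uk/login today."""

# Constructed answers so the example runs offline; real ones come from DNS.
STUB_ZONE = {
    "45.113.0.203.multi.surbl.org": "127.0.0.130",   # 128 (xs) + 2 (sc)
    "example.co.uk.multi.surbl.org": "127.0.0.8",    # 8 (ph)
}


def stub_resolve(name: str) -> Optional[str]:
    return STUB_ZONE.get(name)


if __name__ == "__main__":
    for key, hits in check_body(SAMPLE_BODY, stub_resolve).items():
        print(f"{key:28} {'listed: ' + ','.join(hits) if hits else 'not listed'}")
```

Note what the run shows: the legitimate `ebay.com` that the victim sees is not listed, while the bare IP the href actually sends them to is, which is exactly the case Jeff describes. Swap `stub_resolve` for `dns_resolve` to query the real zone, and keep the 127.0.0.X check; a resolver that answers every name would otherwise turn every URI into a hit.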
>> FWIW Joe's getting jobbed:
>
>Hi Jeff,
>
>I had three joe jobs against me between December 2003 and February 2004.
>Since then it had been quiet, but I must say I wasn't entirely surprised
>that it continued, especially after a PayPal joe job less than two months
>ago.
>
>> Return-Path: <bouteille(a)kinki-kids.com>
>> Received: from dbzmail.com ([61.85.57.209])
>> by smtp1.supranet.net (8.12.10/8.12.10) with SMTP id
>j6P3ZTlx009677
>> for <x>; Sun, 24 Jul 2005 22:35:30 -0500 (CDT)
>> Received: from kinki-kids.com (kinki-kids-com-bk.mr.outblaze.com
>[64.62.181.92])
>> by dbzmail.com (Postfix) with ESMTP id E5A841602F
>> for <x>; Sun, 24 Jul 2005 00:39:14 -0500
>> From: "Ambulance U. Descant" <bouteille(a)kinki-kids.com>
>
>This seems to be a bulkmailer that inserts fake Outblaze references into the
>headers to obscure the broadband hosts that are the real sources (or
>proxies). I've seen other examples with other bogus Outblaze maildomains for
>the fake sender. According to one admin who monitored the Joe job sources
>from their site the hosts are running something called "DMS Revolution proxy
>spam engine".
>
>Joe
>
>>...
DMS is Alexey Panov's bulk mailer product. That and porn sites
are his main stock in trade; see the Spamhaus listings (currently #6, down
from #5 since Kuvayev made #3). More info on Panov is available if you ask.
So now we know who you pissed off - and why it "looks" like a
porn site.
Paul Shupak
track(a)plectere.com
FWIW Joe's getting jobbed:
__
Return-Path: <bouteille(a)kinki-kids.com>
Received: from dbzmail.com ([61.85.57.209])
by smtp1.supranet.net (8.12.10/8.12.10) with SMTP id j6P3ZTlx009677
for <x>; Sun, 24 Jul 2005 22:35:30 -0500 (CDT)
Received: from kinki-kids.com (kinki-kids-com-bk.mr.outblaze.com [64.62.181.92])
by dbzmail.com (Postfix) with ESMTP id E5A841602F
for <x>; Sun, 24 Jul 2005 00:39:14 -0500
From: "Ambulance U. Descant" <bouteille(a)kinki-kids.com>
To: Info <x>
Subject: Hi dear
Date: Sun, 24 Jul 2005 00:39:14 -0500
Message-ID: <100101c59012$879febec$06412c2e(a)kinki-kids.com>
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.2605
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1123
X-GMX-Antivirus: 0 (no virus found)
X-UIDL: K,H!!c%?"!Fde!!XT9"!
Hi
Try jwSpamSpy, our spam filter for POP3 mailboxes.
We use it to track spammers and scammers.
Free full featured 30 day evaluation version available!
http://www.joewein.de/
--
Don't harm innocent bystanders.
>...
>
>FWIW Joe's getting jobbed:
>__
>
>Return-Path: <bouteille(a)kinki-kids.com>
>Received: from dbzmail.com ([61.85.57.209])
> by smtp1.supranet.net (8.12.10/8.12.10) with SMTP id j6P3ZTlx009677
> for <x>; Sun, 24 Jul 2005 22:35:30 -0500 (CDT)
>Received: from kinki-kids.com (kinki-kids-com-bk.mr.outblaze.com [64.62.181.92])
> by dbzmail.com (Postfix) with ESMTP id E5A841602F
> for <x>; Sun, 24 Jul 2005 00:39:14 -0500
>From: "Ambulance U. Descant" <bouteille(a)kinki-kids.com>
>To: Info <x>
>Subject: Hi dear
>Date: Sun, 24 Jul 2005 00:39:14 -0500
>Message-ID: <100101c59012$879febec$06412c2e(a)kinki-kids.com>
>MIME-Version: 1.0
>Content-Type: text/plain
>Content-Transfer-Encoding: 7bit
>X-Priority: 3 (Normal)
>X-MSMail-Priority: Normal
>X-Mailer: Microsoft Outlook, Build 10.0.2605
>Importance: Normal
>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1123
>X-GMX-Antivirus: 0 (no virus found)
>X-UIDL: K,H!!c%?"!Fde!!XT9"!
>
>Hi
>Try jwSpamSpy, our spam filter for POP3 mailboxes.
>We use it to track spammers and scammers.
>Free full featured 30 day evaluation version available!
>
>http://www.joewein.de/
>
>...
kinki-kids.com is actually a quite legitimate Outblaze customer.
Every forgery of it I have seen is for CP or at least "std." pornography.
So maybe Joe can guess at who he pissed off. The sender's IP 61.85.57.209
seems to be a compromised Windows box on DSL at Kornet - Dynamic address
too. The IP is only listed at five-ten, SORBS, NOMOREFUNN, and NJABL;
In other words, not really listed or listable (except as dynamic or for
full Korean blockage). If it is still the same machine connected at that
IP, the entrance was probably the wide open UPnP port or the IIS running.
Backdoor installed on port 123 (ntp) UDP - machine is "0wn3d". Also, the
routing takes an "interesting" side trip by way of Kornet -> TONEK (China)
then back -> Kornet. Maybe a very good hack at the router level (AS4766 to
AS17431 back to AS4766) - Not many people capable of that.
I doubt many people running any BLs would list Joe.
Paul Shupak
track(a)plectere.com
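Joe's observation that the mailer inserts fake Outblaze references, and Paul's conclusion that 61.85.57.209 is the real source, both rest on reading the Received chain the right way round: the topmost line was written by the recipient's own MX and can be trusted; everything below it was handed over by the connecting client and may be fabricated. The following is an added example written for this page (not code from anyone in the thread) that walks the headers quoted above and reports the true connecting IP, the unverifiable inner hop, and the time and Date: inconsistencies. The trusted-host list, the one-hour plausibility threshold, and the message headers (rebuilt from the quote above, body omitted) are constructed inputs for the example.

```python
"""Walk a Received: chain from the trusted MX downward and separate what our
own MTA observed from what the connecting client merely claimed."""
import re
from dataclasses import dataclass
from datetime import datetime
from email import message_from_string
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional

# Headers from the joe-job sample quoted in this thread, rebuilt as a
# constructed test message (body left out).
SAMPLE = """\
Return-Path: <bouteille(a)kinki-kids.com>
Received: from dbzmail.com ([61.85.57.209])
    by smtp1.supranet.net (8.12.10/8.12.10) with SMTP id j6P3ZTlx009677
    for <x>; Sun, 24 Jul 2005 22:35:30 -0500 (CDT)
Received: from kinki-kids.com (kinki-kids-com-bk.mr.outblaze.com [64.62.181.92])
    by dbzmail.com (Postfix) with ESMTP id E5A841602F
    for <x>; Sun, 24 Jul 2005 00:39:14 -0500
From: "Ambulance U. Descant" <bouteille(a)kinki-kids.com>
To: Info <x>
Subject: Hi dear
Date: Sun, 24 Jul 2005 00:39:14 -0500
Message-ID: <100101c59012$879febec$06412c2e(a)kinki-kids.com>

"""

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"            # name the client announced in HELO
    r"(?:\s+\((?P<paren>[^)]*)\))?"    # what the MTA saw: rDNS and/or [ip]
    r"\s+by\s+(?P<by>\S+)"             # the MTA that wrote this line
    r".*?;\s*(?P<date>.*)$", re.DOTALL)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


@dataclass
class Hop:
    helo: str
    rdns: Optional[str]
    ip: Optional[str]
    by: str
    when: Optional[datetime]


def parse_received(value: str) -> Optional[Hop]:
    m = RECEIVED_RE.search(value)
    if not m:
        return None
    paren = m.group("paren") or ""
    ipm = IP_RE.search(paren)
    rdns = IP_RE.sub("", paren).strip() or None
    date = re.sub(r"\s*\([^)]*\)\s*$", "", m.group("date")).strip()  # drop "(CDT)"
    try:
        when = parsedate_to_datetime(date)
    except (TypeError, ValueError):
        when = None
    return Hop(m.group("helo"), rdns, ipm.group(1) if ipm else None, m.group("by"), when)


def is_trusted(by: str, trusted: List[str]) -> bool:
    by = by.lower()
    return any(by == t.lower() or by.endswith("." + t.lower()) for t in trusted)


def trace(raw: str, trusted: List[str], max_relay_seconds: int = 3600) -> Dict[str, object]:
    msg = message_from_string(raw)
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    findings: List[str] = []
    # Received lines are prepended, so hops[0] is newest.  The first line
    # written by an MTA we run is the entry point; its [ip] is the real client.
    idx = next((i for i, h in enumerate(hops) if is_trusted(h.by, trusted)), None)
    if idx is None:
        return {"source_ip": None, "helo": None, "untrusted_hops": [],
                "gap_seconds": None, "findings": ["no Received line from a trusted MTA"]}
    entry, untrusted, gap = hops[idx], hops[idx + 1:], None
    if entry.rdns is None:
        findings.append(f"trusted MTA recorded no reverse DNS for {entry.ip}; "
                        f"HELO name {entry.helo} is unverified")
    for hop in untrusted:
        if hop.by.lower() == entry.helo.lower():
            findings.append(f"hop 'by {hop.by}' was supplied by the connecting client "
                            f"itself (its HELO was {entry.helo}); unverifiable")
        if entry.when and hop.when:
            delta = int((entry.when - hop.when).total_seconds())
            gap = delta if gap is None else max(gap, delta)
            if delta < 0 or delta > max_relay_seconds:
                findings.append(f"claimed relay at {hop.when.isoformat()} is {delta}s "
                                f"before trusted receipt; implausible for one relay")
    try:
        date_hdr = parsedate_to_datetime(msg.get("Date", ""))
    except (TypeError, ValueError):
        date_hdr = None
    if date_hdr and any(h.when == date_hdr for h in untrusted):
        findings.append("Date: header equals the timestamp of an unverifiable hop; "
                        "both likely generated by the sending software")
    return {"source_ip": entry.ip, "helo": entry.helo,
            "untrusted_hops": [h.ip for h in untrusted],
            "gap_seconds": gap, "findings": findings}


if __name__ == "__main__":
    report = trace(SAMPLE, ["smtp1.supranet.net"])
    print(f"real source: {report['source_ip']} (HELO {report['helo']})")
    for f in report["findings"]:
        print(" -", f)
```

The output points at 61.85.57.209 as the only IP anyone we trust actually saw, marks 64.62.181.92 (the Outblaze reference) as client-supplied, and notes the 22-hour gap and the Date: header that matches the forged hop to the second. Report such a message on the connecting IP, not on the inner hop; the inner hop is what the joe-jobber wants you to blame.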
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
not sure how useful this may be, but fyi...
--j.
------- Forwarded Message
> Date: Fri, 22 Jul 2005 22:11:13 -0600
> From: Marcia Blake
>
> This comes to us fresh from the July GoDaddy.com newsletter (naturally,
> in a bit trying to sell longer domain registration terms on
> GuessWhere):
>
> Google recently filed United States Patent Application 20050071741. As
> part of that application, Google made apparent its efforts to wipe out
> search engine spam, stating:
>
> "Valuable (legitimate) domains are often paid for several years in
> advance, while doorway (illegitimate) domains rarely are used for more
> than a year. Therefore, the date when a domain expires in the future
> can be used as a factor in predicting the legitimacy of a domain and,
> thus, the documents associated therewith."
>
> Domains registered for longer periods give the indication, true or
> not, that their owner is legitimate. Google uses a domain's length of
> registration when indexing and ranking a Web site for inclusion in
> their organic search results.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
Comment: Exmh CVS
iD8DBQFC4pFrMJF5cimLx9ARAt0CAJ0Rjjd7Owx/ba4AhZzZc1NdmQI6xACeI0L9
FVY5zV+kY5cQuVH/VpEEYrQ=
=w9zn
-----END PGP SIGNATURE-----
Some of these were blacklisted recently, but perhaps shouldn't
be. Do you have any information about these domains?
tim.com.br
7 year old domain, but I can't read Portuguese.
What do they do? Is it possibly legitimate?
callin.net
Korean tech site of some kind. 5.5 years old.
ivyro.net
Korean, 2.5 years old.
drugstorebestbuys.com
Sells prescription drugs. Obviously very high spam potential,
but has been around for about 4 years.
bgreetings.com
Greeting cards. Also potentially spammy, but more than 4 years old.
Jeff C.
--
Don't harm innocent bystanders.