Discuss

discuss@lists.surbl.org

1862 discussions

RE: Adding SpamBouncer phishing data to ph.surbl.org
by Greg Allen 02 Aug '05

02 Aug '05

I agree, we definitely need SURBL black lists. They have helped tremendously against spam! I just feel that it would be chasing one's tail a bit to try to catch phishing in SURBL. People who do phishing are going to change their IP address (IP where the actual target/sucker is sent) frequently. They are also probably going to use random and ever changing computer IPs outside the US for obvious legal reasons. Maybe zombies even, who knows. Any domain names in a phishing email code are most likely going to be legit domain names such as, ebay.com, bankofamerica,com, southtrustbank.com etc.. These are the domains visible to the target/sucker. So it just seems to me that an antivirus program is better for detecting HTML code patter of these schemes rather than the IP address of the day/week that they would be sending from in South Korea, Russia or China, etc. There is a very simple ClamAV plugin that does this (see the SA Wiki). I am using it on my SA system and it does the job of sending it on to my next downstream systems marked as spam. I have more antivirus on downstream systems that will delete real viruses as well since I just use ClamAV for spam tagging for simplicity sake. (I don't want to put a ton of programs on the computer to call SA, such as Amavis-new, etc., so that is why I do this.) >And by the way: I REALLY appreciate your SURBL lists and hard >work even if I think other tools supplement and help make your >stuff even better. > >My security principles include (but are not limited to): > > 1) Stop as much as possible at the outer perimeter > (earlier the better) > > 2) Defense in depth > >For us, the virus scanning happens before the Spam tests; >early is good. > >-- >Herb Martin

4 10

Re: Adding SpamBouncer phishing data to ph.surbl.org
by Jeff Chan 01 Aug '05

01 Aug '05

On Sunday, July 31, 2005, 3:52:53 AM, Herb Martin wrote: > Presumably -- now you have me interested so I am going to check > -- ClamAV does more than a naive pattern match on the URI and > apparently they even have (had) endless debates in the ClamAV > newsgroups/lists on this subject. Sure, and any additional pattern matching is probably useful for detecting phishes, but every phish I've seen has tried to direct someone to a fake web site. Web sites mentioned in spams, including phishing spams, are *precisely* what SURBLs are designed to detect. SURBLs are not designed to detect viruses at all, just web sites. Phishes don't usually have viruses, but they do have web sites. Draw your own conclusions.... :-) > And by the way: I REALLY appreciate your SURBL lists and hard > work On behalf of the many people helping out with the SURBL project in various ways, thanks for your kind words. Jeff C. -- Jeff Chan mailto:jeffc@surbl.org http://www.surbl.org/

1 0

Please test sc2.surbl.org (and xs.surbl.org)
by Chris 31 Jul '05

31 Jul '05

Jeff, did this come out any better? ---------- Forwarded Message ---------- Email: 148 Autolearn: 0 AvgScore: 19.63 AvgScanTime: 6.54 sec Spam: 103 Autolearn: 0 AvgScore: 32.95 AvgScanTime: 6.39 sec Ham: 45 Autolearn: 0 AvgScore: -10.87 AvgScanTime: 6.88 sec Time Spent Running SA: 0.27 hours Time Spent Processing Spam: 0.18 hours Time Spent Processing Ham: 0.09 hours TOP SPAM RULES FIRED ------------------------------------------------------------ RANK RULE NAME COUNT %OFRULES %OFMAIL %OFSPAM %OFHAM ------------------------------------------------------------ 1 PYZOR_CHECK 103 5.70 69.59 100.00 100.00 2 DIGEST_MULTIPLE 93 5.15 62.84 90.29 4.44 3 RAZOR2_CF_RANGE_51_100 89 4.93 60.14 86.41 0.00 4 RAZOR2_CHECK 88 4.87 59.46 85.44 0.00 5 BAYES_99 87 4.81 58.78 84.47 0.00 6 DCC_CHECK 61 3.38 41.22 59.22 4.44 7 URIBL_SC2_SURBL 59 3.27 39.86 57.28 0.00 8 URIBL_JP_SURBL 57 3.15 38.51 55.34 0.00 9 URIBL_SC_SURBL 56 3.10 37.84 54.37 0.00 10 URIBL_OB_SURBL 55 3.04 37.16 53.40 0.00 11 URIBL_AB_SURBL 53 2.93 35.81 51.46 0.00 12 HTML_MESSAGE 53 2.93 35.81 51.46 2.22 13 URIBL_XS_SURBL 51 2.82 34.46 49.51 0.00 14 RCVD_IN_XBL 45 2.49 30.41 43.69 0.00 15 URIBL_WS_SURBL 40 2.21 27.03 38.83 0.00 16 RCVD_IN_BL_SPAMCOP_NET 40 2.21 27.03 38.83 0.00 17 URIBL_SBL 34 1.88 22.97 33.01 0.00 18 RCVD_IN_DSBL 31 1.72 20.95 30.10 0.00 19 RCVD_IN_SORBS_DUL 26 1.44 17.57 25.24 0.00 20 MIME_HTML_ONLY 26 1.44 17.57 25.24 2.22 ------------------------------------------------------------ TOP HAM RULES FIRED ------------------------------------------------------------ RANK RULE NAME COUNT %OFRULES %OFMAIL %OFSPAM %OFHAM ------------------------------------------------------------ 1 PYZOR_CHECK 45 25.14 30.41 100.00 100.00 2 BAYES_00 39 21.79 26.35 0.97 86.67 3 AWL 29 16.20 19.59 2.91 64.44 4 SPF_HELO_PASS 11 6.15 7.43 0.97 24.44 5 SPF_PASS 6 3.35 4.05 0.00 13.33 6 USER_IN_WHITELIST 5 2.79 3.38 0.00 11.11 7 RCVD_BY_IP 4 2.23 2.70 7.77 8.89 8 NO_REAL_NAME 4 2.23 2.70 10.68 8.89 9 BAYES_50 4 2.23 2.70 5.83 8.89 10 SPF_SOFTFAIL 3 1.68 2.03 15.53 6.67 11 DNS_FROM_RFC_POST 3 1.68 2.03 17.48 6.67 12 DCC_CHECK 2 1.12 1.35 59.22 4.44 13 RCVD_IN_BSP_TRUSTED 2 1.12 1.35 0.00 4.44 14 DIGEST_MULTIPLE 2 1.12 1.35 90.29 4.44 15 RCVD_IN_BSP_OTHER 2 1.12 1.35 0.00 4.44 16 DNS_FROM_RFC_WHOIS 2 1.12 1.35 6.80 4.44 17 USER_IN_DEF_WHITELIST 2 1.12 1.35 0.00 4.44 18 MIME_HTML_ONLY 1 0.56 0.68 25.24 2.22 19 PLING_QUERY 1 0.56 0.68 0.97 2.22 20 HTML_MESSAGE 1 0.56 0.68 51.46 2.22 ------------------------------------------------------------ ------------------------------------------------------- -- Chris Registered Linux User 283774 http://counter.li.org 15:24:08 up 6 days, 16:25, 2 users, load average: 0.50, 0.16, 0.11 Mandriva Linux 10.1 Official, kernel 2.6.8.1-12mdk ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ I read the newspaper avidly. It is my one form of continuous fiction. -- Aneurin Bevan ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

2 2

Re: RFC: Adding SpamBouncer phishing data to ph.surbl.org
by Frank Ellermann 31 Jul '05

31 Jul '05

Jeff Chan wrote: > Catherine's data come from antiphishing.org plus her own Sometimes I use antiphishing.org for "manual" reports in addition to SC. > Does anyone have comments on adding these to the PH list? Sounds good, bye, Frank

1 0

Please test sc2.surbl.org (and xs.surbl.org)
by Jeff Chan 29 Jul '05

29 Jul '05

sc2.surbl.org, the improved version of the SpamCop SURBL list, is ready for testing. So is the new version of xs.surbl.org, which is now more accurate, has far fewer FPs, etc. sc2 adds resolved IP checks, meaning sites hosted on the same networks are detected immediately upon the first report. It also means that folks should continue to use SpamCop reporting if they want to contribute to a very powerful SURBL list. Your SpamCop reports now have even more power in sc2. In cases of the worst spammers, SpamCop reporting leads to essentially immediate listing in sc2. sc2 is on about 15 public nameservers and xs is on 22. That's probably not enough for running large production servers on, but it should be plenty for corpus checks and mail servers with small to medium message volumes. If you have rsync access to the SURBL zone files you can also mirror the files locally for testing of course. The sc2 and xs zones are currently available via rsync. (If you have a large volume mail server, please apply for rsync access so that you can mirror the zone files locally: http://www3.surbl.org/rsync-signup.html and offload the public nameservers.) After sc2 is tested for a while we will turn it into the production sc.surbl.org list, assuming it has better performance than the current list, which seems quite likely. At that point sc2 will go away, since it will have become sc. xs may go into the 128th bit of multi.surbl.org if it tests well. Please test sc2 and the revised xs and let us know how they perform for you. Those with large spam and ham corpora (such as the SpamAssassin developers) are encouraged to test and please let us know. Here are SpamAssassin 3.0.1 and later configs for using these two lists: urirhsbl URIBL_SC2_SURBL sc2.surbl.org. body URIBL_SC2_SURBL eval:check_uridnsbl('URIBL_SC2_SURBL') describe URIBL_SC2_SURBL Has URI in SC2 at http://www.surbl.org/lists.html tflags URIBL_SC2_SURBL net score URIBL_SC2_SURBL 3.0 urirhsbl URIBL_XS_SURBL xs.surbl.org. body URIBL_XS_SURBL eval:check_uridnsbl('URIBL_XS_SURBL') describe URIBL_XS_SURBL Has URI in XS - Testing tflags URIBL_XS_SURBL net score URIBL_XS_SURBL 2.0 SpamAssassin 2.64 rules and scores using SpamCopURI 0.22 or later look like this: uri SC2_URI_RBL eval:check_spamcop_uri_rbl('sc2.surbl.org','127.0.0.2') describe SC2_URI_RBL Has URI in SC2 at http://www.surbl.org/lists.html tflags SC2_URI_RBL net score SC2_URI_RBL 3.0 uri XS_URI_RBL eval:check_spamcop_uri_rbl('xs.surbl.org','127.0.0.2') describe XS_URI_RBL Has URI in XS - Testing tflags XS_URI_RBL net score XS_URI_RBL 2.0 Jeff C. -- Don't harm innocent bystanders.

5 8

Re: [SURBL-Discuss] Joe Wein has a new friend?
by List Mail User 25 Jul '05

25 Jul '05

>> FWIW Joe's getting jobbed: > >Hi Jeff, > >I had three joe jobs against me between December 2003 and February 2004. >Since then it had been quiet, but I must say I wasn't entirely surprized >that it continued, especially after a PayPal joe job less than two months >ago. > >> Return-Path: <bouteille(a)kinki-kids.com> >> Received: from dbzmail.com ([61.85.57.209]) >> by smtp1.supranet.net (8.12.10/8.12.10) with SMTP id >j6P3ZTlx009677 >> for <x>; Sun, 24 Jul 2005 22:35:30 -0500 (CDT) >> Received: from kinki-kids.com (kinki-kids-com-bk.mr.outblaze.com >[64.62.181.92]) >> by dbzmail.com (Postfix) with ESMTP id E5A841602F >> for <x>; Sun, 24 Jul 2005 00:39:14 -0500 >> From: "Ambulance U. Descant" <bouteille(a)kinki-kids.com> > >This seems to be a bulkmailer that inserts fake Outblaze references into the >headers to obscure the broadband hosts that are the real sources (or >proxies). I've seen other examples with other bogus Outblaze maildomains for >the fake sender. According to one admin who monitored the Joe job sources >from their site the hosts are running something called "DMS Revolution proxy >spam engine". > >Joe > >>... DMS is Alexey Panov's bulk mailer product. That and porn sites are his main stock in trade see the Spamhaus listings (currently #6, down for #5 since Kuvayev made #3). More info on Panov available is you ask. So now we know who you pissed off - and why it "looks" like a porn site. Paul Shupak track(a)plectere.com

1 0

Joe Wein has a new friend?
by Jeff Chan 25 Jul '05

25 Jul '05

FWIW Joe's getting jobbed: __ Return-Path: <bouteille(a)kinki-kids.com> Received: from dbzmail.com ([61.85.57.209]) by smtp1.supranet.net (8.12.10/8.12.10) with SMTP id j6P3ZTlx009677 for <x>; Sun, 24 Jul 2005 22:35:30 -0500 (CDT) Received: from kinki-kids.com (kinki-kids-com-bk.mr.outblaze.com [64.62.181.92]) by dbzmail.com (Postfix) with ESMTP id E5A841602F for <x>; Sun, 24 Jul 2005 00:39:14 -0500 From: "Ambulance U. Descant" <bouteille(a)kinki-kids.com> To: Info <x> Subject: Hi dear Date: Sun, 24 Jul 2005 00:39:14 -0500 Message-ID: <100101c59012$879febec$06412c2e(a)kinki-kids.com> MIME-Version: 1.0 Content-Type: text/plain Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook, Build 10.0.2605 Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1123 X-GMX-Antivirus: 0 (no virus found) X-UIDL: K,H!!c%?"!Fde!!XT9"! Hi Try jwSpamSpy, our spam filter for POP3 mailboxes. We use it to track spammers and scammers. Free full featured 30 day evaluation version available! http://www.joewein.de/ -- Don't harm innocent bystanders.

5 6

Re: [SURBL-Discuss] Joe Wein has a new friend?
by List Mail User 25 Jul '05

25 Jul '05

>... > >FWIW Joe's getting jobbed: >__ > >Return-Path: <bouteille(a)kinki-kids.com> >Received: from dbzmail.com ([61.85.57.209]) > by smtp1.supranet.net (8.12.10/8.12.10) with SMTP id j6P3ZTlx009677 > for <x>; Sun, 24 Jul 2005 22:35:30 -0500 (CDT) >Received: from kinki-kids.com (kinki-kids-com-bk.mr.outblaze.com [64.62.181.92]) > by dbzmail.com (Postfix) with ESMTP id E5A841602F > for <x>; Sun, 24 Jul 2005 00:39:14 -0500 >From: "Ambulance U. Descant" <bouteille(a)kinki-kids.com> >To: Info <x> >Subject: Hi dear >Date: Sun, 24 Jul 2005 00:39:14 -0500 >Message-ID: <100101c59012$879febec$06412c2e(a)kinki-kids.com> >MIME-Version: 1.0 >Content-Type: text/plain >Content-Transfer-Encoding: 7bit >X-Priority: 3 (Normal) >X-MSMail-Priority: Normal >X-Mailer: Microsoft Outlook, Build 10.0.2605 >Importance: Normal >X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1123 >X-GMX-Antivirus: 0 (no virus found) >X-UIDL: K,H!!c%?"!Fde!!XT9"! > >Hi >Try jwSpamSpy, our spam filter for POP3 mailboxes. >We use it to track spammers and scammers. >Free full featured 30 day evaluation version available! > >http://www.joewein.de/ > >... kinki-kids.com is actually a quite legitimate Outblaze customer. Every forgery or it I have seen is for CP or at least "std." pornography. So maybe Joe can guess at who he pissed off. The sender's IP 61.85.57.209 seems to be a comprimised Windows box on DSL at Kornet - Dynamic address too. The IP is only listed at five-ten, SORBS, NOMOREFUNN, and NJABL; In other words, not really listed or listable (except as dynamic or for full Korean blockage). If it is still the same machine connected at that IP, the entrance was probably the wide open UPnP port or the IIS running. Backdoor installed on port 123 (ntp) UDP - machine is "0wn3d". Also, the routing takes an "interesting" side trip by way fo Kornet -> TONEK (China) the back -> Kornet. Maybe a very good hack at the router level (AS4766 to AS17431 back to AS4766) - Not many people capable of that. I doubt many people running any BLs would list Joe. Paul Shupak track(a)plectere.com

1 0

GoDaddy's take on Google patent (fwd)
by Justin Mason 24 Jul '05

24 Jul '05

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 not sure how useful this may be, but fyi... - --j. - ------- Forwarded Message > Date: Fri, 22 Jul 2005 22:11:13 -0600 > From: Marcia Blake > > This comes to us fresh from the July GoDaddy.com newsletter (naturally, > in a bit trying to sell longer domain registration terms on > GuessWhere): > > Google recently filed United States Patent Application 20050071741. As > part of that application, Google made apparent its efforts to wipe out > search engine spam, stating: > > "Valuable (legitimate) domains are often paid for several years in > advance, while doorway (illegitimate) domains rarely are used for more > than a year. Therefore, the date when a domain expires in the future > can be used as a factor in predicting the legitimacy of a domain and, > thus, the documents associated therewith." > > Domains registered for longer periods give the indication, true or > not, that their owner is legitimate. Google uses a domain's length of > registration when indexing and ranking a Web site for inclusion in > their organic search results. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.5 (GNU/Linux) Comment: Exmh CVS iD8DBQFC4pFrMJF5cimLx9ARAt0CAJ0Rjjd7Owx/ba4AhZzZc1NdmQI6xACeI0L9 FVY5zV+kY5cQuVH/VpEEYrQ= =w9zn -----END PGP SIGNATURE-----

3 3

Help checking domains
by Jeff Chan 20 Jul '05

20 Jul '05

Some of these were blacklisted recently, but perhaps shouldn't be. Do you have any information about these domains? tim.com.br 7 year old domain, but I can't read Portugese. What do they do? Is it possibly legitimate? callin.net Korean tech site of some kind. 5.5 years old. ivyro.net Korean, 2.5 years old. drugstorebestbuys.com Sells prescription drugs. Obviously very high spam potential, but has been around for about 4 years. bgreetings.com Greeting cards. Also potentially spammy, but more than 4 years old. Jeff C. -- Don't harm innocent bystanders.

2 1

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

Discuss