Rakesh Pal wrote:
> I have been bugged a lot by embedded image spams recently, although some
> of these spams got trapped due to URI checks, some managed to pass as well
> as the URL wasn't yet blocked in the SURBLs.
and Jeff Chan wrote:
> Please provide the URI and the timestamp it was first seen.
> We can use that information to see if we can get them into SURBLs
> sooner.
Hello ---
I've been diligently sending full message sources of similar spam to
submit.[code](a)spam.spamcop.net these past several days. My account there is
set up as a mole to minimize the chance of being joe-jobbed. My
understanding is that spamcop adds a point for that URI in spamcop's
database, until it exceeds the threshold needed for inclusion in sc.surbl.
Then, by way of the URIBL_SC_SURBL rule in SA 3.0.3, more of these things
will be caught as spam, since SA assigns >= 3.8 points to each such spam.
I am new to these tools, so I hope I've understood the docs and FAQ pages
correctly ...
Jeff, I can send you a zip file with a bunch of these recent message sources
(my email client is OE6). Or, do you just need a bunch of Date: /
Message-ID: / Content-ID: triplets?
Sean S.
www.twin-dad.com
belgischelotto.be appeared in a 419 scam. Anyone (especially in
Europe) know if this is a legitimate domain?
Jeff C.
--
Don't harm innocent bystanders.
>...
>
>Jeff Chan wrote:
>
>> Pardon the dramatic title, but hopefully it got your attention.
>>
>> This guy's domain got listed by Outblaze, we removed it, and as
>> thanks this guy paints us as irresponsible. Please help us
>> straighten him out, gently:
>>
>> http://blog.holtz.com/index.php/weblog/comments/blacklisting_blogs/
>>
>> I gave it my shot.
>>
>> Jeff C.
>> --
>> Don't harm innocent bystanders.
>
>The way I read his response is that he stands against
>SPAM and in favor of anti SPAM measures ...
>
>*provided* he is not inconvenienced.
>
>
I guess it's a good thing he didn't try my servers - Seems we have
another user of midphase.com (i.e. his FORIMMEDIATERELEASE.BIZ domain),
and since midphase seems to condone spamming - he would never have made it
through my servers anyway.
Also, while he is unlikely a "criminal" spammer, his "newsletters",
if uninvited, contain lots of questionable commercial hype. SURBL or not,
my machines won't accept his email newsletter.
Seems consistent - if you use midphase, you just don't "get it".
If he doesn't understand that he doesn't even "own" the domain, he probably
can't understand any explanation either.
Paul Shupak
track(a)plectere.com
P.S. For anyone who cares, www.openrbl.org is back up as of a few hours ago.
I am trying to use SURBL with spamassassin 3.0.2 but, even though
there seems to be an otherwise unusual length of time to process a
message, it is definitely not picking up the
http://surbl-org-permanent-test-point.com/ or http://127.0.0.2/ test URLs
that I put into a test message.
I use a local caching nameserver (djbdns).
I invoke spamd with "-d -m5 -s local4 -u smtpd -x" and I have
restarted the daemon.
My /etc/mail/spamassassin/init.pre contains this line:
loadplugin Mail::SpamAssassin::Plugin::URIDNSBL
My /etc/mail/spamassassin/local.cf contains the following, with
explanations afterwards:
=========================================================================
required_score 12 # new
#fold_headers 0
allow_user_rules 0
report_safe 0
use_auto_whitelist 0
auto_whitelist_factor 0
use_dcc 0
use_pyzor 0
use_razor2 0
use_bayes 0
use_bayes_rules 0
bayes_auto_learn 0
skip_rbl_checks 0 # normally 1
check_mx_attempts 0
dns_available yes # normally no
# URIDNSBL - We don't want the standard URIDNSBLs to be used
ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
score URIBL_AB_SURBL 13
score URIBL_OB_SURBL 13
score URIBL_PH_SURBL 13
score URIBL_SBL 13
score URIBL_SC_SURBL 13
score URIBL_WS_SURBL 13
#uridnsbl URIBL_MULTI multi-surbl.org. TXT
#body URIBL_MULTI eval:check_uridnsbl('URIBL_MULTI')
#describe URIBL_MULTI Contains URL In MULTI Blocklist
#tflags URIBL_MULTI net
#score URIBL_MULTI 13
endif # Mail::SpamAssassin::Plugin::URIDNSBL
=========================================================================
Explanation: I am not using any of the features in the first part
of the list as you can tell by the "0". In addition, I normally do not use
any of the network features, so I have explicitly turned off all of the
DNSBL checks by setting the scores to "0" for each of them. All I want to
do is run SURBL and do some specific filtering.
I have tried the URIDNSBL stuff two different ways. First, I had
set the included tests to score "0" and used my own definition, then I
changed it to what you see now, to use the stock definitions.
Questions: Do I have something defined incorrectly? Have I missed
a definition? Anything else?
Thanks for any help.
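To make the test above concrete, here is an added Python example (not code from this post or from SpamAssassin) that builds the DNS names a URI-DNSBL lookup resolves for the two test URLs and decodes a combined multi.surbl.org answer. The domain-reduction rule is a simplified stand-in for SURBL's two-level/three-level list, and the bit values are assumed from the SURBL documentation of that era, so verify both before relying on them.

```python
from __future__ import annotations

import ipaddress
from urllib.parse import urlsplit

# Bit values in the 127.0.0.X answer from the combined multi.surbl.org zone.
# Assumption: these are the 2005-era list assignments; check the current
# SURBL documentation before relying on them.
MULTI_BITS = {2: "sc", 4: "ws", 8: "ph", 16: "ob", 32: "ab", 64: "jp"}

# Simplified stand-in for SURBL's two-level/three-level domain rules:
# keep two labels by default, three when the second-level label is a
# generic one under a two-letter ccTLD (e.g. example.co.uk). Assumption:
# the real SURBL list of such second-level labels is longer than this.
THREE_LEVEL_SLDS = {"co", "com", "net", "org", "ac", "gov", "edu"}


def registrable_domain(host: str) -> str:
    """Reduce a hostname to the part SURBL keys its lists on."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in THREE_LEVEL_SLDS:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def surbl_query_name(url: str, zone: str = "multi.surbl.org") -> str:
    """Build the DNS name a URI-DNSBL check would resolve for one URL."""
    host = urlsplit(url).hostname
    if host is None:
        raise ValueError(f"no host in {url!r}")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Not numeric: query the registrable domain under the list zone.
        return f"{registrable_domain(host)}.{zone}"
    if ip.version != 4:
        raise ValueError("only dotted-quad hosts are handled here")
    # Numeric hosts are queried with the octets reversed, as in an IP DNSBL.
    octets = host.split(".")
    return ".".join(octets[::-1]) + "." + zone


def decode_multi_answer(answer: str) -> list[str]:
    """Turn a 127.0.0.X answer from multi.surbl.org into the lists that hit."""
    last_octet = int(answer.split(".")[-1])
    return [name for bit, name in MULTI_BITS.items() if last_octet & bit]


if __name__ == "__main__":
    # Constructed input: the two test URLs from the post above.
    for url in ("http://surbl-org-permanent-test-point.com/", "http://127.0.0.2/"):
        print(url, "->", surbl_query_name(url))
    # Constructed answer: 127.0.0.6 sets bits 2 and 4, i.e. sc and ws.
    print(decode_multi_answer("127.0.0.6"))
```

The names this prints are what should show up in the local resolver's query log when the plugin is actually running; if the caching nameserver never sees them, the lookups are not being issued, which separates a configuration problem from a listing problem.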
Hi
I have been bugged a lot by embedded image spams recently, although some
of these spams got trapped due to URI checks, some managed to pass as well
as the URL wasn't yet blocked in the SURBLs.
I probably found something that I wanted to share with you guys and try and
see if we can trap those spams further on the basis of that. I have
classified those embedded image spams into two classes. Class 1 is an image
of a full list of viagra and other meds and Class 2 is an image of one-liner
information on cheap software or viagra. I was thinking that if possibly
we can understand a common pattern and try and make a ruleset on top of
that so that we don't have to wait for updates at URIBL, then it would be
really something good. These image-only spams apparently have a problem
that we can trap on :). The loophole is in most of the cases the message
id of the mail and the content id or cid of the embedded image is
exactly the same.
For e.g.
Message-ID: <1066724820.2422(a)boschkitchencentre.com>
Content-ID: <1066724820.2422(a)boschkitchencentre.com>
some variations also had something like this
Message-ID: <1064962549.5961(a)cal.cybersurf.net>
Content-ID: <sivjxu_onzvh_dzdohvo>
But that's applicable to class 1 of the spams; class 2, which are
just images containing one-liners, has some variations. In some cases the
content id is smartly tampered with, but again there is a loophole and here is
an example of that
Message-ID: <525F074E3524$72BF31B3$02605c3b(a)comcast.net>
Content-ID: <e102605c3b(a)comcast.net>
the message id and the content id both contain the domain name of the
sending server. And a valid mail that had an embedded image in it but was
sent from Outlook had details something like this
From Outlook
Message-ID: <002101c55c2f$b3f540a0$bdc809c0@cg>
Content-ID: <image001.jpg(a)01C55C5D.CB204210>
Frankly I haven't seen how the content id appears when images are embedded
using other valid email clients like Netscape or Thunderbird. But if we
compare the above set of patterns, what appears is that if an image is
embedded using a client like Outlook then "@" appears in the content id
of the attachment but the part after the @ is not the domain name, but
has the name of the attachment itself, and the message id is different
from the content id, whereas in the case of the spammers the content ids that
appear are either exactly the same as that of the message id, or don't have
an @, or have the domain name of the server as the part after the @ in the
content id.
So my question is: can we have rulesets in SpamAssassin that can compare
the sending host domain with the part after the @ of the content id, or look
for an @ in the content id?
Any suggestions? Comments?
--
Regards,
Rakesh B. Pal
Project Leader
Emergic CleanMail Team.
Netcore Solutions Pvt. Ltd.
========================================================
Success is how high you reach after you hit the bottom.
========================================================
----------------------------------------------------------
Netcore Solutions Pvt. Ltd.
Website: http://www.netcore.co.in
Spamtraps: http://cleanmail.netcore.co.in/directory.html
----------------------------------------------------------
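The comparison Rakesh describes, written out as an added Python example rather than anything from the post or from SpamAssassin: it parses a message, compares each Content-ID against the Message-ID and the sender's domain, and tags the three spam patterns he lists. The sample messages are constructed from the identifier pairs quoted above, and taking the sending domain from the From: header is an assumption (the post speaks of the sending host, which a real rule could read from Received: headers instead).

```python
import email
from email.utils import parseaddr


def strip_angles(value: str) -> str:
    """Return the bare identifier from a <...> header value."""
    value = value.strip()
    if value.startswith("<") and value.endswith(">"):
        value = value[1:-1]
    return value


def domain_after_at(ident: str):
    """Part of an identifier after its last '@', lowercased, or None if absent."""
    if "@" not in ident:
        return None
    return ident.rsplit("@", 1)[1].lower()


def content_id_signals(raw: bytes) -> list:
    """Tag each Content-ID in a message with the pattern from the post it matches.

    Tags, one per Content-ID found:
      cid_equals_msgid           Content-ID identical to the Message-ID
      cid_without_at             Content-ID has no '@' at all
      cid_domain_matches_sender  part after '@' equals the sender's domain
    A mail-client style Content-ID (image001.jpg@<timestamp>) adds no tag.
    Assumption: the sending domain is taken from the From: header.
    """
    msg = email.message_from_bytes(raw)
    msgid = strip_angles(msg.get("Message-ID", ""))
    sender_domain = domain_after_at(parseaddr(msg.get("From", ""))[1])
    signals = []
    for part in msg.walk():
        cid_header = part.get("Content-ID")
        if cid_header is None:
            continue
        cid = strip_angles(cid_header)
        cid_domain = domain_after_at(cid)
        if cid == msgid:
            signals.append("cid_equals_msgid")
        elif cid_domain is None:
            signals.append("cid_without_at")
        elif sender_domain is not None and cid_domain == sender_domain:
            signals.append("cid_domain_matches_sender")
    return signals


def build_related(from_addr: str, msgid: str, cid: str) -> bytes:
    """Constructed minimal multipart/related message with one inline image."""
    gif_1x1 = "R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw=="
    return (
        f"From: {from_addr}\r\nTo: user@example.net\r\nSubject: test\r\n"
        f"Message-ID: <{msgid}>\r\nMIME-Version: 1.0\r\n"
        'Content-Type: multipart/related; boundary="b1"\r\n\r\n'
        "--b1\r\nContent-Type: text/html\r\n\r\n"
        f'<html><img src="cid:{cid}"></html>\r\n'
        f"--b1\r\nContent-Type: image/gif\r\nContent-ID: <{cid}>\r\n"
        f"Content-Transfer-Encoding: base64\r\n\r\n{gif_1x1}\r\n--b1--\r\n"
    ).encode()


# Constructed samples built from the identifier pairs quoted in the post;
# the From: addresses are made up to carry the matching domains.
SAMPLES = {
    "class1": build_related("promo@boschkitchencentre.com",
                            "1066724820.2422@boschkitchencentre.com",
                            "1066724820.2422@boschkitchencentre.com"),
    "class1_variant": build_related("promo@cal.cybersurf.net",
                                    "1064962549.5961@cal.cybersurf.net",
                                    "sivjxu_onzvh_dzdohvo"),
    "class2": build_related("someone@comcast.net",
                            "525F074E3524$72BF31B3$02605c3b@comcast.net",
                            "e102605c3b@comcast.net"),
    "outlook_ham": build_related("alice@example.com",
                                 "002101c55c2f$b3f540a0$bdc809c0@cg",
                                 "image001.jpg@01C55C5D.CB204210"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, content_id_signals(raw))
```

The ham case shows why the check has to combine conditions rather than just look for an @: the Outlook Content-ID contains one, but the part after it is a timestamp-like token that matches neither the Message-ID nor the sender's domain, so it produces no tag.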
>...
>Give this a try:
>
>> http://openrbl.org/
>
>
>It worked for me this morning.
>
>Dan Zachary
>
>
>>(BTW my favorite rbl checker openrbl.org seems gone. :-( )
>>...
Worked last night, but not now. The domain is in good standing,
as is the "feeder" domain orbl.net. But the DNS records show a change as
of yesterday (serial number date encoding method vs. the seconds since epoch
that SURBL uses), and the 'A' record is gone. Most of the listed name
servers seem down also.
They always had a problem with timeouts, but I used them a lot too.
Current DNS appended (note the use of an unlisted name server to get anything).
Paul Shupak
track(a)plectere.com
--------------------------------------------------------------------------------
% dig openrbl.org any @y.orbl.net
; <<>> DiG 9.3.0 <<>> openrbl.org any @y.orbl.net
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60077
;; flags: qr aa rd; QUERY: 1, ANSWER: 12, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;openrbl.org. IN ANY
;; ANSWER SECTION:
openrbl.org. 43200 IN NS a.orbl.net.
openrbl.org. 43200 IN NS b.orbl.net.
openrbl.org. 43200 IN NS c.orbl.net.
openrbl.org. 43200 IN NS d.orbl.net.
openrbl.org. 43200 IN NS e.orbl.net.
openrbl.org. 43200 IN NS f.orbl.net.
openrbl.org. 43200 IN NS g.orbl.net.
openrbl.org. 43200 IN NS h.orbl.net.
openrbl.org. 43200 IN NS i.orbl.net.
openrbl.org. 43200 IN NS j.orbl.net.
openrbl.org. 2700 IN MX 999 relay.serv.ch.
openrbl.org. 3600 IN SOA g.orbl.net. openrbl.org. 2005052422 2400 600 2419200 300
;; Query time: 190 msec
;; SERVER: 80.190.246.92#53(y.orbl.net)
;; WHEN: Wed May 25 13:41:00 2005
;; MSG SIZE rcvd: 262
As a job recruiter, I am intimately familiar with posting a job and then
getting hammered with SPAM from companies and recruiting firms.
In the past 5 minutes, I've gotten two. One from BobAJobs-munged.com and
one from http://ad1.geowebsv48a-munged.com/recruiting_service.html.
How would these types of spam be viewed for addition to SURBL?
Regards,
KAM
> -----Original Message-----
> From: Kevin A. McGrail [mailto:kmcgrail@pccc.com]
> Sent: Tuesday, May 24, 2005 2:55 PM
> To: discuss(a)lists.surbl.org
> Cc: daniel.swartz(a)thoughtworthy.com
> Subject: [SURBL-Discuss] Job Recruiter SPAMmers
>
>
> As a job recruiter, I am intimately familiar with posting a
> job and then
> getting hammered with SPAM from companies and recruiting firms.
>
> In the past 5 minutes, I've gotten two. One from
> BobAJobs-munged.com and
> one from http://ad1.geowebsv48a-munged.com/recruiting_service.html.
>
> How would these types of spam be viewed for addition to SURBL?
>
> Regards,
> KAM
I add them to black.uribl.com. I can't stand these guys. The whole
ihirexxxxxxxxx.com have already been added.
--Chris
> Message: 4
> Date: Mon, 23 May 2005 05:17:31 +0200 (CEST)
> From: Raymond Dijkxhoorn <raymond(a)surbl.org>
> Subject: Re[2]: [SURBL-Discuss] whitelist: accuradio.com
> To: SURBL Discussion list <discuss(a)lists.surbl.org>
> Hi bob,
>>>> Reviewing this week's emails looking for candidates for my SA
>>>> whitelist.cf, I saw that an email from accuradio.com, with a URI to
>>>> www.accuradio.com, had hit URIBL_OB_SURBL. ...
>>
>>>> Submitting the whitelist now.
>>
> Care to share? Perhaps more listed there that we should look into?
> Bye,
> Raymond.
Sure:
# Domains I personally guarantee do not send spam:
menschel.net
robert.menschel.name
choctaw-crafts.org
xeper.org
xeper.net
templeofset.org
setian.org
balanone.info
contractorswarehouse.com
cwbo.com
cwikship.com
# Trusted domains
jeld-wen.com
pythagoras.org
trapezoid.org
# domain that looks like it might be spammy, but a user has intentionally flagged email as NOT being spam.
freelanceworkexchange.com
# Added May 22 2005
AccuRadio.com
Bob Menschel
Just a quick note:
Reviewing this week's emails looking for candidates for my SA
whitelist.cf, I saw that an email from accuradio.com, with a URI to
www.accuradio.com, had hit URIBL_OB_SURBL.
I just did a SURBL check, and it's not there now, so I'm guessing it
was a temporary fluke. However, since in three years I've received
emails from accuradio only to the specific email address I supplied
them, not to any other, and have not received any emails from anyone
else to that address, I believe this domain is worth whitelisting to
avoid future similar events.
Submitting the whitelist now.
Bob Menschel