Hey all,
I'm getting a lot of single-link spam from Yahoo -- seems to be via
compromised accounts, mostly (as in, via an account that my address would
be in the addressbook of). It's coming through legitimately via the
Yahoo servers, with DKIM signatures intact and all. As the message body
is purely a link (at least, the text-plain portion is), this is an ideal
job for SURBL and pretty hard for most other content matching.
One such example (spaces added by me):
http://dark turn ip.com/sxduvb/dgemdczfcmc/lzuc.php
Yahoo seem to be absolutely braindead about spam reporting on these
compromised accounts. So much so that I wrote a blog about it:
http://gushi.livejournal.com/588829.html
I could easily create a SpamAssassin or Procmail rule to block these
messages, but I think it makes sense to make better use of this data.
I often report things that get through SpamAssassin to SpamCop, which I
understand feeds SURBL, but as SpamCop has to wait for me to go hit their
webpage, this introduces a lag that need not be present, ergo I'm happy to
feed traps directly from my system procmailrc -- where I have a couple
hundred friends-and-family domains.
Anyone interested?
-Dan
--
--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Site: http://www.gushi.org
---------------------------
Hi surbl,
I have an inquiry regarding my domain pabular.com. I don't know if this is
the right place to ask, so bear with me if this is off topic.
I recently launched a website on the domain pabular.com, and it was brought
to my attention that my site has a very low Web Of Trust (WOT) score. Upon
visiting the WOT website I could see that my site had been added to the
SURBL Outblast URI blacklist, on October 6, 2012. So I went to the
surbl.org website and made a lookup of the domain, only to find that
the domain is not blacklisted.
So I have the following questions:
1) I have never hosted any malware, and the only HTTP servers the domain has
ever pointed to in the years I have owned it are the Google App Engine
servers. I don't remember the exact date when I set up DNS to point to the
Google App Engine servers, but it might have been around October 6. Is it a
known issue that domains pointing to Google App Engine servers are
blacklisted for hosting malware?
2) WOT tells me that they update the so-called scorecard within 24 hours of
being notified about a removal from a list. This has not happened for my
domain, so I'm interested in knowing when my domain was removed from the
Outblast URI blacklist.
Thank you for any information you can provide on this issue.
Kind regards,
Klaus Byskov Hoffmann
I am making this available in the event it is interesting or useful to
someone. It is a really rough first effort, and I expect to do
something more useful with it as time goes on.
With the caveat that this should be considered "experimental data", I
have finally begun to publish some abuse data. This data is presently
re-generated hourly.
http://tighturl.com/tighturl-abuse-ips.csv
http://tighturl.com/tighturl-abuse-domains.csv
The IP addresses are those that have submitted URLs that have been
banned at tighturl.com within the last 7 days. They are in the format:
unixtimestamp,IPv4address
The domains are base domains[1] that have been banned from tighturl.com
or have been submitted by currently banned IP addresses within the last
7 days. They are in the format:
unixtimestamp,basedomain
I have not found over time that an IP address that submits abuse also
submits non-abuse.
I'm interested in comments or suggestions.
- Ron
[1] Based upon http://www.surbl.org/tld/two-level-tlds and
http://www.surbl.org/tld/three-level-tlds
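As an added illustration (not Ron's code and not SURBL's), here is a small Python script that parses lines in the `unixtimestamp,basedomain` feed format described above, keeps only entries from the last 7 days, reduces a URL's hostname to its base domain using the two-level/three-level TLD convention the footnote cites, and builds the DNS name one would resolve for a SURBL lookup. The TLD excerpts and the feed sample are constructed for the example; the `multi.surbl.org` zone name is the one SURBL publishes for combined lookups.

```python
import csv
import io
from urllib.parse import urlsplit

# Constructed excerpts; the real lists live at the surbl.org/tld URLs above.
TWO_LEVEL_TLDS = {"co.uk", "org.uk", "com.au"}
THREE_LEVEL_TLDS = {"act.edu.au", "nsw.edu.au"}

# Constructed sample feed and reference time (not real tighturl data).
SAMPLE_NOW = 1_350_000_000
SAMPLE_FEED = (
    "1349990000,bad-example.test\n"   # 10,000 s old: kept
    "1340000000,stale.test\n"         # older than 7 days: dropped
    "not,a,row\n"                     # malformed: dropped
    "1349995000,example.co.uk\n"      # base domain under a two-level TLD
)


def base_domain(host):
    """Reduce a hostname to the SURBL-style base domain: two labels normally,
    three under a two-level TLD, four under a three-level TLD."""
    labels = (host or "").lower().rstrip(".").split(".")
    if ".".join(labels[-3:]) in THREE_LEVEL_TLDS:
        keep = 4
    elif ".".join(labels[-2:]) in TWO_LEVEL_TLDS:
        keep = 3
    else:
        keep = 2
    return ".".join(labels[-keep:])


def surbl_query_name(url, zone="multi.surbl.org"):
    """Name to resolve for a SURBL lookup of the URL's base domain
    (an A-record answer means listed, NXDOMAIN means not listed)."""
    return base_domain(urlsplit(url).hostname) + "." + zone


def load_feed(text, now, max_age=7 * 86400):
    """Parse 'unixtimestamp,basedomain' rows into {domain: newest_timestamp},
    skipping malformed rows and anything older than max_age seconds."""
    seen = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 2 or not row[0].isdigit():
            continue
        ts, dom = int(row[0]), row[1].strip().lower()
        if now - ts <= max_age:
            seen[dom] = max(ts, seen.get(dom, 0))
    return seen


def url_in_feed(url, feed):
    """True if the URL's base domain appears in a parsed feed."""
    return base_domain(urlsplit(url).hostname) in feed
```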
Anybody have experience running rbldnsd (serving surbl zones) on
IPv6 addresses?
Clearly the data -in- the zones are IPv4 values but the servers
can communicate using IPv6 addresses.
I'm in the process of a general config refresh & IPv6 deployment
and noticed that the surbl dns servers lists that my copies are in
(a.surbl.org & b.surbl.org) only contain IPv4 addrs (A records), no
AAAA records.
So is this just inertial or is there a reason for not listing IPv6
addrs for rbldnsd servers? I did a local test with rbldnsd-0.996b
on SLES11-SP1 and it seems to run/answer on IPv6 just fine.
Dave
--
Dave Funk University of Iowa
<dbfunk (at) engineering.uiowa.edu> College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
Hi,
We've just submitted a removal request for our domain aldaniti.net using
the lookup page at surbl.com.
We sent an email with all the information about our company and
explained that we do e-mail marketing actively for those who previously
agreed and accepted to receive this kind of e-mail.
But our domain is still in the blacklist.
Is there any way to know why we are being listed in the ws.surbl.org blacklist?
How long will it take for our domain to be removed from the list?
In case we will be delisted, will there be any email notification?
Regards,
Aldaniti Team.
I am getting this message from a few recipients
X-Supplementary-Info: < c2bthomr14.btconnect.com #5.2.0 SMTP; 550
5.7.1 Rejected - listed at SURBL/CURBL>
any suggestions!!
Dean Harvey
Factory Furniture Ltd - specialist street furniture designers and
manufacturers with in-house production facilities.
FSC Chain of custody certification No.CU-COC-806405. For further
information on Forestry Stewardship Council certified timbers http://www.fsc-uk.info/
The information in this e-mail and any attachments is confidential and
is intended for the addressee only. Unless stated to the contrary, any
opinions or comments are personal to the writer and do not represent
the official view of Factory Furniture Ltd
I run the URL shortener dft.ba. SURBL keeps sending out emails to us saying our shortener is being used for spam links. So far I have been sent around 50 of these messages; most of them are for links that not only return a 404 error but were never even created in the first place. The other few all point to URLs which, although correctly identified as spam manually, when querying the domains using the tool at http://www.surbl.org/surbl-analysis (and subsequently the system we use on our site) return as 'not blacklisted'.
Our application integrates with both SURBL and WebOfTrust to get reputation for URLs and automatically removes all links we detect as spammy. But what are we to do when SURBL is informing us and our ISP of URLs that don't exist or are not even blacklisted in SURBL itself? An example of this is
--
Please remove the abused shortner:
http://dft dot ba /-qTY
[etc]
--
This URL has never existed (not 'did exist but has now been deleted', because we don't fully delete things from our database, just mark them deleted); this URL has never forwarded to anything other than our 404 page.
Another example of the other behaviour is this
--
Please remove the abused shortner:
http://dft dot ba /-NqD
[etc]
--
This URL did exist (but has now been manually deleted), but forwards to the domain 'li.ru', not blacklisted by SURBL. Trying to access the URL by any method from our server (curl, wget etc.) returns a 500 server error, so it looks like the site has blocked us from automatically figuring out where the URLs are redirecting to (I guess an IP-based block; it works from other servers). If SURBL isn't going to blacklist sites, why are we being alerted that the link is being abused?
Our web host says SURBL often generates "false positives that should be ignored" but I'm trying to avoid our site getting blacklisted/flagged etc.
Any suggestions?
-Sam