Discuss

discuss@lists.surbl.org

1 participants
1867 discussions

RE: [SURBL-Discuss] Re: Leaving SURBL
by Chris Santerre 06 Apr '05

06 Apr '05

>-----Original Message----- >From: Frank Ellermann [mailto:nobody@xyzzy.claranet.de] >Sent: Wednesday, April 06, 2005 3:55 PM >To: discuss(a)lists.surbl.org >Subject: [SURBL-Discuss] Re: Leaving SURBL > > >Chris Santerre wrote: > >> As of today, I am leaving SURBL for private reasons. > >That's sad, why not do your own thing with your own zone, >but otherwise stay here (= SURBL ML) and share your ideas ? Yeah, I'm going to stay on this mailing list as well. Someones got to bring the funny! > >> they will not be affiliated with SURBL > >If you have an idea which doesn't fit into multi.* you could >still use the existing infrastruture in a cs.surbl.org zone, >in theory. In practice you apparently came to the conclusion >that that's not what you want... Without draggin out the details, I would have liked to work under the surbl.org zone. but ..... > (or that Jeff hates the idea). *cough* --Chris (He said it! I didn't!) :)

1 0

Re: [SURBL-Discuss] More spams with Zdnet redirector
by List Mail User 06 Apr '05

06 Apr '05

>... > >Replying to my own mail, Zdnet finally seems to have taken care of its >redirector. The link >"http://chkpt.zdnet.com/chkpt/howbad/rdx56.info/p/yo" that appeared in >the spam is now not being redirected it shows a message > >"Forbidden to relay request through this server" > >finally they seem to have taken care of this. > > >Rakesh wrote: > >> Guys >> >> Seems Zdnet doesn't bothers about its open redirectors as yet. This is >> a spam that I trapped just 5 mins back. Spammers are enjoying using >> these openredirectors. >> >> Can any one send a reminder to Zdnet of this redirector. >> >> The Spam ....... >> >> Hi, >> >> Wanna get up 4 times in one night, well we've got the answer for you, >> check >> us out at http://chkpt.zdnet.com/chkpt/howbad/rdx56.info/p/yo >> >> > > >-- >Regards, >Rakesh B. Pal >Emergic CleanMail Team. >Netcore Solutions Pvt. Ltd. > >-- >Revolutions do not require corporate support. > > >_______________________________________________ >Discuss mailing list >Discuss(a)lists.surbl.org >http://lists.surbl.org/mailman/listinfo/discuss > I have to repeat, send copies of your spam to the editors They are now applying an proprietary spam filter to the redirector. Try http://chkpt.zdnet.com/chkpt/howbad/www.google.com/ or for the more daring Try http://chkpt.zdnet.com/chkpt/howbad/www.wiurrc.mfdi.beeiturmoi.com/ (drug spam - no porn - no pictures -- but "kiddie porn" at Yahoo! works also) and watch it work. They have stated that they "are providing a service". Until we all trust that their spam filtering is as good as any that anyone of us might do, they are basically an open relay and should be treated as such! Jeff, please reconsider and list them until it is REALLY fixed. As far as I can tell, they only block the sites which they have received specific complaints about. This policy SUCKS. Paul Shupak track(a)plectere.com Closing the door after the animals are already free *does not* count!

1 0

Re: [SURBL-Discuss] More spams with Zdnet redirector
by List Mail User 06 Apr '05

06 Apr '05

>... > >On Tuesday, April 5, 2005, 10:19:27 AM, List User wrote: >> I hate to repeat myself, but... > >> Please, just forward any spam arriving in this fashion to a list of >> the various editors at Cnet. Then, and only then will the problem be addressed. >> Right now they consider this to be a "service" that they offer! > > >> Paul Shupak >> track(a)plectere.com > >I don't think it's right to spam other people. Report them to >their abuse address, the media, slashdot, etc. > >Jeff C. >-- >"If it appears in hams, then don't list it." > >_______________________________________________ >Discuss mailing list >Discuss(a)lists.surbl.org >http://lists.surbl.org/mailman/listinfo/discuss > Jeff, In general, I agree with your statement. Maybe I should have said to send a note, and append the spam. This is I feel a special case, because CNet *is* the media! Sending mail to abuse@, slashdot, etc. will likely be ignored as long as they consider this a service (from a telephone call to them - a low level tech. who "asked" a supervisor, and didn't want to forward me - seem quite bothered by the whole process and left a bad taste in my mouth). It seems that the editors are *exactly* the people to send copies to. I did originally note that I left off the list the names and email addresses of executives as they did not seem appropriate (corporate types are neither the "media" or technical staff - so here we agree on at least part). Beside, if you add a note, you are not spamming them, but merely "informing the media" just as you recommend:) I'll give this more though (I have only gotten one so far). Bye, Paul Shupak track(a)plectere.com

1 0

RE: [SURBL-Discuss] More spams with Zdnet redirector
by List Mail User 06 Apr '05

06 Apr '05

>... > >I thought they fixed this????? > >--Chris > >>-----Original Message----- >>From: Rakesh [mailto:rakesh@netcore.co.in] >>Sent: Tuesday, April 05, 2005 9:19 AM >>To: SURBL Discussion list >>Subject: [SURBL-Discuss] More spams with Zdnet redirector >> >> >>Guys >> >>Seems Zdnet doesn't bothers about its open redirectors as yet. >>This is a >>spam that I trapped just 5 mins back. Spammers are enjoying >>using these >>openredirectors. >> >>Can any one send a reminder to Zdnet of this redirector. >> >>... I hate to repeat myself, but... Please, just forward any spam arriving in this fashion to a list of the various editors at Cnet. Then, and only then will the problem be addressed. Right now they consider this to be a "service" that they offer! Paul Shupak track(a)plectere.com

2 1

RE: [SURBL-Discuss] More spams with Zdnet redirector
by Chris Santerre 05 Apr '05

05 Apr '05

I thought they fixed this????? --Chris >-----Original Message----- >From: Rakesh [mailto:rakesh@netcore.co.in] >Sent: Tuesday, April 05, 2005 9:19 AM >To: SURBL Discussion list >Subject: [SURBL-Discuss] More spams with Zdnet redirector > > >Guys > >Seems Zdnet doesn't bothers about its open redirectors as yet. >This is a >spam that I trapped just 5 mins back. Spammers are enjoying >using these >openredirectors. > >Can any one send a reminder to Zdnet of this redirector. > >The Spam ....... > >Hi, > >Wanna get up 4 times in one night, well we've got the answer >for you, check >us out at http://chkpt.zdnet.com/chkpt/howbad/rdx56.info/p/yo > > >-- >Regards, >Rakesh B. Pal >Emergic CleanMail Team. >Netcore Solutions Pvt. Ltd. > >-- >Revolutions do not require corporate support. > > >_______________________________________________ >Discuss mailing list >Discuss(a)lists.surbl.org >http://lists.surbl.org/mailman/listinfo/discuss >

2 1

Yet another redirector
by Alex Broens 29 Mar '05

29 Mar '05

Good Morning! New redir? ------ For more information or to have a broker contact you please visit: http://g.msn.com/0MNBUS00/1?http://ok-ref-now.com No future contact: http://g.msn.com/0MNBUS00/1?http://ok-ref-now.com/gone.asp -- Does anybody know soemone @msn? mailing abuse is like... forget it thanks Alex // Pls bare my mood - I'm wearing a Nicotin patch //

3 3

use of caching proxy's data
by Alain 26 Mar '05

26 Mar '05

Hi Have you thought about using the logdata from caching proxy's to check against this data and the other SURBL lists? The caching proxy's logfiles contain a very good view on which domains are used while surfing. While not all domains that are used are legit, I would be surprised if active spam domains were frequently visited over a period in the past. Those frequently surfed to domains shouldn't be whitelisted by default, but it could be a trigger to have a closer look before placing them on a list. A very nice thing about this data is that it has a long period of usefulness even data from a few months ago will be very usefull, if not more usefull than the data of today or from the past week. A caching proxy could also make good use from the surbl lists. Not caching spammers domains or even adding a delay of several seconds (or even adding a warning page) before returning the page could be usefull. Especially in non ISP use (organisations, companies,etc...) where there are less problems with blocking content. Alain

2 1

Re: [SURBL-Discuss] Re: New redirector: www.nate.com
by List Mail User 25 Mar '05

25 Mar '05

>... >To: discuss(a)lists.surbl.org >From: Frank Ellermann <nobody(a)xyzzy.claranet.de> >Date: Fri, 25 Mar 2005 11:51:55 +0100 >... > >List Mail User wrote: > >> gabia.com-munged >> http://www.rfc-ignorant.org/tools/lookup.php?domain=gabia.com > >ACK, that's also the first time that I heard about any "ICANN >10 years limit" for the expiration of com-domains. And here >it's apparently the reason for a whois-RFCI-entry, which RfC >could that be ? Not RfC 1591 or RfC 1032 (looking for "exp"). > >> Its good to know people do read > >I'm a RFCI+SURBL+SPF-fan ;-) Bye, Frank > > >_______________________________________________ >Discuss mailing list >Discuss(a)lists.surbl.org >http://lists.surbl.org/mailman/listinfo/discuss > Frank, It has been a hectic couple of days and now my in-laws arrive today, but it is not in an RFC (though it is an invalid expiration date), but in an ICANN document. Later, I'll look for the ICANN rule document which applies, the same holds for .net and .org domains - I don't remember if .edu's are covered or not; It is a *very* old rule and does not hold true for some of the country specific TLDs (and maybe not even for things like .ws, .biz, etc. - though from bad memory I think .info's have a five year limit) - I'll try to find at least one example of those also. If you want to start searching yourself first, check the standard registrar agreements on the ICANN site. The "easy" evidence is to look at how long reputable registrars will allow a renewal for (try NetSol - they suck, but do basically do follow the rules - also Joker and GoDaddy, both whom I think better of, go strictly by what is allowed). More later after I find it, Paul Shupak track(a)plectere.com (lots of emails - different for SURBL and the RFCI-Discuss lists).

1 0

Re: [SURBL-Discuss] Re: New redirector: www.nate.com
by List Mail User 25 Mar '05

25 Mar '05

>... >To: discuss(a)lists.surbl.org >From: Frank Ellermann <nobody(a)xyzzy.claranet.de> >Date: Wed, 23 Mar 2005 07:41:13 +0100 >... >Subject: [SURBL-Discuss] Re: New redirector: www.nate.com >... > >List Mail User wrote: > >> The rfci whois listing for gambia.com-munged is one of my >> favorites, because it is the only time I have seem that >> particular violation. > >What are you talking about ? `rxwhois -a gambia.com` says: > >| gambia.com not found at .rfc-ignorant.org or .multi.surbl.org >| whois -h whois.abuse.net gambia.com >| postmaster(a)gambia.com (default, no info) > >And there's no old RFCI entry for gambia.com (except from the >bad day when TLD .com had no working whois server). Bye, Frank > > >_______________________________________________ >Discuss mailing list >Discuss(a)lists.surbl.org >http://lists.surbl.org/mailman/listinfo/discuss > My mistake, typo and cut-and-paste made it worse. gabia.com-munged http://www.rfc-ignorant.org/tools/lookup.php?domain=gabia.com-munged and http://www.rfc-ignorant.org/tools/detail.php?domain=gabia.com-munged&submit… (of course kill the "-munged"'s) Thank for catching me - Its good to know people do read and check. Bye, Paul Shupak track(a)plectere.com P,S, dyslexia and bad typing strike again.

2 1

RFC: New SURBL based on exploited senders?
by Jeff Chan 25 Mar '05

25 Mar '05

We've been in contact with the operators of a large trap which feeds lists of exploited hosts into RBLs, inquiring if they'd be able to provide URI domains from some of the spams they receive. The idea is to try to find URIs that are specifically sent through zombies and other exploited hosts on the concept that only the worst spammers use zombies and brute force to try to go around RBLs to deliver their spam. The trap operators are able to extract some URI hosts for us, but for now can't afford much more CPU than to use a PERL script calling the Email::MIME module to grab URI domains from about 60k messages. (There's not enough spare CPU to use a program like SpamAssassin, which would likely have more success extracting URIs, but is much more resource intensive.) They may be able to process up to a hundred times as many of their messages for us (i.e. 6M a day) if this moves forward, though even that would be only a small fraction of their trap hits. At my request they are including a count of the number of appearances of each URI domain name or IP so that we can rank them in order of frequency of appearance on the theory that the bigger spammers may appear more often. Based on that test run and some tweaking of the scripts on their side and ours, we got the following table of percentiles of hits, resulting output record counts, hits against existing SURBLs, hits against the SURBL whitelist, and new records (i.e., in neither our black or white lists): 100th percentile, 1293 records, 732 blacklist hits, 112 whitelist hits, 449 novel 99th percentile, 844 records, 549 blacklist hits, 81 whitelist hits, 214 novel 98th percentile, 653 records, 461 blacklist hits, 67 whitelist hits, 125 novel 97th percentile, 548 records, 397 blacklist hits, 54 whitelist hits, 97 novel 96th percentile, 481 records, 352 blacklist hits, 48 whitelist hits, 81 novel 95th percentile, 433 records, 320 blacklist hits, 42 whitelist hits, 71 novel 94th percentile, 396 records, 298 blacklist hits, 40 whitelist hits, 58 novel 93th percentile, 362 records, 287 blacklist hits, 39 whitelist hits, 36 novel 92th percentile, 332 records, 263 blacklist hits, 38 whitelist hits, 31 novel 91th percentile, 307 records, 251 blacklist hits, 29 whitelist hits, 27 novel 90th percentile, 286 records, 231 blacklist hits, 29 whitelist hits, 26 novel 89th percentile, 267 records, 218 blacklist hits, 25 whitelist hits, 24 novel 88th percentile, 250 records, 202 blacklist hits, 25 whitelist hits, 23 novel 87th percentile, 235 records, 188 blacklist hits, 25 whitelist hits, 22 novel 86th percentile, 221 records, 177 blacklist hits, 23 whitelist hits, 21 novel 85th percentile, 209 records, 170 blacklist hits, 22 whitelist hits, 17 novel 84th percentile, 197 records, 161 blacklist hits, 20 whitelist hits, 16 novel 83th percentile, 186 records, 155 blacklist hits, 18 whitelist hits, 13 novel 82th percentile, 176 records, 148 blacklist hits, 16 whitelist hits, 12 novel 81th percentile, 167 records, 140 blacklist hits, 16 whitelist hits, 11 novel 80th percentile, 159 records, 135 blacklist hits, 14 whitelist hits, 10 novel 79th percentile, 152 records, 130 blacklist hits, 13 whitelist hits, 9 novel 78th percentile, 145 records, 124 blacklist hits, 13 whitelist hits, 8 novel 77th percentile, 139 records, 118 blacklist hits, 13 whitelist hits, 8 novel 76th percentile, 133 records, 112 blacklist hits, 13 whitelist hits, 8 novel 75th percentile, 127 records, 107 blacklist hits, 12 whitelist hits, 8 novel 74th percentile, 122 records, 102 blacklist hits, 12 whitelist hits, 8 novel 73th percentile, 116 records, 98 blacklist hits, 11 whitelist hits, 7 novel 72th percentile, 112 records, 95 blacklist hits, 11 whitelist hits, 6 novel 71th percentile, 107 records, 91 blacklist hits, 11 whitelist hits, 5 novel 70th percentile, 103 records, 88 blacklist hits, 10 whitelist hits, 5 novel For this sample, the 96th or 97th percentile appears to be an inflection point of expectedly Zipfian-looking data. (I.e. just a few URI hosts appear many times, and many URI hosts appear just a few times.) Even after whitelisting there are still a few legitimate-looking domains coming through, so one idea would be to list the records up to the 96th or 97th percentile, but for the remaining ones with fewer hits, only list those that also appeared in existing SURBLs, or resolved into sbl.spamhaus.org, or where the sending software was clearly spamware. Hopefully that would reduce FPs in these records with fewer hits, but still let us "pull some useable data out of the noise" and list some of the less frequently appearing records. Does anyone have any comments on this? IMO what makes these data somewhat unique is that it's an early look at the content which exploited hosts are sending into very large traps. The benefit is that it helps us potentially catch up to a few hundred otherwise unlisted domains sooner, and helps reduce the usefulness of those domains in future zombie usage, etc. In other words it potentially improves the detection rates of SURBLs and increases the usefulness of traps feeding traditional RBLs. Comments? Jeff C. -- "If it appears in hams, then don't list it."

2 2

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

Discuss