Discuss

discuss@lists.surbl.org

1862 discussions

Fw: Account Verification
by Kevin A. McGrail 21 Feb '05

21 Feb '05

This is a follow-up to my initial discovery that eBay has it's own redirector and this redirector was now showing up in Phishing scams. Despite my adamant, fervent & rabid inquiries, eBay has done nothing. With the rise of the use of the redirector on eBay and this more obscure url now being used, I believe even more phish-aware users would be caught: http://cgi4-munged.ebay.com/ws/eBayISAPI.dll?MfcISAPICommand=RedirectToDoma… Anyone who knows anyone at eBay that understands security should email them and tell them to turn this redirector OFF. In the meantime, here's an SA Rule to help catch it which I would appreciate feedback about: # This rule is to mark emails using the exploit of the eBay redirector uri KAM_EBAYREDIR /.*.ebay.com.*RedirectToDomain/i describe KAM_EBAYREDIR Attempted use of eBay redirector - high probability of fraud score KAM_EBAYREDIR 7.0 More posted at: http://www.peregrinehw.com/downloads/SpamAssassin/contrib/KAM.cf Regards, KAM

2 2

RE: [SURBL-Discuss] Is something wrong with SURBL-checker?
by Chris Santerre 18 Feb '05

18 Feb '05

> >Jeff Chan wrote: > >> I'm not getting matches either. Let's ask Dallas to please look >> into it for us. > >Alright! I noticed spam got hits from SURBL-lists anyway (as >you pointed >out in your other message). > >I'll wait report my spam-mails until the problems are solved. > I sent the Ninja in charge an email. We recently did an update that may have messed up the public one. --Chris

2 1

RE: [SURBL-Discuss] Fw: TKO Notice: Urgent Fraud Investigation
by Matthew.van.Eerde＠hbinc.com 17 Feb '05

17 Feb '05

Rob McEwen wrote: >> http://cgi4.ebay.com/ws/eBayISAPI.dll?MfcISAPICommand=RedirectToDomain&Doma >> inUrl=http://mymt.co.kr/.cgi-bin/eBaySuspension/signin.ebay.com/aw->cgi/sec > ure/eBayISAPI.dllSignIn-ssPageName->hhsin.php?MfcISAPICommand=SignInFPP&Usin > gSSL=1&email= > >> Erm, it's called a redirector. Did you try the >> URL? ebay's site redirects >> to the URL in the DomainURL parameter. > > Whatever you call it, it's bad news for any parser which might not > grab and extract the referenced URL for SURBL checking. > > Also, this leads to additional questions: > > (1) Are there legitimate "business purposes" for ebay to have such a > redirector in the first place? To a certain limited extent, yes > (2) If so, are there legitimate reasons for such a redirector to EVER > show up in legitimate e-mails? To that extent, yes > (3) If not, does anyone know of a "clearinghouse" page where ALL such > types of redirectors are listed so that rules could be built to block > e-mails containing these (using rules-based blocking)? Also, are > there already SA rules for such? > > Rob McEwen eBay should certainly realize that they are imparting a degree of authority to URLs that are redirected in this manner. They may even be liable for damages. Best practices probably dictate that they keep a list of URLs that are legitimate redirection destinations, and limit redirection to those URLs - on attempts to feed the redirector any other URL, they should pop up big ugly error messages saying "someone's trying to phish you (or maybe we forgot to update our list)" Matthew.van.Eerde (at) hbinc.com 805.964.4554 x902 Hispanic Business Inc./HireDiversity.com Software Engineer perl -e"map{y/a-z/l-za-k/;print}shift" "Jjhi pcdiwtg Ptga wprztg,"

1 0

Is something wrong with SURBL-checker?
by Martin 15 Feb '05

15 Feb '05

Hi, Is there something wrong with the SURBL-checker at http://www.rulesemporium.com/cgi-bin/uribl.cgi ? I get no matches of any domains i'm testing. Even with spam-domains that hits the multi-list isn't listed as blocked. Is this problem related to the "FP-rate" thread? / Martin

2 3

RE: [SURBL-Discuss] FP rate?
by Chris Santerre 14 Feb '05

14 Feb '05

>-----Original Message----- >From: Fred [mailto:tech2@i-is.com] >Sent: Monday, February 14, 2005 1:26 PM >To: SURBL Discussion list >Subject: Re: [SURBL-Discuss] FP rate? > > >Chris Santerre wrote: >> Can we trust the FP rate with the current bug in SA? > >Not taking sides but it might be a bug in Net::DNS, the SA >devs have not >exactly tied down what was causing this issue. There was talk >of re-write >in the way they use Net::DNS to possibly fix this issue but >I'm pretty sure >this was not SA specific. > >http://bugzilla.spamassassin.org/show_bug.cgi?id=3997 > Oh I agree. I don't know what is causing it, but I know it must be throwing off the reported FP rate. Although proably for all the URIRBLs. I'd love to get a monthly report from DQ on his rates. But I know he is busy. --Chris

4 3

RE: [SURBL-Discuss] FP rate?
by Chris Santerre 14 Feb '05

14 Feb '05

Can we trust the FP rate with the current bug in SA? -_Chris

2 1

Re: [SURBL-Discuss] ANN: new surbl client (still beta)
by Jeff Chan 14 Feb '05

14 Feb '05

On Saturday, February 12, 2005, 3:36:11 AM, Alain Alain wrote: > Hi Jeff >> On Saturday, February 12, 2005, 2:34:20 AM, Alain Alain wrote: >> >> Generally speaking it may be better to apply this kind of >> >> filtering at the server level since there are economies of scale, >> >> especially in terms of things like DNS lookups and caching. If >> >> we suddenly get 100k more DNS clients, that could tax the name >> >> servers somewhat. If those same 100k users were using 100 >> >> servers instead, the DNS loading would be quite a bit less. In >> >> that sense centralization is desirable. >> >> > Mmmm isn't the dns server from the ISP caching the dns requests? I >> > would think it doesn't make a big difference (except when a server is >> > rsync'ing). The difference could be that end users check their e-mail >> > not when arriving on the MTA, but later. >> >> One difference is that the ISP's mail server may see many of the >> same spams within a short period of time, and the lookups would >> probably tend to be cached over that time span. Individual users >> may POP or IMAP their messages at any random time, so the DNS >> cache hit rate may be lower for them. > This will only the case for spam e-mail, not for domains inside ham e-mail. But most well-written applications, e.g. SpamAssassin, are already ignoring most ham URIs due to local whitelisting, so it's spam URI domain caching that's the main issue. >> I think we're agreeing, but I've never tried to quantify the >> difference between these. We can propose that there's some >> difference but how much is unknown. I would suggest a pretty >> strong cache effect for mail servers however. > But the good news is : The more users, the more caching. So the > burden on the nameservers will grow slower. The SURBL zone files have a minimal 15 minute TTL, so in order for ISP resolver hits to be cached, the queries will need to occur within some 15 minutes, which seems less likely at MUA download time than at MTA processing time. MTAs probably see similar spam over a short period of time whereas MUA clients can download at any later time. In this case, I don't think your argument applies. For something like caching yahoo domains, or any with "normal" longer TTLs, it probably applies more strongly. Jeff C. -- "If it appears in hams, then don't list it."

2 2

Re: [SURBL-Discuss] FP rate?
by Alain 13 Feb '05

13 Feb '05

Hi Jeff > >> > I know that not all FP's are reported and there are > >> > probably no exact numbers, but it should give a good idea. Or am I > >> > wrong? > >> > >> The FP reports are probably too few overall to be meaningful in > >> terms of differentiating performance between lists. There just > >> aren't that many, maybe a few a day on average. > >> > > > Yes, but I wasn't thinking on differentiating between the lists, there > > are other results for. What I was thinking on was the number of FP's > > that exists on more than one list. This is very usefull information > > when combining lists. If almost no FP's do occur on more than one > > list (at the same time) requiring appearance on at least 2 lists > > would be a very safe one. > > Good point. Anecdotally, FPs don't tend to appear on multiple > lists very often, at least the FPs we've seen reported. This is > unmeasured, just a subjective opinion. If we had some of the > list data in combined form as I had proposed then we could test > it better. I suppose I could just do it. ;-) > I f the reported one's are very rare, this would probably even more the case for the not reported one's. If there's a FP the chance for being reported will grow if on more than one list. Mmm the combined lists just have to be available to someone with a big ham corpus, to test it. Personaly knowing the results for "at least 2" or "at least 3" , would be nice. It also would be nice to know how those combination would result inside : http://www.surbl.org/permuted-hits.out.txt Alain

3 5

Re: [SURBL-Discuss] ANN: new surbl client (still beta)
by Jeff Chan 13 Feb '05

13 Feb '05

On Saturday, February 12, 2005, 2:41:36 AM, Alain Alain wrote: >> >> - I've added a local skiplist with about top half of the public >> >> "whitelist", no need to query those. >> >> When you say half, that may be more than optimal (should be about >> 5000 records). SpamAssassin is using the top 125, which worked >> out to about the 50%th percentile of all whitelist hits when we >> first set this up. (Now that result is skewed *because* >> SpamAssassin isn't checking those 125 any more, but their >> snapshot of the 125 is still probably useful. >> >> I'd say anything between 100 and 1000 would probably be a good >> compromise between list size and coverage. > The only disadvantage I see from a bigger local skiplist is some local > CPU usage for every uri in a email. Most pc's have plenty of CPU > power ;-) If this could become a problem, I can lower or optimise the > local checking. Are there any other disadvantages? One reason SpamAssassin didn't want to hard code too many domains into their local whitelist was in case we needed to withdraw any, i.e. because they started spamming. The time between code releases can be many months, and some people may never update, so they wanted to be sure to get very hammy domains into that list. (While Yahoo and Microsoft probably aren't going to start spamming any time soon, that may be less certain about some of the less commonly seen domains.) But I'm glad that you're trying to minimize the DNS queries. Jeff C. -- "If it appears in hams, then don't list it."

2 2

Re: [SURBL-Discuss] FP rate?
by Jeff Chan 12 Feb '05

12 Feb '05

On Saturday, February 12, 2005, 3:09:46 AM, Alain Alain wrote: >> > I know that not all FP's are reported and there are >> > probably no exact numbers, but it should give a good idea. Or am I >> > wrong? >> >> The FP reports are probably too few overall to be meaningful in >> terms of differentiating performance between lists. There just >> aren't that many, maybe a few a day on average. >> > Yes, but I wasn't thinking on differentiating between the lists, there > are other results for. What I was thinking on was the number of FP's > that exists on more than one list. This is very usefull information > when combining lists. If almost no FP's do occur on more than one > list (at the same time) requiring appearance on at least 2 lists > would be a very safe one. Good point. Anecdotally, FPs don't tend to appear on multiple lists very often, at least the FPs we've seen reported. This is unmeasured, just a subjective opinion. If we had some of the list data in combined form as I had proposed then we could test it better. I suppose I could just do it. ;-) Jeff C. -- "If it appears in hams, then don't list it."

1 0

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

Discuss