Discuss

discuss@lists.surbl.org

1862 discussions

RE: Scheduled, Distributed Email Stream Monitoring
by Chris Santerre 11 Feb '05

11 Feb '05

Wow I just read this :) I'm Top posting so SARE knows who the heck its coming from :) Not all of SARE is involved in SURBL. We've had to split our time up. I myself have put way more time into SURBL then SARE the last several months. Thankfully those ninjas keep on trucking! (I've got a ruleset in development, I swear!!) :) There are some test going on with automation of some of the processes. However it does result in a 'few' FPs that we don't like. It is still being tweaked. Personally I spend about 1-3 hours a day on SURBL, sometimes more. But I go way beyond the simple listing of domains. Researching the data brings forth much more info. Listing domains can be quite fast if you throw out the questionible ones. The main problem is trust. We simply need to keep SURBL contributors to a choice few. FPs are our enemy, more so then the actual spam :) There are plenty of people we trust, but few who have the time. I like your solution, but it might be just as easy to add 2 more trusted contributors. --Chris >-----Original Message----- >From: Matthew Wilson [mailto:matthew@boomer.com] >Sent: Wednesday, February 09, 2005 9:17 PM >To: SURBL Discussion list >Subject: Scheduled, Distributed Email Stream Monitoring > > >For the SARE and SURBL folks - > >I would love to decrease the delay between when a spammy URL appears in >the message stream and when it's submitted to the WS SURBL gods for >blacklisting. Here is an idea that may have been discussed before; if >so, just ignore it. :) > >Currently, the SARE guys have some kind of rotating schedule of who >checks the WS submissions, correct? > >Wouldn't it be nice if there were some kind of similar volunteer-based >rotating schedule that listed who would be responsible for monitoring >the raw message stream and submitting unlisted spam domains? This kind >of anonymous schedule handled through rulesemporium.com, and if you had >some sort of accountability enforcement. > >For instance, each submitter could log in with an account, so the >validity of their WS SURBL submissions could be tracked by the SARE >folks. If they're submitting a bunch of bogus domains or non-spam >domains, their account would be disabled. > >Each submitter could sign up for a 15-minute slice of time per week >(dividing the week into 672 timeslots), and of course more than 1 >submitter could take a timeslot, and each submitter could take >more than >one timeslot. > >Each submitter's "record" (domains successfully submitted and >blacklisted) would be *anonymously* available to the public through >rulesemporium.com, as a form of reputation incentive. > >Benefits: > >1. The SURBL community would have the confidence that the >message stream >is being monitored by *someone* at all times. > >2. Each individual member of the SURBL community would have a higher >incentive to sacrifice some of each's time to submit spammed domains. >The higher incentive is the knowledge the the community is (in a sense) >depending on them to submit spammed domains within that certain period >of time. The additional incentive to report would come from a decent >assurance that it is far less likely that someone else is reporting the >same domain, and hence it's less likely that any given submission would >be a duplicate. > >3. WS SURBL's reporting latency would hopefully decrease, because more >people would be submitting. > >My Motivation: >What prompted me to write this was the fact that some of my customers >were complaining that lots of spams were slipping through, so I spent >about 30 minutes looking at the false negatives, and all of the domains >but 1 of the ones I looked at were not yet listed in SURBL. So I >submitted 10-15 domains, and thought to myself... I would do this more >often and on a regular schedule if only I knew that others were also >willing to sacrifice 15-30 minutes out of their week to the same >cause...... > >Thanks for taking the time to read this suggestion. > >Matthew Wilson >matthew(a)boomer.com > >

2 1

Pfizer and Microsoft sue Viagra spammers
by Jeff Chan 11 Feb '05

11 Feb '05

http://news.yahoo.com/news?tmpl=story&u=/ap/20050210/ap_on_hi_te/viagra_spa… NEW YORK (AP) - Pfizer Inc. and Microsoft Corp. are teaming up to fight the slew of spam e-mails hawking Viagra [...] The companies said Thursday they had filed a total of 17 lawsuits __ http://www.reuters.com/newsArticle.jhtml?type=domesticNews&storyID=7598201&… Pfizer, Microsoft Sue Web Sites Over Illegal Viagra Thu Feb 10, 2005 03:30 PM ET By Bill Berkrot NEW YORK (Reuters) - Pfizer Inc. and Microsoft Corp. said on Thursday they filed parallel lawsuits against Web site operators and spam advertisers that sell illegal versions of Pfizer's Viagra. The companies said the lawsuits follow a seven-month investigation to discover the identity of two Web site operators together with those advertising them via spam e-mails. Pfizer has filed suit against CanadianPharmacy and E-Pharmacy Direct, while Microsoft has filed civil actions against the spam advertisers for the Web sites. Microsoft has also filed three suits against spam advertisers who advertise unauthorized or counterfeit versions of Viagra on other online pharmacies under such names as Discount RX, Virtual RX, and EzyDrugStore.com. Jeff C. -- Jeff Chan mailto:jeffc@surbl.org http://www.surbl.org/

1 0

Surbl getting tripped, but I can't figure out why
by Alden Levy 11 Feb '05

11 Feb '05

Maybe I'm dense (or haven't been paying too much attention to SA/MS/SURBL, because they've been working so well), but I received a few emails this AM from clients and vendors who have sent us emails before that were marked as spam. For example, I received an email from blinkingeyemedia .com (NOT listed in SURBL), but the SA header section listed: X-E9-MailScanner-SpamCheck: spam, SpamAssassin (score=10.401, required 5, BAYES_00 -2.60, URIBL_OB_SURBL 4.00, URIBL_PH_SURBL 5.00, URIBL_SC_SURBL 4.00) The only URLs in the whole email were blinkingeyemedia (in a sig) and engineno9inc .com (my domain) in a mailto: from a response. This happened twice with this particular correspondent, but other emails got through just fine (with the same URLs and at roughly the same time)! A client sent an email to one of my domains, jksevents .com (not listed), and the only url in the email was jksevents in a mailto:. Similar response from SURBL. Has anyone seen this? Do I need to post more info? Does someone need to see the email off list? I've had this happen before, but they were one offs, and when they occurred, I checked the lookup, scratched my head when the URLs didn't show, and promptly put them on the back burner. Thanks! Alden

2 2

Passive DNS replication
by Jeff Chan 10 Feb '05

10 Feb '05

I think this idea may have been mentioned before, but it's a useful way to find domains associated with an IP address, etc. http://www.enyo.de/fw/software/dnslogger/ http://cert.uni-stuttgart.de/stats/dns-replication.php (The links were forwarded to me.) It's probably similar to what whois.sc is doing for their fee-based reverse IP lookup service. But they probably have more sensors. http://www.whois.sc/reverse-ip/ Jeff C. -- "If it appears in hams, then don't list it."

2 1

rsync
by Adam Bayless 09 Feb '05

09 Feb '05

I've got a pretty busy mail system (about 600k messages a day) so I sent an rsync request earlier this week but I haven't heard back yet. I also sent subscription requests on the announce and zones mailing lists and haven't heard anything on those. All of these requests came from support(a)fiber.net. If anyone can offer some advice it will be greatly appreciated. Thanks! -Adam

2 1

Re: Open redirector @yahoo
by Terry Sullivan 09 Feb '05

09 Feb '05

Raymond Dijkxhoorn wrote: >Obviously open redirectors like this are not really handy. >Well, for spammers they are, but ... > >Anyone with contacts at Yahoo? Based on conversations I've had, Yahoo is aware of this issue, but they believe (or at least profess) that there are one or more compelling reasons to leave these services active. Of course, it's a trivial thing to ignore redirectors completely simply by parsing URLs back-to-front, instead of front-to-back.

2 1

rule for mixed case URI scheme
by Daniel Quinlan 09 Feb '05

09 Feb '05

Something close to this will be in 3.1, so you'll want to remove the rule then, maybe name it something else too. uri URI_SCHEME_MIXED_CASE /^(?![a-z]{3,6}:|[A-Z]{3,6})[A-Za-z]{3,6}:\// describe URI_SCHEME_MIXED_CASE URI scheme has mixed uppercase and lowercase The mass-check results are good, hits about 1% of spam with basically no false positives in 92,000 hams from 6 people. Daniel -- Daniel Quinlan http://www.pathname.com/~quinlan/

2 2

Reminder: JP out of WS
by Jeff Chan 08 Feb '05

08 Feb '05

We have taken the JP data out of WS. If you don't already have a rule or configuration to use the JP data, please add one. Some sample rules for SA are at: http://www.surbl.org/quickstart.html (When you upgrade to SA 3.1, it will ship with a separate rule for JP, so you may need to remove the custom JP rule you add for versions before 3.1.) A good reason to use JP separately is that it hits on a lot of spam and has a low FP rate. Here are some results from Raymond's systems: SpamAssassin tag hits: (top 100) #1 149058 URIBL_JP_SURBL #2 147873 URIBL_SBL #3 134187 URIBL_OB_SURBL #4 117296 HTML_MESSAGE #5 115780 BAYES_99 #6 111612 RCVD_IN_BL_SPAMCOP_NET #7 103114 URIBL_WS_SURBL #8 98778 URIBL_SC_SURBL #9 70540 MIME_HTML_ONLY #10 57549 URIBL_AB_SURBL #11 43752 URIBL_AH_DNSBL #12 35201 RCVD_IN_XBL #13 32712 RCVD_IN_NJABL_PROXY #14 31342 DRUGS_ERECTILE #15 29829 RCVD_IN_SBL #16 29205 RCVD_IN_SORBS_SPAM #17 27917 RCVD_IN_SORBS_WEB #18 27787 RATWARE_ZERO_TZ #19 27301 MIME_BASE64_TEXT #20 26780 MIME_BOUND_DD_DIGITS Jeff C. -- "If it appears in hams, then don't list it."

1 0

surbl and spamassassin questions
by Dave Harris 08 Feb '05

08 Feb '05

hi, i am a sysadmin at a small isp and have several questions to ask. please bear with me, my questions are probably very basic. i have implemented spamassassin 3.x and want to activate surbls. our mailserver is running on RH linux with sendmail/open webmail, as well as pop clients. 1. how do i tell if Net::DNS is installed? 2. how do i make sure "network tests" are enabled? 3. how do i tell if "Mail::SpamAssassin::Plugin::URIDNSBL" is present and loaded? if it isn't present by default, i think i found the URIDNSBL plugin code on the surbl.org site but i don't know how to install it. 4. what needs to be done in the /etc/mail/spamassassin/local.cf file to get surbls working? 5. how can i tell if surbl is working once everything is in place? ------------------------------- i'm sure these are all very basic setup issues but to me, i'm at a bit of a loss. any help is greatly appreciated. tia, dave ______________________________________________________________________ Post your free ad now! http://personals.yahoo.ca

3 3

MISC: Humor
by Chris Santerre 07 Feb '05

07 Feb '05

Interesting cartoon in my inbox this early Monday morning. http://tinyurl.com/62tlr Made me laugh, then made me sad :) :( Chris Santerre System Admin and SARE/SURBL Ninja http://www.rulesemporium.com http://www.surbl.org 'It is not the strongest of the species that survives, not the most intelligent, but the one most responsive to change.' Charles Darwin

1 0

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

Discuss