Discuss

discuss@lists.surbl.org

2 participants
1870 discussions

RE: [SURBL-Discuss] Discuss: WAS: SURBL+ Checker Submission
by Chris Santerre 02 Dec '04

02 Dec '04

>-----Original Message----- >From: David B Funk [mailto:dbfunk@engineering.uiowa.edu] >Sent: Thursday, December 02, 2004 5:10 PM >To: SURBL Discussion list >Subject: Re: [SURBL-Discuss] Discuss: WAS: SURBL+ Checker Submission > > >On Thu, 2 Dec 2004, Chris Santerre wrote: > >> I stripped the header for this discussion. Is this a spam >domain or an >> attempt to poison SURBL. It is obviously a spam, but is domain bogus? >> >> >-----Original Message----- >> *SNIP* >> >[snip..] >> >href=3D"http://hesatosser.com.info/?wid=3D100005">H= >> >ERE</a><br><br> >[snip..] >> ><a href=3D"http://hesatosser.com.info/?wid=3D100005"> >> >Get it now >[snip..] >> > href=3D"http://http://hesatosser.com.com/nomore.html">Go >> >here</a> to stop= > >Neither, it's broken spam-ware. The actual pill-spam-site >is "hesatosser .com" (which is listed in SURBL ;). > >"*.com.com" is a valid domain name, belongs to CNet, clearly >not spam. "*.com.info" isn't even a valid domain at all. > Thanks dave, that is what I thought. Helped to hear it from someone else :) --Chris

1 0

RE: What is up with surbl.org?
by Chris Santerre 02 Dec '04

02 Dec '04

>-----Original Message----- >From: Mark [mailto:admin@asarian-host.net] >Sent: Thursday, December 02, 2004 3:43 PM >To: users(a)spamassassin.apache.org >Subject: What is up with surbl.org? > > >How come surbl.org has a "Bad" status at rating.cloudmark.com? (see >below). This is not good. > Jealousy? :) Maybe they are related to that fifth dentist? Perhaps Jeff should contact them with a "What up, dude?" email? --Chris (Why won't this javalin lock on target!!!!!) NOTE: I think we should make everyone who uses SURBL buy a copy of Joint Operations and play with us ;) Halo is for small thinking people!

2 1

MISC: Is this why google is looking to hire antispam people?
by Chris Santerre 02 Dec '04

02 Dec '04

Cnet article: http://tinyurl.com/3mgxd Perhaps google should look into using SURBL? Maybe just the phishing part of it? Anyone have a google contact? " Phishers lie in wait for Google searchers Traditionally, phishing scammers have lured their victims to fraudulent Web sites by sending official-looking e-mails that are ostensibly from well-known companies asking users to 'verify' their user names and passwords. Now many are setting up legitimate looking e-commerce sites that disguise links to malicious software as pictures of goods on sale, CyberGuard said Wednesday. Paul Henry, a senior vice president at CyberGuard, said that when Web shoppers search the Internet looking for products they want to buy, they could be directed to a plausible e-commerce site that instructs them to "Click here to download images" of the product. Henry said that instead of linking to pictures of the advertised product, the links point to a self-extracting ZIP file that installs a Trojan horse on the victim's computer. The program could then steal personal and financial information. ......... ... " Chris Santerre System Admin and SARE Ninja http://www.rulesemporium.com http://www.surbl.org 'It is not the strongest of the species that survives, not the most intelligent, but the one most responsive to change.' Charles Darwin

1 0

RE: [SURBL-Discuss] What are the chances of FP on Newsletters and Order Confs.
by Paul Schwarz 02 Dec '04

02 Dec '04

I don't use SA, I use XWall for Exchange and can't set the score of a SURBL... So I only have the choice to mark the subject or just send a DSN. Right now I send a DSN b/c it's useless to forward the spams to the individuals IMHO. I'm not sure what you mean about "Confirmation emails would contain links to your own domain." Actually I'm a spam killer ninja (jr that is) Paul Schwarz Stark Truss Company, Inc. Senior Network Administrator (330) 478-2100 -----Original Message----- From: discuss-bounces(a)lists.surbl.org [mailto:discuss-bounces@lists.surbl.org] On Behalf Of Chris Santerre Sent: Thursday, December 02, 2004 10:59 AM To: 'SURBL Discussion list' Subject: RE: [SURBL-Discuss] What are the chances of FP on Newsletters and Order Confs. >-----Original Message----- >From: Paul Schwarz [mailto:Paul.Schwarz@starktruss.com] >Sent: Thursday, December 02, 2004 10:12 AM >To: 'SURBL Discussion list' >Subject: [SURBL-Discuss] What are the chances of FP on Newsletters and >Order Confs. > > >Hi Guys, just wondered if using SURBL will block IT Dept, HR Dept and >such >newsletters that people get. We get a lot of those in our depts. > >Also what are the chances of blocking a confirmation emails for >something >someone orders, etc And also Airlines > >Just feeling a little leery of using SURBL for a risk of false >positives. >Seems like a lot of newsletters outsource to companies that could look >like spammers. > >I know it won't block and person to person email but can you help me >feel more comfortable about SURBL ? > Greetings Paul, SURBL should block NONE of these. (Well we don't block anything, we flag, but you know what I mean.) We whitelist airlines. Confirmation emails would contina links to your own domain. You are not a spammer, are you? If you aren't, you won't get listed. If it is an order from to your company it is the same. You can always lower the score of SURBL and try it out if you are worried. But you will be VERY happy with it. 4 out of 5 Dentists approve of SURBL. But we don't count the fifth one, because his parents were cousins ;) Chris Santerre System Admin and SARE Ninja http://www.rulesemporium.com http://www.surbl.org 'It is not the strongest of the species that survives, not the most intelligent, but the one most responsive to change.' Charles Darwin _______________________________________________ Discuss mailing list Discuss(a)lists.surbl.org http://lists.surbl.org/mailman/listinfo/discuss

1 0

RE: [SURBL-Discuss] What are the chances of FP on Newsletters and Order Confs.
by Chris Santerre 02 Dec '04

02 Dec '04

>-----Original Message----- >From: Paul Schwarz [mailto:Paul.Schwarz@starktruss.com] >Sent: Thursday, December 02, 2004 10:12 AM >To: 'SURBL Discussion list' >Subject: [SURBL-Discuss] What are the chances of FP on Newsletters and >Order Confs. > > >Hi Guys, just wondered if using SURBL will block IT Dept, HR >Dept and such >newsletters that people get. We get a lot of those in our depts. > >Also what are the chances of blocking a confirmation emails >for something >someone orders, etc And also Airlines > >Just feeling a little leery of using SURBL for a risk of false >positives. >Seems like a lot of newsletters outsource to companies that >could look like >spammers. > >I know it won't block and person to person email but can you >help me feel >more comfortable about SURBL ? > Greetings Paul, SURBL should block NONE of these. (Well we don't block anything, we flag, but you know what I mean.) We whitelist airlines. Confirmation emails would contina links to your own domain. You are not a spammer, are you? If you aren't, you won't get listed. If it is an order from to your company it is the same. You can always lower the score of SURBL and try it out if you are worried. But you will be VERY happy with it. 4 out of 5 Dentists approve of SURBL. But we don't count the fifth one, because his parents were cousins ;) Chris Santerre System Admin and SARE Ninja http://www.rulesemporium.com http://www.surbl.org 'It is not the strongest of the species that survives, not the most intelligent, but the one most responsive to change.' Charles Darwin

1 0

list of TLDs
by Daniel Quinlan 02 Dec '04

02 Dec '04

I got a long list of TLDs from John Levine, he made no promises about accuracy (quite the opposite), so I suspect there are some mistakes, but I yield it to you. Please let us know if any TLDs should be added to the SpamAssassin URIBL module, though. ;-)

4 3

using local cache?
by Ronan 02 Dec '04

02 Dec '04

hi i posted a mail similar to this on the spamassassin list but its more appropriate to this list... how do i check that my local multi.surbl.org bind file that i put into our DNS is the one being checked when doing SURIBLs lookups? Is there anyway to check who is checking DNS records? I do a spamassassin --lint -D and there is no mention of which DNS server its querying... any other hints?? ronan -- Regards Ronan McGlue ============== Analyst/Programmer Information Services Queens University Belfast BT7 1NN

1 0

RE: [SURBL-Discuss] FP: rgc3.net
by Chris Santerre 02 Dec '04

02 Dec '04

>-----Original Message----- >From: Rob McEwen (PowerView Systems) [mailto:rob@powerviewsystems.com] >Sent: Wednesday, December 01, 2004 2:19 PM >To: discuss(a)lists.surbl.org >Subject: Re: [SURBL-Discuss] FP: rgc3.net > > >RE: rgc3.net > >After looking into this some more, I also found it in the >header of a legitimate OfficeDepot newsletter > 1) Its in the header, so don't worry. 2) Total scumbags! http://spews.org/html/S975.html 3) OfficeDepot should be notified. 4) I think this was discussed on Spam-L, that they were fooling legit companies. 5) You will see om-xxxxx.rgcx.net in many headers of spam. 6) If you need more, I'd ask the Spam-L guys. RSK could educate you ;) I believe Playboy actually used them until they found out they were scum. --Chris

3 2

RE: Image Composition Analysis
by Chris Santerre 02 Dec '04

02 Dec '04

Yeah this is a definite candidate for SURBL. This is the Huntsville-consulting spam gang: http://www.spamhaus.org/SBL/sbl.lasso?query=SBL20528 353+ domains diretly linked. This is going to be the next trend. The final destination of this pron spam was throatstuffers . com, but it used a throw away domain of marlacell . com as a forwarder. Not directly either. That domain simply hosted a mirrored page of throatstuffers . com. We are seeing an increase in throw away domains being used to reroute to other domains that will NEVER show up directly in a spam. All in attempts to get passed SURBL. No biggy, the more pople that submit and manage SURBL the faster they get added. However there has been discussion on blocking the final destinations via web proxy's and host files. I think we will begin to see an increase in companies blocking these IPs or domains at the firewall or proxy server. Its actually helping some antispammers. We are able to tie more spammers together thru looking at who is trying to get passed SURBL thru throw away domains. Some of the small guys are only rogues of the bigger ones. We got people watching spammers six ways from Sunday. Funny how much they don't realise we know ;) --Chris >-----Original Message----- >From: Smart,Dan [mailto:SmartD@VMCMAIL.com] >Sent: Wednesday, December 01, 2004 4:57 PM >To: spamassassin-users(a)incubator.apache.org >Subject: RE: Image Composition Analysis > > >Attached is the spam that got through. I changed the porn URL to not >offend. It's a little mangled as it was forwarded by the user >via Outlook, >and tags got mangled by my Sanitizer. > >I capture the headers of all files, and here is what they look >like. The >bayes = 0 is what got this through. > ><<Dan>> > >======================================== >From filter Wed Nov 3 01:29:14 2004 >Return-Path: <Bebeskbs(a)kmanus.com> >Received: from great.amberalist.com (great.amberalist.com >[209.200.9.222]) > by dalton.vul.com (Vulcan E-mail Relay) with SMTP id 56BD89BB2C > for <xxxxxxx(a)vmcmail.com>; Wed, 3 Nov 2004 01:29:14 >-0600 (CST) >Received: from mail pickup service by kmanus.com with >Microsoft SMTPSVC; > Wed, 3 Nov 2004 14:17:54 -0800 >Received: from 194.3.74.35 by by7fd.bay7.kmanus.com with HTTP; > Wed, 3 Nov 2004 14:17:54 GMT >X-Originating-IP: [194.3.74.35] >X-Originating-Email: [Bebeskbs(a)kmanus.com] >X-Sender: Bebeskbs(a)kmanus.com >From: Bebe <Bebeskbs(a)kmanus.com> >To: XXXXX <XXXXXXX(a)vmcmail.com> >Subject: re: our appreciation >Date: 3 Nov 2004 14:17:54 -0500 >Mime-Version: 1.0 >Content-type: text/html >Message-ID: <SR0-81197F1166274AB5A8701DBB47173D6E(a)kmanus.com> >X-Spam-Checker-Version: SpamAssassin 2.64 (2004-01-11) on >dalton.vul.com >X-Spam-DCC: : dalton 1182; Body=1 Fuz1=1 Fuz2=1 >X-Spam-AWL: Auto_Whitelist= >X-Spam-Status: No, hits=1.7 required=6.5 >tests=BAYES_00,CP_RANDOMWORD_10, > HTML_MESSAGE,MIME_HTML_NO_CHARSET,MIME_HTML_ONLY,OB_URI_RBL, > RCVD_IN_SBL,SARE_HTML_FSIZE_1ALL,WS_URI_RBL autolearn=no >version=2.64 >X-Spam-Level: * >Status: RO >X-Status: >X-Keywords: >X-UID: 1219 > >====================================== ><<Dan>> > > > > >> -----Original Message----- >> From: John Andersen [mailto:jsa@pen.homeip.net] >> Sent: Wednesday, December 01, 2004 2:45 AM >> To: spamassassin-users(a)incubator.apache.org >> Subject: Re: Image Composition Analysis >> >> On Tuesday 30 November 2004 01:27 pm, Smart,Dan wrote: >> >> > Catching image only E-mail with pornographic images is >> really difficult. >> > My users are offended when they get one, and wonder how I >> could not >> > catch it. Explaining that the document was text, filled >with bayes >> > poison, and the one porn image with no porn words in the document >> > doesn't seem to have much of an impression on them. >> >> Open the image with a text editor and challenge them to >> determine if it is spam or not. >> >> Really, people this dumb should not be turned loose on the internet. >> >> -- >> _____________________________________ >> John Andersen >> > >

3 2

FP: rgc3.net
by Rob McEwen (PowerView Systems) 01 Dec '04

01 Dec '04

Potential False Positive: If found the following in a header of an e-mail that was a legitimate Realtor.com/HomeStore newsletter: rgc3.net Examine e-mail here: http://www.pvsys.com/fp.txt (I know that SURBL is not suppose to be used to check headers... but this still raises a red flag that this domain would be found in such a legit newsletter) Thanks, Rob McEwen

2 1

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

Discuss