Got email from vmobile.us today. It's listed on [WS] and [JP].
I checked the evidence and it's kind of flakey. The mail in question was
a mailing by wirelessdealernetwork.com.
WDN has 2 NANAS sightings to it, both dated 2004-09-19 and posted by the
same guy. Registered on 2004-06-08, NS blacklisted, listed on SURBL [WS],
[OB], [JP].
Whether the recipient opted-in or not is not quite clear, but he's
telecom-related. It may be spam, it may be not.
In any case, vmobile.us was registered on 2004-05-12 and blacklisted by me
on 2004-09-14. I shouldn't have blacklisted at that age without further
evidence / checks. The NS is not blacklisted, no Google hits for spam other
than my own listing. Oops! The domain of the owning company,
usa-telecom.net, is two years old.
So I think [WS] should probably also unlist vmobile.us, as I will do.
My lesson: Just because the mailing list may be spammy and the TLD notorious
doesn't mean a domain mentioned deserves listing on SURBL.
Joe
On Friday, October 15, 2004, 4:26:09 AM, Tony RT wrote:
> Thank you for your suggestions. I will look to implement, at least a few of
> them, in the near future in hopes of stopping some of the FPs.
Excellent! I hope they can help. (Referring to http://www.surbl.org/policy.html )
> In the meantime, feel free to let the mailing list know that
> postmaster(a)outblaze.com works and gets reasonably fast response if they notice
> anything that looks like an FP.
> Cheers,
> TonyB
Done. :-)
Jeff C.
--
"If it appears in hams, then don't list it."
[forwarding my reply to Tony at Outblaze with his permission]
On Thursday, October 14, 2004, 8:34:41 PM, Tony RT wrote:
> [jeffc(a)surbl.org - Thu Oct 14 14:00:25 2004]:
>> Thanks Tony.
>>
>> May I suggest that you consider checking a domain before
>> listing it? Just because a few customers consider it spam
>> doesn't necessarily mean other customers might not want to
>> get it. I ask because there seem to be some legitimate
>> sites getting onto your lists which some customers may
>> legitimately want to get. For example none of the recent
>> FPs have had to do with pills, mortgages, warez, etc.
>>
>> Another recent example is browsehappy.com run by the Web
>> Standards Project:
>>
>> http://webstandards.org/act/campaign/happy/
>>
>> which seem pretty unlikely to be professional or even
>> casual spammers, no matter what users may report. Users
>> are sometimes wrong, so data should be checked, IMO.
>>
>> Jeff C.
> Jeff, browsehappy.com problem was reported back to us by schampeon and
> immediately removed.
> The approach we take (if it's new and appears in reported spam) does have FPs, I
> agree - but we haven't been able to find a good way to "check".
> We do look (cursory) at all the blocked domains per day and if anything obvious
> shows up we do remove them. The problem is that detailed looking by a human is
> not really practical given the volume of domains we block by day.
> As you know/see, we are very responsive and remove very quickly.
> If you have any suggestions on how to improve the process, I'm all ears and
> will implement your suggestions as long as it doesn't consume too much human
> time (checking 100s of domains 1 by 1 is just not practical).
> Cheers,
> TB
Hi Tony,
Thanks indeed for your responsiveness in removing FPs, and
addressing the concerns of us and your users. Regarding
some checks that can be done on the incoming data, many
of the suggestions in our draft policy for manual lists
can be automated:
http://www.surbl.org/policy.html
and some of those may perhaps be useful for your checking of
incoming suspected spam domains. What I'd suggest is perhaps
using these to score new domains and to flag ones that rise
above a certain score.
For example, any domain in SBL probably can be blacklisted
immediately. Any domain not in SBL probably begins to add
to a ham score, though not 100%. If you have access to the
headers, and the senders are in xbl.spamhaus.org, then the
domain should probably be listed. Any sender IP not in XBL
probably should get ham points. Any domain with few or
zero NANAS hits may be hammy. Domains in DMOZ, Wikipedia,
etc should perhaps get ham points since it's unlikely the
human editors of those would add or allow spam domains, etc.
Obviously most of the spam domains we get are fully spammy.
Perhaps some of these metrics can help flag ones that
are less spammy and worthy of a little further checking?
Your feedback, comments, questions, etc would be welcomed
since we intend to use a policy like this for our own
manual list, ws.surbl.org. We may adopt other parts of
this for our automated lists also.
Cheers,
Jeff C.
P.S. Do you mind if I publish this response on our
SURBL discussion list?
--
"If it appears in hams, then don't list it."
Hi,
I just reported this mail with its 3 URLs to spamcop and ws.surbl... I
urge other list maintainers to add them since it contains disgusting
child pornography...
From what I can understand at http://www.sg.st, although sg.st is not
an 'official' 2LD of st, it seems that this is a bulk registry for the
domains HK.ST - CN.ST - TW.ST - SG.ST.
The official NIC for st (São Tomé & Principe) seems to be http://www.nic.st.
As I understand it, the SG.ST domain should be whitelisted...
Regards.
Received: from c-24-12-31-157.client.comcast.net (HELO
smtp.hotpop.com) (24.12.31.157)
by mail.example.com with SMTP; 13 Oct 2004 20:17:24 -0000
Date: Fri, 15 Oct 2004 22:56:09 +0000
From: mangled <mangled(a)example.com>
Subject: Hi.
To: FILE <mangled(a)example.com>
References: <mangled(a)example.com>
In-Reply-To: <mangled(a)example.com>
Message-ID: <mangled(a)example.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7BIT
Hey,
I've found true BL Hits!
Over 12000 users here.
http://pbfiles.sg.st and http://ggboys.sg.st
Giant Lo collection here: http://ptz-portal.sg.st
Best,
Michael Berkly.
p.s. looking for your quickest reply.
--
Mariano Absatz - El Baby
el (dot) baby (AT) gmail (dot) com
el (punto) baby (ARROBA:@) gmail (punto) com
ultimatebizsource.biz claims to be an opt-in list with 55,000 subscribers.
It's currently listed on [WS] and [JP] but not my personal list.
I know, the name alone sounds like your typical spammer domain, but is it?
Today the owner of getyoursiteongoogle.info mailed me, since I had
blacklisted their domain.
Turns out the evidence was a mailing from ultimatebizsource.biz which was
listed on WS and JP. Since the recipient was a third party from the
Prolocation feed, I could not easily verify if it was indeed unsolicited,
but I checked what I could check quickly.
To my surprise the outgoing mailserver's IP is not listed on any of the RBLs
and neither are the name servers or the resolved name.
There is only 1 NANAS sighting for this almost one year old domain. That
posting is an automated one, and probably related to an ahbl.org listing
mentioned in the SA-tags added to the evidence mail. I can find no listing
for them at ahbl.org now.
A web search for the domain name returns a single hit:
http://www.google.com/search?q=ultimatebizsource.biz+spam
That looks too little for 55,000 mails per day for one year.
Joe
On Thursday, October 14, 2004, 5:20:56 AM, Tony RT wrote:
> [jeffc(a)surbl.org - Thu Oct 14 12:10:09 2004]:
>> > In this month's Microsoft Security update mailout there is a domain
>> > mentioned in the credits, persiax.com. Web version includes the same
>> > domain...
>> Outblaze Postmaster,
>> Can you tell us why persiax.com is listed?
> Jeff,
> If our spamtraps or our users report spam, we scan the body.
> If we find domains that are "new" in the body, the domain gets blocked.
> persiax.com is now removed.
> TonyB
Thanks Tony.
May I suggest that you consider checking a domain before
listing it? Just because a few customers consider it spam
doesn't necessarily mean other customers might not want to
get it. I ask because there seem to be some legitimate
sites getting onto your lists which some customers may
legitimately want to get. For example none of the recent
FPs have had to do with pills, mortgages, warez, etc.
Another recent example is browsehappy.com run by the Web
Standards Project:
http://webstandards.org/act/campaign/happy/
which seem pretty unlikely to be professional or even
casual spammers, no matter what users may report. Users
are sometimes wrong, so data should be checked, IMO.
Jeff C.
--
"If it appears in hams, then don't list it."
Guys,
not sure what the criteria for listing/de-listing in OB is.
In this month's Microsoft Security update mailout there is a domain
mentioned in the credits, persiax.com. Web version includes the same
domain...
http://www.microsoft.com/technet/security/bulletin/MS04-oct.mspx
This is a new domain, about a month old, 0 NANAS, looks like a
personal site with 0 content, some guy in Iran who was about to get
his 15mins of fame :)
Not a whitelist candidate IMHO but am curious why it's in there.
Regards,
Joseph
Hi All,
bluedomino.com
In my mind a FP on the WS list.
Domain age in days: 2168
Associated with CoffeeCup, the age old HTML editing software. Only
place I've seen it mentioned is in the normal mailouts from CoffeeCup
to people who have downloaded their software or who are on the mailing
list.
NANAS sightings about 10, some are just reports of customers they
host, nothing really recent.
I'd be intrigued to know how it got on WS.
Regards,
Joseph