On Monday, March 7, 2005, 9:07:37 PM, Steven Champeon wrote:
Speaking of anti-SURBL tactics, I got this turdlet today (snippet of HTML email below):
<DIV>We are giving out Free Import / Export / Wholesales/ Distributers / Retailers Contact Database</DIV>
<DIV> </DIV>
<DIV>If You interested Pls get at Following URL</DIV>
<DIV> </DIV>
<DIV><A onmouseover="window.status='http://www.impexp-data.com';return true;" onmouseout="window.status=' ';return true;" href="http://indigisys.com/chawla1/open.htm" target=_blank>Business = Database</A> </DIV>
<DIV> </DIV>
<DIV>Free Business / Marketing Tools ( Free SMS to All over world Unl= imited ) </DIV>
<DIV><A onmouseover="window.status='http://www.impexp-data.com/sms';return true;" onmouseout="window.status=' ';return true;" href="http://indigisys.com/chawla1/open.htm" target=_blank>FREE SMS = Tools </A></DIV>
It *looks* like whoever owns indigisys.com wants to hide the fact that they're actually indigisys.com by pretending to be impexp-data.com, which doesn't exist. Does SURBL's lookup code catch this?
SpamAssassin 2.64 running SpamCopURI seems to check both domains:
debug: checking url: http://indigisys.com/chawla1/open.htm
debug: returning cached data : indigisys.com.multi.surbl.org -> ARRAY(0x9351f4c)
debug: Receieved match prefix: 127.0.0
debug: Receieved mask: 32
debug: no match

debug: checking url: http://www.impexp-data.com%27;return
debug: returning cached data : impexp-data.com.multi.surbl.org -> ARRAY(0x9386f58)
debug: Receieved match prefix: 127.0.0
debug: Receieved mask: 32
As does SpamAssassin 3.0.1:
debug: URIDNSBL: query for indigisys.com took 0 seconds to look up (multi.surbl.org.:indigisys.com)
debug: URIDNSBL: query for impexp-data.com took 0 seconds to look up (multi.surbl.org.:impexp-data.com)
Those are the only SURBL applications I have easy access to, so I don't know how others may handle them. SpamAssassin does the right thing. :-)
Jeff C. -- "If it appears in hams, then don't list it."
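
The check discussed in this message, as an added example that is not part of the original thread and is not SpamAssassin or SpamCopURI code: it pulls the domain from each link's href and from any URL placed in its on* handlers, builds the names a filter would look up, and reports links whose status-bar text names a different domain than the href. The names `base_domain`, `LinkAudit` and `audit` are hypothetical, the two-label domain reduction is a simplification, and no DNS queries are sent.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# First anchor from the message quoted above, used as sample input.
SAMPLE = ("<DIV><A onmouseover=\"window.status='http://www.impexp-data.com';"
          "return true;\" onmouseout=\"window.status=' ';return true;\" "
          "href=\"http://indigisys.com/chawla1/open.htm\" target=_blank>"
          "Business = Database</A> </DIV>")

URL_RE = re.compile(r"https?://[^\s'\"<>;]+", re.I)

def base_domain(url):
    """Host reduced to its last two labels (simplification: real clients
    also consult a list of two-level TLDs such as co.uk)."""
    try:
        host = urlsplit(url).hostname or ""
    except ValueError:          # malformed authority, e.g. a bad IPv6 literal
        return ""
    return ".".join(host.rstrip(".").split(".")[-2:])

class LinkAudit(HTMLParser):
    """Collects, per <a> tag, the href domain and any domains named in
    on* event handlers (the status-bar decoy)."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        href, shown = "", set()
        for name, value in attrs:
            if name == "href" and value:
                href = base_domain(value)
            elif name.startswith("on") and value:
                shown.update(base_domain(u) for u in URL_RE.findall(value))
        self.links.append((href, shown - {""}))

def audit(html, zone="multi.surbl.org"):
    """Return (names to query in the zone, [(href domain, decoy domains)])."""
    parser = LinkAudit()
    parser.feed(html)
    parser.close()
    queries, mismatches = set(), []
    for href, shown in parser.links:
        queries.update(f"{d}.{zone}" for d in shown | {href} if d)
        if href and shown - {href}:
            mismatches.append((href, sorted(shown - {href})))
    return sorted(queries), mismatches
```

A mismatch is only a signal that the displayed and actual destinations differ; both names still go to the list lookup, as in the debug output above.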