Good morning, all,
On Tue, 17 Jan 2006, Darrell (support@invariantsystems.com) wrote:
Jeff/others,
Did some issue occur to cause the domains listed below to be populated in SURBL?
Darrell
Check out http://www.invariantsystems.com for utilities for Declude and IMail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.
----- Original Message -----
From: "Pete McNeil" madscientist@microneil.com
To: sniffer@sortmonster.com
Sent: Tuesday, January 17, 2006 4:27 AM
Subject: [sniffer] Watch out... SURBL & SORBS full of large ISPs and Antispam providers.
Hello Sniffer Folks,
Watch out for false positives. This morning, along with the current spam storm, we discovered that SURBL and SORBS are listing a large number of ISP domains and anti-spam service/software providers.
As a result, many of these were tagged by our bots due to spam arriving at our system with those domains and IPs. Most IPs and domains for these services are coded with "nokens" in our system to prevent this kind of thing, but a few slipped through.
We are aggressively hunting any more that might have arrived.
You may want to temporarily reduce the weight of the experimental IP and experimental ad-hoc rule groups until we have identified and removed the bad rules we don't know about yet.
Please also do your best to report any false positives that you do identify so that we can remove any bad rules. I don't expect that there will be too many, but I do want to clear them out quickly if they are there.
Please also, if you haven't already, review the false positive procedures: http://www.sortmonster.com/MessageSniffer/Help/FalsePositivesHelp.html
Pay special attention to the rule-panic procedure and feature in case you are one of the services hit by these bad entries.
Some examples we've found in SURBL are declude.com, usinternet.com, and w3.org.
It's not clear yet how large the problem is, but I'm sure it will be resolved soon.
Hope this helps,
Thanks, _M
Pete McNeil (Madscientist)
President, MicroNeil Research Corporation
Chief SortMonster (www.sortmonster.com)
Chief Scientist (www.armresearch.com)
This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
ws.surbl.org does not have these domains, and it appears none of the other SURBLs does either. From http://www.rulesemporium.com/cgi-bin/uribl.cgi :
SURBL+ Checker Query Results

declude.com is 63.246.13.88 [ rbl lookup ] domain registered: unknown [ full whois ]
  * RBL: skipping uri lookups on ip-based RBLs
  * URIBL: multi.surbl.org: not listed [ report ]
  * URIBL: multi.uribl.com: not listed [ report ]

usinternet.com is 216.17.3.239 [ rbl lookup ] domain registered: unknown [ full whois ]
  * RBL: skipping uri lookups on ip-based RBLs
  * URIBL: multi.surbl.org: not listed [ report ]
  * URIBL: multi.uribl.com: not listed [ report ]

w3.org is 128.30.52.46 [ rbl lookup ] domain registered: unknown [ full whois ]
  * RBL: skipping uri lookups on ip-based RBLs
  * URIBL: multi.surbl.org: not listed [ report ]
  * URIBL: multi.uribl.com: not listed [ report ]
Pete, could you recheck these at your end? If you have dig available, please try:
dig declude.com.multi.surbl.org. A
Cheers, - Bill
---------------------------------------------------------------------------
"A 'No' uttered from deepest conviction is better and greater than a 'Yes' merely uttered to please, or what is worse, to avoid trouble."
-- Mahatma Gandhi
(Courtesy of Adrian Bunk bunk@fs.tum.de)
--------------------------------------------------------------------------
William Stearns (wstearns@pobox.com). Mason, Buildkernel, freedups, p0f, rsync-backup, ssh-keyinstall, dns-check, more at: http://www.stearns.org
--------------------------------------------------------------------------
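As an added illustration of the `dig <domain>.multi.surbl.org A` check Bill suggests (example code, not from anyone on this list), the routine below builds the SURBL query name and decodes the 127.0.0.x bitmask answer, treating NXDOMAIN as "not listed". The bit-to-list mapping is the one SURBL documented around 2006 and the DNS answers are constructed, so it runs offline.

```python
import ipaddress
import socket

# multi.surbl.org answers 127.0.0.x, where x is a bitmask of the lists the name is on.
# Bit values as SURBL documented them circa 2006 (assumption: verify against current docs).
SURBL_BITS = {2: "sc", 4: "ws", 8: "ph", 16: "ob", 32: "ab", 64: "jp"}
LIST_ZONE = "multi.surbl.org"

def surbl_query_name(host: str, zone: str = LIST_ZONE) -> str:
    """Name to look up: declude.com -> declude.com.multi.surbl.org. (lower-cased,
    trailing dot stripped); IPv4 literals are octet-reversed like other DNSBLs."""
    host = host.strip().rstrip(".").lower()
    try:
        ip = ipaddress.IPv4Address(host)
        host = ".".join(reversed(str(ip).split(".")))
    except ipaddress.AddressValueError:
        pass  # a domain, not an IP literal
    return f"{host}.{zone}."

def decode_surbl_answer(answer: str) -> list:
    """Lists encoded in a 127.0.0.x answer; anything outside 127/8 is rejected as
    bogus (a wildcarding resolver would otherwise make everything look listed)."""
    addr = ipaddress.IPv4Address(answer)
    if addr not in ipaddress.IPv4Network("127.0.0.0/8"):
        raise ValueError(f"unexpected SURBL answer {answer}")
    bits = int(addr) & 0xFF
    return [name for bit, name in SURBL_BITS.items() if bits & bit]

def surbl_lookup(host: str, resolve=socket.gethostbyname, zone: str = LIST_ZONE) -> list:
    """Lists `host` is on, [] when not listed. `resolve` maps a name to an A record
    and raises socket.gaierror on NXDOMAIN, as socket.gethostbyname does."""
    try:
        answer = resolve(surbl_query_name(host, zone))
    except socket.gaierror:
        return []  # NXDOMAIN: not listed
    return decode_surbl_answer(answer)

# Constructed answers standing in for DNS so the example runs offline.
FAKE_DNS = {
    "spammer-example.test.multi.surbl.org.": "127.0.0.6",  # bits 2+4: sc and ws
    "4.3.2.1.multi.surbl.org.": "127.0.0.8",  # bit 8: ph, for the literal 1.2.3.4
}

def fake_resolve(name: str) -> str:
    if name not in FAKE_DNS:
        raise socket.gaierror(-2, "Name or service not known")
    return FAKE_DNS[name]

if __name__ == "__main__":
    for host in ("declude.com", "w3.org", "spammer-example.test", "1.2.3.4"):
        print(host, surbl_lookup(host, resolve=fake_resolve) or "not listed")
```

Passing the default `resolve` (or wrapping `dig +short`) turns this into a live check; the answer-range test matters because an ISP resolver that wildcards NXDOMAIN would otherwise report every domain as listed.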