Hi,
I just got the message below containing a URL referring to a subdomain of overhand1383biz-MUNGED.us.
As it didn't hit any SURBL list, I promptly checked it in http://www.rulesemporium.com/cgi-bin/uribl.cgi in order to submit it for ws.surbl.org... Much to my surprise, it said it is already listed in ws.surbl.org as well as in ob.surbl.org...
Checking my dns logs (it actually was today about 1:15 AM (UTC-03:00)) it doesn't show a problem with DNS, but actual NXDOMAIN answers:
07-08 01:14:04 query 121975 \
        127.0.0.1:4497:52051 a overhand1383biz-MUNGED.us.ob.surbl.org.
07-08 01:14:04 tx 0 a overhand1383biz-MUNGED.us.ob.surbl.org. \
        ob.surbl.org. \
        209.234.97.11 62.58.50.220 66.251.133.4 66.59.111.182 \
        152.20.240.35 64.21.208.212 193.95.141.43 216.58.97.21 \
        128.255.17.20 66.170.2.50 213.132.0.70 130.161.128.84 \
        128.255.17.19 69.10.169.115 194.109.9.8 66.170.2.60
07-08 01:14:04 nxdomain 209.234.97.11 3600 \
        overhand1383biz-MUNGED.us.ob.surbl.org.
07-08 01:14:05 query 121978 \
        127.0.0.1:4497:52054 a overhand1383biz-MUNGED.us.ws.surbl.org.
07-08 01:14:05 tx 0 a overhand1383biz-MUNGED.us.ws.surbl.org. \
        ws.surbl.org. \
        213.132.0.70 128.255.17.19 66.170.2.50 193.95.141.43 \
        209.204.159.15 64.21.208.212 208.201.249.238 128.255.17.20 \
        130.161.128.84 139.130.4.5 62.58.50.220 66.59.111.182 \
        209.234.97.11 66.170.2.60 66.251.133.4 194.109.9.8
07-08 01:14:05 nxdomain 213.132.0.70 3600 \
        overhand1383biz-MUNGED.us.ws.surbl.org.
Maybe they were added between 1:00 AM and 9:00 AM? It'd be nice to have a kind of timestamp in entries (at least when checking them via web).
Thanx for a great job!!
############ ORIGINAL SPAM (DOMAIN MUNGED) WITH HEADERS ########
Received: from [218.79.131.116] ([218.79.131.116]:23567 "HELO fishingfan.com"
        whoson: "-unregistered-") by dedos.pert.com.ar with SMTP
        id <S185399AbUGHEOG>; Thu, 8 Jul 2004 01:14:06 -0300
Message-ID: 41692037.13C92E2@fishingfan.com
Date: Thu, 08 Jul 2004 13:41:31 +1000
Reply-To: "jake edgar" herminiacottmtin@fishingfan.com
From: "jake edgar" herminiacottmtin@fishingfan.com
User-Agent: Foxmail 4.2 [cn]
X-Accept-Language: en-us
MIME-Version: 1.0
To: "morgan hubert" baby@baby.com.ar
Subject: Aydhkli Prescriptions 0vernighted To Your Doorstep..Val1um Etc..
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-MailScanner: Se encontro limpio
X-MailScanner-SpamAssassin: ham, SpamAssassin-2.63 (puntaje=4.404,
        requerido 5, DRUGS_ANXIETY 0.01, DRUGS_ANXIETY_OBFU 1.00,
        J_CHICKENPOX_45 0.60, RATWR10_MESSID 0.11, RCVD_IN_RFCI 0.10,
        SARE_RECV_IP_218079 1.67, SARE_USERAG_SPAM0 0.92)
Return-Path: herminiacottmtin@fishingfan.com
maalderij onderzoeksinspanningen koortjes
Our online shop is your source for locating many presscription drugs without a prior presscription in comp1iance with FDA regulations.
B`uy V@L|UM, X@NA.X O`n1ine For Less
Safe & Secure Ordering!
W C http://i.rcg.overhand1383biz-MUNGED.us/f74/
Illness, injury, love, lost moments of true greatness, and sheer stupidity all occur to test the limits of your soul. Without these small tests, whatever they may be, life would be like a smoothly paved straight flat road to nowhere. It would be safe and comfortable, but dull and utterly pointless. Having a secret is so fantastically sustaining and comforting, especially when teenage turbulence squalls up. My parents bought the records, but I was totally convinced that only I had the monopoly of true understanding. When I heard her belt through gotta move, I seriously thought this gal must be psychic. forada2arnillo08boyuno,depuratorio despreciador.
--
Mariano Absatz
El Baby
----------------------------------------------------------
Conjecture: All odd numbers are prime.
Mathematician's Proof: 3 is prime. 5 is prime. 7 is prime. By induction, all odd numbers are prime.
Physicist's Proof: 3 is prime. 5 is prime. 7 is prime. 9 is experimental error. 11 is prime. 13 is prime ...
Engineer's Proof: 3 is prime. 5 is prime. 7 is prime. 9 is prime. 11 is prime. 13 is prime ...
Computer Scientist's Proof: 3 is prime. 3 is prime. 3 is prime. 3 is prime...
At 10:09 2004-07-08 -0300, Mariano Absatz wrote:
> As it didn't hit any SURBL list, I promptly checked it in http://www.rulesemporium.com/cgi-bin/uribl.cgi in order to submit it for ws.surbl.org... Much to my surprise, it said it is already listed in ws.surbl.org as well as in ob.surbl.org...
> <...>
> maybe they were added between 1:00 AM and 9:00 AM? It'd be nice to have a kind of timestamp in entries (at least when checking them via web).
I agree.
As it is now, except for AB, it's impossible to find out if the reason that a spam with a currently listed domain got through during recent hours was due to detection problems or just that it's a very recent listing.
Either having an "Added:" timestamp in the TXT data, or a web page where you can look up an ip and get information on when and why it was added, like many RBLs have, would be a great addition.
Even a basic recent additions history page like the one AB has at http://spamvertised.abusebutler.com/ would help a lot.
Thanks,
Patrik
On Sunday, July 11, 2004, 7:08:10 AM, Patrik Nilsson wrote:
> At 10:09 2004-07-08 -0300, Mariano Absatz wrote:
>> As it didn't hit any SURBL list, I promptly checked it in http://www.rulesemporium.com/cgi-bin/uribl.cgi in order to submit it for ws.surbl.org... Much to my surprise, it said it is already listed in ws.surbl.org as well as in ob.surbl.org...
>> <...>
>> maybe they were added between 1:00 AM and 9:00 AM? It'd be nice to have a kind of timestamp in entries (at least when checking them via web).
> I agree.
> As it is now, except for AB, it's impossible to find out if the reason that a spam with a currently listed domain got through during recent hours was due to detection problems or just that it's a very recent listing.
> Either having an "Added:" timestamp in the TXT data, or a web page where you can look up an ip and get information on when and why it was added, like many RBLs have, would be a great addition.
> Even a basic recent additions history page like the one AB has at http://spamvertised.abusebutler.com/ would help a lot.
> Thanks,
> Patrik
It may be of interest that there is a timestamped log of sc blocklist additions at:
http://spamcheck.freeapp.net/top-sites-domains.new.log
and a much shorter log of sc whitelist hits at:
http://spamcheck.freeapp.net/whitelist-hits.new.log
Jeff C.
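
Added example, not part of any message in this thread: the lookups in Mariano's log reduce the URL host to its registered domain before appending the list zone, and without an "Added:" timestamp the time a listing appeared can still be bounded from one's own resolver log as the last NXDOMAIN and the first positive answer. The domain, addresses, log lines, the layout of the `rr` line and the function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Suffixes that need three labels; a tiny constructed subset, not a full list.
TWO_LEVEL = {"co.uk", "com.ar", "com.au"}

def surbl_qname(url, zone):
    """Reduce the URL host to its registered domain and append the list zone."""
    labels = urlsplit(url).hostname.rstrip(".").lower().split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_LEVEL else 2
    return ".".join(labels[-keep:] + [zone]) + "."

# Constructed log. The "query" and "nxdomain" lines follow the layout quoted in
# the thread; the "rr" (positive answer) line layout is an assumption.
SAMPLE_LOG = """\
07-08 01:14:04 query 121975 127.0.0.1:4497:52051 a spamdomain.example.ob.surbl.org.
07-08 01:14:04 nxdomain 192.0.2.11 3600 spamdomain.example.ob.surbl.org.
07-08 01:14:05 query 121978 127.0.0.1:4497:52054 a spamdomain.example.ws.surbl.org.
07-08 01:14:05 nxdomain 192.0.2.70 3600 spamdomain.example.ws.surbl.org.
07-08 09:02:11 query 130114 127.0.0.1:4497:40112 a spamdomain.example.ws.surbl.org.
07-08 09:02:11 rr 192.0.2.70 900 a spamdomain.example.ws.surbl.org. 127.0.0.2
"""

LINE = re.compile(r"^(\d\d-\d\d \d\d:\d\d:\d\d) (\w+) (.*)$")

def listing_window(log, qname):
    """Return (last NXDOMAIN time, first positive answer time) for qname.

    The listing was added somewhere between the two; None means not seen.
    """
    last_miss = first_hit = None
    for line in log.splitlines():
        m = LINE.match(line)
        if not m or first_hit is not None:
            continue
        ts, kind, rest = m.groups()
        fields = rest.split()
        if kind == "nxdomain" and fields[-1] == qname:
            last_miss = ts          # still unlisted at this time
        elif kind == "rr" and qname in fields:
            first_hit = ts          # first time the list answered
    return last_miss, first_hit

if __name__ == "__main__":
    for zone in ("ob.surbl.org", "ws.surbl.org"):
        q = surbl_qname("http://i.rcg.spamdomain.example/f74/", zone)
        print(q, listing_window(SAMPLE_LOG, q))
```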