Jeff/others,
Did some issue occur to cause the domains listed below to be populated in SURBL?
Darrell ------------------------------------------------------------------------ Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.
----- Original Message ----- From: "Pete McNeil" madscientist@microneil.com To: sniffer@sortmonster.com Sent: Tuesday, January 17, 2006 4:27 AM Subject: [sniffer] Watch out... SURBL & SORBS full of large ISPs and Antispam providers.
Hello Sniffer Folks,
Watch out for false positives. This morning along with the current spam storm we discovered that SURBL and SORBS are listing a large number of ISP domains and anti-spam service/software providers.
As a result, many of these were tagged by our bots due to spam arriving at our system with those domains and IPs. Most IPs and domains for these services are coded with "nokens" in our system to prevent this kind of thing, but a few slipped through.
We are aggressively hunting any more that might have arrived.
You may want to temporarily reduce the weight of the experimental IP and experimental ad-hoc rule groups until we have identified and removed the bad rules we don't know about yet.
Please also do your best to report any false positives that you do identify so that we can remove any bad rules. I don't expect that there will be too many, but I do want to clear them out quickly if they are there.
Please also, if you haven't already, review the false positive procedures: http://www.sortmonster.com/MessageSniffer/Help/FalsePositivesHelp.html
Pay special attention to the rule-panic procedure and feature in case you are one of the services hit by these bad entries.
An example of some that we've found in SURBL for example are declude.com, usinternet.com, and w3.org
It's not clear yet how large the problem is, but I'm sure it will be resolved soon.
Hope this helps,
Thanks, _M
Pete McNeil (Madscientist) President, MicroNeil Research Corporation Chief SortMonster (www.sortmonster.com) Chief Scientist (www.armresearch.com)
This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
Darrell (support@invariantsystems.com) wrote:
Did some issue occur to cause the domains listed below to be populated in SURBL?
I do not see any of w3.org, declude.com or usinternet.com listed in any SURBL list at this time.
John.
Darrell (support@invariantsystems.com) quoted:
An example of some that we've found in SURBL for example are declude.com, usinternet.com, and w3.org
Murphy can strike everywhere, but those three aren't on SURBL from my POV. Besides w3.org is the second example on the page http://www.surbl.org/faq.html#local-whitelist
I've no idea how to check SURBL's WL: That might be a case of security by obscurity, but AFAIK w3.org is "whitelisted" by SC, so even if SURBL screws up w3.org shouldn't reach sc.surbl.org
Bye, Frank
On Tuesday 17 January 2006 13:46, Frank Ellermann wrote:
Darrell (support@invariantsystems.com) quoted:
An example of some that we've found in SURBL for example are declude.com, usinternet.com, and w3.org
Murphy can strike everywhere, but those three aren't on SURBL from my POV. Besides w3.org is the second example on the page http://www.surbl.org/faq.html#local-whitelist
I've no idea how to check SURBL's WL: That might be a case of security by obscurity, but AFAIK w3.org is "whitelisted" by SC, so even if SURBL screws up w3.org shouldn't reach sc.surbl.org
This smells like the DNS corruption bug that occurred in some versions of the DNS library used by SpamAssassin.
On Tuesday, January 17, 2006, 5:07:19 AM, Darrell (support@invariantsystems.com) wrote:
Jeff/others,
Did some issue occur to cause the domains listed below to be populated in SURBL?
Darrell
----- Original Message ----- From: "Pete McNeil" madscientist@microneil.com To: sniffer@sortmonster.com Sent: Tuesday, January 17, 2006 4:27 AM Subject: [sniffer] Watch out... SURBL & SORBS full of large ISPs and Antispam providers.
Hello Sniffer Folks,
Watch out for false positives. This morning along with the current spam storm we discovered that SURBL and SORBS are listing a large number of ISP domains and anti-spam service/software providers.
[...]
This seems unlikely, since we 100% audit all new additions to all SURBL lists every day.
It might be useful to have one confirmed example.
Jeff C. -- Don't harm innocent bystanders.
Jeff Chan a écrit :
This seems unlikely, since we 100% audit all new additions to all SURBL lists every day.
It might be useful to have one confirmed example.
I once had BIND 8 (didn't see that with 9 yet) claim that my own IP was in SBL. Of course, checking outside showed this to be a local error (DNS poison attack?). Time for djbdns...
Good morning, all,
On Tue, 17 Jan 2006, Darrell (support@invariantsystems.com) wrote:
Jeff/others,
Did some issue occur to cause the domains listed below to be populated in SURBL?
Darrell
----- Original Message ----- From: "Pete McNeil" madscientist@microneil.com To: sniffer@sortmonster.com Sent: Tuesday, January 17, 2006 4:27 AM Subject: [sniffer] Watch out... SURBL & SORBS full of large ISPs and Antispam providers.
[...]
An example of some that we've found in SURBL for example are declude.com, usinternet.com, and w3.org
[...]
ws.surbl.org does not have these domains, and it appears none of the other surbls does either. From http://www.rulesemporium.com/cgi-bin/uribl.cgi :
SURBL+ Checker Query Results

declude.com is 63.246.13.88 [ rbl lookup ]
domain registered: unknown [ full whois ]
* RBL: skipping uri lookups on ip-based RBLs
* URIBL: multi.surbl.org: not listed [ report ]
* URIBL: multi.uribl.com: not listed [ report ]

usinternet.com is 216.17.3.239 [ rbl lookup ]
domain registered: unknown [ full whois ]
* RBL: skipping uri lookups on ip-based RBLs
* URIBL: multi.surbl.org: not listed [ report ]
* URIBL: multi.uribl.com: not listed [ report ]

w3.org is 128.30.52.46 [ rbl lookup ]
domain registered: unknown [ full whois ]
* RBL: skipping uri lookups on ip-based RBLs
* URIBL: multi.surbl.org: not listed [ report ]
* URIBL: multi.uribl.com: not listed [ report ]
Pete, could you recheck these at your end? If you have dig available, please try:
dig declude.com.multi.surbl.org. A
Cheers, - Bill
--------------------------------------------------------------------------- "A 'No' uttered from deepest conviction is better and greater than a 'Yes' merely uttered to please, or what is worse, to avoid trouble." -- Mahatma Gandhi (Courtesy of Adrian Bunk bunk@fs.tum.de) -------------------------------------------------------------------------- William Stearns (wstearns@pobox.com). Mason, Buildkernel, freedups, p0f, rsync-backup, ssh-keyinstall, dns-check, more at: http://www.stearns.org --------------------------------------------------------------------------
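Bill's dig line is the whole check in one command: reduce the URI host to the domain SURBL keys on, append the zone, and look for a 127.0.0.x answer. The following is an added example (not code from this thread, from SURBL or from Message Sniffer) that does the same thing in Python, decodes the multi.surbl.org bitmask into list names, honours a local whitelist of the kind the SURBL FAQ page Frank pointed to describes, and compares two resolvers so that a listing only your own nameserver reports (Dave's BIND 8 story, or a short-lived glitch like Pete's) shows up as a resolver problem rather than a list problem. The bit values follow the encoding SURBL published in 2006 (sc=2, ws=4, ph=8, ob=16, ab=32, jp=64); the three-level suffix set, the whitelist contents, the `spammer-example.com` listing and the "poisoned" resolver are constructed for the demonstration. The resolver is injected so the block runs offline; in production you would pass a function that really queries DNS.

```python
"""Check a URI host against SURBL the way `dig host.multi.surbl.org A` does.

Added example, not code from the thread, SURBL or Message Sniffer.
Bit values for multi.surbl.org follow the 2006 published encoding; any
other bit is reported as unknown rather than silently scored.
"""
from typing import Callable, Dict, List, Optional

MULTI_ZONE = "multi.surbl.org"

# 2006-era multi.surbl.org encoding (assumption: unchanged for this example).
SURBL_BITS: Dict[int, str] = {2: "sc", 4: "ws", 8: "ph", 16: "ob", 32: "ab", 64: "jp"}

# Suffixes under which the registrable domain is three labels long.
# Illustrative subset, not SURBL's full two-level TLD list.
THREE_LEVEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}

# Local whitelist as the SURBL FAQ recommends; w3.org is the FAQ's own example.
LOCAL_WHITELIST = {"w3.org"}

Resolver = Callable[[str], List[str]]  # returns A records, [] on NXDOMAIN


def registrable_domain(host: str) -> str:
    """Reduce a URI host to the name SURBL is keyed on (example.com, example.co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in THREE_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def query_name(host: str, zone: str = MULTI_ZONE) -> str:
    """The name dig would be pointed at: declude.com -> declude.com.multi.surbl.org."""
    return f"{registrable_domain(host)}.{zone}"


def decode_multi(answers: List[str]) -> List[str]:
    """Turn 127.0.0.X answers into list names; anything odd is kept visible."""
    lists: List[str] = []
    for ip in answers:
        octets = ip.split(".")
        if octets[:3] != ["127", "0", "0"]:
            # Not a listing: a wildcarding or broken resolver answered. Surface it.
            lists.append(f"bogus:{ip}")
            continue
        code = int(octets[3])
        lists.extend(name for bit, name in SURBL_BITS.items() if code & bit)
        leftover = code & ~sum(SURBL_BITS)
        if leftover:
            lists.append(f"unknown:{leftover}")
    return lists


def check_surbl(host: str, resolve: Resolver) -> Optional[List[str]]:
    """None if locally whitelisted, [] if not listed, else the lists it is on."""
    dom = registrable_domain(host)
    if dom in LOCAL_WHITELIST:
        return None  # never even queried, so a bad answer cannot hurt it
    return decode_multi(resolve(query_name(dom)))


def cross_check(host: str, local: Resolver, external: Resolver) -> Dict[str, object]:
    """Ask the local resolver and an outside one; disagreement points at the
    resolver (poisoned cache, stale data, buggy DNS library), not at SURBL."""
    a, b = check_surbl(host, local), check_surbl(host, external)
    return {"local": a, "external": b, "agree": a == b}


# Constructed answer tables standing in for live DNS. The real multi.surbl.org
# never listed declude.com; the poisoned table is invented to show what a
# resolver-side false positive looks like next to an honest answer.
_TRUTH: Dict[str, List[str]] = {
    "spammer-example.com.multi.surbl.org": ["127.0.0.6"],  # sc + ws
}
_POISONED: Dict[str, List[str]] = {**_TRUTH, "declude.com.multi.surbl.org": ["127.0.0.2"]}


def honest_resolver(name: str) -> List[str]:
    return _TRUTH.get(name, [])


def poisoned_resolver(name: str) -> List[str]:
    return _POISONED.get(name, [])


if __name__ == "__main__":
    for h in ("declude.com", "www.w3.org", "spammer-example.com"):
        print(h, cross_check(h, poisoned_resolver, honest_resolver))
```

The whitelist test runs before any query on purpose: a domain you have decided never to score should not depend on what a resolver returns, which is exactly the protection Frank describes for w3.org. Running `cross_check` against your own nameserver and an outside one (or simply against `dig @some.other.resolver`) is the quickest way to tell a real listing from the local-only answer Dave saw.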
On Tuesday, January 17, 2006, 10:15:51 AM, William wrote:
ws.surbl.org does not have these domains, and it appears none of the other surbls does either. From http://www.rulesemporium.com/cgi-bin/uribl.cgi :

SURBL+ Checker Query Results

declude.com is 63.246.13.88 [ rbl lookup ]
domain registered: unknown [ full whois ]
* RBL: skipping uri lookups on ip-based RBLs
* URIBL: multi.surbl.org: not listed [ report ]
* URIBL: multi.uribl.com: not listed [ report ]

usinternet.com is 216.17.3.239 [ rbl lookup ]
domain registered: unknown [ full whois ]
* RBL: skipping uri lookups on ip-based RBLs
* URIBL: multi.surbl.org: not listed [ report ]
* URIBL: multi.uribl.com: not listed [ report ]

w3.org is 128.30.52.46 [ rbl lookup ]
domain registered: unknown [ full whois ]
* RBL: skipping uri lookups on ip-based RBLs
* URIBL: multi.surbl.org: not listed [ report ]
* URIBL: multi.uribl.com: not listed [ report ]

Pete, could you recheck these at your end? If you have dig available, please try:

dig declude.com.multi.surbl.org. A
I'm seeing no answer for this now. It may have been a short-lived phenomenon. I wasn't able to catch it at the moment it happened.
I'm continuing to research the problem.
For now our automated systems are off-line.
Thanks,
_M
On Tuesday, January 17, 2006, 5:07:19 AM, Darrell (support@invariantsystems.com) wrote:
Jeff/others,
Did some issue occur to cause the domains listed below to be populated in SURBL?
Darrell
----- Original Message ----- From: "Pete McNeil" madscientist@microneil.com
An example of some that we've found in SURBL for example are declude.com, usinternet.com, and w3.org
None of those domains has ever been on any SURBL list. The error may be on their end.
Jeff C. -- Don't harm innocent bystanders.
On Tue, 17 Jan 2006, Jeff Chan wrote:
----- Original Message ----- From: "Pete McNeil" madscientist@microneil.com
An example of some that we've found in SURBL for example are declude.com, usinternet.com, and w3.org
None of those domains has ever been on any SURBL list. The error may be on their end.
Jeff C.
True, but after being hit by back-scatter Brain-Dead anti-virus bounces from declude protected systems with that inane message:
The Declude Virus software on our mail server detected a virus. If your mail server had virus protection, it would have prevented this.
I almost consider declude.com to be worthy of a spammer listing. ;( (I have resisted the temptation to nominate but I do have a custom SA rule to hit that garbage with a high score ;).
Dave
----- Original Message ----- From: "David B Funk" dbfunk@engineering.uiowa.edu
On Tue, 17 Jan 2006, Jeff Chan wrote:
----- Original Message ----- From: "Pete McNeil" madscientist@microneil.com
An example of some that we've found in SURBL for example are declude.com, usinternet.com, and w3.org
None of those domains has ever been on any SURBL list. The error may be on their end.
Jeff C.
True, but after being hit by back-scatter Brain-Dead anti-virus bounces from declude protected systems with that inane message:
The Declude Virus software on our mail server detected a virus. If your mail server had virus protection, it would have prevented this.
I almost consider declude.com to be worthy of a spammer listing. ;( (I have resisted the temptation to nominate but I do have a custom SA rule to hit that garbage with a high score ;).
Dave
That is not Declude's fault, that is a configuration problem with the customer that is running the Declude Virus software. In fact, Declude recommends against sending virus notification to senders since most viruses are forging these days anyway.
Bill
On Tue, 17 Jan 2006 16:56:49 -0800 "Bill Landry" wrote:
----- Original Message ----- From: "David B Funk" dbfunk@engineering.uiowa.edu
[...]

True, but after being hit by back-scatter Brain-Dead anti-virus bounces from declude protected systems with that inane message:

The Declude Virus software on our mail server detected a virus. If your mail server had virus protection, it would have prevented this.

I almost consider declude.com to be worthy of a spammer listing. ;( (I have resisted the temptation to nominate but I do have a custom SA rule to hit that garbage with a high score ;).

Dave

That is not Declude's fault, that is a configuration problem with the customer that is running the Declude Virus software. In fact, Declude recommends against sending virus notification to senders since most viruses are forging these days anyway.
Actually it is Declude's fault. That particular message is from an *OLD* version of Declude that lots of people are still running. The newer versions of this message have language that says something to the effect that you may not have caused this. (At least this is what the people at Declude told me a while ago).
Generally when I get those I send a message to the person running the server saying if you upgraded your version of Declude your server wouldn't have sent me this message.
-Jeff
----- Original Message ----- From: "Jeff Ballard" ballard+surbl@cae.wisc.edu
On Tue, 17 Jan 2006 16:56:49 -0800 "Bill Landry" wrote:
[...]
Actually it is Declude's fault. That particular message is from an *OLD* version of Declude that lots of people are still running. The newer versions of this message have language that says something to the effect that you may not have caused this. (At least this is what the people at Declude told me a while ago).
Generally when I get those I send a message to the person running the server saying if you upgraded your version of Declude your server wouldn't have sent me this message.
I have been running Declude Virus since its first release, and it has always been configurable to not send virus notifications to senders. Again, this is a configuration issue with the Declude user, not the company.
Bill
David B Funk wrote:
Brain-Dead anti-virus bounces from declude protected systems
Maybe submit that to SpamCop. It's not only brain dead, it's net abuse. AFAIK declude supports SPF, so you could in theory switch from NEUTRAL to FAIL, but that should be your decision, not enforced by this net abuse.
I almost consider declude.com to be worthy of a spammer listing. ;(
Where does "almost" enter the picture ? If you're sure that they send bogus bounces there's no further doubt about this. We had this already with Barracuda and Symantec in IIRC 2004.
Bye, Frank