Guys
Seems Zdnet doesn't bother about its open redirectors as yet. This is a spam that I trapped just 5 mins back. Spammers are enjoying using these open redirectors.
Can anyone send a reminder to Zdnet of this redirector?
The Spam .......
Hi,
Wanna get up 4 times in one night, well we've got the answer for you, check us out at http://chkpt.zdnet.com/chkpt/howbad/rdx56.info/p/yo
Replying to my own mail, Zdnet finally seems to have taken care of its redirector. The link "http://chkpt.zdnet.com/chkpt/howbad/rdx56.info/p/yo" that appeared in the spam is now not being redirected; it shows a message
"Forbidden to relay request through this server"
finally they seem to have taken care of this.
Rakesh wrote:
Guys
Seems Zdnet doesn't bother about its open redirectors as yet. This is a spam that I trapped just 5 mins back. Spammers are enjoying using these open redirectors.
Can anyone send a reminder to Zdnet of this redirector?
The Spam .......
Hi,
Wanna get up 4 times in one night, well we've got the answer for you, check us out at http://chkpt.zdnet.com/chkpt/howbad/rdx56.info/p/yo
Rakesh wrote:
Replying to my own mail, Zdnet finally seems to have taken care of its redirector. The link "http://chkpt.zdnet.com/chkpt/howbad/rdx56.info/p/yo" that appeared in the spam is now not being redirected; it shows a message
"Forbidden to relay request through this server"
finally they seem to have taken care of this.
hmmmmm
check this:
http://chkpt.zdnet.com/chkpt/zdnetdoesnothing/surbl.org
Alex
check this:
Works just fine :(
Regards,
Joseph
On Tuesday, April 5, 2005, 10:45:11 PM, Alex Broens wrote:
Rakesh wrote:
Replying to my own mail, Zdnet finally seems to have taken care of its redirector. The link "http://chkpt.zdnet.com/chkpt/howbad/rdx56.info/p/yo" that appeared in the spam is now not being redirected; it shows a message
"Forbidden to relay request through this server"
finally they seem to have taken care of this.
hmmmmm
check this:
Alex
Yeah, but maybe surbl.org isn't on blacklists, eh? :-)
Jeff C. -- "If it appears in hams, then don't list it."
Jeff Chan wrote:
On Tuesday, April 5, 2005, 10:45:11 PM, Alex Broens wrote:
Rakesh wrote:
Replying to my own mail, Zdnet finally seems to have taken care of its redirector. The link "http://chkpt.zdnet.com/chkpt/howbad/rdx56.info/p/yo" that appeared in the spam is now not being redirected; it shows a message
"Forbidden to relay request through this server"
finally they seem to have taken care of this.
hmmmmm
check this:
Alex
Yeah, but maybe surbl.org isn't on blacklists, eh? :-)
It seems Zdnet is maintaining a list of blacklisted sites and blocking only for them and is open to the rest. I think they should have done the reverse way by managing a list of sites that are allowed and block all others.
On Tuesday, April 5, 2005, 11:23:11 PM, Rakesh Rakesh wrote:
Jeff Chan wrote:
On Tuesday, April 5, 2005, 10:45:11 PM, Alex Broens wrote:
Rakesh wrote:
Replying to my own mail, Zdnet finally seems to have taken care of its redirector. The link "http://chkpt.zdnet.com/chkpt/howbad/rdx56.info/p/yo" that appeared in the spam is now not being redirected; it shows a message
"Forbidden to relay request through this server"
finally they seem to have taken care of this.
hmmmmm
check this:
Alex
Yeah, but maybe surbl.org isn't on blacklists, eh? :-)
It seems Zdnet is maintaining a list of blacklisted sites and blocking only for them and is open to the rest. I think they should have done the reverse way by managing a list of sites that are allowed and block all others.
Maybe they're following the advice at:
http://www.surbl.org/redirect.html
at least we can hope.
Jeff C. -- "If it appears in hams, then don't list it."
Jeff Chan wrote:
Maybe they're following the advice at:
http://www.surbl.org/redirect.html
at least we can hope.
While they clearly have a blacklist in place, it doesn't seem to be using SURBL:
http://chkpt.zdnet.com/chkpt/test/surbl-org-permanent-test-point.com
is redirected (except of course that the domain then doesn't resolve)
John.
Hi!
http://www.surbl.org/redirect.html
at least we can hope.
While they clearly have a blacklist in place, it doesn't seem to be using SURBL:
http://chkpt.zdnet.com/chkpt/test/surbl-org-permanent-test-point.com
is redirected (except of course that the domain then doesn't resolve)
They seem to have a blacklist of abused ones, but that's the other way around and will not stop abuse.
Bye, Raymond.
Raymond, Paul and others, please LART them.
We're not going to blacklist zdnet.
Jeff C.
Hi!
Raymond, Paul and others, please LART them.
We're not going to blacklist zdnet.
I have a local rule in place...
full PROLO_REDIR_ZDNET_CHECK_1 /http:\/\/.*chkpt.zdnet.com\/chkpt/
score PROLO_REDIR_ZDNET_CHECK_1 8.0
describe PROLO_REDIR_ZDNET_CHECK_1 PROLO_REDIR-ZDNET CHECK_1_2_3, Body
That crap doesn't get in anymore.
Feel free to share.
Bye, Raymond
Hi!
Why the use of the full test rather than the uri test? Regards,
full PROLO_REDIR_ZDNET_CHECK_1 /http:\/\/.*chkpt.zdnet.com\/chkpt/
score PROLO_REDIR_ZDNET_CHECK_1 8.0
describe PROLO_REDIR_ZDNET_CHECK_1 PROLO_REDIR-ZDNET CHECK_1_2_3, Body
URI tests are done on the toplevel domain, I don't want to block whole zdnet...
If you have something else that can do it, that's also fine, I mean, this works for us <tm>
Bye, Raymond.
On Saturday, April 9, 2005, 1:56:10 AM, Raymond Dijkxhoorn wrote:
Hi!
Why the use of the full test rather than the uri test? Regards,
full PROLO_REDIR_ZDNET_CHECK_1 /http:\/\/.*chkpt.zdnet.com\/chkpt/
score PROLO_REDIR_ZDNET_CHECK_1 8.0
describe PROLO_REDIR_ZDNET_CHECK_1 PROLO_REDIR-ZDNET CHECK_1_2_3, Body
URI tests are done on the toplevel domain, I don't want to block whole zdnet...
If you have something else that can do it, that's also fine, I mean, this works for us <tm>
Would a regular body test work?
Jeff C. -- "If it appears in hams, then don't list it."
Raymond Dijkxhoorn wrote:
Hi!
Why the use of the full test rather than the uri test? Regards,
full PROLO_REDIR_ZDNET_CHECK_1 /http:\/\/.*chkpt.zdnet.com\/chkpt/
score PROLO_REDIR_ZDNET_CHECK_1 8.0
describe PROLO_REDIR_ZDNET_CHECK_1 PROLO_REDIR-ZDNET CHECK_1_2_3, Body
URI tests are done on the toplevel domain, I don't want to block whole zdnet...
It's the network tests that are done on the registered domain. The entire URI is available to the uri-type tests.
Your rule above, using uri instead of full, works under both 3.0 and 3.1 (and probably older versions).
Of course, if you've got the time to spare, the full test isn't going to hurt anything (well your machine might blow up, but that's it!). :)
Daryl
Hi!
full PROLO_REDIR_ZDNET_CHECK_1 /http:\/\/.*chkpt.zdnet.com\/chkpt/
score PROLO_REDIR_ZDNET_CHECK_1 8.0
describe PROLO_REDIR_ZDNET_CHECK_1 PROLO_REDIR-ZDNET CHECK_1_2_3, Body
URI tests are done on the toplevel domain, I don't want to block whole zdnet...
It's the network tests that are done on the registered domain. The entire URI is available to the uri-type tests.
Your rule above, using uri instead of full, works under both 3.0 and 3.1 (and probably older versions).
Of course, if you've got the time to spare, the full test isn't going to hurt anything (well your machine might blow up, but that's it!). :)
So how would it look like? I have no problem replacing it with a less CPU exhausting model ;)
Bye, Raymond.
Raymond Dijkxhoorn wrote:
Hi!
full PROLO_REDIR_ZDNET_CHECK_1 /http:\/\/.*chkpt.zdnet.com\/chkpt/
score PROLO_REDIR_ZDNET_CHECK_1 8.0
describe PROLO_REDIR_ZDNET_CHECK_1 PROLO_REDIR-ZDNET CHECK_1_2_3, Body
Your rule above, using uri instead of full, works under both 3.0 and 3.1 (and probably older versions).
So how would it look like? I have no problem replacing it with a less CPU exhausting model ;)
The exact same regex above would work as a uri test. Though, you might want to use:
uri PROLO_REDIR_ZDNET_CHECK_1 /^http:\/\/.*chkpt.zdnet.com\/chkpt/
...and to more closely match the zdnet redirector...
uri PROLO_REDIR_ZDNET_CHECK1 /^http:\/\/chkpt.zdnet.com\/chkpt\//
Daryl
Hi!
full PROLO_REDIR_ZDNET_CHECK_1 /http:\/\/.*chkpt.zdnet.com\/chkpt/
score PROLO_REDIR_ZDNET_CHECK_1 8.0
describe PROLO_REDIR_ZDNET_CHECK_1 PROLO_REDIR-ZDNET CHECK_1_2_3, Body
uri PROLO_REDIR_ZDNET_CHECK_1 /^http:\/\/.*chkpt.zdnet.com\/chkpt/
...and to more closely match the zdnet redirector...
uri PROLO_REDIR_ZDNET_CHECK1 /^http:\/\/chkpt.zdnet.com\/chkpt\//
Thanks! Got the picture now.
Bye, Raymond.
----- Original Message ----- From: "Daryl C. W. O'Shea" spamassassin@dostech.ca
Raymond Dijkxhoorn wrote:
Hi!
full PROLO_REDIR_ZDNET_CHECK_1 /http:\/\/.*chkpt.zdnet.com\/chkpt/
score PROLO_REDIR_ZDNET_CHECK_1 8.0
describe PROLO_REDIR_ZDNET_CHECK_1 PROLO_REDIR-ZDNET CHECK_1_2_3, Body
Your rule above, using uri instead of full, works under both 3.0 and 3.1 (and probably older versions).
So how would it look like? I have no problem replacing it with a less CPU exhausting model ;)
The exact same regex above would work as a uri test. Though, you might want to use:
uri PROLO_REDIR_ZDNET_CHECK_1 /^http:\/\/.*chkpt.zdnet.com\/chkpt/
...and to more closely match the zdnet redirector...
uri PROLO_REDIR_ZDNET_CHECK1 /^http:\/\/chkpt.zdnet.com\/chkpt\//
Just curious why you would require the URI start at the beginning of the line? Why not simply:
uri PROLO_REDIR_ZDNET_CHECK1 /http:\/\/chkpt.zdnet.com\/chkpt\//
Without the caret "^", so the URI can show up anywhere within a line?
Bill
At 01:26 2005-04-06 -0700, Jeff Chan wrote:
Raymond, Paul and others, please LART them.
We're not going to blacklist zdnet.
It's not zdnet, it's chkpt.zdnet.com.
Does chkpt.zdnet.com show up in ham?
http://groups-beta.google.com/groups?q=%22chkpt.zdnet.com%22&start=10&am...
Are we still 100% opposed to trying to find a way to include sub-domains in surbls?
Patrik
On Wednesday, April 6, 2005, 11:54:56 AM, Patrik Nilsson wrote:
At 01:26 2005-04-06 -0700, Jeff Chan wrote:
Raymond, Paul and others, please LART them.
We're not going to blacklist zdnet.
It's not zdnet, it's chkpt.zdnet.com.
Does chkpt.zdnet.com show up in ham?
http://groups-beta.google.com/groups?q=%22chkpt.zdnet.com%22&start=10&am...
Are we still 100% opposed to trying to find a way to include sub-domains in surbls?
Patrik
It's possible to list subdomains, but this one chkpt.zdnet.com would still probably not be appropriate since it probably has legitimate uses. Also subdomains may not be checked by SURBL applications.
Jeff C. -- "If it appears in hams, then don't list it."
Jeff,
So it seems that there is an obvious loophole in SURBL. As long as the spammer uses a legitimate business running a redirector you will never black list them (perhaps the spammer could even set up their own legitimate redirector). This open redirector discussion for ZDNET has been open for several weeks now, they have had more than ample warning.
Nick
Protect your domain from use by spammers. Set up an SPF record, read more about it here http://spf.pobox.com/.
-----Original Message-----
From: Jeff Chan jeffc@surbl.org
To: SURBL Discussion list discuss@lists.surbl.org
Date: Wed, 6 Apr 2005 17:49:51 -0700
Subject: Re: [SURBL-Discuss] More spams with Zdnet redirector
On Wednesday, April 6, 2005, 11:54:56 AM, Patrik Nilsson wrote:
At 01:26 2005-04-06 -0700, Jeff Chan wrote:
Raymond, Paul and others, please LART them.
We're not going to blacklist zdnet.
It's not zdnet, it's chkpt.zdnet.com.
Does chkpt.zdnet.com show up in ham?
http://groups-beta.google.com/groups?q=%22chkpt.zdnet.com%22&start=10&am... coring=d
Are we still 100% opposed to trying to find a way to include sub-domains in surbls?
Patrik
It's possible to list subdomains, but this one chkpt.zdnet.com would still probably not be appropriate since it probably has legitimate uses. Also subdomains may not be checked by SURBL applications.
Jeff C.
"If it appears in hams, then don't list it."
Discuss mailing list Discuss@lists.surbl.org http://lists.surbl.org/mailman/listinfo/discuss
On Wednesday, April 6, 2005, 11:58:31 PM, Nick Askew wrote:
Jeff,
So it seems that there is an obvious loophole in SURBL. As long as the spammer uses a legitimate business running a redirector you will never black list them (perhaps the spammer could even set up their own legitimate redirector). This open redirector discussion for ZDNET has been open for several weeks now, they have had more than ample warning.
Nick
No, it's not a loophole. Programs like SpamAssassin and SpamCopURI correctly parse some redirection sites like g.msn.com and check the redirected-to site.
Jeff C. -- "If it appears in hams, then don't list it."
The vast majority of people on the Internet do not know or care what ZDNet is. The only time they are going to see a ZDNet URL is when it arrives as part of some spam. They would quickly benefit if ZDNet was listed.
If I were to open my SMTP server so that any spammer could use it to redirect mail I'd be prepared to bet that I would end up (quite rightly) on a black list within hours and yet despite the warnings ZDNet have taken weeks and done next to nothing and are still not black listed.
Actually it's just occurred to me that all this illicit spam traffic could be quite useful for someone running a redirector. All they need to do is make it look like you are open for a couple of weeks and get the spammers really interested. Then intercept the illegal redirects to create traffic for their own site. They can effectively spam anyone they want without having to worry about the implications because after all they didn't actually do anything wrong. I'll have to quickly create my own redirector and then sit back and wait for the hits.
Nick
Protect your domain from use by spammers. Set up an SPF record, read more about it here http://spf.pobox.com/.
-----Original Message-----
From: Jeff Chan jeffc@surbl.org
To: "Nick Askew" Nick@askew.nl
Cc: SURBL Discussion list discuss@lists.surbl.org
Date: Thu, 7 Apr 2005 00:13:53 -0700
Subject: Re: [SURBL-Discuss] More spams with Zdnet redirector
On Wednesday, April 6, 2005, 11:58:31 PM, Nick Askew wrote:
Jeff,
So it seems that there is an obvious loophole in SURBL. As long as the spammer uses a legitimate business running a redirector you will never black list them (perhaps the spammer could even set up their own legitimate redirector). This open redirector discussion for ZDNET has been open for several weeks now, they have had more than ample warning.
Nick
No, it's not a loophole. Programs like SpamAssassin and SpamCopURI correctly parse some redirection sites like g.msn.com and check the redirected-to site.
Jeff C.
"If it appears in hams, then don't list it."
On Thursday, April 7, 2005, 2:58:19 AM, Nick Askew wrote:
The vast majority of people on the Internet do not know or care what ZDNet is. The only time they are going to see a ZDNet URL is when it arrives as part of some spam. They would quickly benefit if ZDNet was listed.
I disagree. ZDnet is a well known technology news site. If we listed it, then anyone who mentioned their site could get their message blocked. I think that would be wrong.
If I were to open my SMTP server so that any spammer could use it to redirect mail I'd be prepared to bet that I would end up (quite rightly) on a black list within hours and yet despite the warnings ZDNet have taken weeks and done next to nothing and are still not black listed.
Sure, but sender RBLs are not the same as what we're doing. Listing a mail server/sender is not the same as listing a domain to be checked against URIs. If we listed your domain askew.nl it would mean mentions of your web site would get messages blocked. That has a lot more impact than just blacklisting your mail server since it means no one (using SURBLs) would hear mention of your web site.
Many people keep thinking in terms of old-fashioned RBLs, but we're doing something quite different. :-)
Actually it's just occurred to me that all this illicit spam traffic could be quite useful for someone running a redirector. All they need to do is make it look like you are open for a couple of weeks and get the spammers really interested. Then intercept the illegal redirects to create traffic for their own site. They can effectively spam anyone they want without having to worry about the implications because after all they didn't actually do anything wrong. I'll have to quickly create my own redirector and then sit back and wait for the hits.
Not sure what you're saying. If spammers created their own domains for redirecting spam, we would blacklist those domains and blacklist the domains they redirected to.
I doubt that any legitimate organizations would gain much from intercepting and redirecting spammer's use of their redirectors. More likely it would make people mad at them for appearing to advertise their own site using spam. How many spam fighters would like that? Probably not many.
Jeff C. -- "If it appears in hams, then don't list it."
At 00:13 2005-04-07 -0700, Jeff Chan wrote:
On Wednesday, April 6, 2005, 11:58:31 PM, Nick Askew wrote:
Jeff,
So it seems that there is an obvious loophole in SURBL. As long as the spammer uses a legitimate business running a redirector you will never black list them (perhaps the spammer could even set up their own legitimate redirector). This open redirector discussion for ZDNET has been open for several weeks now, they have had more than ample warning.
Nick
No, it's not a loophole. Programs like SpamAssassin and SpamCopURI correctly parse some redirection sites like g.msn.com and check the redirected-to site.
That workaround is part of the problem, not part of the solution.
If we encourage client implementations to work around the problem in that way, we will always have:
1. Clients that need to be updated with the latest redirectors, unless we provide and encourage implementations to use a constantly updated online source of redirectors.
2. Major redirectors getting included in the special work-arounds, like Google, and smaller ones not getting included.
If we believe that open redirectors are bad, we should not solve the problem by working around a few major ones that we are currently aware of.
Patrik
On Thursday, April 7, 2005, 12:45:51 PM, Patrik Nilsson wrote:
At 00:13 2005-04-07 -0700, Jeff Chan wrote:
On Wednesday, April 6, 2005, 11:58:31 PM, Nick Askew wrote:
Jeff,
So it seems that there is an obvious loophole in SURBL. As long as the spammer uses a legitimate business running a redirector you will never black list them (perhaps the spammer could even set up their own legitimate redirector). This open redirector discussion for ZDNET has been open for several weeks now, they have had more than ample warning.
Nick
No, it's not a loophole. Programs like SpamAssassin and SpamCopURI correctly parse some redirection sites like g.msn.com and check the redirected-to site.
That workaround is part of the problem, not part of the solution.
If we encourage client implementations to work around the problem in that way, we will always have:
- Clients that need to be updated with the latest redirectors, unless we provide and encourage implementations to use a constantly updated online source of redirectors.
- Major redirectors getting included in the special work-arounds, like Google, and smaller ones not getting included.
If we believe that open redirectors are bad, we should not solve the problem by working around a few major ones that we are currently aware of.
Patrik
Our solution is to detect and check the big ones, and try to get all of them to not be open to spammers.
What's your solution? Blacklisting all open redirectors? So no one should be able to mention them?
Jeff C. -- "If it appears in hams, then don't list it."
At 17:49 2005-04-06 -0700, Jeff Chan wrote:
It's possible to list subdomains, but this one chkpt.zdnet.com would still probably not be appropriate since it probably has legitimate uses.
"probably"? Is there any evidence of chkpt.zdnet.com actually appearing in ham? There is plenty of evidence of it appearing in spam, but I have not seen any example of it appearing in ham.
Also subdomains may not be checked by SURBL applications.
What I am actually asking is "Should we maybe change our current policy and actively encourage that applications and listings consider sub-domains of certain domains in a similar way to how some country subdomains are already treated, and if so, should this be something that is updated from an on-line source".
Patrik
On Thursday, April 7, 2005, 1:32:58 PM, Patrik Nilsson wrote:
At 17:49 2005-04-06 -0700, Jeff Chan wrote:
It's possible to list subdomains, but this one chkpt.zdnet.com would still probably not be appropriate since it probably has legitimate uses.
"probably"? Is there any evidence of chkpt.zdnet.com actually appearing in ham? There is plenty of evidence of it appearing in spam, but I have not seen any example of it appearing in ham.
zdnet would not have created the redirector just for spammers to use. That would not be reasonable. Therefore they probably have some legitimate uses for it.
Also subdomains may not be checked by SURBL applications.
What I am actually asking is "Should we maybe change our current policy and actively encourage that applications and listings consider sub-domains of certain domains in a similar way to how some country subdomains are already treated, and if so, should this be something that is updated from an on-line source".
Patrik
It's something to consider, and SpamAssassin does actually check gtlds at both second and third level domains. But so far most spams use domains that can be blocked at the second level. In other words, spammers register their own gtlds like spammer.com. They don't tend to use third-level.legitimate.com.
chkpt.zdnet.com does not change this situation significantly.
Jeff C. -- "If it appears in hams, then don't list it."
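The two ideas debated in this thread, checking the redirected-to site of a redirector URL against a URI blocklist and running the redirector from an allowlist rather than a blacklist, sketched in Python as an added example; it is not code from any poster, from SpamAssassin, or from SURBL. The blocklist and allowlist contents, the function names, and the last-two-labels domain reduction are assumptions for illustration; the URL layout comes from the links quoted above.

```python
import re
from urllib.parse import urlsplit

# URL layout taken from the links quoted in the thread:
#   http://chkpt.zdnet.com/chkpt/<tag>/<target-host>[/path]
# The pattern is applied to one extracted URI at a time, so ^ anchors
# to the start of that URI, not to the start of a line in the message.
ZDNET_REDIR = re.compile(r"^http://chkpt\.zdnet\.com/chkpt/[^/]+/([^/?#:]+)", re.I)
URI_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

# Constructed stand-ins (assumptions): a URI blocklist as a client would
# query it, and an allowlist the redirector operator could enforce instead.
BLOCKLIST = {"rdx56.info", "surbl-org-permanent-test-point.com"}
ALLOWLIST = {"zdnet.com"}

# Constructed sample messages; the spam URL is the one quoted in the thread.
SPAM = "check us out at http://chkpt.zdnet.com/chkpt/howbad/rdx56.info/p/yo"
HAM = "Good write-up at http://www.zdnet.com/news/story.html."


def redirect_target(uri):
    """Host embedded in a chkpt.zdnet.com redirect URI, or None."""
    m = ZDNET_REDIR.match(uri)
    return m.group(1).lower() if m else None


def registered_domain(host):
    # Simplification: keep the last two labels. A real client also needs a
    # list of two-level TLDs (co.uk and similar) to get this right.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def domains_to_check(body):
    """Domains to look up for one message: each URI's own host plus,
    for redirector URIs, the redirected-to host."""
    found = []
    for uri in URI_RE.findall(body):
        uri = uri.rstrip(".,)")
        hosts = [urlsplit(uri).hostname, redirect_target(uri)]
        for host in filter(None, hosts):
            domain = registered_domain(host)
            if domain not in found:
                found.append(domain)
    return found


def is_listed(body):
    return any(d in BLOCKLIST for d in domains_to_check(body))


def redirector_allows(target_host, policy):
    """Redirector-side decision under the two policies discussed."""
    domain = registered_domain(target_host)
    if policy == "denylist":      # open to everything not yet listed
        return domain not in BLOCKLIST
    return domain in ALLOWLIST    # default deny: only known-good targets


if __name__ == "__main__":
    print(domains_to_check(SPAM), is_listed(SPAM), is_listed(HAM))
    for host in ("rdx56.info", "surbl.org"):
        print(host, redirector_allows(host, "denylist"),
              redirector_allows(host, "allowlist"))
```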