Rakesh Pal wrote:
I have been bugged a lot by embedded image spams recently, although some of these spams got trapped due to URI checks, some managed to pass as well as the URL wasn't yet blocked in the SURBLs.
and Jeff Chan wrote:
Please provide the URI and the timestamp it was first seen. We can use that information to see if we can get them into SURBLs sooner.
Hello ---
I've been diligently sending full message sources of similar spam to submit.[code]@spam.spamcop.net these past several days. My account there is set up as a mole to minimize the chance of being joe-jobbed. My understanding is that spamcop adds a point for that URI in spamcop's database, until it exceeds the threshold needed for inclusion in sc.surbl. Then, by way of the URIBL_SC_SURBL rule in SA 3.0.3, more of these things will be caught as spam, since SA assigns >= 3.8 points to each such spam. Am new to these tools, so I hope I've understood the docs and faq pages correctly ...
Jeff, I can send you a zip file with a bunch of these recent message sources (my email client is OE6). Or, do you just need a bunch of Date: / Message-ID: / Content-ID: triplets?
Sean S. www.twin-dad.com
On Saturday, May 28, 2005, 7:35:05 AM, Sean Sowell wrote:
Rakesh Pal wrote:
I have been bugged a lot by embedded image spams recently, although some of these spams got trapped due to URI checks, some managed to pass as well as the URL wasn't yet blocked in the SURBLs.
and Jeff Chan wrote:
Please provide the URI and the timestamp it was first seen. We can use that information to see if we can get them into SURBLs sooner.
Hello ---
I've been diligently sending full message sources of similar spam to submit.[code]@spam.spamcop.net these past several days. My account there is set up as a mole to minimize the chance of being joe-jobbed. My understanding is that spamcop adds a point for that URI in spamcop's database, until it exceeds the threshold needed for inclusion in sc.surbl. Then, by way of the URIBL_SC_SURBL rule in SA 3.0.3, more of these things will be caught as spam, since SA assigns >= 3.8 points to each such spam. Am new to these tools, so I hope I've understood the docs and faq pages correctly ...
Jeff, I can send you a zip file with a bunch of these recent message sources (my email client is OE6). Or, do you just need a bunch of Date: / Message-ID: / Content-ID: triplets?
If you can post or send the timestamp of the message and the URI domain of it, that would be great.
Jeff C. -- Don't harm innocent bystanders.
Jeff C. wrote:
If you can post or send the timestamp of the message and the URI domain of it, that would be great.
Here's the list. My criteria for inclusion were that SA with default settings scored it < 5.0 (false negative), and the image(s) took up > 1/3 of the message body height.
If the keepers of the various SURBLs would be willing to block-list these spammers and repeat-offender spamvertisers, that would be muy fantastico. My preference would be the SC, AB or OB SURBLs in that order, since SA assigns them the most points.
Many thanks,
Sean S.
On Sunday, May 29, 2005, 5:27:44 PM, Sean Sowell wrote:
Jeff C. wrote:
If you can post or send the timestamp of the message and the URI domain of it, that would be great.
Here's the list. My criteria for inclusion were that SA with default settings scored it < 5.0 (false negative), and the image(s) took up > 1/3 of the message body height.
1. Please don't use SA scores as an absolute indication of spammyness. It's crucial to manually review the submissions and not report legitimate domains like dell.com, directv, walmart, etc. Please don't report those!
2. Please do continue to use SpamCop for reporting. Even in mole mode, we get the URI reports.
3. But it's crucial to NOT report legitimate domains. Frankly the only domains I'm interested in blacklisting are the ones that are advertised by criminal spam gangs, i.e. the ones usually advertising viagra, porn, pirated software or mortgages, etc.
Jeff C. -- Don't harm innocent bystanders.
On May 30, 2005 1802 Jeff C. wrote
- Please don't use SA scores as an absolute indication of spammyness. It's crucial to manually review the submissions and not report legitimate domains like dell.com, directv, walmart, etc. Please don't report those!
- Please do continue to use SpamCop for reporting. Even in mole mode, we get the URI reports.
- But it's crucial to NOT report legitimate domains. Frankly the only domains I'm interested in blacklisting are the ones that are advertised by criminal spam gangs, i.e. the ones usually advertising viagra, porn, pirated software or mortgages, etc.
OK, for general purposes I see why the spamvertised domains should not be blacklisted. I only started using SA on 5/19. Have been reading thru their faq and wiki, and can see how the 600 rules it uses can at times cancel each other out. I haven't seen a reason to change the default threshold yet but that may change.
For me, it helps to see who's letting their stuff or their logo appear in spamvertisements. At some point - in my book anyway - they move from the innocent bystander column into a gray area and across the spectrum toward black. Just my point of view.
I do review my submissions carefully. I include the spamvertised domain(s) in my reports so they know their marks are being used improperly and can take steps to end it. That way, the spammers get it from both ends. Seems fair to me, but please let me know if my thinking is flawed.
Thanks,
Sean
On Monday, May 30, 2005, 7:31:27 PM, Sean Sowell wrote:
On May 30, 2005 1802 Jeff C. wrote
- Please don't use SA scores as an absolute indication of spammyness. It's crucial to manually review the submissions and not report legitimate domains like dell.com, directv, walmart, etc. Please don't report those!
- Please do continue to use SpamCop for reporting. Even in mole mode, we get the URI reports.
- But it's crucial to NOT report legitimate domains. Frankly the only domains I'm interested in blacklisting are the ones that are advertised by criminal spam gangs, i.e. the ones usually advertising viagra, porn, pirated software or mortgages, etc.
OK, for general purposes I see why the spamvertised domains should not be blacklisted. I only started using SA on 5/19. Have been reading thru their faq and wiki, and can see how the 600 rules it uses can at times cancel each other out. I haven't seen a reason to change the default threshold yet but that may change.
There are very few negative scores left in SA. About the only one people commonly have trouble with is ALL_TRUSTED. That only "does the wrong thing" if the trust path is not set correctly:
http://spamassassin.apache.org/doc/Mail_SpamAssassin_Conf.html
For me, it helps to see who's letting their stuff or their logo appear in spamvertisements. At some point - in my book anyway - they move from the innocent bystander column into a gray area and across the spectrum toward black. Just my point of view.
I do review my submissions carefully. I include the spamvertised domain(s) in my reports so they know their marks are being used improperly and can take steps to end it. That way, the spammers get it from both ends. Seems fair to me, but please let me know if my thinking is flawed.
That's fine as far as it goes, but it's not what we're looking to include in SURBLs.
If you can find domains that belong to spam gangs advertising viagra, mortgages, warez, etc. then please report those.
Please do not report Dell, Walmart, or any other domain with legitimate non-spam uses.
Jeff C. -- Don't harm innocent bystanders.
On Monday, May 30, 2005 2216, Jeff C. wrote
... That's fine as far as it goes, but it's not what we're looking to include in SURBLs.
If you can find domains that belong to spam gangs advertising viagra, mortgages, warez, etc. then please report those.
Please do not report Dell, Walmart, or any other domain with legitimate non-spam uses.
OK. Again, as I agreed in my prior post, none of the spamvertised domains in parentheses should be blacklisted.
The rest of the list is good though, and those domains should be added. Do you want me to delete the extra stuff and re-post it?
On Tuesday, May 31, 2005, 12:58:32 AM, Sean Sowell wrote:
OK. Again, as I agreed in my prior post, none of the spamvertised domains in parentheses should be blacklisted.
The rest of the list is good though, and those domains should be added. Do you want me to delete the extra stuff and re-post it?
Yes, please, if you could mention the ones over the past couple days we'll look into them. Some of the ones you mentioned earlier are already blacklisted, so we'd like to analyze the unlisted recent ones to see how we can list them sooner.
Jeff C. -- Don't harm innocent bystanders.
On Tuesday, May 31, 2005, 1:11:58 AM, Jeff Chan wrote:
On Tuesday, May 31, 2005, 12:58:32 AM, Sean Sowell wrote:
OK. Again, as I agreed in my prior post, none of the spamvertised domains in parentheses should be blacklisted.
The rest of the list is good though, and those domains should be added. Do you want me to delete the extra stuff and re-post it?
Yes, please, if you could mention the ones over the past couple days we'll look into them. Some of the ones you mentioned earlier are already blacklisted, so we'd like to analyze the unlisted recent ones to see how we can list them sooner.
By the way, just to sanity check things, these are the domains in message body URIs and not headers, right? I ask because it's somewhat unusual to have two sets of domains in a given spam, and SURBLs are meant to operate on message body URIs and not headers.
Jeff C. -- Don't harm innocent bystanders.
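The report requested in this thread (message timestamp plus the domains of message-body URIs, not header domains), sketched as an added example that is not code from any poster or from the SURBL project. The sample message, the `.example` domains and the `reviewed_legit` parameter are constructed for illustration, and `base_domain` is a simplification.

```python
import re
from email import message_from_string, policy
from email.utils import parsedate_to_datetime
from urllib.parse import urlsplit

# Constructed sample: the header domain must NOT be reported, only body URIs.
SAMPLE = """\
From: offers@header-only.example
Message-ID: <1@header-only.example>
Date: Mon, 30 May 2005 09:15:00 -0400
Subject: Special offer
MIME-Version: 1.0
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"

<html><body><a href="http://click.mailer.example/r?id=1">
<img src="cid:img1"></a>
<a href="http://www.brand.example/unsubscribe">unsubscribe</a></body></html>
--b1
Content-Type: image/gif
Content-ID: <img1>
Content-Transfer-Encoding: base64

R0lGODlhAQABAAAAACw=
--b1--
"""

URI_RE = re.compile(r"""https?://[^\s"'<>]+""", re.IGNORECASE)

def base_domain(host):
    # Simplification (assumption): keep the last two labels. Real URI
    # blocklist clients consult a list of two-level TLDs (co.uk etc.).
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def body_uri_report(raw, reviewed_legit=frozenset()):
    """Return (ISO timestamp, sorted body-URI domains minus reviewed ones)."""
    msg = message_from_string(raw, policy=policy.default)
    stamp = parsedate_to_datetime(str(msg["Date"])).isoformat()
    domains = set()
    for part in msg.walk():  # only text/* bodies; headers and images skipped
        if part.get_content_maintype() != "text":
            continue
        for uri in URI_RE.findall(part.get_content()):
            host = urlsplit(uri).hostname
            if host:
                domains.add(base_domain(host))
    # reviewed_legit (hypothetical): domains a human reviewer marked legitimate
    return stamp, sorted(domains - set(reviewed_legit))

if __name__ == "__main__":
    print(body_uri_report(SAMPLE, reviewed_legit={"brand.example"}))
```

The `reviewed_legit` set only records the outcome of manual review; it does not replace it.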