From: "Menno van Bennekom"
> Hi,
> I get spam with a different URL, the redirect has only one '/': <a
> href="http://rd.yahoo.com/oashoscy/*http:/hjktccbz.woodwheel.info/mn/num17%22%3E
> This is not recognised by BIZ_TLD (in this example my copy, INFO_TLD). I can change that in the regular expression. But I don't think SPAMCOP_URI_RBL recognizes it either because woodwheel is in the database but SA gives no hit. If you click on the link above it works, so it seems the one slash is possible. Can anyone confirm that one slash is not recognized?
This should work with SpamCopURI.
What version are you using? Have you got an entry like

    spamcop_uri_resolve_open_redirects 1
    open_redirect_list_spamcop_uri rd.yahoo.com *.rd.yahoo.com

in spamcop_uri.cf?
John
You are right, SpamCopURI is not bothered by the one slash. I think my configuration (v0.16 and v0.18) is okay, I get lots of hits on ws+sc.surbl.org in other mails on both servers, also with redirects in them. I have done some sniffing and SpamCopURI DOES do the lookup, only for some reason it gets an NXDomain. See tcpdump:

    09:50:20.338446 10.1.40.12.3107 > 194.109.104.104.53: 16981+ A? woodwheel.info.ws.surbl.org. (45) (DF)
    09:50:20.357518 194.109.104.104.53 > 10.1.40.12.3107: 16981 NXDomain 0/1/0 (101)
    09:50:20.376361 10.1.40.12.3107 > 194.109.104.104.53: 16982+ A? yahoo.com.sc.surbl.org. (40) (DF)
    09:50:20.397058 194.109.104.104.53 > 10.1.40.12.3107: 16982 NXDomain* 0/1/0 (108)
    09:50:20.405862 10.1.40.12.3107 > 194.109.104.104.53: 16983+ A? woodwheel.info.sc.surbl.org. (45) (DF)
    09:50:20.424440 194.109.104.104.53 > 10.1.40.12.3107: 16983 NXDomain 0/1/0 (101)

But http://www.rulesemporium.com/cgi-bin/uribl.cgi says that woodwheel.info is listed in sc.surbl.org... Strange thing. But I'm relieved that URIs with one slash are checked by SpamCopURI so what's left is BIZ_TLD (and INFO_TLD), the standard regular expression doesn't recognise the one slash. If I see more of those URIs I will change that regexp.
Regards Menno
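
Added example, not part of the original thread and not SpamCopURI or SpamAssassin code: pulling the redirect target out of the URL above when the embedded scheme has only one slash, next to a two-slash pattern that misses it, and building blocklist query names of the form seen in the tcpdump. The regexes, the function names and the two-label domain reduction are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# Tolerant pattern: scheme followed by ONE or more slashes, then a hostname.
# Browsers repair "http:/host" into "http://host", so the link still works.
TOLERANT = re.compile(r"https?:/+([a-z0-9.-]+)", re.IGNORECASE)
# Constructed stand-in for a rule that insists on exactly "://".
STRICT = re.compile(r"https?://([a-z0-9.-]+)", re.IGNORECASE)

def _hosts(pattern, url):
    return [m.group(1).lower().rstrip(".") for m in pattern.finditer(unquote(url))]

def hosts_in_url(url):
    """Every hostname in the URL: the redirector and any embedded target."""
    return _hosts(TOLERANT, url)

def strict_hosts(url):
    """Hostnames seen by a two-slash-only pattern (misses 'http:/target')."""
    return _hosts(STRICT, url)

def base_domain(host):
    """Naive reduction to the last two labels (assumption: no ccTLD table)."""
    return ".".join(host.split(".")[-2:])

def surbl_queries(url, zones=("ws.surbl.org", "sc.surbl.org")):
    """DNS names a URI blocklist check would look up for this URL."""
    domains = []
    for host in hosts_in_url(url):
        d = base_domain(host)
        if d not in domains:
            domains.append(d)
    return [f"{d}.{z}" for d in domains for z in zones]

# URL quoted in the thread: one slash after the embedded "http:".
SAMPLE = "http://rd.yahoo.com/oashoscy/*http:/hjktccbz.woodwheel.info/mn/num17%22%3E"

if __name__ == "__main__":
    print("strict  :", strict_hosts(SAMPLE))
    print("tolerant:", hosts_in_url(SAMPLE))
    for name in surbl_queries(SAMPLE):
        print("query   :", name)
```
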
From: "Menno van Bennekom"
> But http://www.rulesemporium.com/cgi-bin/uribl.cgi says that woodwheel.info is listed in sc.surbl.org... Strange thing. But I'm relieved that URIs with one slash are checked by SpamCopURI so what's left is BIZ_TLD (and INFO_TLD), the standard regular expression doesn't recognise the one slash. If I see more of those URIs I will change that regexp.
> Regards Menno
Indeed, if I do a command line lookup, I find an A record for it:
    dig +short woodwheel.info.sc.surbl.org
    127.0.0.2

What does this return for you?
If it's working now, it could be just a zonefile propagation delay to the secondary name servers. (There is still one secondary ns14.surbl.org which does not have the record at the time of writing).
Are you normally getting spam hits from surbl?
What does this return (removing MUNGED first):
dig surbl-org-permanent-test-pointMUNGED.com.sc.surbl.org
Are you running a local copy of surbld data or using the public name servers?
John
I use the public name servers, and the SpamCopURI is working fine, lots of SPAMCOP_URI hits on other spam-mails. The woodwheel-surbl is not found in the DNS of my provider (xs4all) but other domains are found, and I tried another provider's DNS and that one did find the woodwheel-surbl. So it seems there is something not up to date in the DNS of my provider.

    dig @194.109.104.104 +short woodwheel.info.sc.surbl.org
    dig @194.109.104.104 +short watchsound.com.sc.surbl.org --> 127.0.0.2
    dig @194.109.104.104 +short surbl-org-permanent-test-point.com.sc.surbl.org --> 127.0.0.2

Other provider:

    dig @194.159.73.135 +short woodwheel.info.sc.surbl.org --> 127.0.0.2
Thanks Menno
On Wednesday, June 9, 2004, 1:36:16 AM, Menno Bennekom wrote:
> I use the public name servers, and the SpamCopURI is working fine, lots of SPAMCOP_URI hits on other spam-mails. The woodwheel-surbl is not found in the DNS of my provider (xs4all) but other domains are found, and I tried another provider's DNS and that one did find the woodwheel-surbl. So it seems there is something not up to date in the DNS of my provider.
> dig @194.109.104.104 +short woodwheel.info.sc.surbl.org
Thanks much for the heads up, Menno. For some reason the zone file on ns14.surbl.org, which is hosted at xs4all, is very stale. Let me contact the DNS administrator there and ask him to check it.
Jeff C.
Woodwheel.info is now in the DNS of our provider (xs4all) so I guess they are up to date now. Thanks! Menno
Hi Menno,
> Thanks much for the heads up, Menno. For some reason the zone file on ns14.surbl.org, which is hosted at xs4all, is very stale. Let me contact the DNS administrator there and ask him to check it.
> Woodwheel.info is now in the DNS of our provider (xs4all) so I guess they are up to date now.
Yes, xs4all fixed the problem and the zone has been running OK again for some hours now.
Bye, Raymond.