Please test the MailPolice Fraud list as Bill described earlier (copied below). We would like to include this data in our PH anti-phishing list, but request your help in testing it first.
We're particularly interested in any false positives.
Jeff C. __
This is a list that MailPolice hosts and I have been running it for a few hours and it has already flagged some phish and fraud e-mails. Here is some info about the list: http://rhs.mailpolice.com/#rhsfraud
This is my configuration for SA 2.64 with the SpamCopURI plug-in:
uri MP_URI_RBL eval:check_spamcop_uri_rbl('fraud.rhs.mailpolice.com','127.0.0.2')
describe MP_URI_RBL URI's domain appears in MailPolice fraud list
tflags MP_URI_RBL net
score MP_URI_RBL 2.0
And for SA 3.0 with the URIDNSBL plug-in:
urirhsbl URIBL_MP fraud.rhs.mailpolice.com. A
header URIBL_MP eval:check_uridnsbl('URIBL_MP')
describe URIBL_MP URI's domain appears in MailPolice fraud list
tflags URIBL_MP net
score URIBL_MP 2.0
Bill
Speaking of phishing, please try the mailpolice fraud data and let us know how it works for you. We'd like to add it to PH but want your feedback.
Thanks,
Jeff C. __
On Monday, September 20, 2004, 4:20:52 PM, Jeff Chan wrote:
Please test the MailPolice Fraud list as Bill described earlier (copied below). We would like to include this data in our PH anti-phishing list, but request your help in testing it first.
We're particularly interested in any false positives.
Jeff C. __
This is a list that MailPolice hosts and I have been running it for a few hours and it has already flagged some phish and fraud e-mails. Here is some info about the list: http://rhs.mailpolice.com/#rhsfraud
This is my configuration for SA 2.64 with the SpamCopURI plug-in:
uri MP_URI_RBL eval:check_spamcop_uri_rbl('fraud.rhs.mailpolice.com','127.0.0.2')
describe MP_URI_RBL URI's domain appears in MailPolice fraud list
tflags MP_URI_RBL net
score MP_URI_RBL 2.0
And for SA 3.0 with the URIDNSBL plug-in:
urirhsbl URIBL_MP fraud.rhs.mailpolice.com. A
header URIBL_MP eval:check_uridnsbl('URIBL_MP')
describe URIBL_MP URI's domain appears in MailPolice fraud list
tflags URIBL_MP net
score URIBL_MP 2.0
Bill
Discuss mailing list Discuss@lists.surbl.org http://lists.surbl.org/mailman/listinfo/discuss
Jeff C.
Jeff Chan wrote:
Please test the MailPolice Fraud list as Bill described earlier (copied below).
uri MP_URI_RBL eval:check_spamcop_uri_rbl('fraud.rhs.mailpolice.com','127.0.0.2')
describe MP_URI_RBL URI's domain appears in MailPolice fraud list
tflags MP_URI_RBL net
score MP_URI_RBL 2.0
Jeff,
Which bitmask should I use for this list? Or does it work as written above? Below is an example of my spamcop_uri.cf file. Can you please confirm that the three lists below are correct?
uri AB_URI_RBL eval:check_spamcop_uri_rbl('multi.surbl.org','127.0.0.0+32')
describe AB_URI_RBL URI's domain appears in ab database at ab.surbl.org
tflags AB_URI_RBL net
score AB_URI_RBL 5.0

uri JP_URI_RBL eval:check_spamcop_uri_rbl('multi.surbl.org','127.0.0.0+64')
describe JP_URI_RBL URI's domain appears in jp database at jp.surbl.org
tflags JP_URI_RBL net
score JP_URI_RBL 5.0

uri MP_URI_RBL eval:check_spamcop_uri_rbl('fraud.rhs.mailpolice.com','127.0.0.2')
describe MP_URI_RBL URI's domain appears in MailPolice fraud list
tflags MP_URI_RBL net
score MP_URI_RBL 2.0
Thank you
/ Martin
On Thursday, September 23, 2004, 1:51:16 AM, Martin Martin wrote:
Jeff Chan wrote:
Please test the MailPolice Fraud list as Bill described earlier (copied below).
Which bitmask should I use for this list? Or does it work as written above? Below is an example of my spamcop_uri.cf file. Can you please confirm that the three lists below are correct?
uri AB_URI_RBL eval:check_spamcop_uri_rbl('multi.surbl.org','127.0.0.0+32')
describe AB_URI_RBL URI's domain appears in ab database at ab.surbl.org
tflags AB_URI_RBL net
score AB_URI_RBL 5.0

uri JP_URI_RBL eval:check_spamcop_uri_rbl('multi.surbl.org','127.0.0.0+64')
describe JP_URI_RBL URI's domain appears in jp database at jp.surbl.org
tflags JP_URI_RBL net
score JP_URI_RBL 5.0

uri MP_URI_RBL eval:check_spamcop_uri_rbl('fraud.rhs.mailpolice.com','127.0.0.2')
describe MP_URI_RBL URI's domain appears in MailPolice fraud list
tflags MP_URI_RBL net
score MP_URI_RBL 2.0
That's correct. fraud.rhs.mailpolice.com is not part of multi or even a SURBL at this point, so it has no bitmask. It's a separate, external list. If we like the data, we will add it into PH in multi.
ab.surbl.org is good to add, but jp doesn't exist until Monday. :-)
Also descriptions like:
URI's domain appears in http://www.surbl.org/lists.html#ab
would be better.
Jeff C.
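Added example, not part of the original thread: a Python sketch of the difference discussed above between a bitmask rule on the combined multi.surbl.org zone and an exact-match rule on a separate list such as fraud.rhs.mailpolice.com. The rule names, zones and match values are the ones posted in the thread; the reading of 'ip+mask' as "same 127.0.0 prefix and a masked bit set in the last octet", the function names and the resolver data are assumptions constructed for illustration.

```python
import ipaddress

# Rules exactly as posted in the thread: (rule name, zone, match spec).
RULES = [
    ("AB_URI_RBL", "multi.surbl.org", "127.0.0.0+32"),
    ("JP_URI_RBL", "multi.surbl.org", "127.0.0.0+64"),
    ("MP_URI_RBL", "fraud.rhs.mailpolice.com", "127.0.0.2"),
]

# Constructed resolver data (not real listings): query name -> A records.
FAKE_DNS = {
    "listed-both.example.multi.surbl.org": ["127.0.0.96"],  # 32 + 64
    "listed-ab.example.multi.surbl.org": ["127.0.0.32"],
    "fraud.example.fraud.rhs.mailpolice.com": ["127.0.0.2"],
}


def query_name(domain, zone):
    """A right-hand-side list is queried as <uri-domain>.<zone>."""
    return f"{domain.strip('.').lower()}.{zone.strip('.')}"


def parse_spec(spec):
    """'127.0.0.2' -> exact match; '127.0.0.0+32' -> base address plus bitmask."""
    base, _, mask = spec.partition("+")
    return ipaddress.IPv4Address(base), (int(mask) if mask else None)


def answer_matches(spec, answer):
    base, mask = parse_spec(spec)
    addr = ipaddress.IPv4Address(answer)
    if mask is None:
        # Separate, external list: one fixed answer, no bitmask.
        return addr == base
    # Combined zone: membership in each sub-list is one bit of the last octet.
    same_prefix = int(addr) >> 8 == int(base) >> 8
    return same_prefix and bool(int(addr) & 0xFF & mask)


def evaluate(domain, dns=FAKE_DNS):
    """Return the names of the rules that fire for one URI domain."""
    hits = []
    for rule, zone, spec in RULES:
        answers = dns.get(query_name(domain, zone), [])  # missing = NXDOMAIN
        if any(answer_matches(spec, a) for a in answers):
            hits.append(rule)
    return hits


if __name__ == "__main__":
    for d in ("listed-both.example", "listed-ab.example", "fraud.example", "clean.example"):
        print(d, evaluate(d))
```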
Jeff Chan wrote:
That's correct. fraud.rhs.mailpolice.com is not part of multi or even a SURBL at this point, so it has no bitmask. It's a separate, external list. If we like the data, we will add it into PH in multi.
Right, thanks for clarifying.
ab.surbl.org is good to add, but jp doesn't exist until Monday. :-)
Alright, will it be harmless to have JP activated even though it's not in use yet?
Also descriptions like:
URI's domain appears in http://www.surbl.org/lists.html#ab
would be better.
Good idea, but the '#' sign is getting ignored by the system as it thinks I've commented out the characters next to it :)
/ Martin
On Thursday, September 23, 2004, 4:41:54 AM, Martin Martin wrote:
ab.surbl.org is good to add, but jp doesn't exist until Monday. :-)
Alright, will it be harmless to have JP activated even though it's not in use yet?
Probably ok, though it could create extra DNS queries until then. To be honest I don't know the detailed effects of adding it before the data is there.
Also descriptions like:
URI's domain appears in http://www.surbl.org/lists.html#ab
would be better.
Good idea, but the '#' sign is getting ignored by the system as it thinks I've commented out the characters next to it :)
/ Martin
Aha, thanks for the feedback.
Jeff C.
On Monday 20 September 2004 06:20 pm, Jeff Chan wrote:
Please test the MailPolice Fraud list as Bill described earlier (copied below). We would like to include this data in our PH anti-phishing list, but request your help in testing it first.
We're particularly interested in any false positives.
Jeff C. __
Jeff, I know you're interested in FP's but how about a fraud/phishing spam that wasn't tagged by MP? The message mentions new servers and upgrading your account info.
Status: R
Return-Path: test@localhost.localdomain
Received: from localhost.localdomain ([202.82.17.60]) by tanager.mail.pas.earthlink.net (EarthLink SMTP Server) with ESMTP id 1cc6Dr2lm3NZFmQ0 for cpollock@earthlink.net; Mon, 27 Sep 2004 18:18:29 -0700 (PDT)
Received: from localhost.localdomain (httpserver [127.0.0.1]) by localhost.localdomain (8.12.11/8.12.11) with ESMTP id i8S1ISC3018023 for cpollock@earthlink.net; Tue, 28 Sep 2004 09:18:28 +0800
Received: (from test@localhost) by localhost.localdomain (8.12.11/8.12.11/Submit) id i8S1IS7M018022; Tue, 28 Sep 2004 09:18:28 +0800
Date: Tue, 28 Sep 2004 09:18:28 +0800
Message-Id: 200409280118.i8S1IS7M018022@localhost.localdomain
To: cpollock@earthlink.net
Subject: *****SPAM***** Ebay account update to new servers
From: eBay Online Communitysupport@ebay.com
Content-Type: text/html
X-ELNK-AV: 0
X-Spam-DCC: sgs_public_dcc_server: cpollock 1199; Body=many Fuz1=many Fuz2=many
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on cpollock
X-Spam-Level: **************************************************
X-Spam-Status: Yes, hits=119.9 required=5.0 tests=AM_BODY_PLING, ASKS_BILLING_ADDRESS,BAYES_70,DCC_CHECK,HTML_FONTCOLOR_BLUE, HTML_FONTCOLOR_RED,HTML_MESSAGE,HTML_MIME_NO_HTML_TAG, MIME_HEADER_CTYPE_ONLY,MIME_HTML_NO_CHARSET,MIME_HTML_ONLY, NORMAL_HTTP_TO_IP,RM_uwd_affiliate,SARE_FORGED_EBAY,SARE_HTML_FSIZE6 autolearn=no version=2.63
X-Spam-Pyzor: Reported 0 times.
X-Spam-Report:
 * 1.0 AM_BODY_PLING BODY: Body has lots of exclamation points
 * 0.4 ASKS_BILLING_ADDRESS BODY: Asks for a billing address
 * 2.6 BAYES_70 BODY: Bayesian spam probability is 70 to 80%
 *     [score: 0.7408]
 * 0.1 HTML_FONTCOLOR_BLUE BODY: HTML font color is blue
 * 0.1 HTML_MESSAGE BODY: HTML included in message
 * 0.3 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
 * 0.1 HTML_FONTCOLOR_RED BODY: HTML font color is red
 * 0.2 SARE_HTML_FSIZE6 BODY: Message uses suspicious font size and/or color
 * 1.4 MIME_HTML_NO_CHARSET RAW: Message text in HTML without charset
 * 2.4 NORMAL_HTTP_TO_IP URI: Uses a dotted-decimal IP address in URL
 * 1.3 RM_uwd_affiliate URI: text references affiliate program
 * 2.7 DCC_CHECK Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
 * 1.2 HTML_MIME_NO_HTML_TAG HTML-only message, but there is no HTML tag
 * 2.2 MIME_HEADER_CTYPE_ONLY 'Content-Type' found without required MIME headers
 * 104 SARE_FORGED_EBAY Message appears to be forged, (ebay.com)
X-Status: N
On Mon, 27 Sep 2004 20:27:42 -0500, Chris cpollock@earthlink.net wrote:
Jeff, I know you're interested in FP's but how about a fraud/phishing spam that wasn't tagged by MP? The message mentions new servers and upgrading your account info.
Please forward full message sources for any Phishing reports to postmaster@corp.mailsecurity.net
We'll get them dropped into the PH list in no time :)
On Monday, September 27, 2004, 6:34:48 PM, David Hooton wrote:
On Mon, 27 Sep 2004 20:27:42 -0500, Chris cpollock@earthlink.net wrote:
Jeff, I know you're interested in FP's but how about a fraud/phishing spam that wasn't tagged by MP? The message mentions new servers and upgrading your account info.
Please forward full message sources for any Phishing reports to postmaster@corp.mailsecurity.net
We'll get them dropped into the PH list in no time :)
Yes, as David says, please send them to postmaster@corp.mailsecurity.net and antiphishing.org.
Jeff C. -- "If it appears in hams, then don't list it."
On Monday 27 September 2004 08:34 pm, David Hooton wrote:
On Mon, 27 Sep 2004 20:27:42 -0500, Chris cpollock@earthlink.net wrote:
Jeff, I know you're interested in FP's but how about a fraud/phishing spam that wasn't tagged by MP? The message mentions new servers and upgrading your account info.
Please forward full message sources for any Phishing reports to postmaster@corp.mailsecurity.net
We'll get them dropped into the PH list in no time :)
David, Jeff, I'll be sure to do that. That one has unfortunately already been processed by my reporting script and been deleted.
On Tue, 28 Sep 2004, David Hooton wrote:
On Mon, 27 Sep 2004 20:27:42 -0500, Chris cpollock@earthlink.net wrote:
Jeff, I know you're interested in FP's but how about a fraud/phishing spam that wasn't tagged by MP? The message mentions new servers and upgrading your account info.
Please forward full message sources for any Phishing reports to postmaster@corp.mailsecurity.net
We'll get them dropped into the PH list in no time :)
Minor nit, 'postmaster@corp.mailsecurity.net' gives "no such host" error message.
DNS lookup on 'corp.mailsecurity.net' returns "Non-existent domain".
Typo?
On Tuesday, September 28, 2004, 7:02:31 PM, David Funk wrote:
On Tue, 28 Sep 2004, David Hooton wrote:
On Mon, 27 Sep 2004 20:27:42 -0500, Chris cpollock@earthlink.net wrote:
Jeff, I know you're interested in FP's but how about a fraud/phishing spam that wasn't tagged by MP? The message mentions new servers and upgrading your account info.
Please forward full message sources for any Phishing reports to postmaster@corp.mailsecurity.net
We'll get them dropped into the PH list in no time :)
Minor nit, 'postmaster@corp.mailsecurity.net' gives "no such host" error message.
DNS lookup on 'corp.mailsecurity.net' returns "Non-existent domain".
Typo?
No it's correct. Perhaps there's a DNS problem there. Hopefully David Hooton can let them know to fix it.
Jeff C. -- "If it appears in hams, then don't list it."
On Tue, 28 Sep 2004 19:13:00 -0700, Jeff Chan jeffc@surbl.org wrote:
On Tuesday, September 28, 2004, 7:02:31 PM, David Funk wrote:
On Tue, 28 Sep 2004, David Hooton wrote:
Please forward full message sources for any Phishing reports to postmaster@corp.mailsecurity.net
Minor nit, 'postmaster@corp.mailsecurity.net' gives "no such host" error message.
DNS lookup on 'corp.mailsecurity.net' returns "Non-existent domain".
Typo?
Yes Typo - postmaster@corp.mailsecurity.net.au << Note the .au
Many apologies to all affected!
On Tuesday, September 28, 2004, 7:17:15 PM, David Hooton wrote:
On Tue, 28 Sep 2004 19:13:00 -0700, Jeff Chan jeffc@surbl.org wrote:
On Tuesday, September 28, 2004, 7:02:31 PM, David Funk wrote:
Minor nit, 'postmaster@corp.mailsecurity.net' gives "no such host" error message.
DNS lookup on 'corp.mailsecurity.net' returns "Non-existent domain".
Typo?
Yes Typo - postmaster@corp.mailsecurity.net.au << Note the .au
Dooh!
FWIW It's correct in my lists doc:
http://www.surbl.org/lists.html
I'm adding a mention of reporting phishes to that address also (in addition to any FPs).
Jeff C. -- "If it appears in hams, then don't list it."
On Monday, September 20, 2004, 3:20:52 PM, Jeff Chan wrote:
Please test the MailPolice Fraud list as Bill described earlier (copied below). We would like to include this data in our PH anti-phishing list, but request your help in testing it first.
We're particularly interested in any false positives.
Jeff C. __
This is a list that MailPolice hosts and I have been running it for a few hours and it has already flagged some phish and fraud e-mails. Here is some info about the list: http://rhs.mailpolice.com/#rhsfraud
This is my configuration for SA 2.64 with the SpamCopURI plug-in:
uri MP_URI_RBL eval:check_spamcop_uri_rbl('fraud.rhs.mailpolice.com','127.0.0.2')
describe MP_URI_RBL URI's domain appears in MailPolice fraud list
tflags MP_URI_RBL net
score MP_URI_RBL 2.0
And for SA 3.0 with the URIDNSBL plug-in:
urirhsbl URIBL_MP fraud.rhs.mailpolice.com. A
header URIBL_MP eval:check_uridnsbl('URIBL_MP')
describe URIBL_MP URI's domain appears in MailPolice fraud list
tflags URIBL_MP net
score URIBL_MP 2.0
Bill
Does anyone have any more testing of the fraud.rhs.mailpolice.com data to share?
SpamAssassin corpus checkers, would you please test it for FPs?
Shall we add it to ph.surbl.org?
Jeff C. -- "If it appears in hams, then don't list it."
On Tue, 9 Nov 2004 23:43:18 -0800, Jeff Chan jeffc@surbl.org wrote:
Does anyone have any more testing of the fraud.rhs.mailpolice.com data to share?
It looks good to me so far.
Shall we add it to ph.surbl.org?
I have no problem with it, it's yet another view of the internet which I believe is important.
As a side note to everyone, please keep submitting your phish emails to postmaster @ corp.mailsecurity.net.au; without your submissions we don't have new data :)
On Thursday, November 11, 2004, 7:49:51 PM, David Hooton wrote:
On Tue, 9 Nov 2004 23:43:18 -0800, Jeff Chan jeffc@surbl.org wrote:
Does anyone have any more testing of the fraud.rhs.mailpolice.com data to share?
It looks good to me so far.
Shall we add it to ph.surbl.org?
I have no problem with it, it's yet another view of the internet which I believe is important.
As a side note to everyone, please keep submitting your phish emails to postmaster @ corp.mailsecurity.net.au; without your submissions we don't have new data :)
Thanks for your feedback David. Based on your feedback and others, I went ahead and merged the fraud.rhs.mailpolice.com data in with your mailsecurity.net.au phishing list into ph.surbl.org.
Overlap between these two lists was only 36 records, and combining the lists has approximately doubled the size of the ph.surbl.org to about 1000 records.
One thing you may want to look at is expiring the data, especially IP addresses. Not sure what algorithm to use, though age may be a possibility, or perhaps the lack of recent reports for a given record.
Overlap between fraud.rhs.mailpolice.com and other existing SURBLs, including ph.surbl.org is 89 records.
I'll go ahead and announce and document this change.
Jeff C. -- "If it appears in hams, then don't list it."