Not sure when this happened, but a plain "w" somehow got listed in the SURBL, at least in the text list version. I've perused the website and the list removal section, but haven't found a way of determining what the source of the "w" is, since the query tools do domain format checking and won't let me query on a plain "w".
The "w" shows up in this list: http://www.surbl.org/dns-queries.blocklist.counts.txt It's in the section preceded by the number "2".
The effect of this is that domains that have a "w" in certain places generate false positives.
It might be a good idea to run new domains through a simple domain format parsing check to make sure that they're basically valid before adding them to the SURBL.
John DeMillion
Director of Information Technology
Chester County Intermediate Unit
On Sunday, January 22, 2006, 1:49:41 PM, John DeMillion wrote:
> Not sure when this happened, but a plain "w" somehow got listed in the SURBL, at least in the text list version. I've perused the website and the list removal section, but haven't found a way of determining what the source of the "w" is, since the query tools do domain format checking and won't let me query on a plain "w".
> The "w" shows up in this list: http://www.surbl.org/dns-queries.blocklist.counts.txt It's in the section preceded by the number "2".
> The effect of this is that domains that have a "w" in certain places generate false positives.
> It might be a good idea to run new domains through a simple domain format parsing check to make sure that they're basically valid before adding them to the SURBL.
> John DeMillion Director of Information Technology Chester County Intermediate Unit
Hello John, "w" is not currently listed:
; <<>> DiG 8.3 <<>> w.multi.surbl.org a
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 9855
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUERY SECTION:
;;      w.multi.surbl.org, type = A, class = IN

;; AUTHORITY SECTION:
multi.surbl.org.  15M IN SOA  a.surbl.org. zone.surbl.org. (
                      1137979981  ; serial
                      15M         ; refresh
                      15M         ; retry
                      1W          ; expiry
                      15M )       ; minimum

;; Total query time: 58 msec
;; FROM: ns1.freeapp.net to SERVER: 127.0.0.1
;; WHEN: Sun Jan 22 17:52:58 2006
;; MSG SIZE sent: 35 rcvd: 78
Doing a DNS query is probably the best, most authoritative way to check the lists.
What you saw may have been an artifact of broken DNS queries. There are also filters in place to prevent things that cannot be domains from getting on the lists.
Cheers,
Jeff C.
--
Don't harm innocent bystanders.
Jeff Chan wrote:
> What you saw may have been an artifact of broken DNS queries. There are also filters in place to prevent things that cannot be domains from getting on the lists.
Some spammers apparently try their luck with ">" in pseudo-URLs like http://what%3Eever.spammer.example (seen in an article on the SpamCop list). It's a bit beyond me how any decent MUA can accept this as a link. In that example what>ever.spammer.example has an IP, but it's of course no valid host name.
Apparently a hard case of "fix your MUA", I've no better idea. Normally I hate this line of arguments when it's used against my good old "Mozilla 3". Of course my monster doesn't accept this crap as host name, it stops at http://what as it should.
Bye, Frank
On Mon, Jan 23, 2006 at 08:57:57AM +0100, Frank Ellermann wrote:
> Apparently a hard case of "fix your MUA", I've no better idea. Normally I hate this line of arguments when it's used against my good old "Mozilla 3". Of course my monster doesn't accept this crap as host name, it stops at http://what as it should.
They're targeting Outlook -- I dug up a copy of MS Outlook (2002, FWIW), and given mail containing the URL http://foo%3Ebar.com, it will hyperlink the entire thing and direct the browser to http://foo%3ebar.com/. It tolerates < and > equally.
Bleh.
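
The domain format check suggested at the top of the thread and the %3E pseudo-URLs discussed in the later replies, combined in one added example that is not part of the original thread and is not SURBL's own filter code. The function names are hypothetical, and the host extraction assumes a client that hyperlinks the whole URL and resolves the percent-decoded name, as reported above for Outlook.

```python
import re
from urllib.parse import unquote

# One DNS label in LDH form: letters, digits, hyphens, 1-63 characters,
# no leading or trailing hyphen.
LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")


def is_valid_hostname(name):
    """True if name is a syntactically valid multi-label DNS host name."""
    name = name.rstrip(".").lower()
    labels = name.split(".")
    if len(name) > 253 or len(labels) < 2:
        return False  # a bare "w" has no TLD, so it cannot be a domain
    if labels[-1].isdigit():
        return False  # all-numeric last label: an IP address, not a domain
    return all(LABEL.fullmatch(label) for label in labels)


def host_as_lenient_client_sees_it(url):
    """Host a permissive mail client would hand to the resolver (assumption).

    Takes everything up to the first / ? or #, drops userinfo and port,
    then percent-decodes, so %3E becomes ">".
    """
    rest = url.split("://", 1)[-1]
    authority = re.split(r"[/?#]", rest, maxsplit=1)[0]
    host = authority.rsplit("@", 1)[-1].split(":", 1)[0]
    return unquote(host).lower()


def classify(url):
    """Return (host, verdict): 'lookup' if the host can be queried against
    a list as a domain, 'malformed' if it is not a valid host name."""
    host = host_as_lenient_client_sees_it(url)
    return host, ("lookup" if is_valid_hostname(host) else "malformed")


if __name__ == "__main__":
    # Constructed samples based on the names quoted in the thread.
    for candidate in ["w", "spammer.example", "what>ever.spammer.example"]:
        print(candidate, is_valid_hostname(candidate))
    for url in ["http://what%3Eever.spammer.example",
                "http://foo%3Ebar.com",
                "http://www.example.com/path"]:
        print(url, classify(url))
```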