Does anyone have any comments on adding the malware domains at:
http://www.malwaredomains.com/
to the SURBL phishing list, with significant filtering to exclude possible false positives? The actual list would be the third field of:
http://www.malwaredomains.com/files/domains.txt
The data includes malware and phishing sites.
Cheers,
Jeff C.
Sounds good to me! :)
- Jeremy
"Jeff Chan" jeffc@surbl.org wrote in message news:7b7cecbb0711251851j78e54a7sc847d29259754c19@mail.gmail.com...
Does anyone have any comments on adding the malware domains at:
http://www.malwaredomains.com/
to the SURBL phishing list, with significant filtering to exclude possible false positives? The actual list would be the third field of:
http://www.malwaredomains.com/files/domains.txt
The data includes malware and phishing sites.
Cheers,
Jeff C.
--On Sunday, November 25, 2007 18:51 -0800 Jeff Chan jeffc@surbl.org wrote:
Does anyone have any comments on adding the malware domains at:
http://www.malwaredomains.com/
to the SURBL phishing list, with significant filtering to exclude possible false positives? The actual list would be the third field of:
http://www.malwaredomains.com/files/domains.txt
The data includes malware and phishing sites.
The first field seems to be the URI we would see in mail. Isn't that what we would want to search?
Otherwise I don't understand why the third field repeatedly lists F-Secure's pages about virus threats at http://www.f-secure.com/weblog/. We would not want to interfere with mail referring to F-Secure.
Another third field, www.webhelper4u.com/cws/cwsbyalphanumeric.html, listed many many times, is a 404.
Joseph Brennan Lead Email Systems Engineer Columbia University Information Technology
Quoting Joseph Brennan brennan@columbia.edu:
--On Sunday, November 25, 2007 18:51 -0800 Jeff Chan jeffc@surbl.org wrote:
Does anyone have any comments on adding the malware domains at:
http://www.malwaredomains.com/
to the SURBL phishing list, with significant filtering to exclude possible false positives? The actual list would be the third field of:
http://www.malwaredomains.com/files/domains.txt
The data includes malware and phishing sites.
The first field seems to be the URI we would see in mail. Isn't that what we would want to search?
Otherwise I don't understand why the third field repeatedly lists F-Secure's pages about virus threats at http://www.f-secure.com/weblog/. We would not want to interfere with mail referring to F-Secure.
Another third field, www.webhelper4u.com/cws/cwsbyalphanumeric.html, listed many many times, is a 404.
Thanks. There are some leading tabs, and the fields are tab-separated, so the third tabbed field is the first visible one (on uncommented records).
Cheers,
Jeff C.
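The field layout Jeff describes above, as an added example that is not part of the original thread and not SURBL's or malwaredomains.com's code. The `#` comment marker, the sample records, the whitelist and all function names are assumptions made for illustration.

```python
# Added example. Assumed layout (from the thread): tab-separated records with
# two empty leading fields, so the domain is the third tab field.
# Assumption: commented records start with '#'. All sample data is constructed.
SAMPLE = (
    "# constructed header comment\n"
    "\t\tbad-site.example\tmalware\treference.example/report?id=1\n"
    "\t\tWWW.Phish-Login.example.\tphishing\treference.example/report?id=2\n"
    "\t\tcdn.trusted.example\tmalware\treference.example/report?id=3\n"
    "#\t\tretired.example\tmalware\treference.example/report?id=4\n"
    "\n"
    "\tonly-two-fields.example\n"
)
WHITELIST = {"trusted.example"}  # constructed; stands in for an internal whitelist


def third_tab_field(line):
    """Return the domain (third tab field) of an uncommented record, else None."""
    line = line.rstrip("\r\n")
    if not line.strip() or line.lstrip().startswith("#"):
        return None  # blank or commented record
    fields = line.split("\t")  # split on tabs only, so empty leading fields count
    if len(fields) < 3 or not fields[2].strip():
        return None  # malformed record: no third field
    return fields[2].strip().lower().rstrip(".")


def naive_third_field(line):
    """Whitespace split: leading tabs collapse, so index 2 is the reference URL."""
    fields = line.split()
    return fields[2] if len(fields) > 2 else None


def candidate_domains(text, whitelist):
    """Collect unique domains, dropping whitelisted names and their subdomains."""
    out = []
    for line in text.splitlines():
        domain = third_tab_field(line)
        if domain is None:
            continue
        if any(domain == w or domain.endswith("." + w) for w in whitelist):
            continue
        if domain not in out:
            out.append(domain)
    return out


if __name__ == "__main__":
    first = SAMPLE.splitlines()[1]
    print("tab split       :", third_tab_field(first))
    print("whitespace split:", naive_third_field(first))
    print("candidates      :", candidate_domains(SAMPLE, WHITELIST))
```

Counting the third visible column, as a whitespace split does, yields the reference URL rather than the listed domain, which is how pages such as a vendor weblog appear to be "listed".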
Does anyone have any comments on adding the malware domains at:
to the SURBL phishing list, with significant filtering to exclude possible false positives? The actual list would be the third field of:
The data includes malware and phishing sites.
I never heard of this site before. Looks interesting. I am reviewing the malware list right now, however, and this is the second entry:
007arcadegames.com digitalriver www.bleedingthreats.net/forum/viewtopic.php?forum=11 showtopic=9
I unfortunately wasn't able to pull up the web page it lists; it comes up blank in Firefox. The domain has hinky registration, probably is a malware site. But if it's hosted by Digitalriver, they're fairly legitimate. (There are considerably more spam problems there than when Al Iverson was the Abuse manager, but they're at worst light grey.)
Which probably doesn't matter when it comes to listing the domain. :) But I'd definitely send a note to the host, especially when the host is a legitimate business that would be horrified to be hosting a malware site. Hope this guy does that.
Some of the sites are clearly malware, but there are a lot of semi-legitimate, high traffic sites on there, many of which are already whitelisted. I'm all for adding more data, but it looks like the amount of filtering may be so high it is not worth it for this source.
How would you handle the filtering? It looks like it would have to be done manually.
-- AW
On 11/27/07, Catherine Jefferson ariel@spambouncer.org wrote:
Does anyone have any comments on adding the malware domains at:
to the SURBL phishing list, with significant filtering to exclude possible false positives? The actual list would be the third field of:
The data includes malware and phishing sites.
I never heard of this site before. Looks interesting. I am reviewing the malware list right now, however, and this is the second entry:
007arcadegames.com digitalriver www.bleedingthreats.net/forum/viewtopic.php?forum=11 showtopic=9
I unfortunately wasn't able to pull up the web page it lists; it comes up blank in Firefox. The domain has hinky registration, probably is a malware site. But if it's hosted by Digitalriver, they're fairly legitimate. (There are considerably more spam problems there than when Al Iverson was the Abuse manager, but they're at worst light grey.)
Which probably doesn't matter when it comes to listing the domain. :) But I'd definitely send a note to the host, especially when the host is a legitimate business that would be horrified to be hosting a malware site. Hope this guy does that.
-- Catherine (Hampton) Jefferson ariel@spambouncer.org The SpamBouncer * http://www.spambouncer.org/ Personal Home Page * http://www.devsite.org/ _______________________________________________ Discuss mailing list Discuss@lists.surbl.org http://lists.surbl.org/mailman/listinfo/discuss
----- Original Message ----- From: "Andy Warner" admin@andy.net To: "SURBL Discussion list" discuss@lists.surbl.org Sent: Tuesday, November 27, 2007 8:26 PM Subject: Re: [SURBL-Discuss] RFC: Adding malwaredomains.com data to phishinglist?
Some of the sites are clearly malware, but there are a lot of semi-legitimate, high traffic sites on there, many of which are already whitelisted. I'm all for adding more data, but it looks like the amount of filtering may be so high it is not worth it for this source.
How would you handle the filtering? It looks like it would have to be done manually.
Seems to me that if the SOURCE of the data is reliable and correct (in that the site DOES contain malaria), but the domain is whitelisted somewhere, then it's a good reason to remove the whitelisting. Not to remove the listing from the malaria list.
My complaint (not actually complaining about this list in particular) is that too many domains and/or IP's are whitelisted on lists generally (and I AM talking generally here). It's the "they have some legit customers" syndrome - so what if they do ? If they screw up they get blacklisted until they clean up their act - it's that simple.
ISP's ESP's & webhosts who act responsibly and in a timely fashion get given the benefit of the doubt. Those that don't - well - don't !!
All the best
Phil
_____________________________________________
Website Hosting from only £5.00 per month. www.medwayhosting.com - +44 (0)1634 856965 _____________________________________________
Digital & Traditional Printing, and much more www.medwayprint.com - +44 (0)1634 281199 _____________________________________________
Re: MY LAST POST
For MALARIA - please read MALWARE
Damned spellcheckers :-s
All the best
Phil
----- Original Message ----- From: "Phil (Medway Hosting)" phil@medwayhosting.com To: "SURBL Discussion" discuss@lists.surbl.org Sent: Tuesday, November 27, 2007 8:54 PM Subject: Re: [SURBL-Discuss] RFC: Adding malwaredomains.com data tophishinglist?
----- Original Message ----- From: "Andy Warner" admin@andy.net To: "SURBL Discussion list" discuss@lists.surbl.org Sent: Tuesday, November 27, 2007 8:26 PM Subject: Re: [SURBL-Discuss] RFC: Adding malwaredomains.com data to phishinglist?
Some of the sites are clearly malware, but there are a lot of semi-legitimate, high traffic sites on there, many of which are already whitelisted. I'm all for adding more data, but it looks like the amount of filtering may be so high it is not worth it for this source.
How would you handle the filtering? It looks like it would have to be done manually.
Seems to me that if the SOURCE of the data is reliable and correct (in that the site DOES contain malaria), but the domain is whitelisted somewhere, then it's a good reason to remove the whitelisting. Not to remove the listing from the malaria list.
My complaint (not actually complaining about this list in particular) is that too many domains and/or IP's are whitelisted on lists generally (and I AM talking generally here). It's the "they have some legit customers" syndrome - so what if they do ? If they screw up they get blacklisted until they clean up their act - it's that simple.
ISP's ESP's & webhosts who act responsibly and in a timely fashion get given the benefit of the doubt. Those that don't - well - don't !!
All the best
Phil
Quoting "Phil (Medway Hosting)" phil@medwayhosting.com:
Seems to me that if the SOURCE of the data is reliable and correct (in that the site DOES contain [malware]), but the domain is whitelisted somewhere, then it's a good reason to remove the whitelisting. Not to remove the listing from the [malware] list.
We use our whitelist internally to exclude domains from blacklisting. If a site is whitelisted, it is generally assumed to be a responsible operation that would actively correct compromised sites, remove malware content, phishing sites, spammed sites, etc. Therefore the logic of un-doing the whitelisting if malware appears would be arguably incorrect. The ones who are whitelisted are the ones likely to do the right thing.
Jeff C.
Quoting Andy Warner admin@andy.net:
Some of the sites are clearly malware, but there are a lot of semi-legitimate, high traffic sites on there, many of which are already whitelisted. I'm all for adding more data, but it looks like the amount of filtering may be so high it is not worth it for this source.
How would you handle the filtering? It looks like it would have to be done manually.
Probably we wouldn't want to specify exactly how the data would be filtered in public, but it would be mostly automatic, like the other phishing data. Occasionally we need to manually whitelist one of those.
Cheers,
Jeff C.
--On Tuesday, November 27, 2007 11:09 -0800 Catherine Jefferson ariel@spambouncer.org wrote:
I never heard of this site before. Looks interesting. I am reviewing the malware list right now, however, and this is the second entry:
007arcadegames.com digitalriver www.bleedingthreats.net/forum/viewtopic.php?forum=11 showtopic=9
I unfortunately wasn't able to pull up the web page it lists; it comes up blank in Firefox.
For www.007arcadegames.com I get a page from Godaddy saying that the registration expired Nov 7 and that they're waiting to renew or delete the name.
Joseph Brennan Columbia University Information Technology
Quoting Joseph Brennan brennan@columbia.edu:
For www.007arcadegames.com I get a page from Godaddy saying that the registration expired Nov 7 and that they're waiting to renew or delete the name.
Joseph Brennan Columbia University Information Technology
Yes, it's probably an old listing whose domain expired recently.
Cheers,
Jeff C.
Quoting Catherine Jefferson ariel@spambouncer.org:
007arcadegames.com digitalriver www.bleedingthreats.net/forum/viewtopic.php?forum=11 showtopic=9
I unfortunately wasn't able to pull up the web page it lists; it comes up blank in Firefox. The domain has hinky registration, probably is a malware site. But if it's hosted by Digitalriver, they're fairly legitimate. (There are considerably more spam problems there than when Al Iverson was the Abuse manager, but they're at worst light grey.)
It's not clear how that field is derived. If the domain really belonged to Digital River then it may have been worth trying to notify them. If the site was minor, cracked, or belonged to bad guys then it might get blacklisted since the potential harm from malware may on balance exceed the effect of blacklisting. Malware/phishing/etc. have the potential to ruin people's lives.
Which probably doesn't matter when it comes to listing the domain. :) But I'd definitely send a note to the host, especially when the host is a legitimate business that would be horrified to be hosting a malware site. Hope this guy does that.
Depending on the source, they may get automatic notifications.
Jeff C.