Just spotted this one, on both black.uribl.com and ab.surbl.org - it's a very widely used French-language URL-shortening service.
I'd say this is a definite FP.
I can see people getting confused about whether minilien are really white hat, given that it now redirects to a page on the unfortunately-named digipills.com - but AFAICT this is also a genuine domain originally created by a medical student and offering free hosting for genuine medically-related content.
John.
On 13 Sep 2006, at 15.07, John Wilcock wrote:
Just spotted this one, on both black.uribl.com and ab.surbl.org - it's a very widely used French-language URL-shortening service.
I'd say this is a definite FP.
But then again, if spam email uses minilien.com for masquerading evil redirects, then it's the site owner's problem. There is an explicit coverage on this topic on the SURBL.org site.
Redirection services such as tinyurl.com and (my own) memurl.com look up if the destination hosts are blocklisted, and so should minilien.com.
If we regard this one as a false positive, then it's free access for spammail that uses the minilien service.
I suggest we notify the site owner and let him act accordingly.
-- Christian Stigen Larsen, http://csl.sublevel3.org
On Wednesday, September 13, 2006, 6:32:27 AM, Christian Larsen wrote:
On 13 Sep 2006, at 15.07, John Wilcock wrote:
Just spotted this one, on both black.uribl.com and ab.surbl.org - it's a very widely used French-language URL-shortening service.
I'd say this is a definite FP.
But then again, if spam email uses minilien.com for masquerading evil redirects, then it's the site owner's problem. There is an explicit coverage on this topic on the SURBL.org site.
Redirection services such as tinyurl.com and (my own) memurl.com look up if the destination hosts are blocklisted, and so should minilien.com.
If we regard this one as a false positive, then it's free access for spammail that uses the minilien service.
I suggest we notify the site owner and let him act accordingly.
-- Christian Stigen Larsen, http://csl.sublevel3.org
Yes, that's true, but at the same time we generally don't blacklist redirection services as that could cause false positives. Christian, would you please try to contact the site owner and refer him to:
http://www.surbl.org/redirect.html
In the meantime we will remove this domain from our blacklist.
Jeff C. -- Don't harm innocent bystanders.
On Wednesday, September 13, 2006, 3:24:17 PM, Jeff Chan wrote:
Yes, that's true, but at the same time we generally don't blacklist redirection services as that could cause false positives.
[...]
In the meantime we will remove this domain from our blacklist.
BTW This applies to SURBL only as URIBL.com is a separate project.
Jeff C. -- Don't harm innocent bystanders.
Jeff Chan wrote:
Is the suggestion to check URLs when submitted to the redirection service or when the redirector is then used (or both)?
- Ron
On Wednesday, September 13, 2006, 3:54:24 PM, Ron Guerin wrote:
Jeff Chan wrote:
Is the suggestion to check URLs when submitted to the redirection service or when the redirector is then used (or both)?
- Ron
Submission-time checks were the main intention.
Jeff C. -- Don't harm innocent bystanders.
Jeff Chan wrote:
On Wednesday, September 13, 2006, 3:54:24 PM, Ron Guerin wrote:
Jeff Chan wrote:
Is the suggestion to check URLs when submitted to the redirection service or when the redirector is then used (or both)?
- Ron
Submission-time checks were the main intention.
That's what I thought, but I wanted some clarification. I'm the author of a redirector created in October 2004 that has always used SURBL to check submitted URLs. Nevertheless, I find my database polluted with abuse. Even though most of it redirects to pages in Asian languages I don't understand, it's not hard to recognize spammers' landing pages. It also occurs to me that checking the URL at submission time is probably checking it before any spam with that URL has been sent, and by extension, before it would appear in SURBL.
Among the things I'm considering is re-checking accepted URLs a few hours later, and flagging them for abuse if they come up with a hit. The other thing I think needs to be done is to follow and count the number of re-directions. I see a lot of URLs in my database that are other redirection services.
- Ron
On Thursday, September 14, 2006, 7:02:46 AM, Ron Guerin wrote:
Jeff Chan wrote:
Submission-time checks were the main intention.
That's what I thought, but I wanted some clarification. I'm the author of a redirector created in October 2004 that has always used SURBL to check submitted URLs. Nevertheless, I find my database polluted with abuse. Even though most of it redirects to pages in Asian languages I don't understand, it's not hard to recognize spammers' landing pages. It also occurs to me that checking the URL at submission time is probably checking it before any spam with that URL has been sent, and by extension, before it would appear in SURBL.
Makes sense.
Among the things I'm considering is re-checking accepted URLs a few hours later, and flagging them for abuse if they come up with a hit. The other thing I think needs to be done is to follow and count the number of re-directions. I see a lot of URLs in my database that are other redirection services.
A re-check sounds reasonable. If you'd be doing a large volume of queries you may want to consider using rsynced local versions of the zone files:
http://www3.surbl.org/rsync-signup.html
Jeff C. -- Don't harm innocent bystanders.
Jeff Chan wrote:
On Thursday, September 14, 2006, 7:02:46 AM, Ron Guerin wrote:
Jeff Chan wrote:
Submission-time checks were the main intention.
That's what I thought, but I wanted some clarification. I'm the author of a redirector created in October 2004 that has always used SURBL to check submitted URLs. Nevertheless, I find my database polluted with abuse. Even though most of it redirects to pages in Asian languages I don't understand, it's not hard to recognize spammers' landing pages. It also occurs to me that checking the URL at submission time is probably checking it before any spam with that URL has been sent, and by extension, before it would appear in SURBL.
Makes sense.
Among the things I'm considering is re-checking accepted URLs a few hours later, and flagging them for abuse if they come up with a hit. The other thing I think needs to be done is to follow and count the number of re-directions. I see a lot of URLs in my database that are other redirection services.
A re-check sounds reasonable. If you'd be doing a large volume of queries you may want to consider using rsynced local versions of the zone files:
Won't be necessary. My redirector is primarily for people to install on their own sites. I run a public copy for the sake of both providing a demonstration, and to get some real-world usage data. I've got hundreds, not hundreds of thousands of URLs from 2 years of operation, at the rate of a few new URLs a day. I had considered slowly re-checking the entire database just to see what turned up, but I decided it wouldn't tell me anything useful to check today's SURBL against submissions made two years ago. I do think that re-checking submissions a few hours after acceptance might be useful. If it is, I'll report that back here.
I can offer the following observation, which is that for a service that's not promoted outside of merely existing on SourceForge, my public redirection service has been primarily discovered by those seeking to conceal their true destination, rather than by those seeking to shorten a URL. Given that my situation is not normal and I've got a relatively small dataset to work with, I'm hesitant to jump to conclusions, but I'd be interested in hearing from other redirector operators about what they're finding out about themselves. From where I'm sitting, it's looking like the bad outweighs the good, substantially.
- Ron
On Thursday, September 14, 2006, 10:24:12 AM, Ron Guerin wrote:
Jeff Chan wrote:
A re-check sounds reasonable. If you'd be doing a large volume of queries you may want to consider using rsynced local versions of the zone files:
Won't be necessary. My redirector is primarily for people to install on their own sites. I run a public copy for the sake of both providing a demonstration, and to get some real-world usage data. I've got hundreds, not hundreds of thousands of URLs from 2 years of operation, at the rate of a few new URLs a day. I had considered slowly re-checking the entire database just to see what turned up, but I decided it wouldn't tell me anything useful to check today's SURBL against submissions made two years ago. I do think that re-checking submissions a few hours after acceptance might be useful. If it is, I'll report that back here.
Sounds reasonable. Please let us know if you find anything of interest.
I can offer the following observation, which is that for a service that's not promoted outside of merely existing on SourceForge, my public redirection service has been primarily discovered by those seeking to conceal their true destination, rather than by those seeking to shorten a URL. Given that my situation is not normal and I've got a relatively small dataset to work with, I'm hesitant to jump to conclusions, but I'd be interested in hearing from other redirector operators about what they're finding out about themselves. From where I'm sitting, it's looking like the bad outweighs the good, substantially.
It definitely seems the case that some redirectors seem heavily abused, though I don't know why.
One of your previous notes was about redirection to other redirector sites, and we've seen that too, sometimes in chains of many redirection steps. Perhaps other redirection sites could/should be disallowed targets in general?
Jeff C. -- Don't harm innocent bystanders.
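Added example, not part of any message in this thread and not code from SURBL or from any participant's redirector: a Python version of the redirector-side policy discussed above, with a submission-time SURBL lookup, refusal of other redirection services as targets, and a re-check of accepted URLs a few hours later. The multi.surbl.org zone name, the four-hour delay, the two-label domain heuristic, the record layout and all function names are assumptions of this example.

```python
import socket
from urllib.parse import urlsplit

SURBL_ZONE = "multi.surbl.org"   # assumption: SURBL's combined zone
KNOWN_REDIRECTORS = {"tinyurl.com", "memurl.com", "minilien.com"}  # named in the thread
RECHECK_AFTER = 4 * 3600         # "a few hours"; the exact delay is an assumption


def base_domain(url):
    """Naive registrable domain: the last two labels of the hostname.

    Does not handle two-level suffixes (co.uk) or IP-literal hosts.
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return ".".join(host.split(".")[-2:])


def dns_listed(domain):
    """True if <domain>.<zone> resolves to a 127.x answer, i.e. is listed."""
    try:
        return socket.gethostbyname(f"{domain}.{SURBL_ZONE}").startswith("127.")
    except socket.gaierror:
        return False             # NXDOMAIN: not listed


def check_submission(url, listed=dns_listed):
    """Return 'accept', 'reject-invalid', 'reject-redirector' or 'reject-listed'."""
    domain = base_domain(url)
    if "." not in domain:
        return "reject-invalid"
    if domain in KNOWN_REDIRECTORS:      # no redirector-to-redirector chains
        return "reject-redirector"
    return "reject-listed" if listed(domain) else "accept"


def recheck(entries, now, listed=dns_listed):
    """Re-query accepted entries older than RECHECK_AFTER; flag new hits.

    entries: dicts with 'url', 'accepted_at' (epoch seconds) and 'state'.
    Returns the URLs flagged as abuse in this pass.
    """
    flagged = []
    for e in entries:
        if e["state"] == "accepted" and now - e["accepted_at"] >= RECHECK_AFTER:
            hit = listed(base_domain(e["url"]))
            e["state"] = "abuse" if hit else "rechecked"
            if hit:
                flagged.append(e["url"])
    return flagged
```

The `listed` parameter lets the lookup be swapped for a query against a local copy of the zone data, or for a stub when testing offline.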
Hi,
On 14 Sep 2006, at 00.24, Jeff Chan wrote:
Christian, would you please try to contact the site owner and refer him to:
Done. :)
-- Christian Stigen Larsen, http://csl.sublevel3.org