I just wanted to share this example submitted today. (Thanks Dave!)
Can you tell which domains to report? :)
This is why scraping urls with scripts is no good.
**********************************************
<a href="http://opoloves.com/tp/default.asp?id=rxsavings"> <img src="http://netuetion.com/faxd.gif" border=0> </a>
<br> Up to 8<A href="http://www.impractical.org"></A>0<A href="http://www.hettie.org"></A>% Sa<A href="http ://www.sheath.org"></A>vin<A href="http://www.inhibitor.org"></A>gs on X<A href="http://www.brown.org" ></A>an<A href="http://www.shinto.org"></A>ax, Va<A href="http://www.triptych.org"></A>li<A href="http ://www.irreproducible.org"></A>um, P<A href="http://www.anonymity.org"></A>hen<A href="http://www.sire n.org"></A>term<A href="http://www.warble.org"></A>ine, V<A href="http://www.bind.org"></A>ia<A href=" http://www.volterra.org"></A>gr<A href="http://www.baccarat.org"></A>a <b><a href="http://opoloves.com/tp/default.asp?id=rxsavings"> HERE</a></b>
<br><BR><br><br>
<P align=center><FONT face="Verdana, Arial, Helvetica, sans-serif" size=1>For em<A href="http://www.della.org"></A>ail re<A href="http://www.aviate.org"></A>mov<A href="http://www.accede.org"></A>a<A href="http://www.servitor.org"></A>l, g<A href="http://www.beet.org"></A>o <A href="http://opoloves.com/er/e.asp">here.</A></FONT></P>
**********************************************
Wasn't that fun! :) Took a human eye about 20 seconds to find the 2 that mattered.
Chris Santerre System Admin and SARE Ninja http://www.rulesemporium.com http://www.surbl.org 'It is not the strongest of the species that survives, not the most intelligent, but the one most responsive to change.' Charles Darwin
on Thu, Jul 08, 2004 at 04:21:45PM -0400, Chris Santerre wrote:
> I just wanted to share this example submitted today. (Thanks Dave!)
> Can you tell which domains to report? :)
Yeah, the ones with a '/' after the hostname. :)
> This is why scraping urls with scripts is no good.
Or not. :)
I always 'LOOK' at the actually displayed message within my mailer and THEN analyze the source... but looking at this, I'd tend to report opoloves.com and netuetion.com (supposing the faxd.gif has something visible in it).
Please, people... by far the BEST thing about SURBL is its really, really, really low FP rate so you can be very comfortable scoring it high.
I have them scored at 3.5 (except for 6dos) in a VERY conservative ISP and it's doing wonderfully.
I can't offer right now 'cause I have no time at all, but I'd very much like the SURBL lists to keep being managed manually.
It'd be great if we could, at some point, form a small group of volunteers with VERY good skills at spotting guilty URIs within spam and keep the lists much like clamav maintains its virus database...
Hi,
Well - to make things easy, I guess it's just a matter of checking whether any text is present from the <A HREF=""> to the </A> ... So <A HREF="http://domain.org/"></A> won't trigger anything - but <A HREF="http://domain.org/">Some text</A> will....
Just my 5 cents of input ;-)
/Brian
Brian Ipsen wrote:
> Hi,
> Well - to make things easy, I guess it's just a matter of checking whether any text is present from the <A HREF=""> to the </A> ... So <A HREF="http://domain.org/"></A> won't trigger anything - but <A HREF="http://domain.org/">Some text</A> will....
<a href=http://domain.org/><!--sometext--></a> shall not trigger
<a href=http://domain.org/><img src=toto.jpg width=0 heigth=0></a> shall not trigger
<!-- <a href=http://domain.org/>text</a> -->, maybe shall not trigger - shall check !!!
It seems to me very difficult to handle URL BLs without any manual handling. What you can do is to have some scripts to extract URLs and do many checks in order to present them in an easy way to handle it manually.
This kind of example is presented this way by my scripts.
# 461 1 7 0.292 4.167 14.286 : .. bangor.com
# 461 1 7 0.292 4.167 14.286 : .. hankel.com
# 461 18 7 5.250 75.000 257.143 : BL mainstreamsoft.biz
# 461 1 7 0.292 4.167 14.286 : .. marmalade.com
# 461 1 7 0.292 4.167 14.286 : .. monolith.com
# 461 1 7 0.292 4.167 14.286 : .. sao.com
# 461 1 7 0.292 4.167 14.286 : .. shiplap.com
This is a short example - only seven URLs. Usually when the number of URLs is greater, you have two or three URLs to blacklist.
> Just my 5 cents of input ;-)
Also my 0.5 cents... 8-)
Joe
> /Brian
On Saturday, July 10, 2004, 2:19:10 AM, Brian Ipsen wrote:
> Well - to make things easy, I guess it's just a matter of checking whether any text is present from the <A HREF=""> to the </A> ... So <A HREF="http://domain.org/"></A> won't trigger anything - but <A HREF="http://domain.org/">Some text</A> will....
> Just my 5 cents of input ;-)
I believe SpamAssassin and SpamCop correctly ignore empty anchors. If not they should. Can't recall what Eric's SpamCopURI does, but ignoring unclickable URIs is probably a good way to defeat the kind of URI poisoning originally mentioned, and likely should generally be used by message parsers.
Jeff C.
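
The filtering rule discussed in this thread (skip anchors that render nothing clickable), as an added example that is not code from any poster, SpamAssassin, SpamCop or SpamCopURI. The names ClickableAnchors and clickable_hosts and the .example domains in SAMPLE are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class ClickableAnchors(HTMLParser):
    """Collect hosts only from <a href> elements that render something clickable."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.href = None       # href of the anchor currently open, if any
        self.visible = False   # has the open anchor shown text or an image yet?
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self._finish()     # an unclosed earlier anchor ends here
            if attrs.get("href"):
                # remove whitespace folded into the URL ("http ://www...")
                self.href = "".join(attrs["href"].split())
        elif tag == "img" and self.href:
            # a zero-width or zero-height image is not something a reader can click
            if attrs.get("width") != "0" and attrs.get("height") != "0":
                self.visible = True

    def handle_data(self, data):
        if self.href and data.strip():
            self.visible = True

    def handle_endtag(self, tag):
        if tag == "a":
            self._finish()

    def _finish(self):
        if self.href and self.visible:
            host = urlsplit(self.href).hostname
            if host:
                self.hosts.add(host)
        self.href, self.visible = None, False

def clickable_hosts(html):
    parser = ClickableAnchors()
    parser.feed(html)   # HTML comments never reach the tag handlers
    parser.close()
    parser._finish()
    return parser.hosts

# Constructed sample: one real link (used twice) hidden among four decoy anchors.
SAMPLE = ('<a href="http://payload.example/tp/x.asp"><img src="http://img.example/f.gif" border=0></a>'
          'Sa<A href="http ://www.decoy-one.example"></A>vings '
          '<a href=http://decoy-two.example/><!--sometext--></a>'
          '<a href=http://decoy-three.example/><img src=toto.jpg width=0 height=0></a>'
          '<!-- <a href=http://decoy-four.example/>text</a> -->'
          '<b><a href="http://payload.example/tp/x.asp"> HERE</a></b>')
```

This covers only the cases raised in the thread (empty anchors, comment-only anchors, zero-size images, commented-out anchors); the surviving hosts are candidates for the manual review the posters argue for.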