I've set up a bitmasked, combined SURBL list with sc, ws, and ph data:
multi.surbl.org
as described earlier, except that the TXT message is customized to each entry in the list rather than generic, for example:
areyoureallysatisfied.biz 600 IN A 127.0.0.6
                          600 IN TXT "Blocked, areyoureallysatisfied.biz on sc, ws lists, See: http://www.surbl.org/lists.html"
aridanti.com 21600 IN A 127.0.0.4
             21600 IN TXT "Blocked, aridanti.com on ws lists, See: http://www.surbl.org/lists.html"
citi-protection.info 600 IN A 127.0.0.14
                     600 IN TXT "Blocked, citi-protection.info on sc, ws, ph lists, See: http://www.surbl.org/lists.html"
cmbcag.biz 600 IN A 127.0.0.2
           600 IN TXT "Blocked, cmbcag.biz on sc lists, See: http://www.surbl.org/lists.html"
The description of multi on the Lists page has been updated to reflect this beta version of the list:
http://www.surbl.org/lists.html#multi
Currently this zone is served only on my name server. There is no need for any name servers to carry this zone yet since there probably won't be code to use it for a while. Hopefully it can be useful to the developers though. Once the code is written to use the combined list, we will need to get the zone out to all the name servers. I have not finished modifying my rbldnsd zone file creation script, so there is only a BIND version currently.
I hope there's still some time to get support for this into the SA 3.0.0 release.
The data is live, and inclusion in the combined list and other parameters are all governed from control files, so they're easy to change, for example to add future lists.
Please send me any feedback, including about the proposed wording of the TXT message.
Cheers,
Jeff C.
On Mon, 14 Jun 2004, Jeff Chan wrote:
sc = spamcop ws = sa-blacklist ph = ???
What's ph?
On Monday, June 14, 2004, 9:48:57 AM, ian list) wrote:
sc = spamcop ws = sa-blacklist ph = ???
What's ph?
ph is phishing data from David Hooton and mailsecurity.net.au:
http://www.surbl.org/lists.html#multi
ph - Phishing data source
Phishing data is kindly provided by MailSecurity. Since the phishing list is relatively small so far, it is not offered as a separate list, instead finding a home in the combined list. Despite that, it should be quite valuable to include in URI checking, so we're grateful for MailSecurity making it publicly available as a service to the Internet community. MailSecurity has other pharmaspam and general spam SURBLs available on a subscription basis.
Jeff C.
Jeff -- sounds great!
one thing though -- any chance you could make the returned msg a little more machine-readable? ie. instead of
Blocked, areyoureallysatisfied.biz on sc, ws lists, See: http://www.surbl.org/lists.html
something like:
Blocked, areyoureallysatisfied.biz, on lists [sc][ws], See: http://www.surbl.org/lists.html
That way, we could use "[sc]" as a regexp to match that. Otherwise, it's not quite as easy to pick out from the "human-readable" part of the string, and possibly even might misfire -- for example if in future someone set up an "on" blocklist. ;)
--j.
On Monday, June 14, 2004, 2:45:03 PM, Justin Mason wrote:
one thing though -- any chance you could make the returned msg a little more machine-readable? ie. instead of
Blocked, areyoureallysatisfied.biz on sc, ws lists, See: http://www.surbl.org/lists.html
something like:
Blocked, areyoureallysatisfied.biz, on lists [sc][ws], See: http://www.surbl.org/lists.html
That way, we could use "[sc]" as a regexp to match that. Otherwise, it's not quite as easy to pick out from the "human-readable" part of the string, and possibly even might misfire -- for example if in future someone set up an "on" blocklist. ;)
Thanks for the feedback! I've made the change:
citi-protection.info 600 IN A 127.0.0.14
                     600 IN TXT "Blocked, citi-protection.info on lists [sc][ws][ph], See: http://www.surbl.org/lists.html"
citibank-validate.info 21600 IN A 127.0.0.12
                       21600 IN TXT "Blocked, citibank-validate.info on lists [ws][ph], See: http://www.surbl.org/lists.html"
citicorp-verification.com 21600 IN A 127.0.0.12
                          21600 IN TXT "Blocked, citicorp-verification.com on lists [ws][ph], See: http://www.surbl.org/lists.html"
However, if possible I may prefer that folks process on the A record instead of the TXT record. To me the A record is the more machine-relevant part. Others, including the early proponents of using TXT for signalling to machines, may disagree.
Also this makes the human-readable part somewhat less pretty IMNSHO. :-)
Jeff C.
Jeff Chan wrote:
I've set up a bitmasked, combined SURBL list with sc, ws, and ph data: multi.surbl.org
Tnx, I replace sc.surbl.org by multi.surbl.org in my script.
I'm not sure how other combined lists handle this, but how about some "combined" test entries:
Add 127.0.0.4 to ws, 127.0.0.6 to sc + ws, 127.0.0.8 to ph, 127.0.0.10 to sc + ph, 127.0.0.14 to sc + ws + ph. 127.0.0.12 to ws + ph.
With these test entries we would get for multi.surbl.org :
0.0.0.127.multi => not found
1.0.0.127.multi => not found (= no localhost confusion)
2.0.0.127.multi => 127.0.0.2 => sc
3.0.0.127.multi => not found (same for all odd.0.0.127)
4.0.0.127.multi => 127.0.0.4 => sc + ws
[...]
14.0.0.127.multi => 127.0.0.14 => sc + ws + ph
Bye, Frank
On Tuesday, June 15, 2004, 5:59:17 AM, Frank Ellermann wrote:
Jeff Chan wrote:
I've set up a bitmasked, combined SURBL list with sc, ws, and ph data: multi.surbl.org
Tnx, I replace sc.surbl.org by multi.surbl.org in my script.
OK, I should have mentioned that's not the preferred way to do things. :-) The multi.surbl.org list has lists encoded with bitmasks that SpamCopURI and urirhsbl won't work too well with. You *could* make many rules to handle every numeric combination of the bits, but since this would require 2 ^ N rules, it shows that the existing single-list programs aren't really the right tool. What's needed is some different or added code to decode these back into their original lists.
Justin Mason is adding such code into a new program "urirhsblsub" now. Hopefully Eric Kolve will be able to roll similar code into SpamCopURI in future also, or perhaps code up a differently named program.
I'm not sure how other combined lists handle this, but how about some "combined" test entries:
Add 127.0.0.4 to ws, 127.0.0.6 to sc + ws, 127.0.0.8 to ph, 127.0.0.10 to sc + ph, 127.0.0.14 to sc + ws + ph. 127.0.0.12 to ws + ph.
With these test entries we would get for multi.surbl.org :
0.0.0.127.multi => not found
1.0.0.127.multi => not found (= no localhost confusion)
2.0.0.127.multi => 127.0.0.2 => sc
3.0.0.127.multi => not found (same for all odd.0.0.127)
4.0.0.127.multi => 127.0.0.4 => sc + ws
[...]
14.0.0.127.multi => 127.0.0.14 => sc + ws + ph
Yes, we could probably make some bitmasked tests. I'll consider it a task for later.... :-)
Jeff C.
Jeff Chan wrote:
I replace sc.surbl.org by multi.surbl.org in my script.
OK, I should have mentioned that's not the preferred way to do things. :-)
For my purposes (I'm only interested in the listing status, it's not used for blocking mail) it is, one GetHostByName is faster than three.
You *could* make many rules to handle every numeric combination of the bits
All I do is something like `rxwhois -a qualitycorner.biz` resulting in...
| qualitycorner.biz not found at .rfc-ignorant.org or
| .multi.surbl.org
| whois -h whois.abuse.net qualitycorner.biz
| postmaster@qualitycorner.biz (default, no info)
Hm, not very convincing, this spam was 30 minutes old. But for an older spamervized site `rxwhois -a eedqmed.com`
| eedqmed.com (6): .multi.surbl.org
| whois -h whois.abuse.net eedqmed.com
| postmaster@eedqmed.com (default, no info)
So that result tells me "unknown at abuse.net and RFCI, but listed in sc (2) and ws (4)", because multi said 6.
Therefore it could be interesting to attack this site at abuse@ and postmaster@, hoping for at least 1 bounce.
Then I'd submit the bounce to rfc-ignorant.org with an info to the Tech-C / Admin-C listed in the whois data for eedqmed.com
Maybe the latter results again in a bounce, and then I could report the domain as "whois ignorant" at RFCI and ICANN's whois data problem report system.
Of course I only do this when I'm very angry, normally SpamCop is good enough for me (and feeds sc.surbl.org :-)
Bye, Frank
On Wednesday, June 16, 2004, 2:25:23 AM, Frank Ellermann wrote:
Jeff Chan wrote:
I replace sc.surbl.org by multi.surbl.org in my script.
OK, I should have mentioned that's not the preferred way to do things. :-)
For my purposes (I'm only interested in the listing status, it's not used for blocking mail) it is, one GetHostByName is faster than three.
[...]
But for an older spamervized site `rxwhois -a eedqmed.com`
| eedqmed.com (6): .multi.surbl.org
| whois -h whois.abuse.net eedqmed.com
| postmaster@eedqmed.com (default, no info)
So that result tells me "unknown at abuse.net and RFCI, but listed in sc (2) and ws (4)", because multi said 6.
Aha! I often forget that people have different uses for the data. Since you have your own way to decode the data into the different lists, my comments were misguided. Thanks for telling us a little about how you're using the data!
Jeff C.
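
The decoding step discussed in this thread (turning a multi.surbl.org A answer back into its member lists, and checking it against the bracketed TXT tags), as an added example that is not code from any poster or from SURBL. The bit values sc=2, ws=4, ph=8 are taken from the thread's examples; the function names are hypothetical.

```python
import ipaddress
import re

# Bit values as they appear in the thread's examples (sc=2, ws=4, ph=8).
LIST_BITS = {"sc": 2, "ws": 4, "ph": 8}
KNOWN_MASK = sum(LIST_BITS.values())
TAG_RE = re.compile(r"\[([a-z0-9]+)\]")


def decode_a(addr):
    """Split a multi.surbl.org A answer into (list names, unassigned bits)."""
    packed = ipaddress.IPv4Address(addr).packed
    if packed[:3] != b"\x7f\x00\x00" or packed[3] == 0:
        raise ValueError(f"not a 127.0.0.x listing answer: {addr}")
    mask = packed[3]
    # One test per list (N tests) instead of one rule per combination (2^N).
    names = [name for name, bit in LIST_BITS.items() if mask & bit]
    return names, mask & ~KNOWN_MASK


def lists_from_txt(txt):
    """Pull the bracketed tags, e.g. [sc][ws], out of the TXT message."""
    return TAG_RE.findall(txt)


def consistent(addr, txt):
    """True when the A bitmask and the TXT tags name the same lists."""
    names, unknown = decode_a(addr)
    return unknown == 0 and set(names) == set(lists_from_txt(txt))


# Answers quoted in the thread, plus one constructed mismatch.
SAMPLES = [
    ("127.0.0.14", "Blocked, citi-protection.info on lists [sc][ws][ph], "
                   "See: http://www.surbl.org/lists.html"),
    ("127.0.0.12", "Blocked, citibank-validate.info on lists [ws][ph], "
                   "See: http://www.surbl.org/lists.html"),
    ("127.0.0.6", "Blocked, example.test on lists [sc], See: ..."),  # constructed
]

if __name__ == "__main__":
    for addr, txt in SAMPLES:
        print(addr, decode_a(addr), lists_from_txt(txt), consistent(addr, txt))
```

Bits outside the three known lists are returned separately rather than rejected, so a list added to the zone later shows up as an unassigned bit instead of breaking the lookup.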