OK. It's a silly question but I'd like to start submitting more of the SPAM I hand-filter for inclusion in the SURBL lists.
For example, I'm being inundated with offers for free watches linking to http://*.nepel-MUNGED.com/ which redirects to http://www.online-replica-store-MUNGED.com/.
What is the best process for me to take a known SPAM and get the ball rolling on something like this?
Regards, KAM
Kevin A. McGrail wrote:
OK. It's a silly question but I'd like to start submitting more of the SPAM I hand-filter for inclusion in the SURBL lists.
For example, I'm being inundated with offers for free watches linking to http://*.nepel-MUNGED.com/ which redirects to http://www.online-replica-store-MUNGED.com/.
What is the best process for me to take a known SPAM and get the ball rolling on something like this?
Regards, KAM
_______________________________________________
Discuss mailing list
Discuss@lists.surbl.org
http://lists.surbl.org/mailman/listinfo/discuss
Hi Kevin
your best bet is probably checking & submitting via http://www.rulesemporium.com/cgi-bin/uribl.cgi (inclusion in ws.surbl.org)
or submitting to Spamcop (per Spamcop procedure) so it's included in sc.surbl.org AND in the Spamcop RBL
h2h
Alex
Alex,
or submitting to Spamcop (per Spamcop procedure) so it's included in sc.surbl.org AND in the Spamcop RBL
Thanks for the quick response. I've gone to spamcop.com and cut and pasted a spam and hit interrogate but I don't get an indication it's been submitted. It simply gives me a link to email abuse@wherever. Is that all there is to submitting on SpamCop?
I think I've also found that the original FAQ for switching to multi with SA 2.6X had some typos in the default config so the Rules Emporium link was quite helpful in pointing out that the problematic domain WAS listed.
regards, KAM
Hi Kevin,
Kevin A. McGrail wrote:
Alex,
or submitting to Spamcop (per Spamcop procedure) so it's included in sc.surbl.org AND in the Spamcop RBL
Thanks for the quick response. I've gone to spamcop.com and cut and pasted a spam and hit interrogate but I don't get an indication it's been submitted. It simply gives me a link to email abuse@wherever. Is that all there is to submitting on SpamCop?
Check the procedure here:
http://www.spamcop.net/anonsignup.shtml
You may also want to see their very complete FAQ http://www.spamcop.net/fom-serve/cache/285.html
I think I've also found that the original FAQ for switching to multi with SA 2.6X had some typos in the default config so the Rules Emporium link was quite helpful in pointing out that the problematic domain WAS listed.
Reporting Spam at the Rules Emporium is really only worth it if a msg is less than 2 hours old. Anything else will probably be already in there or in process of being listed.
h2h
Alex
On Tuesday, December 28, 2004, 1:05:47 AM, Kevin McGrail wrote:
Alex,
or submitting to Spamcop (per Spamcop procedure) so it's included in sc.surbl.org AND in the Spamcop RBL
Thanks for the quick response. I've gone to spamcop.com and cut and pasted a spam and hit interrogate but I don't get an indication it's been submitted. It simply gives me a link to email abuse@wherever. Is that all there is to submitting on SpamCop?
If you follow the Past Reports tab at SpamCop, then View Recent Reports you should be able to see spams you've submitted before, with their subjects, recipients, submission date, etc. SpamCop doesn't always parse the URIs correctly, but it gets them right most of the time.
I think I've also found that the original FAQ for switching to multi with SA 2.6X had some typos in the default config so the Rules Emporium link was quite helpful in pointing out that the problematic domain WAS listed.
regards, KAM
FWIW There is a revised SpamCopURI (SA 2.6x) config at:
http://www.surbl.org/spamcop_uri.cf.022-updated.txt
Alex's comments are right on.
Jeff C. -- "If it appears in hams, then don't list it."
FWIW There is a revised SpamCopURI (SA 2.6x) config at:
Yep, those +'s really helped.
Alex's comments are right on.
Definitely. Very helpful. My big issue is I kept going to spamcop.com and didn't know about .net. Go figure.
Regards, KAM
FWIW There is a revised SpamCopURI (SA 2.6x) config at:
Jeff and all:
I'm learning more about submitting SPAM that we get as I know we have quite a honeypot based on the past work from the SpamAssassin guys on our server. Today I got two SPAMs that looked like candidates to submit. One was not listed and I submitted to Mr. Stearns. That went perfectly. However, one URL did not work out as planned and because of my recent issue with a typo in the 2.6 config, I'm a bit panicky just to make sure I really have a handle on how the interaction is working.
Anyway, I have checked this URL, healthyandcozy-MUNGED.com, at http://www.rulesemporium.com/cgi-bin/uribl.cgi?report=1;uri=editdiscussions....;
It is listed in ws, ob, jp and multi which I can also confirm is working on d3.surbl.org:
ping healthyandcozy.com.multi.surbl.org
PING healthyandcozy.com.multi.surbl.org (127.0.0.84) from 127.0.0.84 : 56(84) bytes of data.
And I have switched the SpamCop 2.6 config to the updated file above to ensure that a small typo isn't my issue. I have then sent myself an email with just this text in the body sans the munged: healthyandcozy-MUNGED.com
It does not hit.
However, I have found that if I have put www.healthyandcozy-munged.com the URI hit is positive. I have further confirmed that http://healthyandcozy-munged.com/ is a hit as well.
This seems like a loophole to me since it's still possible that an MUA will automatically make just something.com into a link and it's annoying since I'd still like these emails marked as SPAM. Can anyone comment? Am I over worried? Is this by design? Is it fixed in SA 3.0?
Regards, KAM
On Thursday, December 30, 2004, 6:57:24 AM, Kevin McGrail wrote:
And I have switched the SpamCop 2.6 config to the updated file above to ensure that a small typo isn't my issue. I have then sent myself an email with just this text in the body sans the munged: healthyandcozy-MUNGED.com
It does not hit.
However, I have found that if I have put www.healthyandcozy-munged.com the URI hit is positive. I have further confirmed that http://healthyandcozy-munged.com/ is a hit as well.
This seems like a loophole to me since it's still possible that an MUA will automatically make just something.com into a link and it's annoying since I'd still like these emails marked as SPAM. Can anyone comment? Am I over worried? Is this by design? Is it fixed in SA 3.0?
This is a design choice. Programs that look for URIs, whether they are MUAs or spam checkers need to decide what they will consider to be URIs. Clearly most things that start with "http://" and have hostnames are probably meant to be URIs. So are www.host.com. But checking for host.com may not be too productive and would get confused about mentions of DOS programs like command.com, etc.
The behavior is probably similar in SA 3 for similar reasons, though I can't recall the details.
The quick answer is SpamCopURI and SpamAssassin probably are doing the right thing. Their URI behavior is the result of a lot of discussion, thought and careful design.
Jeff C. -- "If it appears in hams, then don't list it."
On Thursday, December 30, 2004, 2:35:06 PM, Jeff Chan wrote:
The quick answer is SpamCopURI and SpamAssassin probably are doing the right thing. Their URI behavior is the result of a lot of discussion, thought and careful design.
BTW That last sentence was not meant to be a put down of any kind; just a reflection of some history.
Jeff C. -- "If it appears in hams, then don't list it."
BTW That last sentence was not meant to be a put down of any kind; just a reflection of some history.
Thanks for the initial clarification and while appreciated this second clarification is unnecessary.
Knowing that it's operating "as designed" was the key reason for the email.
However, going further, an option to process URIs such as bob-munged.com might be useful ESPECIALLY for the main TLDs .com, .net and .org plus .info and .biz and perhaps a few more. If it's not too painful to relive, this is an annoyance like the recent rash of SPAMs that don't have valid URLs. While the links may not work, it still clutters the inbox.
So I believe a key mantra is to reduce the inbox to valid emails and SURBLs are very effective at doing that. Perhaps the FPs of doing this change are small?
Regards, KAM
On Thursday, December 30, 2004, 3:50:44 PM, Kevin McGrail wrote:
However, going further, an option to process URIs such as bob-munged.com might be useful ESPECIALLY for the main TLDs .com, .net and .org plus .info and .biz and perhaps a few more. If it's not too painful to relive, this is an annoyance like the recent rash of SPAMs that don't have valid URLs. While the links may not work, it still clutters the inbox.
So I believe a key mantra is to reduce the inbox to valid emails and SURBLs are very effective at doing that. Perhaps the FPs of doing this change are small?
I think it's already been evaluated and decided against for a number of reasons. IIRC a major one was additional CPU time for diminishing returns. There are a lot more .somethings to check than http:// and www. Generally the behavior of MUAs is followed, where it makes sense to do so. Also there's a lot more spam with functional URIs than plain domains.
Jeff C. -- "If it appears in hams, then don't list it."
I think it's already been evaluated and decided against for a number of reasons. IIRC a major one was additional CPU time for diminishing returns. There are a lot more .somethings to check than http:// and www. Generally the behavior of MUAs is followed, where it makes sense to do so. Also there's a lot more spam with functional URIs than plain domains.
Besides the CPU time, which I can agree with, I would argue that the subset of email with plain domains should be treated as its own set.
Therefore, after SURBL is run against http:// and www, what is the hit ratio against the emails with plain domains? Perhaps running it as a second pass only if http:// and www aren't found would be generally good if the false positive rate isn't too high and just for .com/.net/.org/.info/.biz and any other TLDs that are recommended and readily abused.
Regards, KAM
On Thursday, December 30, 2004, 4:26:33 PM, Kevin McGrail wrote:
I think it's already been evaluated and decided against for a number of reasons. IIRC a major one was additional CPU time for diminishing returns. There are a lot more .somethings to check than http:// and www. Generally the behavior of MUAs is followed, where it makes sense to do so. Also there's a lot more spam with functional URIs than plain domains.
Besides the CPU time, which I can agree with, I would argue that the subset of email with plain domains should be treated as its own set.
Therefore, after SURBL is run against http:// and www, what is the hit ratio against the emails with plain domains? Perhaps running it as a second pass only if http:// and www aren't found would be generally good if the false positive rate isn't too high and just for .com/.net/.org/.info/.biz and any other TLDs that are recommended and readily abused.
To be honest I don't know the answer to that question. Perhaps one way to find out would be to write a SpamAssassin rule to look for plain domains, then look at the results for false positives, etc.
Jeff C. -- "If it appears in hams, then don't list it."
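An added example (not written by anyone in this thread, and not SpamAssassin or SpamCopURI code) of the extraction choice Jeff describes and of the bare-domain second pass Kevin proposes, run over constructed message bodies. The regexes, function names, two-label domain reduction and sample text are assumptions made for illustration.

```python
import re

# TLDs proposed in the thread for a bare-domain second pass.
SECOND_PASS_TLDS = ("com", "net", "org", "info", "biz")

# First pass: tokens with an http:// scheme or a leading "www." label.
URI_RE = re.compile(r"(?:https?://|\b(?=www\.))([a-z0-9.-]+\.[a-z]{2,})", re.I)
# Second pass: a bare "name.tld" token, limited to the TLDs above.
BARE_RE = re.compile(
    r"(?<![\w@./-])([a-z0-9-]+(?:\.[a-z0-9-]+)*\.(?:%s))(?![\w-])"
    % "|".join(SECOND_PASS_TLDS), re.I)


def registered_domain(host):
    """Simplification: keep the last two labels (no two-level TLD table)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def extract_domains(body, bare_second_pass=False):
    """Return the domains that would be looked up for this message body."""
    hosts = URI_RE.findall(body)
    if not hosts and bare_second_pass:
        # Only reached when no http:// or www. token was found.
        hosts = BARE_RE.findall(body)
    return list(dict.fromkeys(registered_domain(h) for h in hosts))


def surbl_query_name(domain, zone="multi.surbl.org"):
    """DNS name to resolve; an answer in 127.0.0.0/8 means listed."""
    return "%s.%s" % (domain, zone)


# Constructed sample bodies (reserved example domains, not real spam).
SPAM_LINKED = "Free watches: http://shop.example.com/w or www.example.net"
SPAM_BARE = "Free watches, just type example.org into your browser"
HAM_DOS = "Copy command.com to the boot floppy before rebooting"

if __name__ == "__main__":
    for body in (SPAM_LINKED, SPAM_BARE, HAM_DOS):
        for second in (False, True):
            names = [surbl_query_name(d) for d in extract_domains(body, second)]
            print(second, names)
```

With the second pass enabled, the bare spam domain is picked up, but so is command.com in the ham sample, which is the false-positive cost discussed above.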
Jeff Chan wrote:
On Thursday, December 30, 2004, 4:26:33 PM, Kevin McGrail wrote:
I think it's already been evaluated and decided against for a number of reasons. IIRC a major one was additional CPU time for diminishing returns. There are a lot more .somethings to check than http:// and www. Generally the behavior of MUAs is followed, where it makes sense to do so. Also there's a lot more spam with functional URIs than plain domains.
Besides the CPU time, which I can agree with, I would argue that the subset of email with plain domains should be treated as its own set.
Therefore, after SURBL is run against http:// and www, what is the hit ratio against the emails with plain domains? Perhaps running it as a second pass only if http:// and www aren't found would be generally good if the false positive rate isn't too high and just for .com/.net/.org/.info/.biz and any other TLDs that are recommended and readily abused.
To be honest I don't know the answer to that question. Perhaps one way to find out would be to write a SpamAssassin rule to look for plain domains, then look at the results for false positives, etc.
I've tried this at my filter and removed it some time later.
From my experience, the result tends to be more of an increase in the false positive rate and handling time than in the detection rate.
The number of spams you'll catch isn't worthwhile.
Main goal of spammers is to directly show the contents of some web page without asking recipients to cut and paste some URL.
Jose-Marcio
Jeff C.
"If it appears in hams, then don't list it."
I've tried this at my filter and removed it some time later.
From my experience, the result tends to be more of an increase in the false positive rate and handling time than in the detection rate.
The number of spams you'll catch isn't worthwhile.
Thanks. That's the answer I wanted to know and I appreciate knowing it.
Happy New Year, KAM
RE: where to report phishing
I know that this has been covered before... but it seems like it is always in the context of a larger discussion. So, forgive me for asking when I'm sure I could dig this up on my own...
Where should phishing be reported to?
...mailpolice?? antiphishing.org?? rulesemporium.com??, others?...
Also, should I first attempt to contact the abuse dept. of the ISP (or relevant contact via the arin.net contact for that IP address)? ...then wait a couple of days and only report it to third parties if the hosting provider doesn't remove the site?
Or should I report the phish to ALL 3rd parties IMMEDIATELY?
Thanks,
Rob McEwen
I would say that one of the best decisions ClamAV made was to start considering Phishing as a virus and their approach has been reported as VERY effective. So for the benefit of people using Anti-Viral mail filtering to block phishing, I highly suggest reporting phishing there in addition to the ClamAV developers in addition to whatever else people here recommend.
Regards, KAM
----- Original Message ----- From: "Rob McEwen" rob@powerviewsystems.com
Or should I report the phish to ALL 3rd parties IMMEDIATELY?
On Thursday, December 30, 2004, 4:43:05 PM, Rob McEwen wrote:
RE: where to report phishing
I know that this has been covered before... but it seems like it is always in the context of a larger discussion. So, forgive me for asking when I'm sure I could dig this up on my own...
Where should phishing be reported to?
...mailpolice?? antiphishing.org?? rulesemporium.com??, others?...
Also, should I first attempt to contact the abuse dept. of the ISP (or relevant contact via the arin.net contact for that IP address)? ...then wait a couple of days and only report it to third parties if the hosting provider doesn't remove the site?
Or should I report the phish to ALL 3rd parties IMMEDIATELY?
I report phishing immediately to:
postmaster at corp.mailsecurity.net.au
reportphishing at antiphishing.org
spam at uce.gov
I don't know if Mailpolice has a reporting address, but a quick check of their web site did not show one. Maybe Jay Swackhamer of Mailpolice can comment.
I think it's important to get the sites listed quickly to limit the effect of the phish. If the hosting provider will do something about the sites, that's fine too, but their behavior may vary.
Jeff C. -- "If it appears in hams, then don't list it."
----- Original Message ----- From: "Jeff Chan" jeffc@surbl.org
On Thursday, December 30, 2004, 4:43:05 PM, Rob McEwen wrote:
RE: where to report phishing
I know that this has been covered before... but it seems like it is always in the context of a larger discussion. So, forgive me for asking when I'm sure I could dig this up on my own...
Where should phishing be reported to?
...mailpolice?? antiphishing.org?? rulesemporium.com??, others?...
Also, should I first attempt to contact the abuse dept. of the ISP (or relevant contact via the arin.net contact for that IP address)? ...then wait a couple of days and only report it to third parties if the hosting provider doesn't remove the site?
Or should I report the phish to ALL 3rd parties IMMEDIATELY?
I report phishing immediately to:
postmaster at corp.mailsecurity.net.au
reportphishing at antiphishing.org
spam at uce.gov
I don't know if Mailpolice has a reporting address, but a quick check of their web site did not show one. Maybe Jay Swackhamer of Mailpolice can comment.
When I asked Jay a couple of months ago where to send phish messages, he said that sending them to spam@mailpolice.com will get them to the right people.
Bill
On Thursday, December 30, 2004, 8:13:42 PM, Bill Landry wrote:
I report phishing immediately to:
postmaster at corp.mailsecurity.net.au
reportphishing at antiphishing.org
spam at uce.gov
I don't know if Mailpolice has a reporting address, but a quick check of their web site did not show one. Maybe Jay Swackhamer of Mailpolice can comment.
When I asked Jay a couple of months ago where to send phish messages, he said that sending them to spam@mailpolice.com will get them to the right people.
Thanks Bill, I'll add that address to my personal list too.
Jeff C. -- "If it appears in hams, then don't list it."
On Thu, 30 Dec 2004 20:13:42 -0800, Bill Landry billl@pointshare.com wrote:
----- Original Message ----- From: "Jeff Chan" jeffc@surbl.org
I report phishing immediately to:
postmaster at corp.mailsecurity.net.au
reportphishing at antiphishing.org
spam at uce.gov
Jeff,
Do you think that we could create a phish@surbl.org distribution list that we can advertise on the surbl website and which will send reports to all the right people? It might help to streamline the process for people :)
On Sunday, January 2, 2005, 7:15:01 PM, David Hooton wrote:
On Thu, 30 Dec 2004 20:13:42 -0800, Bill Landry billl@pointshare.com wrote:
----- Original Message ----- From: "Jeff Chan" jeffc@surbl.org
I report phishing immediately to:
postmaster at corp.mailsecurity.net.au
reportphishing at antiphishing.org
spam at uce.gov
Jeff,
Do you think that we could create a phish@surbl.org distribution list that we can advertise on the surbl website and which will send reports to all the right people? It might help to streamline the process for people :)
Hi David, It's a good idea, but I don't think I'm ready for my server to be a conduit for reporting.
Jeff C. -- "If it appears in hams, then don't list it."