Hi, please remove uk. geocities .com from all white lists and/or add it manually to local URIBLs, it's a black hat.
Bye, Frank
On Saturday, October 8, 2005, 8:13:56 AM, Frank Ellermann wrote:
Hi, please remove uk. geocities .com from all white lists and/or add it manually to local URIBLs, it's a black hat.
No it's not. It belongs to Yahoo. Yahoo is currently trying to properly organize their handling of hosting abuse.
Bye, Frank
What does the article say please?
Jeff C. -- Don't harm innocent bystanders.
The 'article' seems to be a mirror complaint posted by Frank on the NNTP group spamcop.routing where uk.geocities.com fails the SpamCop test for abuse contact from both abuse.net and ARIN. Now I don't know Frank from nobody (haha) but I think the uk.geocities issue is a known issue that Yahoo is working on.
Regards, KAM
What does the article say please?
Subject: O/R: 66.218.64.0 - 66.218.95.255:network-abuse@cc.yahoo-inc.com
From: Frank Ellermann nobody@xyzzy.claranet.de
Date: Thu, 06 Oct 2005 20:04:24 +0200
CC: network-abuse@cc.yahoo-inc.com
Newsgroups: spamcop.routing
Hi, for the infamous uk.geocities.com series of spam runs SpamCop tries:
| Using abuse net on network-abuse@cc.yahoo-inc.com
| abuse net cc.yahoo-inc.com = postmaster@cc.yahoo-inc.com
| Using best contacts postmaster@cc.yahoo-inc.com
| postmaster@cc.yahoo-inc.com bounces (7 sent : 7 bounces)
But ARIN apparently says that SC should use:
| "whois 66.218.77.68@whois.arin.net"
| [...]
| Found AbuseEmail in whois network-abuse@cc.yahoo-inc.com
| 66.218.64.0 - 66.218.95.255:network-abuse@cc.yahoo-inc.com
I recommend blocking all mails containing any URL with the FQDN uk.geocities.com in local URIBLs.
http://www.spamcop.net/sc?id=z812431135z90373e8638a8645cf7c1de6de25ebb36z
As always SpamCop needed at least five "reloads" to find the relevant IP for uk.geocities.com spam, and after that effort it should use some working abuse@ address at Yahoo!
Bye, Frank
On Saturday, October 8, 2005, 8:49:47 AM, Kevin McGrail wrote:
The 'article' seems to be a mirror complaint posted by Frank on the NNTP group spamcop.routing where uk.geocities.com fails the SpamCop test for abuse contact from both abuse.net and ARIN. Now I don't know Frank from nobody (haha) but I think the uk.geocities issue is a known issue that Yahoo is working on.
Regards, KAM
Thanks. Frank has been on the SpamAssassin and SURBL lists for a long time. Everyone knows that Yahoo has not been handling their abuse very well, but they are making good progress on it lately. I can't reveal the details, but I know this for a fact, from several different aspects.
Jeff C. --
What does the article say please?
Subject: O/R: 66.218.64.0 - 66.218.95.255:network-abuse@cc.yahoo-inc.com
From: Frank Ellermann nobody@xyzzy.claranet.de
Date: Thu, 06 Oct 2005 20:04:24 +0200
CC: network-abuse@cc.yahoo-inc.com
Newsgroups: spamcop.routing
Hi, for the infamous uk.geocities.com series of spam runs SpamCop tries:
| Using abuse net on network-abuse@cc.yahoo-inc.com
| abuse net cc.yahoo-inc.com = postmaster@cc.yahoo-inc.com
| Using best contacts postmaster@cc.yahoo-inc.com
| postmaster@cc.yahoo-inc.com bounces (7 sent : 7 bounces)
But ARIN apparently says that SC should use:
| "whois 66.218.77.68@whois.arin.net"
| [...]
| Found AbuseEmail in whois network-abuse@cc.yahoo-inc.com
| 66.218.64.0 - 66.218.95.255:network-abuse@cc.yahoo-inc.com
I recommend blocking all mails containing any URL with the FQDN uk.geocities.com in local URIBLs.
http://www.spamcop.net/sc?id=z812431135z90373e8638a8645cf7c1de6de25ebb36z
As always SpamCop needed at least five "reloads" to find the relevant IP for uk.geocities.com spam, and after that effort it should use some working abuse@ address at Yahoo!
Bye, Frank
Jeff C. -- Don't harm innocent bystanders.
Jeff Chan wrote:
Frank has been on the SpamAssassin and SURBL lists for a long time.
s/SpamAssassin/SpamCop/ or s/SpamAssassin/SPF/ ;-)
they are making good progress on it lately
And that's why they bounce SpamCop reports to their listed abuse.net address ?
I can't reveal the details, but I know this for a fact
Let's start with a full disclosure for SURBL: How many WL hits does [see subject] really get, the two I found can't be all, or do you only note the first hit per year ? Bye
Frank,
And that's why they bounce SpamCop reports to their listed abuse.net address ?
I can't reveal the details, but I know this for a fact
Let's start with a full disclosure for SURBL: How many WL hits does [see subject] really get, the two I found can't be all, or do you only note the first hit per year ? Bye
This discussion is kinda useless here. It does have legitimate use; you could ask to get it added on uribl.com, since they have different criteria. It's no material for SURBL and we won't put them in just to show them they should respond to abuse reports. List them in RFC-I, that's an appropriate list for domains bouncing abuse mails... :)
Bye, Raymond.
Raymond Dijkxhoorn wrote:
Frank,
And that's why they bounce SpamCop reports to their listed abuse.net address ?
I can't reveal the details, but I know this for a fact
Let's start with a full disclosure for SURBL: How many WL hits does [see subject] really get, the two I found can't be all, or do you only note the first hit per year ? Bye
This discussion is kinda useless here. It does have legitimate use; you could ask to get it added on uribl.com, since they have different criteria. It's no material for SURBL and we won't put them in just to show them they should respond to abuse reports. List them in RFC-I, that's an appropriate list for domains bouncing abuse mails... :)
At uribl.com we won't list them either.
:)
Alex
Hi!
Let's start with a full disclosure for SURBL: How many WL hits does [see subject] really get, the two I found can't be all, or do you only note the first hit per year ? Bye
This discussion is kinda useless here. It does have legitimate use; you could ask to get it added on uribl.com, since they have different criteria. It's no material for SURBL and we won't put them in just to show them they should respond to abuse reports. List them in RFC-I, that's an appropriate list for domains bouncing abuse mails... :)
At uribl.com we won't list them either.
:)
Could perhaps be grey, but I guess if people want to start blocking it the SA rules I posted would do.
Bye, Raymond.
Let's start with a full disclosure for SURBL: How many WL hits does [see subject] really get, the two I found can't be all, or do you only note the first hit per year ? Bye
This discussion is kinda useless here. It does have legitimate use; you could ask to get it added on uribl.com, since they have different criteria. It's no material for SURBL and we won't put them in just to show them they should respond to abuse reports. List them in RFC-I, that's an appropriate list for domains bouncing abuse mails... :)
Even on URIBL, the domain uk.geocities.com would qualify for, at most, a listing on URIBL grey. Given the stated goal of the SURBLs -- *no* false positives -- they simply don't qualify for a SURBL listing. That in no way means they aren't bouncing SpamCop reports, or are handling their abuse issues properly. It just means that web sites with legitimate users or a legitimate purpose outside of spam do not get listed on SURBLs no matter how abusive they are or how much spam they appear in.
Here's a recipe I've put in the SpamBouncer that catches most of the spam with Geocities links I've been seeing. Most of that spam contains, not just a Geocities URL (not always uk.geocities.com), but also a query right after the domain and first slash. If you block that pattern, you'll catch a lot of spam. So far, I've seen *no* false positives -- in the SpamBouncer spamtrap or as complaints from users of SpamBouncer 2.1 beta.
SpamBouncer is a huge set of Procmail recipes, so anyone who uses Procmail might find this handy:
=-=-=-=-=-=-=-=-=-=
# Geocities URL with a query
:0 B
* (^|[^0-9a-z]|[=%]20)http://[a-z]+(\.|[=%]2E)geocities(\.|...
spam.incoming
=-=-=-=-=-=-=-=-=-=
Hi!
Here's a recipe I've put in the SpamBouncer that catches most of the spam with Geocities links I've been seeing. Most of that spam contains, not just a Geocities URL (not always uk.geocities.com), but also a query right after the domain and first slash. If you block that pattern, you'll catch a lot of spam. So far, I've seen *no* false positives -- in the SpamBouncer spamtrap or as complaints from users of SpamBouncer 2.1 beta.
SpamBouncer is a huge set of Procmail recipes, so anyone who uses Procmail might find this handy:
We see a lot coming in with plain http://geocities.com lately, so you might want to add that also.
Bye, Raymond.
Hi,
I recently added some SpamAssassin rules that deal with this geocities spam, as I had gathered a list of them.
Here are my rules (used on my server & also posted in NANAE):
Description :
PW_GEOCITIES adds a little 0.2 for any email containing a link to Geocities. Obviously, this rule will trigger some False Positives and the score is low. I added it mainly as a way to check valid mails with a geocities link within them.
PW_GEOCITIES_DASH adds 1.0 when the address contains either "_" or "-" in the user name (used to bump the score a bit when no redirector is used). Few legitimate geocities accounts use these characters, but expect a few False Positives.
PW_GEOCITIES_RD adds a massive 10 points when a geocities account with redirection / tracking is detected (no normal geocities account owner would do that; the False Positive rate should be very close to zero).
# Deal with Geocities Spam
body     PW_GEOCITIES /(?i)http:\/\/(it|uk|sg|ca|www|au|in|mx|de|es)\.geocities(\.yahoo)?\.com\//
describe PW_GEOCITIES Contains a link to Geocities.
score    PW_GEOCITIES 0.2

body     PW_GEOCITIES_DASH /(?i)http:\/\/(it|uk|sg|ca|www|au|in|mx|de|es)\.geocities(\.yahoo)?\.com\/[A-Za-z0-9%]{1,40}[_-][A-Za-z0-9%_-]{1,60}/
describe PW_GEOCITIES_DASH Link to Geocities with a - or _
score    PW_GEOCITIES_DASH 1.0

# The "?" is escaped so this rule needs a real query string after the account
# path, as the description says; unescaped it would match almost any Geocities URL.
body     PW_GEOCITIES_RD /(?i)http:\/\/(it|uk|sg|ca|www|au|in|mx|de|es)\.geocities(\.yahoo)?\.com\/[A-Za-z0-9%_-]{1,60}\/?\?[A-Za-z0-9%&_-]{1,100}/
describe PW_GEOCITIES_RD Geocities Redirector spam.
score    PW_GEOCITIES_RD 10.0
My 0.02
Eric
------------------------------------------------------------------------------------
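The three tiers Eric describes, as an added example that is neither his rules nor SpamAssassin code: the same patterns and scores expressed as Python regexes so they can be run offline against a few constructed message bodies. The host alternation also accepts the bare geocities.com host that Raymond reports seeing, and the redirector tier requires a literal "?" after the account path, which is what the PW_GEOCITIES_RD description calls for. All sample bodies are constructed, not real spam.

```python
import re

# Added example, not Eric's rules or SpamAssassin itself: the three body rules
# from the post above as Python regexes, with the same scores.  The host list
# additionally accepts bare geocities.com, which Raymond reports seeing in spam.
GEO_HOST = r"(?:(?:it|uk|sg|ca|www|au|in|mx|de|es)\.)?geocities(?:\.yahoo)?\.com"
NAME = r"[A-Za-z0-9%_-]"          # characters allowed in an account path segment

RULES = (
    # any link at all: tiny score, mainly useful for checking legitimate mail
    ("PW_GEOCITIES", 0.2,
     re.compile(r"http://" + GEO_HOST + r"/", re.I)),
    # account name containing "_" or "-": rare for real accounts
    ("PW_GEOCITIES_DASH", 1.0,
     re.compile(r"http://" + GEO_HOST + r"/[A-Za-z0-9%]{1,40}[_-]" + NAME + r"{1,60}", re.I)),
    # account path followed by a literal "?" query: the redirector/tracking shape
    ("PW_GEOCITIES_RD", 10.0,
     re.compile(r"http://" + GEO_HOST + r"/" + NAME + r"{1,60}/?\?[A-Za-z0-9%&_-]{1,100}", re.I)),
)


def score_body(body):
    """Return ([(rule, points), ...], total) for one message body."""
    hits = [(name, pts) for name, pts, rx in RULES if rx.search(body)]
    return hits, round(sum(pts for _, pts in hits), 1)


# Constructed sample bodies (not real spam) covering each tier.
SAMPLES = {
    "plain link":   "My photos: http://uk.geocities.com/johnsmith/ enjoy",
    "dash in name": "see http://uk.geocities.com/john_smith/",
    "redirector":   "Click http://it.geocities.com/abc-def/?offer123 now",
    "bare host":    "http://geocities.com/foo?bar",
    "unrelated":    "http://example.com/?x",
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        hits, total = score_body(body)
        print(f"{label:13s} {total:5.1f}  {[n for n, _ in hits]}")
```

Running it shows the intended staircase: a plain link scores 0.2, an underscore or dash in the account name lifts it to 1.2, and only a query string after the path reaches the 10-point tier. Because the tiers are independent regexes, a redirector URL with a dash collects all three, exactly as the SpamAssassin rules would.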
Raymond Dijkxhoorn wrote:
Hi!
Here's a recipe I've put in the SpamBouncer that catches most of the spam with Geocities links I've been seeing. Most of that spam contains, not just a Geocities URL (not always uk.geocities.com), but also a query right after the domain and first slash. If you block that pattern, you'll catch a lot of spam. So far, I've seen *no* false positives -- in the SpamBouncer spamtrap or as complaints from users of SpamBouncer 2.1 beta.
SpamBouncer is a huge set of Procmail recipes, so anyone who uses Procmail might find this handy:
We see a lot coming in with plain http://geocities.com lately, so you might want to add that also.
Bye, Raymond.
_______________________________________________
Discuss mailing list
Discuss@lists.surbl.org
http://lists.surbl.org/mailman/listinfo/discuss
We see a lot coming in with plain http://geocities.com lately, so you might want to add that also.
Ah... You mean, urls with queries at just geocities.com, not <subdomain>.geocities.com? You are sure about the queries? <making a note to search the spamtrap> :)
Raymond Dijkxhoorn wrote:
This discussion is kinda useless here.
Sooner or later many spammers will try to hide in the crowd, some free hoster without working abuse desk is a "good" idea.
you could ask to get it added on uribl.com
My question was why there are only two entries in the WL hit list. I know perfectly well why [see subject] is on the WL.
What's the precise purpose and content of this page: http://spamcheck.freeapp.net/whitelist-hits.new.log.sort
So far I thought that it counts "rejected submissions", but that's obviously not the case for [see subject].
List them in RFC-I, thats a appropriate list for domains bouncing abuse mails... :)
No, RFCI does not care about "incorrect" abuse.net entries, let alone any "evidence" in the form of "bounces SC reports". It was a short glitch in SC's logic, it used an address for...
cc.yahoo-inc.com (------10): .postmaster.rfc-ignorant.org
cc.yahoo-inc.com (-----2--): .abuse.rfc-ignorant.org
cc.yahoo-inc.com (-----2-0): .whois.rfc-ignorant.org
whois -h whois.abuse.net cc.yahoo-inc.com
postmaster@cc.yahoo-inc.com (for yahoo-inc.com)
...instead of using what it got from ARIN for the IP. As you see submitting it to RFCI would be a complete waste of time, it's already listed.
Working abuse addresses for [see subject] might be network-abuse@cc.yahoo-inc.com as reported by ARIN for the IP or uk-geo-abuse@cc.yahoo-inc.com (for uk. geocities .com) as reported by abuse.net for the FQDN.
Bye, Frank
Frank,
you could ask to get it added on uribl.com
My question was why there are only two entries in the WL hit list. I know perfectly well why [see subject] is on the WL.
What's the precise purpose and content of this page: http://spamcheck.freeapp.net/whitelist-hits.new.log.sort
Pages like that are for internal use.
cc.yahoo-inc.com (-----2--): .abuse.rfc-ignorant.org
cc.yahoo-inc.com (-----2-0): .whois.rfc-ignorant.org
whois -h whois.abuse.net cc.yahoo-inc.com
postmaster@cc.yahoo-inc.com (for yahoo-inc.com)
...instead of using what it got from ARIN for the IP. As you see submitting it to RFCI would be a complete waste of time, it's already listed.
Working abuse addresses for [see subject] might be network-abuse@cc.yahoo-inc.com as reported by ARIN for the IP or uk-geo-abuse@cc.yahoo-inc.com (for uk. geocities .com) as reported by abuse.net for the FQDN.
Like Jeff told you, we KNOW that they are working on this. That's currently enough for us. Meanwhile just use some custom rules to catch up with them. Plenty of examples posted already.
Bye, Raymond.
Frank Ellermann wrote:
And that's why they bounce SpamCop reports to their listed abuse.net address ?
I don't know that that means anything. Spamcop hasn't historically had a reputation for being accurate, although they might have improved recently.
Steve Sobol wrote:
Frank Ellermann wrote:
And that's why they bounce SpamCop reports to their listed abuse.net address ?
I don't know that that means anything. Spamcop hasn't historically had a reputation for being accurate, although they might have improved recently.
What do you mean by accurate? The only accurate list is the empty one :)
On Sunday, October 9, 2005, 12:20:31 PM, Steve Sobol wrote:
Frank Ellermann wrote:
And that's why they bounce SpamCop reports to their listed abuse.net address ?
I don't know that that means anything. Spamcop hasn't historically had a reputation for being accurate, although they might have improved recently.
The quality of SpamCop reports is dependent on the quality of what users report, plus internal processing SpamCop does to reduce the noise and errors in those reports.
The quality of contact information SpamCop has to report spams to is dependent on source like abuse.net and whatever other contacts they can determine for themselves or with external help.
In the specific case of SpamCop's contact information for Yahoo, it currently appears out of date or incorrect, but Yahoo has provided new information to SpamCop. I know this because I was involved in bringing the parties together. The new contact info is private and will not be visible to SpamCop users or the public, but when it's in place the reports will get through and hopefully be acted upon.
Cheers,
Jeff C. -- Don't harm innocent bystanders.
On Sunday, October 9, 2005, 5:39:33 PM, Jeff Chan wrote:
The quality of SpamCop reports is dependent on the quality of what users report, plus internal processing SpamCop does to reduce the noise and errors in those reports.
It's perhaps worth noting that with some munging on our side, the SpamCop spamvertised site data result in some of the better performing SURBLs: sc.surbl.org and ab.surbl.org.
We can compensate for the occasional errors made by SpamCop users, yet it's the fact that the reports are mostly manual that makes the data unusually good. Generally speaking, some humans had to take some time and make some effort to report the spam, and the reports are mostly right. Collectively, their judgements about what constitutes spam turn out to be quite useful.
Jeff C. -- Don't harm innocent bystanders.
Jeff Chan wrote:
The quality of SpamCop reports is dependent on the quality of what users report, plus internal processing SpamCop does to reduce the noise and errors in those reports.
It has been quite good for some time (more than a year) now, AFAIK that's why there is a sc.surbl.org (= bit 1 in multi).
In the specific case of SpamCop's contact information for Yahoo, it currently appears out of date or incorrect, but Yahoo has provided new information to SpamCop.
So far that didn't work. I've moved the relevant thread to a place where it's also directly visible without news reader:
http://news.spamcop.net/pipermail/spamcop-list/2005-October/105257.html
I was involved in bringing the parties together. The new contact info is private and will not be visible to SpamCop users or the public
...............^^^^^^
The main question, will reports be visible on the stats page for say SURBL ?
Bye, Frank
On Monday, October 10, 2005, 10:46:28 AM, Frank Ellermann wrote:
Jeff Chan wrote:
I was involved in bringing the parties together. The new contact info is private and will not be visible to SpamCop users or the public
...............^^^^^^
The main question, will reports be visible on the stats page for say SURBL ?
Probably not.
Jeff C. -- Don't harm innocent bystanders.
Hi!
I was involved in bringing the parties together. The new contact info is private and will not be visible to SpamCop users or the public
...............^^^^^^
The main question, will reports be visible on the stats page for say SURBL ?
Probably not.
Stats are just samples anyway, they don't give a complete picture. So you'd better not use them as a reference ;)
Bye, Raymond.
Raymond Dijkxhoorn wrote:
Stats are just samples anyway, they don't give a complete picture. So you'd better not use them as a reference ;)
It's the input for sc.surbl.org, it's required to be reliable, see also http://www.surbl.org/data.html with its link to http://www.spamcop.net/w3m?action=inprogress;type=www
If "sc2" will have some shortcut resulting in essentially the same input it's of course fine, but public pages for users to check what happens with their "votes" are also very important.
You can see on SC's page that spamvertized URLs with private reporting arrangements like spambr AT admin.spamcop.net are (of course) shown.
Spamvertized URLs with dev-nulled reports are also shown, e.g. postmaster#chinanet.cn.net AT devnull.spamcop.net, and that's as it should be: After all SURBL doesn't care about the fate of the SC report, it's only interested in the spamvertized URL.
And the day before yesterday there were numerous URLs with a reporting address postmaster#cc.yahoo-inc.com@devnull on this page, the same erroneous reporting address as for [see subject]
But [see subject] didn't show up as a spamvertized URL, and so SURBL never saw it. That SpamCop glitch (or whatever it was) was unrelated to private or dev-nulled reporting addresses.
Bye, Frank
On Monday, October 10, 2005, 3:31:53 PM, Frank Ellermann wrote:
Raymond Dijkxhoorn wrote:
Stats are just samples anyway, they don't give a complete picture. So you'd better not use them as a reference ;)
It's the input for sc.surbl.org, it's required to be reliable, see also http://www.surbl.org/data.html with its link to http://www.spamcop.net/w3m?action=inprogress;type=www
Yes, the log file Frank referred to is the hits against the whitelist of new sc.surbl.org additions. It's not the same as the whitelist hits of sample DNS queries into SURBL nameservice that Raymond may have been thinking of. Same whitelist, different context.
If "sc2" will have some shortcut resulting in essentially the same input it's of course fine,
It's not the same input; it's a direct, private database query into SpamCop. Some of the data may be the same, some may not be.
but public pages for users to check what happens with their "votes" are also very important.
There is no public page for sc2.
[...]
And the day before yesterday there were numerous URLs with a reporting address postmaster#cc.yahoo-inc.com@devnull on this page, the same erroneous reporting address as for [see subject]
SpamCop is currently updating their contact address for Yahoo.
Really I don't want to talk about it further since these are the private arrangements between SpamCop and Yahoo. I have already said they are working on it and that will need to be enough.
The less we reveal to spammers the better.
But [see subject] didn't show up as a spamvertized URL, and so SURBL never saw it. That SpamCop glitch (or whatever it was) was unrelated to private or dev-nulled reporting addresses.
SpamCop is aware of the Geocities spams, just like anyone else. They are working on the reporting.
Jeff C. -- Don't harm innocent bystanders.
Jeff Chan wrote:
If "sc2" will have some shortcut resulting in essentially the same input it's of course fine,
It's not the same input; it's a direct, private database query into SpamCop. Some of the data may be the same, some may not be.
With "essentially the same input" I meant the manual spam reports, spam where SC tried to find some spamvertized URLs.
Good news, SC now uses a working abuse address also for the geocities crap, example link taken from their "stats" page:
http://www.spamcop.net/sc?track=http://www geocities com/ghadifabecergil/
(add missing dots for a working URL). So now I'd expect that this "vote" later shows up on your WL hit list for geocities.
I don't want to talk about it further since these are the private arrangements between SpamCop and Yahoo.
There's nothing private about the newly used reporting address, network-abuse@cc.yahoo-inc.com is just what ARIN says.
The less we reveal to spammers the better.
It still has to be enough that I can trust it. Something is fishy if geocities gets some extra processing only because they are big. For a spamvertized geocities URL SpamCop now needs 40 (!) reloads of the parsing until it finds the IP - and that's the bad news.
I've no idea what the problem is, but it wouldn't surprise me if somebody working from within Yahoo! tries to play games with SpamCop. OTOH I'd doubt that these persons control everything, maybe network-abuse@cc.yahoo-inc stops this "insider business".
Bye, Frank
On Wednesday, October 12, 2005, 6:28:48 PM, Frank Ellermann wrote:
Jeff Chan wrote:
If "sc2" will have some shortcut resulting in essentially the same input it's of course fine,
It's not the same input; it's a direct, private database query into SpamCop. Some of the data may be the same, some may not be.
With "essentially the same input" I meant the manual spam reports, spam where SC tried to find some spamvertized URLs.
Yes, it's probably mostly the same content or at least the same original source (SpamCop reports).
Good news, SC now uses a working abuse address also for the geocities crap, example link taken from their "stats" page:
http://www.spamcop.net/sc?track=http://www geocities com/ghadifabecergil/
That just means the parsing is probably working correctly, which of course is a good first step.
(add missing dots for a working URL). So now I'd expect that this "vote" later shows up on your WL hit list for geocities.
I don't want to talk about it further since these are the private arrangements between SpamCop and Yahoo.
There's nothing private about the newly used reporting address, network-abuse@cc.yahoo-inc.com is just what ARIN says.
That's not the private Yahoo reporting address.
The less we reveal to spammers the better.
It still has to be enough that I can trust it. Something is fishy if geocities gets some extra processing only because they are big. For a spamvertized geocities URL SpamCop now needs 40 (!) reloads of the parsing until it finds the IP - and that's the bad news.
I'm not sure how you are determining this, but if you think there's a problem with SpamCop's processing you may want to document it and let them know. Please remember that they are trying to stop spam too. They are not the enemy.
I've no idea what the problem is, but it wouldn't surprise me if somebody working from within Yahoo! tries to play games with SpamCop. OTOH I'd doubt that these persons control everything, maybe network-abuse@cc.yahoo-inc stops this "insider business".
Far more likely Yahoo is a very big, rapidly-growing company with many different departments that don't always coordinate things.
Jeff C. -- Don't harm innocent bystanders.
Jeff Chan wrote:
it's a black hat.
No it's not.
IBTD.
Yahoo is currently trying to properly organize their handling of hosting abuse.
It's no general Yahoo! problem, it's only uk. geocities .com
What does the article say please?
| Date: Thu, 06 Oct 2005 20:04:24 +0200
| From: Frank Ellermann nobody@xyzzy.claranet.de
| [...]
| Newsgroups: spamcop.routing
| CC: network-abuse@cc.yahoo-inc.com
| Subject: O/R: 66.218.64.0 - 66.218.95.255:network-abuse@cc.yahoo-inc.com
| [...]
| Hi, for the infamous uk.geocities.com series of spam runs SpamCop tries:
| : Using abuse net on network-abuse@cc.yahoo-inc.com
| : abuse net cc.yahoo-inc.com = postmaster@cc.yahoo-inc.com
| : Using best contacts postmaster@cc.yahoo-inc.com
| : postmaster@cc.yahoo-inc.com bounces (7 sent : 7 bounces)
| But ARIN apparently says that SC should use:
| : "whois 66.218.77.68@whois.arin.net"
| [...]
| : Found AbuseEmail in whois network-abuse@cc.yahoo-inc.com
| : 66.218.64.0 - 66.218.95.255:network-abuse@cc.yahoo-inc.com
| I recommend blocking all mails containing any URL with the FQDN uk.geocities.com in local URIBLs.
| http://www.spamcop.net/sc?id=z812431135z90373e8638a8645cf7c1de6de25ebb36z
| As always SpamCop needed at least five "reloads" to find the relevant IP for uk.geocities.com spam, and after that effort it should use some working abuse@ address at Yahoo!
| Bye, Frank
The SC problems with numerous uk. geocities .com spams have been a known issue for some months, it just deteriorated. The spam is _apparently_ (don't take my word for it, check it) designed to bypass SURBL, the page contains some harmless plain text plus an "encrypted" JavaScript - I didn't try to unescape() it:
So there's a small chance that it's a Joe Job or some kind of DOS attack. OTOH I hope that I'd hear about it if it's "only" a Joe Job, after all I got this stuff for months.
BTW, why does...
http://spamcheck.freeapp.net/whitelist-hits.new.log.sort
...not list the (probably) hundreds of hits for this FQDN ?
Bye, Frank
On Saturday, October 8, 2005, 9:10:35 AM, Frank Ellermann wrote:
BTW, why does...
...not list the (probably) hundreds of hits for this FQDN ?
Because uk.geocities.com (or any com, net, org, etc.) is going to be reduced to the second level, i.e., geocities.com, before checking.
Jeff C. -- Don't harm innocent bystanders.
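The reduction Jeff describes, as an added example that is not SURBL's or SpamCop's code: hosts pulled out of a message's URIs are cut down to the registrable domain, compared against a local whitelist, and only then turned into a query name under the multi.surbl.org zone the thread mentions. The two-level TLD table, the whitelist and the stand-in resolver are constructed for the example; a real deployment would load a maintained public-suffix list and do real DNS lookups.

```python
import re

URI_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)

# Constructed, partial table of public suffixes that sit one level deeper than
# com/net/org; a real deployment would load a maintained list.
TWO_LEVEL_TLDS = {"co.uk", "org.uk", "ac.uk", "com.au", "co.jp", "com.br"}

# Constructed local whitelist: registrable domains of big shared hosters that
# must never be listed because they carry legitimate content as well.
WHITELIST = {"geocities.com", "yahoo.com"}


def registrable_domain(host):
    """Reduce a host to the level a URIBL is keyed on: uk.geocities.com -> geocities.com."""
    host = host.lower().rstrip(".")
    labels = host.split(".")
    # IP literals and single labels are returned unchanged; SURBL keys IPs
    # differently (reversed octets), which this example does not cover.
    if len(labels) < 2 or all(label.isdigit() for label in labels):
        return host
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_TLDS:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def query_name(domain, zone="multi.surbl.org"):
    """DNS name to look up for a registrable domain in a URIBL zone."""
    return f"{domain}.{zone}"


def classify_body(body, resolve):
    """Map each registrable domain found in body to whitelisted / listed / clean.

    resolve(qname) returns the last octet of the A answer, or None for NXDOMAIN;
    it is injected so the example runs offline.
    """
    verdicts = {}
    for host in URI_HOST_RE.findall(body):
        domain = registrable_domain(host)
        if domain in verdicts:
            continue
        if domain in WHITELIST:
            verdicts[domain] = "whitelisted"   # never queried, so never listed
            continue
        verdicts[domain] = "listed" if resolve(query_name(domain)) else "clean"
    return verdicts


# Constructed stand-in for the DNS zone: one listed domain, everything else NXDOMAIN.
FAKE_ZONE = {"spammer-example.test.multi.surbl.org": 2}


def fake_resolve(qname):
    return FAKE_ZONE.get(qname)


if __name__ == "__main__":
    body = ("Look at http://uk.geocities.com/someone/ and "
            "http://www.spammer-example.test/?track=1 and http://shop.example.co.uk/")
    for domain, verdict in classify_body(body, fake_resolve).items():
        print(f"{domain:25s} {verdict}")
```

The point of the example is the order of operations: whatever subdomain the spam uses, the lookup key is geocities.com, and a whitelisted key short-circuits before any DNS query is made. That is why a per-host listing of uk.geocities.com is not expressible in this scheme and why the thread falls back to local SpamAssassin rules for it.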
Jeff Chan wrote (munged by me):
Because
[see subject]
(or any com, net, org, etc.) is going to be reduced to the second level, i.e.,
[geocities DOT com]
before checking.
Of course I checked this on the WL hit page... http://spamcheck.freeapp.net/whitelist-hits.new.log.sort
It shows eight hits for the SLD and two hits for [see subject], all ten hits from 2004. The latter April 2004, so probably the removal of UK from the FQDN started to work after 04-16.
The last WL hit was 2004-12-07, and I'm sure that this must be wrong: The spam for [see subject] sometimes avoids the radar of my ISP, no ***SPAM*** tag, and then I often report spam manually, because it could be "fresh" (both for my ISP, but also for SURBL). Therefore that should show up on the WL hit list (= automatically rejected by SURBL).
But it doesn't, therefore something is wrong. I think it's a problem on SC's side, but with Murphy it could be also a PEBKAC (= I don't understand the WL hit list), or a double fault (= WL hit list doesn't work), or worse.
For starters I've now created a simple PURL to look up new "net-abuse" articles:
http://purl.net/net/abuse => Russ' nice net-abuse FAQ
http://purl.net/net/abuse/ => partial redirect to fresh net-abuse excl. sightings
http://purl.net/net/abuse/uk.geocities.com (see subject ;-)
Should also work with purl.org/net/abuse/whatever, bye, Frank
On Saturday, October 8, 2005, 9:10:35 AM, Frank Ellermann wrote:
| Date: Thu, 06 Oct 2005 20:04:24 +0200
| From: Frank Ellermann nobody@xyzzy.claranet.de
| [...]
| Newsgroups: spamcop.routing
| CC: network-abuse@cc.yahoo-inc.com
| Subject: O/R: 66.218.64.0 - 66.218.95.255:network-abuse@cc.yahoo-inc.com
| [...]
| Hi, for the infamous uk.geocities.com series of spam runs SpamCop tries:
| : Using abuse net on network-abuse@cc.yahoo-inc.com
| : abuse net cc.yahoo-inc.com = postmaster@cc.yahoo-inc.com
| : Using best contacts postmaster@cc.yahoo-inc.com
| : postmaster@cc.yahoo-inc.com bounces (7 sent : 7 bounces)
| But ARIN apparently says that SC should use:
| : "whois 66.218.77.68@whois.arin.net"
| [...]
| : Found AbuseEmail in whois network-abuse@cc.yahoo-inc.com
| : 66.218.64.0 - 66.218.95.255:network-abuse@cc.yahoo-inc.com
The ARIN and abuse.net contact databases are run by humans who sometimes have difficulty determining who to contact for a given network/system/organization. It's particularly difficult for a large organization like Yahoo, but after some prodding, Yahoo has provided a private reporting address for SpamCop to use. SpamCop may not have installed that address yet, but it has been provided, and that is significant progress.
Yahoo is also organizing their internal hosting abuse efforts currently. It's a non-trivial task, especially given their rapid growth and massive size. But they acknowledge there are problems and are working on solutions. I'm hopeful that they will get their abuse under better control.
Until then we can't blacklist them because they do have legitimate uses.
Jeff C. -- Don't harm innocent bystanders.
Jeff Chan wrote:
The ARIN and abuse.net contact databases are run by humans who sometimes have difficulty determining who to contact for a given network/system/organization.
Sure, but I refuse to bother John (update AT abuse.net) only to bypass a "bug" (or feature) in SC's algorithm to guess a better address than what they get from ARIN.
abuse.net doesn't need a working entry for cc.yahoo-inc.com, it has an entry for [see subject] submitted by postmaster@.
That issue has to be fixed at SpamCop somehow, not abuse.net.
SpamCop may not have installed that address yet, but it has been provided, and that is significant progress.
ACK, let's see what happens. Yesterday my report never made it to their Web site reports page, therefore it's no surprise if it also never made it to your WL hit page.
Until then we can't blacklist them because they do have legitimate uses.
The WL hit part still has to work, otherwise sc.surbl.org is compromised. Bye, Frank
On Monday, October 10, 2005, 11:05:00 AM, Frank Ellermann wrote:
Jeff Chan wrote:
The ARIN and abuse.net contact databases are run by humans who sometimes have difficulty determining who to contact for a given network/system/organization.
Sure, but I refuse to bother John (update AT abuse.net) only to bypass a "bug" (or feature) in SC's algorithm to guess a better address than what they get from ARIN.
abuse.net doesn't need a working entry for cc.yahoo-inc.com, it has an entry for [see subject] submitted by postmaster@.
John is in contact with Yahoo and should know what abuse addresses to use for them.
That issue has to be fixed at SpamCop somehow, not abuse.net.
SpamCop has some private contact addresses that they use for certain networks. They are sometimes different from John's publicly listed abuse.net addresses.
SpamCop may not have installed that address yet, but it has been provided, and that is significant progress.
ACK, let's see what happens. Yesterday my report never made it to their Web site reports page,
When SpamCop is using a private contact address, it probably doesn't show up on their reports page, but they do get forwarded to the private contact address.
therefore it's no surprise if it also never made it to your WL hit page.
The SpamCop spamvertised site page is the basis for the current sc.surbl.org list, but the sc2 list is based on a direct database feed from SpamCop which I believe may include more reports.
Jeff C. -- Don't harm innocent bystanders.
Hi!
Hi, please remove uk. geocities .com from all white lists and/or add it manually to local URIBLs, it's a black hat.
No it's not. It belongs to Yahoo. Yahoo is currently trying to properly organize their handling of hosting abuse.
Bye, Frank
What does the article say please?
It's the typical spam we have been seeing for months now. I have posted some rules to block them, use those. We won't list geocities in SURBL. It DOES have legitimate uses.
To save you looking for the rules... :
#
# Abusive public hosting
#
uri      PROLO_PUBWEB_UKGEO_CHECK1 /^http:\/\/.*uk\.geocities\.com\//
score    PROLO_PUBWEB_UKGEO_CHECK1 15.0
describe PROLO_PUBWEB_UKGEO_CHECK1 PROLO_PUBWEB_UKGEO_CHECK1, Body

uri      PROLO_PUBWEB_ITGEO_CHECK1 /^http:\/\/.*it\.geocities\.com\//
score    PROLO_PUBWEB_ITGEO_CHECK1 15.0
describe PROLO_PUBWEB_ITGEO_CHECK1 PROLO_PUBWEB_ITGEO_CHECK1, Body

uri      PROLO_PUBWEB_WWWGEO_CHECK1 /^http:\/\/.*www\.geocities\.com\//
score    PROLO_PUBWEB_WWWGEO_CHECK1 15.0
describe PROLO_PUBWEB_WWWGEO_CHECK1 PROLO_PUBWEB_WWWGEO_CHECK1, Body
There are some others abused also (de geocities com) so you might want to extend it.
While we are at it some more:
uri      PROLO_HOSTING_PROHOSTING_CHK1 /^http:\/\/.*prohosting\.com\//
score    PROLO_HOSTING_PROHOSTING_CHK1 15.0
describe PROLO_HOSTING_PROHOSTING_CHK1 PROLO_HOSTING_PROHOSTING_CHK1, Body

uri      PROLO_HOSTING_XTHOST_CHK1 /^http:\/\/.*xthost\.info\//
score    PROLO_HOSTING_XTHOST_CHK1 15.0
describe PROLO_HOSTING_XTHOST_CHK1 PROLO_HOSTING_XTHOST_CHK1, Body

uri      PROLO_HOSTING_NET4FREE_CHK1 /^http:\/\/.*net4free\.org\//
score    PROLO_HOSTING_NET4FREE_CHK1 15.0
describe PROLO_HOSTING_NET4FREE_CHK1 PROLO_HOSTING_NET4FREE_CHK1, Body
We have seen abuse from those also, use at own risk.
Bye, Raymond.