Hello,
Take a look at this SPAM :
http://www.ensmp.fr/~martins/Prozac
Mainly, check the source.
The problem is that it comes with many, many URLs. At the beginning, there are URLs needed by the SPAM itself. After, it puts many URLs with font size equal to 1. Most of these last domains aren't spam... 8-)
Jose-Marcio
Hi Jose-Marcio,
Take a look at this SPAM :
http://www.ensmp.fr/~martins/Prozac
Mainly, check the source.
The problem is that it comes with many, many URLs. At the beginning, there are URLs needed by the SPAM itself. After, it puts many URLs with font size equal to 1. Most of these last domains aren't spam... 8-)
Who cares, it's picked up anyway, BIGEVIL_URI_RBL and WS_URI_RBL! :)
May 5 21:52:33 vmx80 MailScanner[31469]: Message i45Jp6FK030462 from 212.127.254.140 (raymond@prolocation.net) to quicknet.nl is spam, SpamAssassin (score=19.963, required 5, BAYES_99 5.40, BIGEVIL_URI_RBL 3.50, BIZ_TLD 0.10, CLICK_BELOW 0.10, DRUGS_ANXIETY 0.01, DRUGS_ANXIETY_EREC 1.00, DRUGS_DEPRESSION 0.01, DRUGS_DEPR_EREC 1.00, DRUGS_DIET 0.01, DRUGS_DIET_EREC 1.00, DRUGS_ERECTILE 1.00, DRUGS_ERECTILE_OBFU 1.50, DRUGS_MANYKINDS 1.00, DRUGS_MUSCLE 0.01, DRUGS_SLEEP 0.01, DRUGS_SLEEP_EREC 0.50, HTML_60_70 0.11, HTML_LINK_CLICK_HERE 0.10, HTML_MESSAGE 0.10, WS_URI_RBL 3.50)
I would say HOOOOOOORAY! It's doing a nice job catching them.
Bye, Raymond.
Raymond Dijkxhoorn wrote:
Hi Jose-Marcio,
Take a look at this SPAM :
http://www.ensmp.fr/~martins/Prozac
Mainly, check the source.
The problem is that it comes with many, many URLs. At the beginning, there are URLs needed by the SPAM itself. After, it puts many URLs with font size equal to 1. Most of these last domains aren't spam... 8-)
Who cares, it's picked up anyway, BIGEVIL_URI_RBL and WS_URI_RBL! :)
Scripts extracting URLs to insert into blacklist **should take care** with extracted URLs.
E.g. http://www.bernoulli.org, http://www.ubiquity.com, http://www.nay.org aren't really spammers, and they have nothing to do with this SPAM.
May 5 21:52:33 vmx80 MailScanner[31469]: Message i45Jp6FK030462 from 212.127.254.140 (raymond@prolocation.net) to quicknet.nl is spam, SpamAssassin (score=19.963, required 5, BAYES_99 5.40, BIGEVIL_URI_RBL 3.50, BIZ_TLD 0.10, CLICK_BELOW 0.10, DRUGS_ANXIETY 0.01, DRUGS_ANXIETY_EREC 1.00, DRUGS_DEPRESSION 0.01, DRUGS_DEPR_EREC 1.00, DRUGS_DIET 0.01, DRUGS_DIET_EREC 1.00, DRUGS_ERECTILE 1.00, DRUGS_ERECTILE_OBFU 1.50, DRUGS_MANYKINDS 1.00, DRUGS_MUSCLE 0.01, DRUGS_SLEEP 0.01, DRUGS_SLEEP_EREC 0.50, HTML_60_70 0.11, HTML_LINK_CLICK_HERE 0.10, HTML_MESSAGE 0.10, WS_URI_RBL 3.50)
I would say HOOOOOOORAY! It's doing a nice job catching them.
Bye, Raymond.
Hi!
Who cares, it's picked up anyway, BIGEVIL_URI_RBL and WS_URI_RBL! :)
Scripts extracting URLs to insert into blacklist **should take care** with extracted URLs.
E.g. http://www.bernoulli.org, http://www.ubiquity.com, http://www.nay.org aren't really spammers, and they have nothing to do with this SPAM.
Yes, that's why most things are done manually. The system works just fine, it didn't trigger on the 'positive' ones did it ? :)
Bye, Raymond.
On Wednesday, May 5, 2004, 1:20:36 PM, Raymond Dijkxhoorn wrote:
Who cares, it's picked up anyway, BIGEVIL_URI_RBL and WS_URI_RBL! :)
Scripts extracting URLs to insert into blacklist **should take care** with extracted URLs.
E.g. http://www.bernoulli.org, http://www.ubiquity.com, http://www.nay.org aren't really spammers, and they have nothing to do with this SPAM.
Yes, that's why most things are done manually. The system works just fine, it didn't trigger on the 'positive' ones did it ? :)
Yes that's correct. The legitimate domains are not in any SURBL blocklists, so SpamCopURI did not block on them.
The system works exactly as intended.
Jeff C.
Hi,
Another one I found today :
<a hreftwinklehref=http://chopping.com href="http://luckydoc.net/lv/index.php?pid=eph8151">
Joe
Jeff Chan wrote:
On Wednesday, May 5, 2004, 1:20:36 PM, Raymond Dijkxhoorn wrote:
Who cares, it's picked up anyway, BIGEVIL_URI_RBL and WS_URI_RBL! :)
Scripts extracting URLs to insert into blacklist **should take care** with extracted URLs.
E.g. http://www.bernoulli.org, http://www.ubiquity.com, http://www.nay.org aren't really spammers, and they have nothing to do with this SPAM.
Yes, that's why most things are done manually. The system works just fine, it didn't trigger on the 'positive' ones did it ? :)
Yes that's correct. The legitimate domains are not in any SURBL blocklists, so SpamCopURI did not block on them.
The system works exactly as intended.
Jeff C.
Discuss mailing list Discuss@lists.surbl.org http://lists.surbl.org/mailman/listinfo/discuss
On Monday, May 10, 2004, 12:32:08 AM, Jose Cruz wrote:
Hi,
Another one I found today :
<a hreftwinklehref=http://chopping.com href="http://luckydoc.net/lv/index.php?pid=eph8151">
Joe
Hi Joe, Can you explain a little more what this is?
Is it a case we're not parsing correctly? A false positive? :-)
Jeff C.
Jeff Chan wrote:
On Monday, May 10, 2004, 12:32:08 AM, Jose Cruz wrote:
Hi,
Another one I found today :
<a hreftwinklehref=http://chopping.com href="http://luckydoc.net/lv/index.php?pid=eph8151">
Joe
Hi Joe, Can you explain a little more what this is?
Is it a case we're not parsing correctly? A false positive? :-)
No. luckydoc.net is in your database (ws and sc), and in mine.
chopping.com shall not be blacklisted, luckydoc.net yes.
Take a look at the original message at :
http://j-chkmail.ensmp.fr/chopping.txt
Best
Joe
Jeff C.
On Tuesday, May 11, 2004, 12:53:36 AM, Jose Cruz wrote:
luckydoc.net is in your database (ws and sc), and in mine.
chopping.com shall not be blacklisted, luckydoc.net yes.
Thanks, I've whitelisted chopping.com. Note that it is *not* on any of the lists however.
Jeff C.
Good afternoon, all,
On Wed, 5 May 2004, Jose-Marcio.Martins@ensmp.fr wrote:
Raymond Dijkxhoorn wrote:
Take a look at this SPAM :
http://www.ensmp.fr/~martins/Prozac
Mainly, check the source.
The problem is that it comes with many, many URLs. At the beginning, there are URLs needed by the SPAM itself. After, it puts many URLs with font size equal to 1. Most of these last domains aren't spam... 8-)
I call this spamchaff - useless links thrown in just to throw off spam fighters like ourselves. Some of those hyperlinks are simply [a href="...."][/a] with no target in the middle. I specifically check for those "empty links" before even starting the normal process of extracting urls. Another common one is 3 link pairs, each surrounding a single character of punctuation.
Who cares, it's picked up anyway, BIGEVIL_URI_RBL and WS_URI_RBL! :)
Scripts extracting URLs to insert into blacklist **should take care** with extracted URLs.
Agreed, and this is why I've spent a _lot_ of time working on the scripts that extract URLs so that I can see these and they won't hit the list at all. It's also why I'm finding I have less and less patience with other people's scripts as these slip into their submissions.
Cheers,
- Bill
---------------------------------------------------------------------------
The web page you seek cannot be found here: countless others await
(Courtesy of John Sage jsage@finchhaven.com)
--------------------------------------------------------------------------
William Stearns (wstearns@pobox.com). Mason, Buildkernel, freedups, p0f,
rsync-backup, ssh-keyinstall, dns-check, more at: http://www.stearns.org
--------------------------------------------------------------------------
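The chaff filtering discussed in this thread, as an added example that is not code from any poster or from SURBL: a Python sketch that sorts anchor hosts into blacklist candidates and likely chaff before submission, beside a naive `href=` regex that the bogus `hreftwinklehref` attribute fools. The `<font size=1>` markup, the link text, and the names `LinkTriage`, `triage` and `naive_hosts` are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

def naive_hosts(html):
    # Substring match on "href=": also fires inside bogus attribute names.
    return re.findall(r'href=["\']?https?://([^/"\'\s>]+)', html)

class LinkTriage(HTMLParser):  # sorts anchor hosts: candidates vs. chaff
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.candidates, self.chaff = [], []
        self.tiny = []      # one flag per open <font>: True if size=1
        self.href = None    # href of the anchor currently open, if any
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "font":
            self.tiny.append(attrs.get("size") == "1")
        elif tag == "a":
            self.href = attrs.get("href") or ""  # exact name "href" only
            self.label, self.hidden = "", any(self.tiny)
        elif tag == "img" and self.href is not None:
            self.label += "[img]"                # image links are clickable
    def handle_data(self, data):
        if self.href is not None:
            self.label += data
    def handle_endtag(self, tag):
        if tag == "font" and self.tiny:
            self.tiny.pop()
        elif tag == "a" and self.href is not None:
            host = urlsplit(self.href).hostname
            empty = not re.search(r"\w", self.label)  # blank or punctuation
            if host:
                (self.chaff if empty or self.hidden else self.candidates).append(host)
            self.href = None

def triage(html):
    parser = LinkTriage()
    parser.feed(html)
    parser.close()
    return parser.candidates, parser.chaff

# Constructed sample: first tag as quoted in the thread, link text invented.
SAMPLE = (
    '<a hreftwinklehref=http://chopping.com '
    'href="http://luckydoc.net/lv/index.php?pid=eph8151">order here</a>'
    '<a href="http://www.nay.org"></a><a href="http://www.ubiquity.com">.</a>'
    '<font size=1><a href="http://www.bernoulli.org">maths</a></font>'
)
```

Hosts in the chaff list are held back from submission rather than treated as clean; the candidates still go through manual review or a whitelist check before they reach a blocklist.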