From jeffc at surbl.org Wed Jan 4 10:55:48 2006
From: jeffc at surbl.org (Jeff Chan)
Date: Wed Jan 4 10:55:50 2006
Subject: [SURBL-Discuss] Google search as spam URI
Message-ID: <496925945.20060104015548@surbl.org>

This drug spam message body seems problematic, since the URI is google, being used to search for the spammer's. Naturally the actual spammer domain bluevallet.com is blacklisted. This showed up Tue, 03 Jan 2006 14:45:48 +0100

__

Proecia
Xana
Pail
VALIM from $1.21
IAGRA from $3.33
IALIS from $3.75
eridia
Abien
Soa
Levtra

http://www.google.com/search?q=site:bluevallet.com
[eight inline GIF images, base64-encoded, referenced from the HTML part]

__

SpamAssassin 3.0.1 did not catch this one, though the sender IP was on the SpamCop BL (that was all it caught).

Jeff C.
--
Don't harm innocent bystanders.

From dallase at nmgi.com Wed Jan 4 15:29:39 2006
From: dallase at nmgi.com (Dallas L. Engelken)
Date: Wed Jan 4 15:30:15 2006
Subject: [SURBL-Discuss] RE: Google search as spam URI
Message-ID: <6E239CE693316B48B483C7273C171122563A49@exchange.nmgi.com>

adding a redirector_pattern will catch this.
redirector_pattern /^https?:\/\/(?:www\.)?google\.com\/search\?q=site:([A-Za-z0-9\-\.]+)$/I

dbg: uri: parsed uri found, http://www.google.com/search?q=site:bluevallet.com
dbg: uri: cleaned parsed uri, http://bluevallet.com
dbg: uri: cleaned parsed uri, http://www.google.com/search?q=site:bluevallet.com
dbg: uri: cleaned parsed uri, bluevallet.com
dbg: uri: parsed domain, google.com
dbg: uri: parsed domain, bluevallet.com
dbg: uridnsbl: domain google.com in skip list
dbg: uridnsbl: domains to query: bluevallet.com
dbg: uri: running uri tests; score so far=-0.001
dbg: rules: ran uri rule __LOCAL_PP_NONPPURL ======> got hit: "http://bluevallet.com"
dbg: uridnsbl: select found 1 socks ready
dbg: uridnsbl: domain "bluevallet.com" listed (URIBL_BLACK): 127.0.0.2
dbg: uridnsbl: query for bluevallet.com took 1 seconds to look up (multi.uribl.com.:bluevallet.com)
dbg: uridnsbl: queries completed: 1 started: 0
dbg: uridnsbl: queries active: DNSBL=1 NS=1 at Wed Jan 4 08:26:42 2006
dbg: uridnsbl: select found 1 socks ready
dbg: uridnsbl: domain "bluevallet.com" listed (URIBL_SC_SURBL): 127.0.0.2
dbg: uridnsbl: query for bluevallet.com took 1 seconds to look up (multi.surbl.org.:bluevallet.com)
dbg: uridnsbl: queries completed: 1 started: 0
dbg: uridnsbl: queries active: NS=1 at Wed Jan 4 08:26:42 2006
dbg: uridnsbl: waiting 2 seconds for URIDNSBL lookups to complete
dbg: uridnsbl: select found 1 socks ready
dbg: uridnsbl: queries completed: 1 started: 2
dbg: uridnsbl: queries active: at Wed Jan 4 08:26:42 2006
dbg: uridnsbl: select found 1 socks ready
dbg: uridnsbl: queries completed: 1 started: 1
dbg: uridnsbl: queries active: A=1 at Wed Jan 4 08:26:42 2006
dbg: uridnsbl: select found 1 socks ready
dbg: uridnsbl: queries completed: 1 started: 1
dbg: uridnsbl: queries active: DNSBL=1 at Wed Jan 4 08:26:42 2006
dbg: uridnsbl: select found 1 socks ready
dbg: uridnsbl: domain "bluevallet.com" listed (URIBL_SBL): "http://www.spamhaus.org/SBL/sbl.lasso?query=SBL36468"
dbg: uridnsbl: domain "bluevallet.com" listed (URIBL_SBL): "http://www.spamhaus.org/SBL/sbl.lasso?query=SBL36335"
dbg: uridnsbl: query for bluevallet.com took 1 seconds to look up (sbl.spamhaus.org.:17.160.20.58)
dbg: uridnsbl: queries completed: 1 started: 0
dbg: uridnsbl: queries active: DNSBL=1 at Wed Jan 4 08:26:42 2006
dbg: uridnsbl: select found 1 socks ready
dbg: uridnsbl: domain "bluevallet.com" listed (URIBL_SBL): "http://www.spamhaus.org/SBL/sbl.lasso?query=SBL36470"
dbg: uridnsbl: query for bluevallet.com took 1 seconds to look up (sbl.spamhaus.org.:7.134.11.221)
dbg: uridnsbl: queries completed: 1 started: 0
dbg: uridnsbl: queries active: at Wed Jan 4 08:26:42 2006
dbg: uridnsbl: done waiting for URIDNSBL lookups to complete
dbg: uri: running uri tests; score so far=9.972
dbg: uri: running uri tests; score so far=7.11254545454546

Thanks,
Dallas

> -----Original Message-----
> From: Jeff Chan [mailto:jeffc@surbl.org]
> Sent: Wednesday, January 04, 2006 3:56 AM
> To: SpamAssassin Users; SURBL Discuss
> Subject: Google search as spam URI
>
> This drug spam message body seems problematic, since the URI is
> google, being used to search for the spammer's. Naturally the
> actual spammer domain bluevallet.com is blacklisted. This
> showed up Tue, 03 Jan 2006 14:45:48 +0100
>
> __
>
> Proecia
> Xana
> Pail
> VALIM from $1.21
> IAGRA from $3.33
> IALIS from $3.75
> eridia
> Abien
> Soa
> Levtra
>
> http://www.google.com/search?q=site:bluevallet.com
> __
>
> SpamAssassin 3.0.1 did not catch this one, though the sender
> IP was on the SpamCop BL (that was all it caught).
>
> Jeff C.
> --
> Don't harm innocent bystanders.

From dallase at nmgi.com Wed Jan 4 15:39:40 2006
From: dallase at nmgi.com (Dallas L. Engelken)
Date: Wed Jan 4 15:40:14 2006
Subject: [SURBL-Discuss] RE: Google search as spam URI
Message-ID: <6E239CE693316B48B483C7273C171122563A50@exchange.nmgi.com>

> -----Original Message-----
> From: Jeff Chan [mailto:jeffc@surbl.org]
> Sent: Wednesday, January 04, 2006 3:56 AM
> To: SpamAssassin Users; SURBL Discuss
> Subject: Google search as spam URI
>
> This drug spam message body seems problematic, since the URI is
> google, being used to search for the spammer's.
> Naturally the
> actual spammer domain bluevallet.com is blacklisted. This
> showed up Tue, 03 Jan 2006 14:45:48 +0100
>
> __

Also FWIW, we auto-listed bluevallet.com on black.uribl.com at

bluevallet.com Listed: 2006-01-03 06:38:02 CDT (-0500 UTC)

What I'm wondering is "how", since this shouldn't be showing up in the dns query stream if people were not using the google redirector pattern....

D

From dallase at nmgi.com Wed Jan 4 15:46:46 2006
From: dallase at nmgi.com (Dallas L. Engelken)
Date: Wed Jan 4 15:47:14 2006
Subject: [SURBL-Discuss] RE: Google search as spam URI
Message-ID: <6E239CE693316B48B483C7273C171122563A55@exchange.nmgi.com>

> -----Original Message-----
> From: Dallas L. Engelken [mailto:dallase@nmgi.com]
> Sent: Wednesday, January 04, 2006 8:30 AM
> To: Jeff Chan; SpamAssassin Users; SURBL Discuss
> Subject: RE: Google search as spam URI
>
> adding a redirector_pattern will catch this.
>
> redirector_pattern
> /^https?:\/\/(?:www\.)?google\.com\/search\?q=site:([A-Za-z0-9\-\.]+)$/I
>

Notice the 'I' at the end should be 'i'.

Damn outlook, I know what I want to say!

D

From csanterre at MerchantsOverseas.com Wed Jan 4 15:53:46 2006
From: csanterre at MerchantsOverseas.com (Chris Santerre)
Date: Wed Jan 4 15:49:58 2006
Subject: [SURBL-Discuss] RE: Google search as spam URI
Message-ID: <620A4FF9B83DD511B69900062939D037012EF14E@internal.merchantsoverseas.com>

> -----Original Message-----
> From: Dallas L. Engelken [mailto:dallase@nmgi.com]
> Sent: Wednesday, January 04, 2006 9:30 AM
> To: Jeff Chan; SpamAssassin Users; SURBL Discuss
> Subject: RE: Google search as spam URI
>
> adding a redirector_pattern will catch this.
>
> redirector_pattern
> /^https?:\/\/(?:www\.)?google\.com\/search\?q=site:([A-Za-z0-9\-\.]+)$/I
>
> Thanks,
> Dallas

Should this be a standard redirect added to SA or should SARE add a rule to 70_Specific.cf?

Also I don't know how it got added to URIBL, as the only NANAS hits show them using this redir.
--Chris

From martinh at solid-state-logic.com Wed Jan 4 17:36:18 2006
From: martinh at solid-state-logic.com (Martin Hepworth)
Date: Wed Jan 4 17:56:40 2006
Subject: [SURBL-Discuss] RE: Google search as spam URI
In-Reply-To: <6E239CE693316B48B483C7273C171122563A49@exchange.nmgi.com>
Message-ID: <003201c6114d$0313a190$3004010a@martinhlaptop>

Dallas

Small change required for mine to lint cleanly...

redirector_pattern /^https?:\/\/(?:www\.)?google\.com\/search\?q=site:([A-Za-z0-9\-\.]+)$/i

(lower case letter i at the end, not upper case/capital I)

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: Dallas L. Engelken [mailto:dallase@nmgi.com]
> Sent: 04 January 2006 14:30
> To: Jeff Chan; SpamAssassin Users; SURBL Discuss
> Subject: RE: Google search as spam URI
>
> adding a redirector_pattern will catch this.
>
> redirector_pattern
> /^https?:\/\/(?:www\.)?google\.com\/search\?q=site:([A-Za-z0-9\-\.]+)$/I
>
[...]
From dallase at nmgi.com Wed Jan 4 17:54:13 2006
From: dallase at nmgi.com (Dallas L. Engelken)
Date: Wed Jan 4 17:58:01 2006
Subject: [SURBL-Discuss] RE: Google search as spam URI
Message-ID: <6E239CE693316B48B483C7273C171122563A7E@exchange.nmgi.com>

> -----Original Message-----
> From: Martin Hepworth [mailto:martinh@solid-state-logic.com]
> Sent: Wednesday, January 04, 2006 10:36 AM
> To: Dallas L. Engelken; 'Jeff Chan'; 'SpamAssassin Users'; 'SURBL Discuss'
> Subject: RE: Google search as spam URI
>
> Dallas
>
> Small change required for mine to lint cleanly...
>
> redirector_pattern
> /^https?:\/\/(?:www\.)?google\.com\/search\?q=site:([A-Za-z0-9\-\.]+)$/i
>
> (lower case letter i at the end, not upper case/capital I)
>

Arghhhh.. Did you miss this?

>> Notice the 'I' at the end should be 'i'.
>> Damn outlook, I know what I want to say!
>> D

Or am I the one that's missing something??

D

From jeffc at surbl.org Wed Jan 4 17:39:43 2006
From: jeffc at surbl.org (Jeff Chan)
Date: Wed Jan 4 17:59:50 2006
Subject: [SURBL-Discuss] Re: Google search as spam URI
In-Reply-To: <6E239CE693316B48B483C7273C171122563A50@exchange.nmgi.com>
References: <6E239CE693316B48B483C7273C171122563A50@exchange.nmgi.com>
Message-ID: <173267942.20060104083943@surbl.org>

On Wednesday, January 4, 2006, 6:39:40 AM, Dallas Engelken wrote:
> Also FWIW, we auto-listed bluevallet.com on black.uribl.com at
> bluevallet.com Listed: 2006-01-03 06:38:02 CDT (-0500 UTC)

> What I'm wondering is "how", since this shouldn't be showing up in the
> dns query stream if people were not using the google redirector
> pattern....

Perhaps they used it in a more conventional fashion first, e.g., without the google part.

Jeff C.
--
Jeff Chan
mailto:jeffc@surbl.org
http://www.surbl.org/

From Matthew.van.Eerde at hbinc.com Wed Jan 4 19:20:49 2006
From: Matthew.van.Eerde at hbinc.com (Matthew.van.Eerde@hbinc.com)
Date: Wed Jan 4 19:20:55 2006
Subject: [SURBL-Discuss] RE: Google search as spam URI
Message-ID: <61192FA29C719B469A2B13E57DEDF75B05456852@mail.hbinc.com>

Dallas L. Engelken wrote:
>> From: Dallas L. Engelken [mailto:dallase@nmgi.com]
>>
>> /^https?:\/\/(?:www\.)?google\.com\/search\?q=site:([A-Za-z0-9\-\.]+)$/I
>>
>
> Notice the 'I' at the end should be 'i'.
> Damn outlook,

Agreed.

> I know what I want to say!

Have you configured Outlook to use Word as the email editor? If so that might explain the AutoCorrect you are experiencing.

--
Matthew.van.Eerde (at) hbinc.com
805.964.4554 x902
Hispanic Business Inc./HireDiversity.com
Software Engineer

From ler at lerctr.org Wed Jan 4 19:26:13 2006
From: ler at lerctr.org (Larry Rosenman)
Date: Wed Jan 4 19:26:21 2006
Subject: [SURBL-Discuss] RE: Google search as spam URI
In-Reply-To: <61192FA29C719B469A2B13E57DEDF75B05456852@mail.hbinc.com>
Message-ID: <002f01c6115c$59386790$0a0a0a0a@aus.pervasive.com>

Matthew.van.Eerde@hbinc.com wrote:
> Dallas L. Engelken wrote:
>>> From: Dallas L. Engelken [mailto:dallase@nmgi.com]
>>>
>>> /^https?:\/\/(?:www\.)?google\.com\/search\?q=site:([A-Za-z0-9\-\.]+)$/I
>>>
>>
>> Notice the 'I' at the end should be 'i'.
>> Damn outlook,
>
> Agreed.
>
>> I know what I want to say!
>
> Have you configured Outlook to use Word as the email editor? If so
> that might explain the AutoCorrect you are experiencing.

Nope, even without word as the editor, it still does it :( (from painful experience).
--
Larry Rosenman
http://www.lerctr.org/~ler
Phone: +1 512-248-2683
E-Mail: ler@lerctr.org
US Mail: 430 Valona Loop, Round Rock, TX 78681-3893

From dhawal at netmagicsolutions.com Wed Jan 4 21:00:53 2006
From: dhawal at netmagicsolutions.com (Dhawal Doshy)
Date: Wed Jan 4 21:01:01 2006
Subject: [SURBL-Discuss] Re: Google search as spam URI
In-Reply-To: <6E239CE693316B48B483C7273C171122563A49@exchange.nmgi.com>
References: <6E239CE693316B48B483C7273C171122563A49@exchange.nmgi.com>
Message-ID: <20060104200053.22029.qmail@mymail.netmagicians.com>

Dallas L. Engelken writes:
> adding a redirector_pattern will catch this.
>
> redirector_pattern
> /^https?:\/\/(?:www\.)?google\.com\/search\?q=site:([A-Za-z0-9\-\.]+)$/I

better write a rule for google translate as well.. i see it being abused soon.

http://translate.google.com/translate?u=www.domain.tld&langpair=en%7Cen&hl=en

- dhawal

From csanterre at MerchantsOverseas.com Wed Jan 4 22:55:21 2006
From: csanterre at MerchantsOverseas.com (Chris Santerre)
Date: Wed Jan 4 22:51:43 2006
Subject: [SURBL-Discuss] RE: Google search as spam URI
Message-ID: <620A4FF9B83DD511B69900062939D037012EF150@internal.merchantsoverseas.com>

> -----Original Message-----
> From: Dhawal Doshy [mailto:dhawal@netmagicsolutions.com]
> Sent: Wednesday, January 04, 2006 3:01 PM
> To: Dallas L. Engelken
> Cc: Jeff Chan; SpamAssassin Users; SURBL Discuss
> Subject: Re: Google search as spam URI
>
> Dallas L. Engelken writes:
>
> > adding a redirector_pattern will catch this.
> >
> > redirector_pattern
> > /^https?:\/\/(?:www\.)?google\.com\/search\?q=site:([A-Za-z0-9\-\.]+)$/I
>
> better write a rule for google translate as well.. i see it
> being abused soon.
>
> http://translate.google.com/translate?u=www.domain.tld&langpair=en%7Cen&hl=en

Hah! Am I reading that right? Translate English to English! I give them 1 point for coming up with that one.
--Chris

From dhawal at netmagicsolutions.com Tue Jan 10 10:03:58 2006
From: dhawal at netmagicsolutions.com (Dhawal Doshy)
Date: Tue Jan 10 10:04:11 2006
Subject: [SURBL-Discuss] Re: Google search as spam URI
In-Reply-To: <620A4FF9B83DD511B69900062939D037012EF150@internal.merchantsoverseas.com>
References: <620A4FF9B83DD511B69900062939D037012EF150@internal.merchantsoverseas.com>
Message-ID: <43C3787E.5070708@netmagicsolutions.com>

Chris Santerre wrote:
> > -----Original Message-----
> > From: Dhawal Doshy [mailto:dhawal@netmagicsolutions.com]
> > Sent: Wednesday, January 04, 2006 3:01 PM
> > To: Dallas L. Engelken
> > Cc: Jeff Chan; SpamAssassin Users; SURBL Discuss
> > Subject: Re: Google search as spam URI
> >
> > Dallas L. Engelken writes:
> >
> > > adding a redirector_pattern will catch this.
> > >
> > > redirector_pattern
> > > /^https?:\/\/(?:www\.)?google\.com\/search\?q=site:([A-Za-z0-9\-\.]+)$/I
> >
> > better write a rule for google translate as well.. i see it
> > being abused soon.
> >
> > http://translate.google.com/translate?u=www.domain.tld&langpair=en%7Cen&hl=en
>
> Hah! Am I reading that right? Translate English to English! I give them
> 1 point for coming up with that one.
>
> --Chris

This possibility was borrowed from here..

http://www.oreillynet.com/pub/h/4807

- dhawal

From martin.dibble at altohiway.com Mon Jan 16 12:16:42 2006
From: martin.dibble at altohiway.com (martin.dibble@altohiway.com)
Date: Mon Jan 16 12:14:46 2006
Subject: [SURBL-Discuss] Subscription questions
Message-ID: <43CB809A.12792.6868ED@localhost>

Hi All,

Just wondering if anyone has details about subscription times to surbl. We completed the forms back mid december and got redirected to a page which confirmed the subscription request had been passed through but it may take a couple of weeks to approve.
As yet I haven't heard anything since so just wondering what the normal time scales are or if there are any contact addresses I can try and contact at least to confirm the request has been received?

thanks in advance,

-Martin Dibble
Internal Network Engineer
altoHiway Ltd

From darrell_list at dlanalyzer.com Tue Jan 17 14:07:19 2006
From: darrell_list at dlanalyzer.com (Darrell (support@invariantsystems.com))
Date: Tue Jan 17 14:07:27 2006
Subject: [SURBL-Discuss] Fw: [sniffer] Watch out... SURBL & SORBS full of large ISPs and Antispam providres.
Message-ID: <005901c61b66$f2c94a50$0329040a@us.ad.gannett.com>

Jeff/others,

Did some issue occur to cause the domains listed below to be populated in SURBL?

Darrell
------------------------------------------------------------------------
Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

----- Original Message -----
From: "Pete McNeil"
To:
Sent: Tuesday, January 17, 2006 4:27 AM
Subject: [sniffer] Watch out...
SURBL & SORBS full of large ISPs and Antispam providres.

> Hello Sniffer Folks,
>
> Watch out for false positives. This morning along with the current
> spam storm we discovered that SURBL and SORBs are listing a large
> number of ISP domains and anti-spam service/software providers.
>
> As a result, many of these were tagged by our bots due to spam
> arriving at our system with those domains and IPs. Most IPs and
> domains for these services are coded with "nokens" in our system to
> prevent this kind of thing, but a few slipped through.
>
> We are aggressively hunting any more that might have arrived.
>
> You may want to temporarily reduce the weight of the experimental IP
> and experimental ad-hoc rule groups until we have identified and
> removed the bad rules we don't know about yet.
>
> Please also do your best to report any false positives that you do
> identify so that we can remove any bad rules. I don't expect that
> there will be too many, but I do want to clear them out quickly if
> they are there.
>
> Please also, if you haven't already, review the false positive
> procedures:
> http://www.sortmonster.com/MessageSniffer/Help/FalsePositivesHelp.html
>
> Pay special attention to the rule-panic procedure and feature in
> case you are one of the services hit by these bad entries.
>
> An example of some that we've found in SURBL for example are
> declude.com, usinternet.com, and w3.org
>
> It's not clear yet how large the problem is, but I'm sure it will be
> resolved soon.
>
> Hope this helps,
>
> Thanks,
> _M
>
> Pete McNeil (Madscientist)
> President, MicroNeil Research Corporation
> Chief SortMonster (www.sortmonster.com)
> Chief Scientist (www.armresearch.com)
>
> This E-Mail came from the Message Sniffer mailing list.
> For information
> and (un)subscription instructions go to
> http://www.sortmonster.com/MessageSniffer/Help/Help.html
>

From jgrahamc at gmail.com Tue Jan 17 14:20:16 2006
From: jgrahamc at gmail.com (John Graham-Cumming)
Date: Tue Jan 17 14:20:26 2006
Subject: [SURBL-Discuss] Fw: [sniffer] Watch out... SURBL & SORBS full of large ISPs and Antispam providres.
In-Reply-To: <005901c61b66$f2c94a50$0329040a@us.ad.gannett.com>
References: <005901c61b66$f2c94a50$0329040a@us.ad.gannett.com>
Message-ID: <43CCEF10.60300@jgc.org>

Darrell (support@invariantsystems.com) wrote:
> Did some issue occur to cause the domains listed below to be populated
> in SURBL?

I do not see any of w3.org, declude.com or usinternet.com listed in any SURBL list at this time.

John.

From nobody at xyzzy.claranet.de Tue Jan 17 14:46:57 2006
From: nobody at xyzzy.claranet.de (Frank Ellermann)
Date: Tue Jan 17 14:48:45 2006
Subject: [SURBL-Discuss] Re: Fw: [sniffer] Watch out... SURBL & SORBS full of large ISPs and Antispam providres.
References: <005901c61b66$f2c94a50$0329040a@us.ad.gannett.com>
Message-ID: <43CCF551.147F@xyzzy.claranet.de>

Darrell (support@invariantsystems.com) quoted:

>> An example of some that we've found in SURBL for example are
>> declude.com, usinternet.com, and w3.org

Murphy can strike everywhere, but those three aren't on SURBL from my POV. Besides w3.org is the second example on the page http://www.surbl.org/faq.html#local-whitelist

I've no idea how to check SURBL's WL: That might be a case of security by obscurity, but AFAIK w3.org is "whitelisted" by SC, so even if SURBL screws up w3.org shouldn't reach sc.surbl.org

Bye, Frank

From dhill+surbl at cricalix.net Tue Jan 17 15:00:19 2006
From: dhill+surbl at cricalix.net (Duncan Hill)
Date: Tue Jan 17 15:01:52 2006
Subject: [SURBL-Discuss] Re: Fw: [sniffer] Watch out... SURBL & SORBS full of large ISPs and Antispam providres.
In-Reply-To: <43CCF551.147F@xyzzy.claranet.de>
References: <005901c61b66$f2c94a50$0329040a@us.ad.gannett.com> <43CCF551.147F@xyzzy.claranet.de>
Message-ID: <200601171400.19313.dhill+surbl@cricalix.net>

On Tuesday 17 January 2006 13:46, Frank Ellermann wrote:
> Darrell (support@invariantsystems.com) quoted:
> >> An example of some that we've found in SURBL for example are
> >> declude.com, usinternet.com, and w3.org
>
> Murphy can strike everywhere, but those three aren't on SURBL
> from my POV. Besides w3.org is the second example on the page
> http://www.surbl.org/faq.html#local-whitelist
>
> I've no idea how to check SURBL's WL: That might be a case of
> security by obscurity, but AFAIK w3.org is "whitelisted" by SC,
> so even if SURBL screws up w3.org shouldn't reach sc.surbl.org

This smells like the DNS corruption bug that occurred in some versions of the DNS library used by SpamAssassin.

From jeffc at surbl.org Tue Jan 17 16:09:47 2006
From: jeffc at surbl.org (Jeff Chan)
Date: Tue Jan 17 16:08:56 2006
Subject: [SURBL-Discuss] Fw: [sniffer] Watch out... SURBL & SORBS full of large ISPs and Antispam providres.
In-Reply-To: <005901c61b66$f2c94a50$0329040a@us.ad.gannett.com>
References: <005901c61b66$f2c94a50$0329040a@us.ad.gannett.com>
Message-ID: <592643214.20060117070947@surbl.org>

On Tuesday, January 17, 2006, 5:07:19 AM, Darrell (support@invariantsystems.com) wrote:
> Jeff/others,
> Did some issue occur to cause the domains listed below to be populated in
> SURBL?
> Darrell
> ------------------------------------------------------------------------
> Check out http://www.invariantsystems.com for utilities for Declude And
> Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG
> Integration, and Log Parsers.
> ----- Original Message -----
> From: "Pete McNeil"
> To:
> Sent: Tuesday, January 17, 2006 4:27 AM
> Subject: [sniffer] Watch out... SURBL & SORBS full of large ISPs and
> Antispam providres.
>> Hello Sniffer Folks, >> >> Watch out for false positives. This morning along with the current >> spam storm we discovered that SURBL and SORBs are listing a large >> number of ISP domains and anti-spam service/software providers. [...] This seems unlikely, since we 100% audit all new additions to all SURBL lists every day. It might be useful to have one confirmed example. Jeff C. -- Don't harm innocent bystanders. From wstearns at pobox.com Tue Jan 17 16:15:51 2006 From: wstearns at pobox.com (William Stearns) Date: Tue Jan 17 16:16:27 2006 Subject: [SURBL-Discuss] Fw: [sniffer] Watch out... SURBL & SORBS full of large ISPs and Antispam providres. In-Reply-To: <005901c61b66$f2c94a50$0329040a@us.ad.gannett.com> References: <005901c61b66$f2c94a50$0329040a@us.ad.gannett.com> Message-ID: Good morning, all, On Tue, 17 Jan 2006, Darrell (support@invariantsystems.com) wrote: > Jeff/others, > > Did some issue occur to cause the domains listed below to be populated in > SURBL? > > Darrell > ------------------------------------------------------------------------ > Check out http://www.invariantsystems.com for utilities for Declude And > Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG > Integration, and Log Parsers. > > ----- Original Message ----- From: "Pete McNeil" > To: > Sent: Tuesday, January 17, 2006 4:27 AM > Subject: [sniffer] Watch out... SURBL & SORBS full of large ISPs and Antispam > providres. > >> Hello Sniffer Folks, >> >> Watch out for false positives. This morning along with the current >> spam storm we discovered that SURBL and SORBs are listing a large >> number of ISP domains and anti-spam service/software providers. >> >> As a result, many of these were tagged by our bots due to spam >> arriving at our system with those domains and IPs. Most IPs and >> domains for these services are coded with "nokens" in our system to >> prevent this kind of thing, but a few slipped through. 
>> >> We are aggressively hunting any more that might have arrived. >> >> You may want to temporarily reduce the weight of the experimental IP >> and experimental ad-hoc rule groups until we have identified and >> removed the bad rules we don't know about yet. >> >> Please also do your best to report any false positives that you do >> identify so that we can remove any bad rules. I don't expect that >> there will be too many, but I do want to clear them out quickly if >> they are there. >> >> Please also, if you haven't already, review the false positive >> procedures: >> http://www.sortmonster.com/MessageSniffer/Help/FalsePositivesHelp.html >> >> Pay special attention to the rule-panic procedure and feature in >> case you are one of the services hit by these bad entries. >> >> An example of some that we've found in SURBL for example are >> declude.com, usinternet.com, and w3.org >> >> It's not clear yet how large the problem is, but I'm sure it will be >> resolved soon. >> >> Hope this helps, >> >> Thanks, >> _M >> >> Pete McNeil (Madscientist) >> President, MicroNeil Research Corporation >> Chief SortMonster (www.sortmonster.com) >> Chief Scientist (www.armresearch.com) >> >> This E-Mail came from the Message Sniffer mailing list. For information and >> (un)subscription instructions go to >> http://www.sortmonster.com/MessageSniffer/Help/Help.html ws.surbl.org does not have these domains, and it appears none of the other surbls does either. 
From http://www.rulesemporium.com/cgi-bin/uribl.cgi : SURBL+ Checker Query Results declude.com is 63.246.13.88 [ rbl lookup ] domain registered: unknown [ full whois ] * RBL: skipping uri lookups on ip-based RBLs * URIBL: multi.surbl.org: not listed [ report ] * URIBL: multi.uribl.com: not listed [ report ] usinternet.com is 216.17.3.239 [ rbl lookup ] domain registered: unknown [ full whois ] * RBL: skipping uri lookups on ip-based RBLs * URIBL: multi.surbl.org: not listed [ report ] * URIBL: multi.uribl.com: not listed [ report ] w3.org is 128.30.52.46 [ rbl lookup ] domain registered: unknown [ full whois ] * RBL: skipping uri lookups on ip-based RBLs * URIBL: multi.surbl.org: not listed [ report ] * URIBL: multi.uribl.com: not listed [ report ] Pete, could you recheck these at your end? If you have dig available, please try: dig declude.com.multi.surbl.org. A Cheers, - Bill --------------------------------------------------------------------------- "A 'No' uttered from deepest conviction is better and greater than a 'Yes' merely uttered to please, or what is worse, to avoid trouble." -- Mahatma Gandhi (Courtesy of Adrian Bunk ) -------------------------------------------------------------------------- William Stearns (wstearns@pobox.com). Mason, Buildkernel, freedups, p0f, rsync-backup, ssh-keyinstall, dns-check, more at: http://www.stearns.org -------------------------------------------------------------------------- From jeffc at surbl.org Tue Jan 17 16:25:40 2006 From: jeffc at surbl.org (Jeff Chan) Date: Tue Jan 17 16:24:37 2006 Subject: [SURBL-Discuss] Fw: [sniffer] Watch out... SURBL & SORBS full of large ISPs and Antispam providres.
In-Reply-To: <005901c61b66$f2c94a50$0329040a@us.ad.gannett.com> References: <005901c61b66$f2c94a50$0329040a@us.ad.gannett.com> Message-ID: <1386988642.20060117072540@surbl.org> On Tuesday, January 17, 2006, 5:07:19 AM, Darrell (support@invariantsystems.com) wrote: > Jeff/others, > Did some issue occur to cause the domains listed below to be populated in > SURBL? > Darrell > ------------------------------------------------------------------------ > Check out http://www.invariantsystems.com for utilities for Declude And > Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG > Integration, and Log Parsers. > ----- Original Message ----- > From: "Pete McNeil" >> An example of some that we've found in SURBL for example are >> declude.com, usinternet.com, and w3.org None of those domains has ever been on any SURBL list. The error may be on their end. Jeff C. -- Don't harm innocent bystanders. From madscientist at microneil.com Tue Jan 17 22:44:11 2006 From: madscientist at microneil.com (Pete McNeil) Date: Tue Jan 17 22:44:34 2006 Subject: [SURBL-Discuss] Fw: [sniffer] Watch out... SURBL & SORBS full of large ISPs and Antispam providres. In-Reply-To: References: <005901c61b66$f2c94a50$0329040a@us.ad.gannett.com> Message-ID: <1898221271.20060117164411@microneil.com> On Tuesday, January 17, 2006, 10:15:51 AM, William wrote: WS> ws.surbl.org does not have these domains, and it appears none of WS> the other surbls does either. 
From WS> http://www.rulesemporium.com/cgi-bin/uribl.cgi : WS> SURBL+ Checker Query Results WS> declude.com is 63.246.13.88 [ rbl lookup ] WS> domain registered: unknown [ full whois ] WS> * RBL: skipping uri lookups on ip-based RBLs WS> * URIBL: multi.surbl.org: not listed [ report ] WS> * URIBL: multi.uribl.com: not listed [ report ] WS> usinternet.com is 216.17.3.239 [ rbl lookup ] WS> domain registered: unknown [ full whois ] WS> * RBL: skipping uri lookups on ip-based RBLs WS> * URIBL: multi.surbl.org: not listed [ report ] WS> * URIBL: multi.uribl.com: not listed [ report ] WS> w3.org is 128.30.52.46 [ rbl lookup ] WS> domain registered: unknown [ full whois ] WS> * RBL: skipping uri lookups on ip-based RBLs WS> * URIBL: multi.surbl.org: not listed [ report ] WS> * URIBL: multi.uribl.com: not listed [ report ] WS> Pete, could you recheck these at your end? If you have dig WS> available, please try: WS> dig declude.com.multi.surbl.org. A I'm seeing no answer for this now. It may have been a short-lived phenomenon. I wasn't able to catch it at the moment it happened. I'm continuing to research the problem. For now our automated systems are off-line. Thanks, _M From dbfunk at engineering.uiowa.edu Tue Jan 17 23:50:52 2006 From: dbfunk at engineering.uiowa.edu (David B Funk) Date: Tue Jan 17 23:50:58 2006 Subject: [SURBL-Discuss] Fw: [sniffer] Watch out... SURBL & SORBS full of large ISPs and Antispam providres. In-Reply-To: <1386988642.20060117072540@surbl.org> References: <005901c61b66$f2c94a50$0329040a@us.ad.gannett.com> <1386988642.20060117072540@surbl.org> Message-ID: On Tue, 17 Jan 2006, Jeff Chan wrote: > > ----- Original Message ----- > > From: "Pete McNeil" > > >> An example of some that we've found in SURBL for example are > >> declude.com, usinternet.com, and w3.org > > None of those domains has ever been on any SURBL list. The > error may be on their end. > > Jeff C.
True, but after being hit by back-scatter Brain-Dead anti-virus bounces from declude protected systems with that inane message: The Declude Virus software on our mail server detected a virus If your mail server had virus protection, it would have prevented this. I almost consider declude.com to be worthy of a spammer listing. ;( (I have resisted the temptation to nominate but I do have a custom SA rule to hit that garbage with a high score ;). Dave -- Dave Funk University of Iowa College of Engineering 319/335-5751 FAX: 319/384-0549 1256 Seamans Center Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527 #include Better is not better, 'standard' is better. B{ From billl at pointshare.com Wed Jan 18 01:56:49 2006 From: billl at pointshare.com (Bill Landry) Date: Wed Jan 18 01:57:12 2006 Subject: [SURBL-Discuss] Fw: [sniffer] Watch out... SURBL & SORBS fullof large ISPs and Antispam providres. References: <005901c61b66$f2c94a50$0329040a@us.ad.gannett.com><1386988642.20060117072540@surbl.org> Message-ID: <056501c61bca$10722e60$43c6e2a5@blxp> ----- Original Message ----- From: "David B Funk" > On Tue, 17 Jan 2006, Jeff Chan wrote: > >> > ----- Original Message ----- >> > From: "Pete McNeil" >> >> >> An example of some that we've found in SURBL for example are >> >> declude.com, usinternet.com, and w3.org >> >> None of those domains has ever been on any SURBL list. The >> error may be on their end. >> >> Jeff C. > > True, but after being hit by back-scatter Brain-Dead anti-virus > bounces from declude protected systems with that inane message: > > The Declude Virus software on our mail server detected a virus > If your mail server had virus protection, it would have prevented this. > > I almost consider declude.com to be worthy of a spammer listing. ;( > (I have resisted the temptation to nominate but I do have a custom > SA rule to hit that garbage with a high score ;). 
> > Dave That is not Declude's fault, that is a configuration problem with the customer that is running the Declude Virus software. In fact, Declude recommends against sending virus notification to senders since most viruses are forging these days anyway. Bill From nobody at xyzzy.claranet.de Wed Jan 18 02:08:07 2006 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Wed Jan 18 02:11:43 2006 Subject: [SURBL-Discuss] Re: Fw: [sniffer] Watch out... SURBL & SORBS full of large ISPs and Antispam providres. References: <005901c61b66$f2c94a50$0329040a@us.ad.gannett.com> <1386988642.20060117072540@surbl.org> Message-ID: <43CD94F7.55B9@xyzzy.claranet.de> David B Funk wrote: > Brain-Dead anti-virus bounces from declude protected systems Maybe submit that to SpamCop. It's not only brain dead, it's net abuse. AFAIK declude supports SPF, so you could in theory switch from NEUTRAL to FAIL, but that should be your decision, not enforced by this net abuse. > I almost consider declude.com to be worthy of a spammer > listing. ;( Where does "almost" enter the picture ? If you're sure that they send bogus bounces there's no further doubt about this. We had this already with Barracuda and Symantec in IIRC 2004. Bye, Frank From ballard+surbl at cae.wisc.edu Wed Jan 18 21:48:37 2006 From: ballard+surbl at cae.wisc.edu (Jeff Ballard) Date: Wed Jan 18 21:48:59 2006 Subject: [SURBL-Discuss] Fw: [sniffer] Watch out... SURBL & SORBS fullof large ISPs and Antispam providres.
In-Reply-To: Your message of "Tue, 17 Jan 2006 16:56:49 PST."<056501c61bca$10722e60$43c6e2a5@blxp> Message-ID: <25646.1137617317@guinness> On Tue, 17 Jan 2006 16:56:49 -0800 "Bill Landry" wrote: > ----- Original Message ----- > From: "David B Funk" > > > > On Tue, 17 Jan 2006, Jeff Chan wrote: > > > >> > ----- Original Message ----- > >> > From: "Pete McNeil" > >> > >> >> An example of some that we've found in SURBL for example are > >> >> declude.com, usinternet.com, and w3.org > >> > >> None of those domains has ever been on any SURBL list. The > >> error may be on their end. > >> > >> Jeff C. > > > > True, but after being hit by back-scatter Brain-Dead anti-virus > > bounces from declude protected systems with that inane message: > > > > The Declude Virus software on our mail server detected a virus > > If your mail server had virus protection, it would have prevented this. > > > > I almost consider declude.com to be worthy of a spammer listing. ;( > > (I have resisted the temptation to nominate but I do have a custom > > SA rule to hit that garbage with a high score ;). > > > > Dave > > That is not Declude's fault, that is a configuration problem with the > customer that is running the Declude Virus software. In fact, Declude > recommends against sending virus notification to senders since most viruses > are forging these days anyway. Actually it is Declude's fault. That particular message is from an *OLD* version of Declude that lots of people are still running. The newer versions of this message have language that says something to the effect that you may not have caused this. (At least this is what the people at Declude told me a while ago). Generally when I get those I send a message to the person running the server saying if you upgraded your version of Declude your server wouldn't have sent me this message.
-Jeff -- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Jeff Ballard 608-265-5090 Unix Systems Manager, Computer-Aided Engineering Center From billl at pointshare.com Wed Jan 18 23:57:54 2006 From: billl at pointshare.com (Bill Landry) Date: Wed Jan 18 23:58:14 2006 Subject: [SURBL-Discuss] Fw: [sniffer] Watch out... SURBL & SORBS fullof large ISPs and Antispam providres. References: <25646.1137617317@guinness> Message-ID: <108101c61c82$9e61e5e0$43c6e2a5@blxp> ----- Original Message ----- From: "Jeff Ballard" > On Tue, 17 Jan 2006 16:56:49 -0800 "Bill Landry" wrote: > >> ----- Original Message ----- >> From: "David B Funk" >> >> >> > On Tue, 17 Jan 2006, Jeff Chan wrote: >> > >> >> > ----- Original Message ----- >> >> > From: "Pete McNeil" >> >> >> >> >> An example of some that we've found in SURBL for example are >> >> >> declude.com, usinternet.com, and w3.org >> >> >> >> None of those domains has ever been on any SURBL list. The >> >> error may be on their end. >> >> >> >> Jeff C. >> > >> > True, but after being hit by back-scatter Brain-Dead anti-virus >> > bounces from declude protected systems with that inane message: >> > >> > The Declude Virus software on our mail server detected a virus >> > If your mail server had virus protection, it would have prevented >> > this. >> > >> > I almost consider declude.com to be worthy of a spammer listing. ;( >> > (I have resisted the temptation to nominate but I do have a custom >> > SA rule to hit that garbage with a high score ;). >> > >> > Dave >> >> That is not Declude's fault, that is a configuration problem with the >> customer that is running the Declude Virus software. In fact, Declude >> recommends against sending virus notification to senders since most >> viruses >> are forging these days anyway. > > Actually it is Declude's fault. That particular message is from an *OLD* > version of Declude that lots of people are still running.
The newer > versions > of this message have language that says something to the effect that you > may > not have caused this. (At least this is what the people at Declude told > me a > while ago). > > Generally when I get those I send a message to the person running the > server > saying if you upgraded your version of Declude your server wouldn't have > sent > me this message. I have been running Declude Virus since its first release, and it has always been configurable to not send virus notifications to senders. Again, this is a configuration issue with the Declude user, not the company. Bill From mouss at netoyen.net Sat Jan 21 02:38:20 2006 From: mouss at netoyen.net (mouss) Date: Sat Jan 21 02:37:29 2006 Subject: [SURBL-Discuss] Fw: [sniffer] Watch out... SURBL & SORBS full of large ISPs and Antispam providres. In-Reply-To: <592643214.20060117070947@surbl.org> References: <005901c61b66$f2c94a50$0329040a@us.ad.gannett.com> <592643214.20060117070947@surbl.org> Message-ID: <43D1908C.1000109@netoyen.net> Jeff Chan a écrit : >This seems unlikely, since we 100% audit all new additions to all >SURBL lists every day. > >It might be useful to have one confirmed example. > > I once had bind 8 (didn't see that with 9 yet) claim that my own IP was in sbl. of course, checking outside showed this to be a local error (dns poison attack?). time for djbdns... From johnd at cciu.org Sun Jan 22 22:49:41 2006 From: johnd at cciu.org (John DeMillion) Date: Sun Jan 22 22:49:56 2006 Subject: [SURBL-Discuss] domain "w" listed, causing problems Message-ID: Not sure when this happened, but a plain "w" somehow got listed in the SURBL, at least in the text list version. I've perused the website and the list removal section, but haven't found a way of determining what the source of the "w" is, since the query tools do domain format checking and won't let me query on a plain "w".
The "w" shows up in this list: http://www.surbl.org/dns-queries.blocklist.counts.txt It's in the section preceeded by the number "2". The effect of this is that domains that have a "w" in certain places generate false positives. It might be a good idea to run new domains through a simple domain format parsing check to make sure that they're basically valid before adding them to the SURBL. John DeMillion Director of Information Technology Chester County Intermediate Unit From jeffc at surbl.org Mon Jan 23 02:58:09 2006 From: jeffc at surbl.org (Jeff Chan) Date: Mon Jan 23 02:57:12 2006 Subject: [SURBL-Discuss] domain "w" listed, causing problems In-Reply-To: References: Message-ID: <251916153.20060122175809@surbl.org> On Sunday, January 22, 2006, 1:49:41 PM, John DeMillion wrote: > Not sure when this happened, but a plain "w" somehow got listed in the > SURBL, at least in the text list version. I've perused the website and > the list removal section, but haven't found a way of determining what > the source of the "w" is, since the query tools do domain format > checking and won't let me query on a plain "w". > The "w" shows up in this list: > http://www.surbl.org/dns-queries.blocklist.counts.txt > It's in the section preceeded by the number "2". > The effect of this is that domains that have a "w" in certain places > generate false positives. > It might be a good idea to run new domains through a simple domain > format parsing check to make sure that they're basically valid before > adding them to the SURBL. > John DeMillion > Director of Information Technology > Chester County Intermediate Unit Hello John, "w" is not currently listed: ; <<>> DiG 8.3 <<>> w.multi.surbl.org a ;; res options: init recurs defnam dnsrch ;; got answer: ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 9855 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0 ;; QUERY SECTION: ;; w.multi.surbl.org, type = A, class = IN ;; AUTHORITY SECTION: multi.surbl.org. 
15M IN SOA a.surbl.org. zone.surbl.org. ( 1137979981 ; serial 15M ; refresh 15M ; retry 1W ; expiry 15M ) ; minimum ;; Total query time: 58 msec ;; FROM: ns1.freeapp.net to SERVER: 127.0.0.1 ;; WHEN: Sun Jan 22 17:52:58 2006 ;; MSG SIZE sent: 35 rcvd: 78 Doing a DNS query is probably the best, most authoritative way to check the lists. What you saw may have been an artifact of broken DNS queries. There are also filters in place to prevent things that cannot be domains from getting on the lists. Cheers, Jeff C. -- Don't harm innocent bystanders. From nobody at xyzzy.claranet.de Mon Jan 23 08:57:57 2006 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Mon Jan 23 08:59:41 2006 Subject: [SURBL-Discuss] Re: domain "w" listed, causing problems References: <251916153.20060122175809@surbl.org> Message-ID: <43D48C85.54C7@xyzzy.claranet.de> Jeff Chan wrote: > What you saw may have been an artifact of broken DNS queries. > There are also filters in place to prevent things that cannot > be domains from getting on the lists. Some spammers apparently try their luck with ">" in pseudo-URLs like http://what>ever.spammer.example (seen in an article on the SpamCop list). It's a bit beyond me how any decent MUA can accept this as link. In that example what>ever.spammer.example has an IP, but it's of course no valid host name. Apparently a hard case of "fix your MUA", I've no better idea. Normally I hate this line of arguments when it's used against my good old "Mozilla 3". Of course my monster doesn't accept this crap as host name, it stops at http://what as it should. 
Bye, Frank From surbl-box at devin.com Tue Jan 24 03:19:36 2006 From: surbl-box at devin.com (Devin Carraway) Date: Tue Jan 24 03:19:47 2006 Subject: [SURBL-Discuss] Re: domain "w" listed, causing problems In-Reply-To: <43D48C85.54C7@xyzzy.claranet.de> References: <251916153.20060122175809@surbl.org> <43D48C85.54C7@xyzzy.claranet.de> Message-ID: <20060124021935.GV22981@atlantic.devin.com> On Mon, Jan 23, 2006 at 08:57:57AM +0100, Frank Ellermann wrote: > Apparently a hard case of "fix your MUA", I've no better idea. > Normally I hate this line of arguments when it's used against > my good old "Mozilla 3". Of course my monster doesn't accept > this crap as host name, it stops at http://what as it should. They're targeting Outlook -- I dug up a copy of MS Outlook (2002, FWIW), and given mail containing the URL http://foo>bar.com, it will hyperlink the entire thing and direct the browser to http://foo%3ebar.com/. It tolerates < and > equally. Bleh. -- Devin \ aqua(at)devin.com, IRC:Requiem; http://www.devin.com Carraway \ 1024D/E9ABFCD2: 13E7 199E DD1E 65F0 8905 2E43 5395 CA0D E9AB FCD2 From ebroo at healthydirections.com Wed Jan 25 13:54:53 2006 From: ebroo at healthydirections.com (Edward Brookhouse) Date: Wed Jan 25 13:54:43 2006 Subject: [SURBL-Discuss] Inconsistent list findings Message-ID: <442b148545d45247952af04aaa5d81be@inbound> Hi all, I find that if I lookup my domain in question to see if it is on the surbl via http://www.rulesemporium.com/cgi-bin/uribl.cgi URIBL: multi.surbl.org: listed [Blocked, doctorspreferred.com on lists [jp], See: http://www.surbl.org/lists.html] It says it is - specifically the jp - However if I query their list directly http://www.joewein.de/sw/spam-bl-d.htm I can not find my domain.
My domain is doctorspreferred.com Any thoughts appreciated, especially in the how do I get off that list category :) Edward ebrooathealthydirectionsdotcom From jeffc at surbl.org Wed Jan 25 16:31:23 2006 From: jeffc at surbl.org (Jeff Chan) Date: Wed Jan 25 16:30:19 2006 Subject: [SURBL-Discuss] Inconsistent list findings In-Reply-To: <442b148545d45247952af04aaa5d81be@inbound> References: <442b148545d45247952af04aaa5d81be@inbound> Message-ID: <647919756.20060125073123@surbl.org> On Wednesday, January 25, 2006, 4:54:53 AM, Edward Brookhouse wrote: > Hi all, > I find that if I lookup my domain in question to see if it is on the > surbl via http://www.rulesemporium.com/cgi-bin/uribl.cgi > URIBL: multi.surbl.org: listed [Blocked, doctorspreferred.com on lists > [jp], See: http://www.surbl.org/lists.html] > It says it is - specifically the jp - > However if I query their list directly > http://www.joewein.de/sw/spam-bl-d.htm I can not find my domain. > My domain is doctorspreferred.com > Any thoughts appreciated, especially in the how do I get off that list > category :) > Edward > ebrooathealthydirectionsdotcom JP is a combination of two data sources. For removal, please follow the instructions at: http://www.surbl.org/lists.html#removal Jeff C. -- Don't harm innocent bystanders. From Guy.Rosen at bluesecurity.com Sun Jan 29 13:31:29 2006 From: Guy.Rosen at bluesecurity.com (Guy Rosen) Date: Sun Jan 29 13:31:31 2006 Subject: [SURBL-Discuss] GeoCities site list Message-ID: <2E3E987BE04A804B9087521ACBE2C2C0230B50@BIG.blue.local> Hi, As part of our BluePedia project, we've set up a list (updated regularly) of GeoCities-based spam sites, based on what we see in the spam our user community reports to us. http://community.bluesecurity.com/bluepedia/DataFeeds/geocities_sites.txt At the time of writing there are 2,175 live sites in our list, which is a pretty big number. GeoCities remains the #1 spamvertised domain in the spam we receive.
What're your directions on how to tackle this phenomenon? Regards, Guy Rosen Lead Analyst, Operations Team Blue Security http://www.bluesecurity.com/ AIM: guyrrosen (double R) ICQ: 294712217 From jeffc at surbl.org Sun Jan 29 14:57:41 2006 From: jeffc at surbl.org (Jeff Chan) Date: Sun Jan 29 14:57:58 2006 Subject: [SURBL-Discuss] GeoCities site list In-Reply-To: <2E3E987BE04A804B9087521ACBE2C2C0230B50@BIG.blue.local> References: <2E3E987BE04A804B9087521ACBE2C2C0230B50@BIG.blue.local> Message-ID: <1431446711.20060129055741@surbl.org> On Sunday, January 29, 2006, 4:31:29 AM, Guy Rosen wrote: > As part of our BluePedia project, we've set up a list (updated > regularly) of GeoCities-based spam sites, based on what we see in the > spam our user community reports to us. > http://community.bluesecurity.com/bluepedia/DataFeeds/geocities_sites.txt > At the time of writing there are 2,175 live sites in our list, which is > a pretty big number. GeoCities remains the #1 spamvertised domain in the > spam we receive. What're your directions on how to tackle this > phenomenon? I would recommend forwarding them to abuse@yahoo.com with an explanation of where they came from, etc. Yahoo does read their abuse mail. Jeff C. -- Don't harm innocent bystanders. From erv at mailpeers.net Sun Jan 29 16:17:48 2006 From: erv at mailpeers.net (Eric Montréal) Date: Sun Jan 29 16:17:32 2006 Subject: [SURBL-Discuss] GeoCities site list In-Reply-To: <2E3E987BE04A804B9087521ACBE2C2C0230B50@BIG.blue.local> References: <2E3E987BE04A804B9087521ACBE2C2C0230B50@BIG.blue.local> Message-ID: <43DCDC9C.5020003@mailpeers.net> Guy Rosen wrote: >Hi, > >As part of our BluePedia project, we've set up a list (updated >regularly) of GeoCities-based spam sites, based on what we see in the >spam our user community reports to us.
>http://community.bluesecurity.com/bluepedia/DataFeeds/geocities_sites.txt > > > I have been maintaining a similar list, with detailed information about each target for 2 months, so far, I have about 800 sites and a .cf ruleset for them. http://nospam.mailpeers.net >At the time of writing there are 2,175 live sites in our list, which is >a pretty big number. GeoCities remains the #1 spamvertised domain in the >spam we receive. What're your directions on how to tackle this >phenomenon? > > > From what I understand, Yahoo is quite happy with the brand exposure for Geocities. Average users will see their brand many times a day, and they don't care if it's in spams as long as they appear to be a victim of the spammer. We all know they're not victims but a true spam resource provider. As I wrote in my Dec. 21 message in the board, their support for spammers is so entrenched that the only way we are going to get rid of it is by attacking their corporate image in the press. It does have to be ugly, but solid and thoroughly researched to outweigh their gains in brand exposure. Next step would be to gather support from major anti spam organizations and issue a documented press release sharply criticizing Yahoo for their continued and growing spam support. Regards, Eric From erv at mailpeers.net Sun Jan 29 16:26:02 2006 From: erv at mailpeers.net (Eric Montréal) Date: Sun Jan 29 16:25:55 2006 Subject: [SURBL-Discuss] GeoCities site list In-Reply-To: <1431446711.20060129055741@surbl.org> References: <2E3E987BE04A804B9087521ACBE2C2C0230B50@BIG.blue.local> <1431446711.20060129055741@surbl.org> Message-ID: <43DCDE8A.30809@mailpeers.net> Jeff Chan wrote: > [...] > >>At the time of writing there are 2,175 live sites in our list, which is >>a pretty big number. GeoCities remains the #1 spamvertised domain in the >>spam we receive. What're your directions on how to tackle this >>phenomenon?
>> >> > >I would recommend forwarding them to abuse@yahoo.com with an >explanation of where they came from, etc. Yahoo does read their >abuse mail. > > That's a waste of time. They only remove the sites after at least 72H (if at all), well after their 'useful' life. Their spam support service really rocks ! If you want to see how easy it would be to pre-screen and throw away spammy sites have a look at : http://nospam.mailpeers.net/alive_spammy2.txt AOL did it, Tripod did it, and spammers moved away. It's not a technical problem, it's a 'pink contract' problem. Regards Eric. >Jeff C. >-- >Don't harm innocent bystanders. > >_______________________________________________ >Discuss mailing list >Discuss@lists.surbl.org >http://lists.surbl.org/mailman/listinfo/discuss > > > From raymond at surbl.org Sun Jan 29 17:50:30 2006 From: raymond at surbl.org (Raymond Dijkxhoorn) Date: Sun Jan 29 17:50:31 2006 Subject: [SURBL-Discuss] GeoCities site list In-Reply-To: <1431446711.20060129055741@surbl.org> References: <2E3E987BE04A804B9087521ACBE2C2C0230B50@BIG.blue.local> <1431446711.20060129055741@surbl.org> Message-ID: Hi! >> At the time of writing there are 2,175 live sites in our list, which is >> a pretty big number. GeoCities remains the #1 spamvertised domain in the >> spam we receive. What're your directions on how to tackle this >> phenomenon? > I would recommend forwarding them to abuse@yahoo.com with an > explanation of where they came from, etc. Yahoo does read their > abuse mail. Make that abuse@yahoo-inc.com We also have some direct contacts there, so if you are sure the complete list is still active we can point them towards... Bye, Raymond. 
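An added example, not code from this list, from SURBL or from any of the posters, that ties together the checks discussed earlier in this archive: Bill Stearns's "dig declude.com.multi.surbl.org. A", Jeff Chan's NXDOMAIN answer for a bare "w" together with John DeMillion's suggestion of a domain format check before anything is listed, Devin Carraway's http://foo>bar.com case, and the [jp] hit reported for doctorspreferred.com. It extracts host tokens from a message body, rejects tokens that cannot be hostnames before any DNS query is sent, builds the multi.surbl.org query name (reversed octets for an IP address, the registered domain otherwise) and decodes the 127.0.0.X answer into list names. Assumptions, all mine: the bit values (sc=2, ws=4, ph=8, ob=16, ab=32, jp=64) are the ones SURBL published in 2006 and must be checked against the current lists page; the two-level ccTLD set is an illustrative subset of SURBL's; surbl-org-permanent-test-point.com is SURBL's published always-listed test domain; the sample body and the resolver table are constructed. A domain-keyed list like this can only ever list geocities.com as a whole, not one user's redirector page on it, which is why this thread turns to Yahoo's abuse desk instead.

```python
import re
import socket
from typing import Callable, Dict, List, Optional

# Bit values of the 127.0.0.X answer from multi.surbl.org as SURBL documented
# them in 2006. ASSUMPTION: check the current SURBL lists page, the values
# have been reassigned since.
SURBL_BITS = {2: "sc", 4: "ws", 8: "ph", 16: "ob", 32: "ab", 64: "jp"}

# SURBL keys on the third label under two-level ccTLDs; illustrative subset only.
TWO_LEVEL_TLDS = {"co.uk", "org.uk", "com.au", "co.jp", "ne.jp", "com.br"}

# SURBL's published test point, listed on every list (resolver sanity check).
TEST_POINT = "surbl-org-permanent-test-point.com"

URI_RE = re.compile(r"https?://([^\s/?#\"'<]+)", re.IGNORECASE)
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

Resolver = Callable[[str], Optional[str]]  # qname -> A record text, None on NXDOMAIN


def extract_hosts(body: str) -> List[str]:
    """Host tokens of http(s) URIs in a body, in order, without duplicates.

    A token is cut only at whitespace, '/', '?', '#', quotes and '<', so
    http://foo>bar.com yields the token 'foo>bar.com' (what Outlook links)
    and is rejected by valid_hostname() rather than truncated to 'foo'.
    """
    hosts: List[str] = []
    for token in URI_RE.findall(body):
        host = token.rsplit("@", 1)[-1].split(":")[0].rstrip(".").lower()
        if host and host not in hosts:
            hosts.append(host)
    return hosts


def valid_hostname(host: str) -> bool:
    """Syntactic check to run before any DNS query and before any listing.

    Rejects bare labels such as 'w', characters outside [a-z0-9-], labels
    with leading/trailing hyphens, over-long names and all-digit TLDs.
    Dotted quads are accepted because SURBL lists IP addresses as well.
    """
    if IPV4_RE.match(host):
        return all(int(octet) <= 255 for octet in host.split("."))
    if not host or len(host) > 253:
        return False
    labels = host.split(".")
    if len(labels) < 2 or not all(LABEL_RE.match(label) for label in labels):
        return False
    return not labels[-1].isdigit()


def surbl_key(host: str) -> str:
    """Name SURBL is keyed on: reversed octets for an IP, otherwise the
    registered domain (two labels, or three under a two-level ccTLD)."""
    if IPV4_RE.match(host):
        return ".".join(reversed(host.split(".")))
    labels = host.split(".")
    if ".".join(labels[-2:]) in TWO_LEVEL_TLDS:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def system_resolver(qname: str) -> Optional[str]:
    """A record lookup through the system resolver; None on NXDOMAIN."""
    try:
        return socket.gethostbyname(qname)
    except socket.gaierror:
        return None


def surbl_lookup(host: str, resolve: Resolver = system_resolver,
                 zone: str = "multi.surbl.org") -> List[str]:
    """'dig <key>.multi.surbl.org. A' plus decoding of the answer.

    Returns the names of the lists whose bits are set, [] if not listed.
    An answer outside 127.0.0.0/8 cannot have come from SURBL (wildcarding
    resolver, poisoned cache, broken DNS library), so it is an error, not
    a listing.
    """
    answer = resolve(f"{surbl_key(host)}.{zone}")
    if answer is None:
        return []
    if not answer.startswith("127.0.0."):
        raise ValueError(f"{zone} answered {answer}: resolver is not answering from SURBL")
    bits = int(answer.rsplit(".", 1)[1])
    return [name for bit, name in sorted(SURBL_BITS.items()) if bits & bit]


def check_body(body: str, resolve: Resolver = system_resolver) -> Dict[str, Optional[List[str]]]:
    """Per host: None when it failed the format check, else the lists hit."""
    return {host: surbl_lookup(host, resolve) if valid_hostname(host) else None
            for host in extract_hosts(body)}


# Constructed sample body and resolver table (not real mail, not real DNS data).
SAMPLE_BODY = """\
http://doctorspreferred.com/offer
http://foo>bar.com/
http://w/
http://declude.com/
http://63.246.13.88/x
"""
FAKE_TABLE = {
    "doctorspreferred.com.multi.surbl.org": "127.0.0.64",                 # jp only
    "surbl-org-permanent-test-point.com.multi.surbl.org": "127.0.0.126",  # every list
}
FAKE_RESOLVER: Resolver = lambda qname: FAKE_TABLE.get(qname)

if __name__ == "__main__":
    resolver = FAKE_RESOLVER  # use system_resolver to query SURBL for real
    assert surbl_lookup(TEST_POINT, resolver), "test point not listed: resolver or zone is broken"
    for host, lists in check_body(SAMPLE_BODY, resolver).items():
        print(f"{host:24s} {'INVALID, skipped' if lists is None else (lists or 'not listed')}")
```

Swap FAKE_RESOLVER for system_resolver to repeat the checks from the thread against the live zone. Two things are worth keeping from it: the test point must come back listed on every list before any other result is trusted, and any answer that is not 127.0.0.x means the resolver is not relaying SURBL's data (the DNS library and bind 8 cases described by Duncan Hill and mouss), so the safe reaction is to stop scoring, not to treat it as a listing.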
From Guy.Rosen at bluesecurity.com Sun Jan 29 17:56:10 2006 From: Guy.Rosen at bluesecurity.com (Guy Rosen) Date: Sun Jan 29 17:56:15 2006 Subject: [SURBL-Discuss] GeoCities site list Message-ID: <2E3E987BE04A804B9087521ACBE2C2C0230B96@BIG.blue.local> There was a post not long ago on a spammer forum explaining this "Geocities Redirects Hosting system". It costs a spammer just $100/week to "host" his site on these redirectors, and they have a system that automatically creates and rotates Geocities accounts to meet demand. Interestingly, they mentioned that Yahoo have started putting ads alongside some of their redirection sites and that they might be profiting from it. - Guy. -----Original Message----- From: discuss-bounces@lists.surbl.org [mailto:discuss-bounces@lists.surbl.org] On Behalf Of Eric Montréal Sent: Sunday, January 29, 2006 17:26 To: Jeff Chan; SURBL Discussion list Subject: Re: [SURBL-Discuss] GeoCities site list Jeff Chan wrote: > [...] > >>At the time of writing there are 2,175 live sites in our list, which >>is a pretty big number. GeoCities remains the #1 spamvertised domain >>in the spam we receive. What're your directions on how to tackle this >>phenomenon? >> >> > >I would recommend forwarding them to abuse@yahoo.com with an >explanation of where they came from, etc. Yahoo does read their abuse >mail. > > That's a waste of time. They only remove the sites after at least 72H (if at all), well after their 'useful' life. Their spam support service really rocks ! If you want to see how easy it would be to pre-screen and throw away spammy sites have a look at : http://nospam.mailpeers.net/alive_spammy2.txt AOL did it, Tripod did it, and spammers moved away. It's not a technical problem, it's a 'pink contract' problem. Regards Eric. >Jeff C. >-- >Don't harm innocent bystanders.
From raymond at surbl.org Sun Jan 29 18:00:55 2006
From: raymond at surbl.org (Raymond Dijkxhoorn)
Date: Sun Jan 29 18:00:59 2006
Subject: [SURBL-Discuss] GeoCities site list
In-Reply-To: <43DCDE8A.30809@mailpeers.net>
References: <2E3E987BE04A804B9087521ACBE2C2C0230B50@BIG.blue.local> <1431446711.20060129055741@surbl.org> <43DCDE8A.30809@mailpeers.net>
Message-ID:

Hi!

>> I would recommend forwarding them to abuse@yahoo.com with an
>> explanation of where they came from, etc. Yahoo does read their
>> abuse mail.

> That's a waste of time.
>
> They only remove the sites after at least 72H (if at all), well after their
> 'useful' life.
>
> Their spam support service really rocks!

Not really true. They use it also to track down IPs and other info. They are not fast but I know they are onto this.

> AOL did it, Tripod did it, and spammers moved away.
>
> It's not a technical problem, it's a 'pink contract' problem.

The size of Geocities differs a little and makes it harder for them to search and destroy... Don't say it's right, but I do understand.

Bye,
Raymond.

From raymond at surbl.org Sun Jan 29 18:04:31 2006
From: raymond at surbl.org (Raymond Dijkxhoorn)
Date: Sun Jan 29 18:04:42 2006
Subject: [SURBL-Discuss] GeoCities site list
In-Reply-To: <2E3E987BE04A804B9087521ACBE2C2C0230B96@BIG.blue.local>
References: <2E3E987BE04A804B9087521ACBE2C2C0230B96@BIG.blue.local>
Message-ID:

Hi!

> Interestingly, they mentioned that Yahoo have started putting ads
> alongside some of their redirection sites and that they might be
> profiting from it.

Do you really think seeing Geocities in all kinds of public and local blacklists would help them? Don't think it's as simple as you put it.
Bye,
Raymond.

From erv at mailpeers.net Sun Jan 29 19:02:35 2006
From: erv at mailpeers.net (Eric Montréal)
Date: Sun Jan 29 19:02:17 2006
Subject: [SURBL-Discuss] GeoCities site list
In-Reply-To:
References: <2E3E987BE04A804B9087521ACBE2C2C0230B50@BIG.blue.local> <1431446711.20060129055741@surbl.org>
Message-ID: <43DD033B.4080100@mailpeers.net>

Raymond Dijkxhoorn wrote:
> Hi!
>
>> I would recommend forwarding them to abuse@yahoo.com with an
>> explanation of where they came from, etc. Yahoo does read their
>> abuse mail.
>
> Make that abuse@yahoo-inc.com
>
> We also have some direct contacts there, so if you are sure the
> complete list is still active we can point them towards...

It is accurate, alive and redirecting!

I just finished a test run through my detection script (could not resist the temptation!), and here's the result:
http://nospam.mailpeers.net/bluesecurity_alive_spammy2.txt

The tests were not tweaked in any way for this list, yet on average they catch 94% of them, so false positives, if any, are very few and far between.

As Guy Rosen mentioned, there are exactly 2175 confirmed alive sites.

Here are the 'real' targets hidden by the redirectors (except for encoded scripts) with hosting country name:
http://nospam.mailpeers.net/bluesecurity_spammy_targets.txt

and the RIP list:
http://nospam.mailpeers.net/bluesecurity_rip_spammy.txt

However, removing after the fact is ineffective because it's way too slow ...

Eric.

> Bye,
> Raymond.

From erv at mailpeers.net Sun Jan 29 19:25:16 2006
From: erv at mailpeers.net (Eric Montréal)
Date: Sun Jan 29 19:24:55 2006
Subject: [SURBL-Discuss] GeoCities site list
In-Reply-To:
References: <2E3E987BE04A804B9087521ACBE2C2C0230B96@BIG.blue.local>
Message-ID: <43DD088C.9020604@mailpeers.net>

Raymond Dijkxhoorn wrote:
> Hi!
>
>> Interestingly, they mentioned that Yahoo have started putting ads
>> alongside some of their redirection sites and that they might be
>> profiting from it.
>
> Do you really think seeing Geocities in all kinds of public and local
> blacklists would help them? Don't think it's as simple as you put it.

And what do you think spammy is using Geocities for?

They perfectly know no responsible administrator can 'simply' blacklist Geocities.

If blacklisting was an option we would not be discussing the issue.

In my view, the reason they started putting ads on the redirected links is because they know wget is still around the corner.

Without ads, they can't claim such actions would result in any financial losses. Now that they have put ads in the redirection, they can sue anyone 'interfering' with the spammy sites.

As the events unfold, Geocities / Yahoo spam support activities will become more clear.

Eric

> Bye,
> Raymond.

From erv at mailpeers.net Sun Jan 29 19:37:06 2006
From: erv at mailpeers.net (Eric Montréal)
Date: Sun Jan 29 19:36:43 2006
Subject: [SURBL-Discuss] GeoCities site list
In-Reply-To:
References: <2E3E987BE04A804B9087521ACBE2C2C0230B50@BIG.blue.local> <1431446711.20060129055741@surbl.org> <43DCDE8A.30809@mailpeers.net>
Message-ID: <43DD0B52.4030100@mailpeers.net>

Raymond Dijkxhoorn wrote:
> Hi!
>
>>> I would recommend forwarding them to abuse@yahoo.com with an
>>> explanation of where they came from, etc. Yahoo does read their
>>> abuse mail.
>>
>> That's a waste of time.
>> They only remove the sites after at least 72H (if at all), well
>> after their 'useful' life.
>> Their spam support service really rocks!
>
> Not really true. They use it also to track down IPs and other info.
> They are not fast but I know they are onto this.

What is not really true?
They've been 'onto this', tracking down IPs and other info for more than a year! See the result for yourself.

Hint ... all the IPs are on their own servers and the main relevant 'info' they can collect is unhappy recipients / honeypot email addresses for listwashing ...

>> AOL did it, Tripod did it, and spammers moved away.
>> It's not a technical problem, it's a 'pink contract' problem.
>
> The size of Geocities differs a little and makes it harder for them to
> search and destroy... Don't say it's right, but I do understand.

Geocities is bigger, so they could easily have proportionally bigger resources if there was a will.

They don't need to scan everything at all times, only recently changed index pages. Since they process all pages (to insert the ads) I simply can't believe they don't have some form of blacklisting system integrated. Whenever a page changes, they can run the test once.

When there's a will there's a way. Sorry, but they have *no* excuse.

Eric

> Bye,
> Raymond.

From jeffc at surbl.org Mon Jan 30 03:04:37 2006
From: jeffc at surbl.org (Jeff Chan)
Date: Mon Jan 30 03:03:15 2006
Subject: [SURBL-Discuss] GeoCities site list
In-Reply-To: <43DCDE8A.30809@mailpeers.net>
References: <2E3E987BE04A804B9087521ACBE2C2C0230B50@BIG.blue.local> <1431446711.20060129055741@surbl.org> <43DCDE8A.30809@mailpeers.net>
Message-ID: <1910185669.20060129180437@surbl.org>

On Sunday, January 29, 2006, 7:26:02 AM, Eric Montréal wrote:

> It's not a technical problem, it's a 'pink contract' problem.

Except that Geocities accounts are free.

Maybe they get ad impression money or something, but they don't get payment from the spammers.

Jeff C.
--
Don't harm innocent bystanders.
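Two messages in this thread describe the same screening idea without showing it: Eric's detection script that resolves the GeoCities redirector pages to the 'real' targets behind them (and admits defeat on encoded scripts), and his later point that a host only needs to re-run such a test when a page changes. The block below is an added example written for this archive, not Eric's script and not anything Yahoo or GeoCities runs. The blocklist domains, the page contents and the account paths are all constructed for the demonstration, and domain extraction uses a naive last-two-labels rule rather than the Public Suffix List.

```python
"""Pre-screening of free-hosting redirector pages (added example, not the
list's or Yahoo's code). Resolves the real target behind meta-refresh and
JavaScript redirects, compares it with a domain blocklist, and re-tests a
page only when its content has changed. All data below is constructed."""
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed blocklist; a real deployment would feed SURBL / local data here.
BLOCKLIST = {"spammy-pharma.example", "cheap-meds.example"}

_META_URL = re.compile(r"url\s*=\s*['\"]?([^'\"\s;]+)", re.I)
_JS_ASSIGN = re.compile(r"location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]", re.I)
_JS_REPLACE = re.compile(r"location\.replace\(\s*['\"]([^'\"]+)['\"]", re.I)
_OBFUSCATION = re.compile(r"\b(?:unescape|eval|String\.fromCharCode)\s*\(")


class RedirectExtractor(HTMLParser):
    """Collects redirect targets from <meta http-equiv=refresh> and inline <script>."""

    def __init__(self):
        super().__init__()
        self.targets = []
        self.obfuscated = False   # script looked encoded and yielded no target
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # html.parser lower-cases attribute names for us
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = _META_URL.search(a.get("content") or "")
            if m:
                self.targets.append(m.group(1))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if not self._in_script:
            return
        for rx in (_JS_ASSIGN, _JS_REPLACE):
            self.targets.extend(m.group(1) for m in rx.finditer(data))
        if _OBFUSCATION.search(data):
            self.obfuscated = True


def registered_domain(url):
    """Naive last-two-labels domain; a real tool would consult the Public Suffix List."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify(html, blocklist=BLOCKLIST):
    """Return (verdict, sorted list of target domains) for one hosted page."""
    p = RedirectExtractor()
    p.feed(html)
    p.close()
    domains = {registered_domain(t) for t in p.targets
               if t.lower().startswith(("http://", "https://"))}
    if domains & set(blocklist):
        return "spammy", sorted(domains)
    if not domains and p.obfuscated:
        return "obfuscated", []   # target hidden by an encoded script: needs a JS engine or a human
    if domains:
        return "redirect", sorted(domains)
    return "clean", []


class PageScreener:
    """Runs classify() once per distinct content version of each page."""

    def __init__(self, blocklist=BLOCKLIST):
        self.blocklist = set(blocklist)
        self._seen = {}  # page_id -> (content digest, verdict)

    def screen(self, page_id, html):
        """Return (verdict, tested); tested is False when the page was unchanged."""
        digest = hashlib.sha256(html.encode("utf-8")).hexdigest()
        cached = self._seen.get(page_id)
        if cached and cached[0] == digest:
            return cached[1], False
        verdict = classify(html, self.blocklist)
        self._seen[page_id] = (digest, verdict)
        return verdict, True


# Constructed sample pages modelled on redirector-style free-hosting pages.
SAMPLE_PAGES = {
    "www.geocities.com/example_user1/": (
        '<html><head><meta http-equiv="Refresh" '
        'content="0; URL=http://www.spammy-pharma.example/?a=17"></head>'
        "<body>Loading...</body></html>"
    ),
    "www.geocities.com/example_user2/": (
        "<html><body><script>"
        "window.location.href='http://shop.cheap-meds.example/v/';"
        "</script></body></html>"
    ),
    "www.geocities.com/example_user3/": (
        "<html><body><script>eval(unescape('%64%6f%63%75%6d%65%6e%74'));"
        "</script></body></html>"
    ),
    "www.geocities.com/example_user4/": (
        "<html><body><h1>My cat photos</h1>"
        "<a href='http://photos.example/'>gallery</a></body></html>"
    ),
}


def screen_all(pages=SAMPLE_PAGES, screener=None):
    """Screen every page once; returns {page_id: (verdict, domains)}."""
    screener = screener or PageScreener()
    return {pid: screener.screen(pid, html)[0] for pid, html in pages.items()}


if __name__ == "__main__":
    for pid, (verdict, domains) in screen_all().items():
        print(f"{pid:40} {verdict:10} {', '.join(domains)}")
```

The 'obfuscated' verdict is the honest answer to the "except for encoded scripts" caveat: a regex can see that a page hides its target but not where it points, so such pages go to a queue for a JavaScript engine or a person rather than being silently passed as clean. The content digest in PageScreener is what makes the "run the test once per change" argument concrete: an unchanged page costs one hash, not a re-parse.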
From jeffc at surbl.org Mon Jan 30 06:46:50 2006
From: jeffc at surbl.org (Jeff Chan)
Date: Mon Jan 30 06:45:25 2006
Subject: [SURBL-Discuss] GeoCities site list
In-Reply-To: <43DD088C.9020604@mailpeers.net>
References: <2E3E987BE04A804B9087521ACBE2C2C0230B96@BIG.blue.local> <43DD088C.9020604@mailpeers.net>
Message-ID: <1591094092.20060129214650@surbl.org>

On Sunday, January 29, 2006, 10:25:16 AM, Eric Montréal wrote:

> Raymond Dijkxhoorn wrote:
>> Hi!
>>
>>> Interestingly, they mentioned that Yahoo have started putting ads
>>> alongside some of their redirection sites and that they might be
>>> profiting from it.
>>
>> Do you really think seeing Geocities in all kinds of public and local
>> blacklists would help them? Don't think it's as simple as you put it.

> And what do you think spammy is using Geocities for?
> They perfectly know no responsible administrator can 'simply' blacklist
> Geocities.
> If blacklisting was an option we would not be discussing the issue.
> In my view, the reason they started putting ads on the redirected links is
> because they know wget is still around the corner.
> Without ads, they can't claim such actions would result in any financial
> losses. Now that they have put ads in the redirection, they can sue anyone
> 'interfering' with the spammy sites.
> As the events unfold, Geocities / Yahoo spam support activities will
> become more clear.
> Eric

More likely Yahoo is simply incompetent at detecting and shutting down the sites, even though multiple folks are reporting them.

http://en.wikiquote.org/wiki/Robert_J._Hanlon

Hanlon's Razor
* Never attribute to malice that which is adequately explained by stupidity.

Jeff C.
--
Don't harm innocent bystanders.
From erv at mailpeers.net Mon Jan 30 06:59:31 2006
From: erv at mailpeers.net (Eric Montréal)
Date: Mon Jan 30 06:59:31 2006
Subject: [SURBL-Discuss] GeoCities site list
In-Reply-To: <1910185669.20060129180437@surbl.org>
References: <2E3E987BE04A804B9087521ACBE2C2C0230B50@BIG.blue.local> <1431446711.20060129055741@surbl.org> <43DCDE8A.30809@mailpeers.net> <1910185669.20060129180437@surbl.org>
Message-ID: <43DDAB43.6040006@mailpeers.net>

Jeff Chan wrote:
> On Sunday, January 29, 2006, 7:26:02 AM, Eric Montréal wrote:
>
>> It's not a technical problem, it's a 'pink contract' problem.
>
> Except that Geocities accounts are free.
>
> Maybe they get ad impression money or something, but they don't
> get payment from the spammers.

It is my understanding that pink contract means: "contract from an Internet service provider to a spammer exempting the spammer from the usual terms of service prohibiting spamming."

It usually involves money but I think it's not very likely here (can't rule that out either). The service being offered for free or for a fee to non-spammy customers does not prevent the same service from being sold to spammy with added 'pink' clauses.

However, I think this is more of a mutual benefit thing. Spammy is free to use the service for his redirections and Yahoo gets a huge brand exposure for its Geocities trademark.

As I wrote earlier, as long as the recipient of the spam thinks that Geocities is an unwilling victim of the spammer, the effect of such widespread brand exposure is good for them. Changing that perception would put an end to it.

A few media outlets reporting about Yahoo's continued unwillingness to solve the issue and you can bet what was impossible for more than a year will be solved in less than a day!

Eric.

> Jeff C.
> --
> Don't harm innocent bystanders.