[SURBL-Discuss] Fw: [sniffer] Watch out... SURBL & SORBS full of large ISPs and Antispam providers.

William Stearns wstearns at pobox.com
Tue Jan 17 16:15:51 CET 2006


Good morning, all,

On Tue, 17 Jan 2006, Darrell (support at invariantsystems.com) wrote:

> Jeff/others,
>
> Did some issue occur to cause the domains listed below to be populated in 
> SURBL?
>
> Darrell
> ------------------------------------------------------------------------
> Check out http://www.invariantsystems.com for utilities for Declude And 
> Imail.  IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG 
> Integration, and Log Parsers.
>
> ----- Original Message ----- From: "Pete McNeil" <madscientist at microneil.com>
> To: <sniffer at sortmonster.com>
> Sent: Tuesday, January 17, 2006 4:27 AM
> Subject: [sniffer] Watch out... SURBL & SORBS full of large ISPs and Antispam 
> providers.
>
>> Hello Sniffer Folks,
>>
>>  Watch out for false positives. This morning along with the current
>>  spam storm we discovered that SURBL and SORBs are listing a large
>>  number of ISP domains and anti-spam service/software providers.
>>
>>  As a result, many of these were tagged by our bots due to spam
>>  arriving at our system with those domains and IPs. Most IPs and
>>  domains for these services are coded with "nokens" in our system to
>>  prevent this kind of thing, but a few slipped through.
>>
>>  We are aggressively hunting any more that might have arrived.
>>
>>  You may want to temporarily reduce the weight of the experimental IP
>>  and experimental ad-hoc rule groups until we have identified and
>>  removed the bad rules we don't know about yet.
>>
>>  Please also do your best to report any false positives that you do
>>  identify so that we can remove any bad rules. I don't expect that
>>  there will be too many, but I do want to clear them out quickly if
>>  they are there.
>>
>>  Please also, if you haven't already, review the false positive
>>  procedures: 
>> http://www.sortmonster.com/MessageSniffer/Help/FalsePositivesHelp.html
>>
>>  Pay special attention to the rule-panic procedure and feature in
>>  case you are one of the services hit by these bad entries.
>>
>>  An example of some that we've found in SURBL for example are
>>  declude.com, usinternet.com, and w3.org
>>
>>  It's not clear yet how large the problem is, but I'm sure it will be
>>  resolved soon.
>>
>>  Hope this helps,
>> 
>> Thanks,
>> _M
>> 
>> Pete McNeil (Madscientist)
>> President, MicroNeil Research Corporation
>> Chief SortMonster (www.sortmonster.com)
>> Chief Scientist (www.armresearch.com)
>> 
>> This E-Mail came from the Message Sniffer mailing list. For information and 
>> (un)subscription instructions go to 
>> http://www.sortmonster.com/MessageSniffer/Help/Help.html

 	ws.surbl.org does not have these domains, and it appears none of 
the other surbls does either.  From 
http://www.rulesemporium.com/cgi-bin/uribl.cgi :

SURBL+ Checker Query Results

declude.com is 63.246.13.88 [ rbl lookup ]
domain registered: unknown [ full whois ]

     * RBL: skipping uri lookups on ip-based RBLs
     * URIBL: multi.surbl.org: not listed [ report ]
     * URIBL: multi.uribl.com: not listed [ report ]

usinternet.com is 216.17.3.239 [ rbl lookup ]
domain registered: unknown [ full whois ]

     * RBL: skipping uri lookups on ip-based RBLs
     * URIBL: multi.surbl.org: not listed [ report ]
     * URIBL: multi.uribl.com: not listed [ report ]

w3.org is 128.30.52.46 [ rbl lookup ]
domain registered: unknown [ full whois ]

     * RBL: skipping uri lookups on ip-based RBLs
     * URIBL: multi.surbl.org: not listed [ report ]
     * URIBL: multi.uribl.com: not listed [ report ]

 	Pete, could you recheck these at your end?  If you have dig 
available, please try:

dig declude.com.multi.surbl.org. A

 	Cheers,
 	- Bill

---------------------------------------------------------------------------
         "A 'No' uttered from deepest conviction is better and greater
than a 'Yes' merely uttered to please, or what is worse, to avoid
trouble."
         -- Mahatma Gandhi
(Courtesy of Adrian Bunk <bunk at fs.tum.de>)
--------------------------------------------------------------------------
William Stearns (wstearns at pobox.com).  Mason, Buildkernel, freedups, p0f,
rsync-backup, ssh-keyinstall, dns-check, more at:   http://www.stearns.org
--------------------------------------------------------------------------
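The check Bill asks for above (resolve `<domain>.multi.surbl.org` and read the answer) is easy to script, and it is worth seeing how the answer is decoded, because multi.surbl.org packs which sub-lists hit a domain into the last octet of a 127.0.0.x address. The block below is an added example, not code from Bill, MicroNeil or SURBL. It assumes the bit assignments SURBL documented for multi.surbl.org in early 2006 (SC=2, WS=4, PH=8, OB=16, AB=32, JP=64; check the current SURBL documentation, the list set has changed since), uses a constructed in-memory DNS zone so it runs offline, and reduces hostnames to their last two labels without the two-level TLD table (co.uk and friends) a real checker needs. Swapping `default_resolver` in for `fake_resolver` makes it do live lookups.

```python
import ipaddress
import socket
from typing import Callable, Dict, List

# Sub-list bits for multi.surbl.org as documented in early 2006.
# Assumption: verify against current SURBL docs before relying on these.
SURBL_MULTI_BITS = {
    2: "sc",   # SpamCop
    4: "ws",   # sa-blacklist (ws.surbl.org, the list Bill checked)
    8: "ph",   # phishing
    16: "ob",  # Outblaze
    32: "ab",  # AbuseButler
    64: "jp",  # jwSpamSpy / Prolocation
}

Resolver = Callable[[str], List[str]]


def default_resolver(name: str) -> List[str]:
    """Live A lookup; returns [] on NXDOMAIN (i.e. not listed)."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []


# Constructed zone for offline use. The test point is the one SURBL
# documents as listed on every sub-list; the other three are the domains
# from this thread, modelled as not listed (NXDOMAIN -> empty answer).
FAKE_ZONE: Dict[str, List[str]] = {
    "surbl-org-permanent-test-point.com.multi.surbl.org.": ["127.0.0.126"],
    "declude.com.multi.surbl.org.": [],
    "usinternet.com.multi.surbl.org.": [],
    "w3.org.multi.surbl.org.": [],
}


def fake_resolver(name: str) -> List[str]:
    return FAKE_ZONE.get(name, [])


def lookup_key(uri_host: str) -> str:
    """Turn a hostname or IPv4 literal from a URI into the label SURBL expects."""
    host = uri_host.strip().rstrip(".").lower()
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # SURBL lists registered domains, so drop subdomains. Assumption: the
        # real two-level TLD table is omitted here; last two labels only.
        return ".".join(host.split(".")[-2:])
    if ip.version != 4:
        raise ValueError("SURBL lists only IPv4 literals")
    # IP literals are queried with the octets reversed, as in IP-based DNSBLs.
    return ".".join(reversed(host.split(".")))


def check_surbl(uri_host: str, resolver: Resolver = fake_resolver,
                zone: str = "multi.surbl.org") -> Dict[str, object]:
    """Query <key>.<zone> and decode which sub-lists the answer bitmask names."""
    qname = f"{lookup_key(uri_host)}.{zone}."
    answers = resolver(qname)
    hits = set()
    for a in answers:
        octets = [int(x) for x in a.split(".")]
        if octets[:3] != [127, 0, 0]:
            # Not a listing answer. A public IP here usually means a resolver
            # that rewrites NXDOMAIN; do not count it as a hit.
            continue
        hits.update(name for bit, name in SURBL_MULTI_BITS.items() if octets[3] & bit)
    return {"query": qname, "answers": answers, "lists": sorted(hits)}


if __name__ == "__main__":
    for host in ("declude.com", "www.usinternet.com", "w3.org",
                 "surbl-org-permanent-test-point.com"):
        r = check_surbl(host)
        print(f"{r['query']:55} {r['answers'] or 'not listed'} {r['lists']}")
```

An empty answer means not listed; a non-127.0.0.x answer should be treated as a resolver problem rather than a listing, which is the kind of thing that can make a domain look listed at one site and clean at another.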