[SURBL-Discuss] Fw: [sniffer] Watch out... SURBL & SORBS full
of large ISPs and Antispam providers.
William Stearns
wstearns at pobox.com
Tue Jan 17 16:15:51 CET 2006
Good morning, all,
On Tue, 17 Jan 2006, Darrell (support at invariantsystems.com) wrote:
> Jeff/others,
>
> Did some issue occur to cause the domains listed below to be populated in
> SURBL?
>
> Darrell
> ------------------------------------------------------------------------
> Check out http://www.invariantsystems.com for utilities for Declude And
> Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG
> Integration, and Log Parsers.
>
> ----- Original Message ----- From: "Pete McNeil" <madscientist at microneil.com>
> To: <sniffer at sortmonster.com>
> Sent: Tuesday, January 17, 2006 4:27 AM
> Subject: [sniffer] Watch out... SURBL & SORBS full of large ISPs and Antispam
> providers.
>
>> Hello Sniffer Folks,
>>
>> Watch out for false positives. This morning along with the current
>> spam storm we discovered that SURBL and SORBS are listing a large
>> number of ISP domains and anti-spam service/software providers.
>>
>> As a result, many of these were tagged by our bots due to spam
>> arriving at our system with those domains and IPs. Most IPs and
>> domains for these services are coded with "nokens" in our system to
>> prevent this kind of thing, but a few slipped through.
>>
>> We are aggressively hunting any more that might have arrived.
>>
>> You may want to temporarily reduce the weight of the experimental IP
>> and experimental ad-hoc rule groups until we have identified and
>> removed the bad rules we don't know about yet.
>>
>> Please also do your best to report any false positives that you do
>> identify so that we can remove any bad rules. I don't expect that
>> there will be too many, but I do want to clear them out quickly if
>> they are there.
>>
>> Please also, if you haven't already, review the false positive
>> procedures:
>> http://www.sortmonster.com/MessageSniffer/Help/FalsePositivesHelp.html
>>
>> Pay special attention to the rule-panic procedure and feature in
>> case you are one of the services hit by these bad entries.
>>
>> Some examples that we've found in SURBL are
>> declude.com, usinternet.com, and w3.org
>>
>> It's not clear yet how large the problem is, but I'm sure it will be
>> resolved soon.
>>
>> Hope this helps,
>>
>> Thanks,
>> _M
>>
>> Pete McNeil (Madscientist)
>> President, MicroNeil Research Corporation
>> Chief SortMonster (www.sortmonster.com)
>> Chief Scientist (www.armresearch.com)
>>
>> This E-Mail came from the Message Sniffer mailing list. For information and
>> (un)subscription instructions go to
>> http://www.sortmonster.com/MessageSniffer/Help/Help.html

ws.surbl.org does not have these domains, and it appears none of
the other surbls does either. From
http://www.rulesemporium.com/cgi-bin/uribl.cgi :

SURBL+ Checker Query Results

declude.com is 63.246.13.88 [ rbl lookup ]
domain registered: unknown [ full whois ]
  * RBL: skipping uri lookups on ip-based RBLs
  * URIBL: multi.surbl.org: not listed [ report ]
  * URIBL: multi.uribl.com: not listed [ report ]

usinternet.com is 216.17.3.239 [ rbl lookup ]
domain registered: unknown [ full whois ]
  * RBL: skipping uri lookups on ip-based RBLs
  * URIBL: multi.surbl.org: not listed [ report ]
  * URIBL: multi.uribl.com: not listed [ report ]

w3.org is 128.30.52.46 [ rbl lookup ]
domain registered: unknown [ full whois ]
  * RBL: skipping uri lookups on ip-based RBLs
  * URIBL: multi.surbl.org: not listed [ report ]
  * URIBL: multi.uribl.com: not listed [ report ]

Pete, could you recheck these at your end? If you have dig
available, please try:

dig declude.com.multi.surbl.org. A

Cheers,
- Bill
---------------------------------------------------------------------------
"A 'No' uttered from deepest conviction is better and greater
than a 'Yes' merely uttered to please, or what is worse, to avoid
trouble."
-- Mahatma Gandhi
(Courtesy of Adrian Bunk <bunk at fs.tum.de>)
--------------------------------------------------------------------------
William Stearns (wstearns at pobox.com). Mason, Buildkernel, freedups, p0f,
rsync-backup, ssh-keyinstall, dns-check, more at: http://www.stearns.org
--------------------------------------------------------------------------
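
The recheck requested in the message above (the dig query against multi.surbl.org), scripted so the three domains can be verified together. This is an added example, not part of the original message; the function names are illustrative, and it goes slightly beyond the message by flagging any answer outside 127.0.0.0/8 as suspect rather than as a listing.

```python
import ipaddress
import socket

SURBL_ZONE = "multi.surbl.org"  # combined zone queried in the message above
LISTED_NET = ipaddress.ip_network("127.0.0.0/8")

def surbl_qname(domain, zone=SURBL_ZONE):
    """Build the fully qualified query name: <domain>.<zone>."""
    return f"{domain.strip().rstrip('.').lower()}.{zone}."

def classify(answers):
    """Interpret the A records returned for a SURBL query name.

    Returns (status, bits). status is 'not-listed', 'listed' or 'suspect';
    bits holds the bit values set in the last octet of a listing answer.
    """
    if not answers:
        return "not-listed", []  # NXDOMAIN: the domain is on no list
    mask = 0
    for text in answers:
        addr = ipaddress.ip_address(text)
        if addr.version != 4 or addr not in LISTED_NET:
            # An ordinary address is not a listing; a resolver that rewrites
            # NXDOMAIN makes every domain look listed to a naive check.
            return "suspect", []
        mask |= int(addr) & 0xFF
    # Which list each bit stands for is published by SURBL and has changed
    # over time, so only the raw bit values are reported here.
    return "listed", [1 << i for i in range(8) if mask & (1 << i)]

def lookup(domain, zone=SURBL_ZONE):
    """Resolve the query name and classify the result."""
    qname = surbl_qname(domain, zone)
    try:
        infos = socket.getaddrinfo(qname.rstrip("."), None, socket.AF_INET)
    except socket.gaierror as exc:
        if exc.errno != socket.EAI_NONAME:
            return qname, ("error", [])  # timeout or SERVFAIL proves nothing
        infos = []
    return qname, classify(sorted({info[4][0] for info in infos}))

if __name__ == "__main__":
    for name in ("declude.com", "usinternet.com", "w3.org"):  # from the thread
        print(*lookup(name))
```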