Re: [SARE] Whitelist.cf updated

2005-05-25 Thread Jeff Chan
hes these two items, then the email is whitelisted. Jeff C. -- Jeff Chan mailto:[EMAIL PROTECTED] http://www.surbl.org/

Re: dissapointed >> dummy MX record

2005-05-25 Thread Jeff Chan
ys to discover. However my original reply was referring to an MX record that did not connect to a server of any kind, fake or real. That arrangement some spammers seem to detect eventually. Jeff C. -- Jeff Chan mailto:[EMAIL PROTECTED] http://www.surbl.org/

Re: dissapointed >> dummy MX record

2005-05-25 Thread Jeff Chan
be > sending an unused domain any mail. > Honeyd.org has a live statistics page that has known spammer IPs. I > would love > it if they could make a DNS RBL out of this information! Some well-known, widely-used, existing RBLs are based on such data. Jeff C. -- Jeff Chan mailt

Re: Cannot get rid of new online pharmacy spams

2005-05-25 Thread Jeff Chan
erdomain.com . The newer versions of SpamAssassin will detect these successfully because the domain names are listed in SURBLs and new SA versions are no longer fooled by this obfuscation technique. Quick answer: upgrade! Jeff C. -- Jeff Chan mailto:[EMAIL PROTECTED] http://www.surbl.org/

Re: dissapointed

2005-05-24 Thread Jeff Chan
se something like postgrey to delay new connections: http://isg.ee.ethz.ch/tools/postgrey/ Jeff C. -- Jeff Chan mailto:[EMAIL PROTECTED] http://www.surbl.org/

Re: Additional SPAM recognition method

2005-05-24 Thread Jeff Chan
n SA rule to detect URIs that have ridiculously large numbers of subdomain levels? If not, perhaps it could be useful (perhaps even more useful than wildcard DNS). Note that it may not be feasible to resolve domains found in message body URIs to even detect wildcards. Jeff C. -- Jeff Chan mailto:[EMAIL PROTECTED] http://www.surbl.org/

Re: Additional SPAM recognition method

2005-05-24 Thread Jeff Chan
faq.html#numbered "Are there plans to offer an RBL list with the domain names resolved into IP addresses?" Jeff C. -- Jeff Chan mailto:[EMAIL PROTECTED] http://www.surbl.org/

Re: Additional SPAM recognition method

2005-05-24 Thread Jeff Chan
oo.fr, yahooo.com (belongs to yahoo). In addition wildcards seem to be pretty common on low-end shared web hosting accounts, presumably for the reason proposed earlier in this thread: really simple load sharing across multiple web servers. In other words sometimes it may be used as a convenience on low end hosting. I'll send Paul my results off-list. Jeff C. -- Jeff Chan mailto:[EMAIL PROTECTED] http://www.surbl.org/

Re: new meds spam agaianst SARS viruses? this may help

2005-05-23 Thread Jeff Chan
oney. Presumably the bad guys like to avoid that so they ask for the private number as part of their scam. Jeff C. -- Jeff Chan mailto:[EMAIL PROTECTED] http://www.surbl.org/

Re: blocking url's

2005-05-18 Thread Jeff Chan
g, it tags messages that look like spam. Then it's up to some other program to decide what to do with the message. Jeff C. -- Jeff Chan mailto:[EMAIL PROTECTED] http://www.surbl.org/

Re: Bombarded by German political spam

2005-05-18 Thread Jeff Chan
S. where probably fewer than 1 in 10 people has any idea what a "World Cup" is. Superbowl they've heard of. World Cup not. ;-) More likely gmx.net, being a German ISP, spotted the spams earlier, could actually read them, got offended, and decided to filter. Jeff C. -- Jeff Chan mailto:[EMAIL PROTECTED] http://www.surbl.org/

Re: against this spam mail...

2005-05-18 Thread Jeff Chan
il02 sendmail[22525]: j4I6B6i22525: <[EMAIL PROTECTED]>... > User unknown This is called a "dictionary attack". If you search for that and sendmail, you may find some answers. It's not specifically a SpamAssassin question. Jeff C. -- Jeff Chan mailto:[EMAIL PROTECTED] http://www.surbl.org/

New? URI obfuscation: backslash at end of URI

2005-05-17 Thread Jeff Chan
tch that catches just : at the end of URIs, etc. also catches these. Cheers, Jeff C. -- Jeff Chan mailto:[EMAIL PROTECTED] http://www.surbl.org/

Re: Bombarded by German political spam

2005-05-15 Thread Jeff Chan
whitelist them. Here are some others we've whitelisted: stern.de rp-online.de fhtw-berlin.de berlin1.de bz.berlin1.de bz-berlin.de gofeminin.de taz.de berlinonline.de zdf.de [...] Jeff C. -- Jeff Chan mailto:[EMAIL PROTECTED] http://www.surbl.org/

Re: {SPAM} Drug SPAM problem..any fixes?

2005-05-14 Thread Jeff Chan
ts. We're working on reducing the latency of SURBLs. Jeff C. -- Jeff Chan mailto:[EMAIL PROTECTED] http://www.surbl.org/

Re: Evading URI checks

2005-05-14 Thread Jeff Chan
also means they can't use clickable links, which may decrease their response rates. Jeff C. -- Jeff Chan mailto:[EMAIL PROTECTED] http://www.surbl.org/

Re: URIDNSBL Scores

2005-05-13 Thread Jeff Chan
e on the SURBL site, they usually mention type "body" which won't work with 3.0.0 . A newer version is probably better to use, BTW. Jeff C. -- Jeff Chan mailto:[EMAIL PROTECTED] http://www.surbl.org/

Re: URIDNSBL Scores

2005-05-13 Thread Jeff Chan
up > (multi.s > urbl.org.:blahblahcutie.info) > debug: URIDNSBL: queries completed: 2 started: 2 > debug: URIDNSBL: queries active: at Thu May 12 15:14:52 2005 queries completed: 2 looks ok to me, and the SURBL queries got the right result, but they didn't get scored. That's indeed odd. Jeff C. -- Jeff Chan mailto:[EMAIL PROTECTED] http://www.surbl.org/

Re: [SPAM-TAG] Re: SpamCopURI not working

2005-05-12 Thread Jeff Chan
my previous response. multi is the only list that should be checked. Jeff C. -- Jeff Chan mailto:[EMAIL PROTECTED] http://www.surbl.org/

Re: Godaddy selling e-mails ?

2005-05-11 Thread Jeff Chan
west ? Does your address appear in a domain registration? The registrations are public after all. Jeff C. -- Jeff Chan mailto:[EMAIL PROTECTED] http://www.surbl.org/

Re: [SPAM-TAG] RE: SpamCopURI not working, was RE: More Messed Up www URLs

2005-05-11 Thread Jeff Chan
onfused SA 3.0 too. Let's ask Eric Kolve to please update SpamCopURI to ignore these extra characters that appear at the end of the host portion of URIs, like SA 3.1 now does, as a result of this bug fix: http://bugzilla.spamassassin.org/show_bug.cgi?id=4191 Jeff C. -- Jeff Chan mailto:[EMAIL PROTECTED] http://www.surbl.org/

Re: Subscribing to spam lists

2005-05-10 Thread Jeff Chan
te. Spammers use > software harvesting programs such as robots or spiders to > record e-mail addresses listed on Web sites, including both > personal Web pages and institutional (corporate or non-profit) > Web pages. Jeff C. -- Jeff Chan mailto:[EMAIL PROTECTED] http://www.surbl.org/

Re: smart spam using =2Eco=2Euk

2005-05-10 Thread Jeff Chan
Cheers, Jeff C. > --- start spam --- [...] > href=3D"http://www=2Ebroadberry=2Eco=2Euk/intro=2Ehtml";> he= > ight=3D77=20 > src=3D"http://www=2Ebroadberry=2Eco=2Euk/offers/BDSLogo=2Ejpg"; > = > width=3D266=20 -- Jeff Chan mailto:[EMAIL PROTECTED] http://www.surbl.org/

Re: SpamCopURI not working, was RE: More Messed Up www URLs

2005-05-10 Thread Jeff Chan
pletely rebuild our spam > scanner, but I just don't have the time right now... so if anyone has any > suggestions on things to get this box working more or less intact, I'm all > ears. Have you tried spamassassin -D < some_message and spamassassin --lint? Jeff C. -- Jeff Chan mailto:[EMAIL PROTECTED] http://www.surbl.org/

Re: More Messed Up www URLs

2005-05-07 Thread Jeff Chan
call that SpamCopURI is technically a patch and should be installed after SA, so SpamCopURI can patch SA. Jeff C. -- Jeff Chan mailto:[EMAIL PROTECTED] http://www.surbl.org/

Fwd: [SURBL-Discuss] Brief problem with ab.surbl.org

2005-05-05 Thread Jeff Chan
From: Jeff Chan To: SURBL Discus Date: Thursday, May 5, 2005, 12:39:58 AM Subject: [SURBL-Discuss] Brief problem with ab.surbl.org FWIW there was a brief error where .com got into ab.surbl.org and that caused it to hit all .com domains. This problem lasted an hour or two today and happened

Re: [SPAM-TAG] Re: [SPAM-TAG] Content type allowing spammers to evade URIBL

2005-05-05 Thread Jeff Chan
On Thursday, May 5, 2005, 12:10:32 AM, Jeff Chan wrote: > On Wednesday, May 4, 2005, 9:21:11 PM, Craig Baird wrote: >> Today, I've received a number of spams containing a domain that is listed on >> almost all the SURBL lists. I've received around 10 of these today, and

Re: [SPAM-TAG] Content type allowing spammers to evade URIBL

2005-05-05 Thread Jeff Chan
3]-087[3]-- > --- End Spam --- > If you'll notice, the content type is shown as ";text/plain;". It seems that > the semicolons are causing Spamassassin not to parse the mail properly. If I > run the message through SA as-is, it hits on no SURBLs. However, if I remove

Re: [SURBL] how to report

2005-05-05 Thread Jeff Chan
On Wednesday, May 4, 2005, 8:37:45 AM, martin smith wrote: M>>From: Jeff Chan [mailto:[EMAIL PROTECTED] M>>A good way to report spams is to use SpamCop. The SpamCop M>>spamvertised site data goes into sc.surbl.org: M>> M>> http://www.surbl.org/lists.html#sc M>

Re: [SURBL] how to report

2005-05-04 Thread Jeff Chan
e SpamCop. The SpamCop spamvertised site data goes into sc.surbl.org: http://www.surbl.org/lists.html#sc Jeff C. -- Jeff Chan mailto:[EMAIL PROTECTED] http://www.surbl.org/

Re: rulesemporium.com outage again?????

2005-05-03 Thread Jeff Chan
's got something to do with the recent outbreak of Sober.P? Jeff C. -- Jeff Chan mailto:[EMAIL PROTECTED] http://www.surbl.org/

Re: Phishing filtering?

2005-05-03 Thread Jeff Chan
fo at our site.) Cheers, Jeff C. -- Jeff Chan mailto:[EMAIL PROTECTED] http://www.surbl.org/

Re: Observation on secondary MX

2005-05-03 Thread Jeff Chan
a fake second backup MX (third MX record), but after a while spam levels to the real backup MX seemed to come back up. Gonna try postgrey methinks: http://isg.ee.ethz.ch/tools/postgrey/ Jeff C. -- Jeff Chan mailto:[EMAIL PROTECTED] http://www.surbl.org/

Re: Bayes header results

2005-04-30 Thread Jeff Chan
're looking into that. http://www.superbusinessmodel .com http://www.superreply .net/ar/r.php?un=1530566 Jeff C. -- Jeff Chan mailto:[EMAIL PROTECTED] http://www.surbl.org/

Re: FW: tablets and chemists

2005-04-29 Thread Jeff Chan
On Friday, April 29, 2005, 7:42:48 AM, Chuck Campbell wrote: > I want to switch, but will need to get Bayes up to speed before cutting over > to the newer version for production. You can migrate your old Bayes DB IIRC. Please see the Wiki. Jeff C. -- Jeff Chan mailto:[EMAIL PROTECTED

Re: FW: tablets and chemists

2005-04-29 Thread Jeff Chan
, then multi will work. The DNS infrastructure is the same. Therefore please use multi. :-) Cheers, Jeff C. -- Jeff Chan mailto:[EMAIL PROTECTED] http://www.surbl.org/

Re: tablets and chemists

2005-04-29 Thread Jeff Chan
i.surbl.org" list? > --Rob McEwen Absolutely. Everyone should be using multi.surbl.org with either SpamCopURI or urirhssub. It's a combined list that checks all of them with one DNS lookup. http://www.surbl.org/lists.html#multi The examples for JP on the Quick Start page both use mult

Re: tablets and chemists

2005-04-29 Thread Jeff Chan
http://www.surbl.org/quickstart.html Jeff C. -- Jeff Chan mailto:[EMAIL PROTECTED] http://www.surbl.org/

Re: SpamAssassin 3.0.3 Released

2005-04-29 Thread Jeff Chan
;) > Your pattern recognition skills remain top-notch. ;-) > Daniel Yeah, I hear 22:22:22 is definite spamware sign.... ;-) LOL! Jeff C. -- Jeff Chan mailto:[EMAIL PROTECTED] http://www.surbl.org/

Re: SpamAssassin 3.0.3 Released

2005-04-29 Thread Jeff Chan
pamassassin.apache.org, >>dev@spamassassin.apache.org >> Date: Thu, 28 Apr 2005 22:22:22 -0500 (20:22 PDT) > > check it out! was that deliberate? ;) > - --j. Nah, that would be too, too, too. ;-) Jeff C. -- Jeff Chan mailto:[EMAIL PROTECTED] http://www.surbl.org/

Re: Low detection rate

2005-04-27 Thread Jeff Chan
it's how my simple zone generation script adds the testpoints to all the lists currently. Bottom line: yes, it's normal. Jeff C. -- Jeff Chan mailto:[EMAIL PROTECTED] http://www.surbl.org/

Re: SA config recommendations to block these spammers?

2005-04-27 Thread Jeff Chan
> coolestrxever.com.multi.surbl.org has address 127.0.0.80 > Will try a bit more debugging shortly, not convinced it's parsing the > message correctly. > Rob Is your Net::DNS current? Are you calling SpamAssassin so as to use network tests? http://www.surbl.org/faq.html#nettest Jeff C. -- Jeff Chan mailto:[EMAIL PROTECTED] http://www.surbl.org/

Re: [SPAM-TAG] Does anyone have a rule to get rid of these types of messages

2005-04-26 Thread Jeff Chan
SURBLs will catch these because of: > href="http://ukbyfzovkfmz.net&saaplurfngdush5utq4x%2Erancejknfl%2Ecom/";>C8lick > her9e for our pi1ll of the day s5pecial! http://www.surbl.org/ Jeff C. -- Jeff Chan mailto:[EMAIL PROTECTED] http://www.surbl.org/

Re: [SURBL-Discuss] RE: Research wanted: age of spam gang URI domains

2005-04-23 Thread Jeff Chan
On Friday, April 22, 2005, 7:27:17 AM, John Delisle wrote: > Even if data re average age of the domains, wouldn't they just start > registering them earlier so as to not match that pattern? Yeah that's always a possibility. But there seems to be some evidence that a lot of spam domains don't get

Re: [SURBL-Discuss] RE: Research wanted: age of spam gang URI domains

2005-04-23 Thread Jeff Chan
On Friday, April 22, 2005, 9:27:56 AM, Steven Champeon wrote: > See: > http://www.merit.edu/mail.archives/nanog/2005-01/msg00225.html > for one particular spamgang (dunno who); seems to be entirely dedicated > to sending out spam in multipart with one redirector link (ends in .html, > with embedd

Research wanted: age of spam gang URI domains

2005-04-21 Thread Jeff Chan
Does anyone have research or references for the age profiles of domains appearing in the URIs of spam gang (i.e. Ralsky, Lindsay, Richter, etc.) spams? In other words, how old are the domains of sites being spamvertised *by spam gangs*? (By age I mean how long ago they were (most recently) create

Re: Interesting RBL problem

2005-04-21 Thread Jeff Chan
On Thursday, April 21, 2005, 5:12:37 AM, Mike Grice wrote: > why would SA > time it out? The system should use the hostfile in preference to DNS > (e.g., in nsswitch.conf), but for some bizarre reason this lookup isn't. BIND does the forwarding to rbldnsd. Jeff C. -- Jeff Chan

Re: Interesting RBL problem

2005-04-21 Thread Jeff Chan
On Thursday, April 21, 2005, 4:26:46 AM, Mike Grice wrote: > On Thu, 2005-04-21 at 03:55 -0700, Jeff Chan wrote: >> On Thursday, April 21, 2005, 3:46:35 AM, Mike Grice wrote: >> >>From /etc/hosts: >> > 127.0.0.2 dnsbl-sorbs-net.dnsbl.plus.net >>

Re: Interesting RBL problem

2005-04-21 Thread Jeff Chan
On Thursday, April 21, 2005, 3:46:35 AM, Mike Grice wrote: > On Thu, 2005-04-21 at 03:01 -0700, Jeff Chan wrote: >> Did you remember to forward the queries for your local zones to >> the rbldnsd server? E.g.: > Yeah. All the other zones are working, just not SORBS by the lo

Re: Interesting RBL problem

2005-04-21 Thread Jeff Chan
p://www.surbl.org/rbldnsd-bind-freebsd.html http://njabl.org/rsync.html Jeff C. -- Jeff Chan mailto:[EMAIL PROTECTED] http://www.surbl.org/

Re: Is there a new source of spam?

2005-04-20 Thread Jeff Chan
150 to 170 a day up to about 220 today.) > {^_^} Well there seem to be new viruses around. That may perhaps correlate with expanded botnets used to send spam. Jeff C. -- Jeff Chan mailto:[EMAIL PROTECTED] http://www.surbl.org/

Re: Whoa-new spam today

2005-04-19 Thread Jeff Chan
ngoddi If those are advertising an actual site on geocities, then please report them to: [EMAIL PROTECTED] so Yahoo can shut them down. Jeff C. -- Jeff Chan mailto:[EMAIL PROTECTED] http://www.surbl.org/

Re: Need for a new rule?

2005-04-17 Thread Jeff Chan
p|aced in our membership, p|ease go here or send a blank > e mail with No Thanks in the subject to st0ck1007 @yahoo.com So it's time to adjust/modify that filter again. (I guess he was behind on his reading. Hi spammy! ;-) Jeff C. -- Jeff Chan mailto:[EMAIL PROTECTED] http://www.surbl.org/

Re: 0 Hits on blatant spam

2005-04-15 Thread Jeff Chan
t no header > rules that look for the word with an "ing" on the end of it. ... The spam advertises a presumptive porn site on geocities. Please forward the spam to yahoo so they can shut it down: geo-abuse@ yahoo-inc.com (without the space) Jeff C. -- Jeff Chan mailto:[EMAIL PROTECTED] http://www.surbl.org/

Re: random rudeness!

2005-04-13 Thread Jeff Chan
5-20 days for the > domain to die, bad ones can take 3-4 months; But you can blacklist them in > almost no time. > Good luck and have fun hunting (nobody spams my domains and gets off > clean!), > Paul Shupak > [EMAIL PROTECTED] > P.S. The "real" finds are the rare invalid netblock or ASN, but that can wait > until you learn to check domains. This really belongs in some kind of spam-fighting FAQ or howto somewhere. Jeff C. -- Jeff Chan mailto:[EMAIL PROTECTED] http://www.surbl.org/

Re: Recommendation on SARE rules to add.

2005-04-13 Thread Jeff Chan
might be helpful to see a small, edited, sampling of the FNs you're seeing. Jeff C. -- Jeff Chan mailto:[EMAIL PROTECTED] http://www.surbl.org/

Re: [SURBL-Discuss] More spams with Zdnet redirector

2005-04-10 Thread Jeff Chan
On Saturday, April 9, 2005, 10:14:27 AM, List User wrote: > I've begun sending them to [EMAIL PROTECTED] - no bounce, but no > response > either. Starting tomorrow, *all* the CNet editors get a copy. Today's below. > Paul Shupak > [EMAIL PROTECTED] LOL, but I can't reall

SpamAssassin DNS/SURBL bug possibly discovered, fixed

2005-04-08 Thread Jeff Chan
See: http://bugzilla.spamassassin.org/show_bug.cgi?id=4249 http://bugzilla.spamassassin.org/show_bug.cgi?id=3997 It would be interesting to see if folks could try the patches added to the tickets, try a slow DNS resolution (longer than the timeout of 3 seconds) and see if they can duplicate/elimi

Re: Net::DNS trouble

2005-04-08 Thread Jeff Chan
of versions, paths, etc. and if those methods are mixed *for the same program* they can get confused. One solution is to always use CPAN, always use tarballs, always use subversion, etc. I.e. pick one and stick with it. Jeff C. -- Jeff Chan mailto:[EMAIL PROTECTED] http://www.surbl.org/

Re: Annoying Job Offer spam

2005-04-06 Thread Jeff Chan
On Wednesday, April 6, 2005, 8:12:51 AM, Ron McKeating wrote: > Is it just us or is there a flood of spams subject job offer, is there > any of the rulesets that take care of this ? I'm not getting any of those, but I am seeing a lot of stock spams. Jeff C. -- Jeff Chan mailto:[EMAI

Re: EFF Newsletter as SPAM

2005-04-06 Thread Jeff Chan
n-up for newsletters > without verifying the email address first. It's not inconceivable that > they are, therefore, sending unsolicited emails to people who didn't > sign up. > Rod. If that's correct, then maybe someone should mention to them that's a very poor practice that leads to abuse Jeff C. -- Jeff Chan mailto:[EMAIL PROTECTED] http://www.surbl.org/

Re: RulesDuJour error updating bigevil.cf

2005-04-05 Thread Jeff Chan
RBL instead. A good suggestion! :-) Jeff C. -- Jeff Chan mailto:[EMAIL PROTECTED] http://www.surbl.org/

Re: RulesDuJour error updating bigevil.cf

2005-04-04 Thread Jeff Chan
On Sunday, April 3, 2005, 10:34:12 AM, Pete Geenhuizen wrote: > 2. Any idea how do I go about changing RDJ and bigevil.cf over to use > ws.surbl.org? Yes, please use ws.surbl.org instead: http://www.surbl.org/quickstart.html Jeff C. -- Jeff Chan mailto:[EMAIL PROTECTED] http://www.surbl.org/

Re: EFF Newsletter as SPAM

2005-04-02 Thread Jeff Chan
ight. There are a couple of differences last nights gave 0.8 for the > auto-whitelist, while tonights gave -0.0, last nights only hit on PYZOR while > tonights hit on PYZOR and DCC: Perhaps DCC took these out. Please ask Pyzor to do the same. Jeff C. -- Jeff Chan mailto:[EMAIL PROTECTED] http://www.surbl.org/

Re: EFF Newsletter as SPAM

2005-04-01 Thread Jeff Chan
of 5.0. I've saved some of the > previous editions and am wondering if I ran sa-learn --ham on these would it > eventually make enough of a difference to have these tagged as ham? What is it triggering on? Jeff C. -- Jeff Chan mailto:[EMAIL PROTECTED] http://www.surbl.org/

Re: my girlfriend is getting ticked :)

2005-03-31 Thread Jeff Chan
Set your trust path correctly: (quoting Matt Kettler:) > Please see the Wiki: > http://wiki.apache.org/spamassassin/TrustPath/ > > and look up trusted_networks in man Mail::SpamAssassin::Conf And enable network tests: http://www.surbl.org/faq.html#nettest And things should work much

Re: my girlfriend is getting ticked :)

2005-03-31 Thread Jeff Chan
web servers. So it won't match most of the IP address RBL checks a plain old MTA would do. SURBLs are meant to match message body URIs, not mail senders. Jeff C. -- Jeff Chan mailto:[EMAIL PROTECTED] http://www.surbl.org/

Re: Yet another redirector

2005-03-29 Thread Jeff Chan
On Tuesday, March 29, 2005, 1:08:43 AM, Jeff Chan wrote: > On Tuesday, March 29, 2005, 12:38:25 AM, Alex Broens wrote: >> Good Morning! >> New redir? >> -- >> For more information or to have a broker contact you please visit: >> http://g.msn.com/0MNBUS0

Re: Effectiveness

2005-03-24 Thread Jeff Chan
s is a change from SpamAssassin 3.0.0, where body above was > previously header. Here is the changelog reference: > > r54022 | felicity | 2004-10-07 22:21:30 + (Thu, 07 Oct 2004) | 1 line > > bug 3734: uridnsbl rules work on body data, not header data, so change >

Re: Effectiveness

2005-03-24 Thread Jeff Chan
ES_POISON_NXM SARE_OEM > SARE_RANDOM SARE_HEADER_ABUSE SARE_CODING_HTML"; If SURBLs are active you should be detecting at least 90% of spams (more like 99+%). The rules above are SARE rules, not SURBL ones, BTW. In order to use SURBLs you need to have Network tests enabled: http://www.

Re: Phishing attempts getting through.

2005-03-23 Thread Jeff Chan
rough is because > I've set up MailWatch for MailScanner(works great, makes it easy to see > what's going on). Try using SURBLs: http://www.surbl.org/ specifically: http://www.surbl.org/lists.html#ph Jeff C. -- Jeff Chan mailto:[EMAIL PROTECTED] http://www.surbl.org/

Re: ZDNET redirecting to spammer websites?

2005-03-22 Thread Jeff Chan
red domains like zdnet.com and not subdomains. Obviously we're not going to blacklist zdnet.com; it has too many legitimate uses. 2. Similarly we can't list chkpt.zdnet.com. It's being abused, but it clearly has legitimate uses too. Jeff C. -- Jeff Chan mailto:[EMAIL PROTECTED] http://www.surbl.org/

Re: ZDNET redirecting to spammer websites?

2005-03-22 Thread Jeff Chan
On Monday, March 21, 2005, 9:43:02 PM, Jeff Chan wrote: > On Monday, March 21, 2005, 7:34:56 AM, Larry Rosenbaum wrote: >> We received a drug spam containing the following URL: >> http://chkpt.zdnet.com/chkpt/supposedtoallow/fdl%2ev%69%61%67%73.co%6d/p/b/kmioa >> This URL w

Re: ZDNET redirecting to spammer websites?

2005-03-22 Thread Jeff Chan
at least filter it so spammers get denied or flagged: http://www.surbl.org/redirect.html Jeff C. -- Jeff Chan mailto:[EMAIL PROTECTED] http://www.surbl.org/

Re: New redirector: www.nate.com

2005-03-22 Thread Jeff Chan
rlier. It's being abused very similarly to the zdnet redirector. We've tried to contact nate.com and KISA in Korea, but may not be getting through. Does anyone have good contacts in Korea or who can write to them in Korean? Jeff C. -- Jeff Chan mailto:[EMAIL PROTECTED] http://www.surbl.org/

Re: ZDNET redirecting to spammer websites?

2005-03-22 Thread Jeff Chan
> www.simply-rx.net). As far as I know, the SA SURBL check will check > zdnet.com, not the spammer domain viags.com. What is going on here, and > what should we do about it? > Larry Jeff C. -- Jeff Chan mailto:[EMAIL PROTECTED] http://www.surbl.org/

Re: Porn Spam

2005-03-21 Thread Jeff Chan
> coming out to target porn. Is it ready? Anyone have any advice? Is there a > good list of known spamming porn domains we could plug into hosts.deny or > something? Try SURBLs: http://www.surbl.org/ Jeff C. -- Jeff Chan mailto:[EMAIL PROTECTED] http://www.surbl.org/

Re: Spammers Target Secondary MX hosts?

2005-03-21 Thread Jeff Chan
e little downside. I.e. @ IN MX 5 realprimary.domain.com @ IN MX 10 realbackup.domain.com @ IN MX 20 fakebackup.domain.com Jeff C. -- Jeff Chan mailto:[EMAIL PROTECTED] http://www.surbl.org/

Re: OT: Re: Spammers Target Secondary MX hosts?

2005-03-19 Thread Jeff Chan
delays so if the mail from the same triple comes back > after a specified timeout, it'll be accepted. Yep, a couple that I was pointed to are: http://isg.ee.ethz.ch/tools/postgrey/ http://policyd.sourceforge.net/ Jeff C. -- Jeff Chan mailto:[EMAIL PROTECTED] http://www.surbl.org/

OT: Re: Spammers Target Secondary MX hosts?

2005-03-19 Thread Jeff Chan
nailed down a little tighter than the primaries. We're applying more RBLs to our backup server than our primary MXer. What was the trick for making a mail server delay or reject responses the first time an IP connects? I've heard this is very effective against spamware/zombies, etc. We're using Postfix, so this is definitely off topic. Jeff C. -- Jeff Chan mailto:[EMAIL PROTECTED] http://www.surbl.org/

Re: Network Tests

2005-03-19 Thread Jeff Chan
luding ones that belong to spammers.) Jeff C. -- Jeff Chan mailto:[EMAIL PROTECTED] http://www.surbl.org/

Re: OT: SURBL usage for content-filters like SquidGuard?

2005-03-18 Thread Jeff Chan
ould be pretty good... Bill allows web grabs of sa-blacklist, but SURBLs are usually used through DNS query or rsync only for high volume mail servers. You may want to discuss this further on the SURBL discussion list: http://lists.surbl.org/ Cheers, Jeff C. -- Jeff Chan mailto:[EMAIL PROTECTED] http://www.surbl.org/

Re: URI Tests and Japanese Chars (solved)

2005-03-17 Thread Jeff Chan
etween what's going into the backends > (the SBL and SURBL uribls) and what we're matching on the other end. > At least for SBL, it's definitely problematic, since a SBL escalation > (of mail relays) will blocklist mail that *mentions* that domain! Yes, in which case what we have in URIDNSBL are actually dealing with only web and ftp as opposed to more complete URI handling. As Justin notes that is a proper match for what are in SBL and SURBLs. It also corresponds well to URIs that appear in spam. Jeff C. -- Jeff Chan mailto:[EMAIL PROTECTED] http://www.surbl.org/

Re: Blacklisting embedded URLs

2005-03-17 Thread Jeff Chan
rs: > Network hooha and DNS are all properly enabled and yet... doing nothing > valuable seems to be happening as far as I can tell. The empty list of > domains to query seems to be a big clue that something is very wrong. >>debug: URIDNSBL: domains to query: Yes, that could b

Re: URI Tests and Japanese Chars (solved)

2005-03-17 Thread Jeff Chan
clude in the ticket the text that it triggered on. http://bugzilla.spamassassin.org/ Jeff C. -- Jeff Chan mailto:[EMAIL PROTECTED] http://www.surbl.org/

Re: [SPAM-TAG] rule didn't fire

2005-03-17 Thread Jeff Chan
e CF_BAD_URL4 .net Junk site > I received a piece of mail containing the string >http://www.gh6.net/ > Yet the rule did not fire Don't make a rule, use SURBLs. This one is listed five times over: gh6.net on lists [sc][ws][ob][ab][jp], See: http://www.surbl.org/lists.html J

Re: Blacklisting embedded URLs

2005-03-17 Thread Jeff Chan
etwork tests". You only need to have it configured in init.pre (I > think's commented out by default). I assume you have to have > "dns_available yes". Test it with spamassassin -D. Yes, what Kai said. Run: spamassassin -D < message_to_test and look at the output.

Re: URI Tests and Japanese Chars (solved)

2005-03-16 Thread Jeff Chan
not one ;-) will speak up about this. Jeff C. -- Jeff Chan mailto:[EMAIL PROTECTED] http://www.surbl.org/

Re: URI Tests and Japanese Chars (solved)

2005-03-16 Thread Jeff Chan
are at times overbroad. Name servers for gov.ru and spb.ru for example are listed (ns.rtcomm.ru and ns1.relcom.ru respectively). Listings like those can cause false positives, and I personally object to deliberately harming innocent bystanders to "pressure" ISPs. Jeff C. -- Jeff Chan mailto:[EMAIL PROTECTED] http://www.surbl.org/

Re: [SPAM-TAG] SpamAssassin, running on "mail.dailyhills.com" ...

2005-03-16 Thread Jeff Chan
On Tuesday, March 15, 2005, 9:27:50 PM, Vicki Brown wrote: > Does anyone else find this just too absurdly silly for words? > Although I guess it surely does prove the point Jeff Chan made for URIDNSBL > and SURBL - most eloquently in fact :-) >>SpamAssassin, running on "mail.

Re: [SPAM-TAG] Blacklisting embedded URLs

2005-03-16 Thread Jeff Chan
amassassin.apache.org/full/3.0.x/dist/lib/Mail/SpamAssassin/Plugin/URIDNSBL.pm http://www.surbl.org/ which are built into SpamAssassin 3 and enabled by default if network tests are enabled. Jeff C. -- Jeff Chan mailto:[EMAIL PROTECTED] http://www.surbl.org/

Re: Sudden spam to this email address

2005-03-16 Thread Jeff Chan
RBL eval:check_uridnsbl('URIBL_JP_SURBL') describe URIBL_JP_SURBL Has URI in JP at http://www.surbl.org/lists.html tflags URIBL_JP_SURBL net score URIBL_JP_SURBL 4.0 They tend to catch new domains pretty quickly. Jeff C. -- Jeff Chan mailto:[EMAIL PROTECTED] http://www.surbl.org/

Re: Sudden spam to this email address

2005-03-15 Thread Jeff Chan
here. > List harvesting is a bonus. Well when they can sell spams that don't advertise a web site for the same price as those that do, let us know. Until then SURBLs have them. Jeff C. -- Jeff Chan mailto:[EMAIL PROTECTED] http://www.surbl.org/

Re: Is it possible to use SURBL without enabling all network tests?

2005-03-15 Thread Jeff Chan
A friend who wishes to remain anonymous forwarded me this patch and note: > Jeff, Saw the thread on sa-users list about using SURBL without other > networks > > Attached is a ugly patch which I think might do the trick. Jeff C. -- Jeff Chan mailto:[EMAIL PROTECTED] http://w

Re: [SURBL-Discuss] Fw: TKO Notice: Urgent Fraud Investigation

2005-03-14 Thread Jeff Chan
On Thursday, February 17, 2005, 4:46:28 PM, Jeff Chan wrote: > IMO The correct answer is for eBay not to have an open redirector > or for them to protect it better, for example as Matthew suggests. > We could ask them follow the lead of other redirection sites and > use SURBLs to ch

Re: Was: List of spamvertised sites sent via zombies, open proxies, etc.?

2005-03-13 Thread Jeff Chan
It would probably help if I explained that I brought up two different but related ideas in quick succession: 1. Asking for URI domains of messages sent through zombies, open relays, open proxies, etc. detected by XBL that mentioned SURBL URIs. 2. Asking for URI domains of messages sent through z

Re: Was: List of spamvertised sites sent via zombies, open proxies, etc.?

2005-03-13 Thread Jeff Chan
have to maintain a whitelist like you do now for people like > w3c.org who are always being abused (or the phishing spam target companies, > whose own pictures and logos usually appear, or newspapers and magazines > who end up in 419s). Yes our whitelist always applies, and additional proc

Re: [SURBL-Discuss] Re: Was: List of spamvertised sites sent via zombies, open proxies, etc.?

2005-03-13 Thread Jeff Chan
reliable list of compromised hosts. Other lists like list.dsbl.org may be ok too, but those are the only two RBLs I have a lot of confidence in. The goal would not be to get all data but to get all reliable data. Jeff C. -- Jeff Chan mailto:[EMAIL PROTECTED] http://www.surbl.org/

Re: Was: List of spamvertised sites sent via zombies, open proxies, etc.?

2005-03-13 Thread Jeff Chan
'm asking to look for XBL hits, then take the URIs from messages that hit XBL. In other words I want to get the sites that are being advertised through exploited hosts. Nothing to do with traps or SBL. ;-) Jeff C. -- Jeff Chan mailto:[EMAIL PROTECTED] http://www.surbl.org/

Was: List of spamvertised sites sent via zombies, open proxies, etc.?

2005-03-13 Thread Jeff Chan
On Sunday, March 13, 2005, 5:12:30 AM, Jeff Chan wrote: > On Friday, March 11, 2005, 11:27:52 PM, Jeff Chan wrote: >> Does anyone have or know about a list of spam-advertised URIs >> where the spam they appeared in was sent through open relays, >> zombies, open proxies, etc.
