Re: [Razor-users] CF level *increased* after revoke!

Thu, 08 Jul 2004 15:18:51 -0700

At 05:32 PM 7/8/2004, Kelson Vibber wrote: 
On Thursday 08 July 2004 01:44 pm, Matt Kettler wrote:
> At 01:18 PM 7/8/2004, Kelson Vibber wrote:
> >To my surprise, the confidence level actually *increased* between the
> > first check and the second!
>
> And you're the only person in the world who reports/revokes to razor?

Sometimes it seems like it ;-)

> My guess is that while you were issuing a revoke, several others issued
> reports for the same token.

On one level, that makes sense, but on another it seemed really unlikely that
lots of people were simultaneously reporting just the one post to the
MIMEDefang list.

> In the case of e8 it's going to be a domain name such as a URL in the body.
> You can trim down the message bit by bit until the e8 hash disappears. Then
> you'll have found which part made that e8 hash.

Ah, so e8 is similar to SURBL, but using the Razor protocols instead of DNS
lookups.  (Is this right?)

Vaugely. From a 10,000 foot point-of view they are the same, but the details are a bit different.

Whiplash has some message-length information encoded in it's signatures, as well as the domain name. (as per Vipul's announcement of razor 2.61)

You can demonstrate that much by changing the length of the message without removing the URL. You can watch the last few bytes of an e8 sig change, but the first part stays the same


As near as I can tell, the URL that triggered it seems to have been none other
than (drumroll please)...

                http://groklaw_MUNGED_.net

Riiiight.

So lots of people are reporting spam advertizing GrokLaw?!? 

(note: I inserted _MUNGED_ into Kelson's text to prevent further razor hits)

Ick. That would also appear to be correct as your message got a razor hit here.

I suppose they could be getting joe-jobbed. 

Possibly

Does e8 filter out invisible links like <a href=URL></a>? 

No idea. That'd probably have to be answered by Vipul et al..



-------------------------------------------------------
This SF.Net email sponsored by Black Hat Briefings & Training.
Attend Black Hat Briefings & Training, Las Vegas July 24-29 - digital self defense, top technical experts, no vendor pitches, unmatched networking opportunities. Visit www.blackhat.com
_______________________________________________
Razor-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/razor-users

Reply via email to