Re: Hot News

2013-03-20 Thread Steve Freegard

On 16/03/13 00:04, Christian Recktenwald wrote:

On Fri, Mar 15, 2013 at 02:39:17PM -0500, David B Funk wrote:

On Fri, 15 Mar 2013, Christian Recktenwald wrote:


On Fri, Mar 15, 2013 at 10:38:53AM -0500, Dave Funk wrote:

On Fri, 15 Mar 2013, Kevin A. McGrail wrote:


On 3/15/2013 9:17 AM, Tom Kinghorn wrote:
 On 15/03/2013 15:11, Christopher Nido wrote:


http://www.naturalstonesinc-munged.com/aah/pabfjd/pgrezs



... listing the URLs in some kind of RBL will be problematic for FPs.


not really: The part 'aah/pabfjd/pgrezs' is most likely[tm] not
used in normal operation of this site.


The whole raison d'être for RBLs is that they're lists that can be
implemented via the DNS system (created, updated, distributed, queried,
etc).
As such they can -only- contain IP addresses or hostnames, NOT URLs.


that's not exactly right. I've been distributing other data via
DNS for quite some years now like temperature[1], OUIs (mac addresses 
prefixes)[2]
and originating time stamps[3] just to name some.

For demonstration purposes please just try:
dig +short txt http://www.naturalstonesinc-munged.com/aah/pabfjd/pgrezs.url.rbl.citecs.de.
you would get
1363389581
which is the epoch timestamp[3] the entry was created.

Why does this work? It's because it uses TXT records, not A or PTR
records. Maybe there would be some funny characters I did not think of
right now - then, some quoting would help.

Creating another rbl providing compromised email addresses would be the
same thing.



The issue isn't A .vs. TXT - it's that certain characters aren't allowed 
in DNS names.


Listing e-mail addresses and URL paths could be done by normalizing them 
(e.g. lower-case, stripping query parameters etc.) and then hashing them 
(e.g. MD5/SHA1 etc) and listing the hash.


As you say though - the issue is collecting the data and populating the 
lists along and maintaining the rest of the infrastructure that serves it.


Regards,
Steve.



Re: Hot News

2013-03-15 Thread Tom Kinghorn

On 15/03/2013 15:11, Christopher Nido wrote:



http://www.naturalstonesinc.com/aah/pabfjd/pgrezs


Now this is a guy with cahona's grande'  for spamming the spamassassin 
list.


Poor sucker.


Re: Hot News

2013-03-15 Thread Kevin A. McGrail

On 3/15/2013 9:17 AM, Tom Kinghorn wrote:

On 15/03/2013 15:11, Christopher Nido wrote:



http://www.naturalstonesinc-munged.com/aah/pabfjd/pgrezs 
http://www.naturalstonesinc.com/aah/pabfjd/pgrezs


Now this is a guy with cahona's grande'  for spamming the 
spamassassin list.


Poor sucker.


It's a compromised Yahoo! account.  One of the #1 spamming issues right 
now for us.


Regards,
KAM


Re: Hot News

2013-03-15 Thread Dave Funk

On Fri, 15 Mar 2013, Kevin A. McGrail wrote:


On 3/15/2013 9:17 AM, Tom Kinghorn wrote:
  On 15/03/2013 15:11, Christopher Nido wrote:


http://www.naturalstonesinc-munged.com/aah/pabfjd/pgrezs


Now this is a guy with cahona's grande'  for spamming the spamassassin list.

Poor sucker.


It's a compromised Yahoo! account.  One of the #1 spamming issues right now for 
us.

Regards,
KAM


Not only a compromised Yahoo! account but also a compromised website so
listing the URLs in some kind of RBL will be problematic for FPs.


--
Dave Funk  University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751   FAX: 319/384-0549   1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{

Re: Hot News

2013-03-15 Thread Christian Recktenwald
On Fri, Mar 15, 2013 at 10:38:53AM -0500, Dave Funk wrote:
 On Fri, 15 Mar 2013, Kevin A. McGrail wrote:
 
 On 3/15/2013 9:17 AM, Tom Kinghorn wrote:
   On 15/03/2013 15:11, Christopher Nido wrote:
 
 
 http://www.naturalstonesinc-munged.com/aah/pabfjd/pgrezs

 ... listing the URLs in some kind of RBL will be problematic for FPs.

not really: The part 'aah/pabfjd/pgrezs' is most likely[tm] not 
used in normal operation of this site.


Re: Hot News

2013-03-15 Thread Kevin A. McGrail

On 3/15/2013 11:38 AM, Dave Funk wrote:

On Fri, 15 Mar 2013, Kevin A. McGrail wrote:


On 3/15/2013 9:17 AM, Tom Kinghorn wrote:
  On 15/03/2013 15:11, Christopher Nido wrote:


http://www.naturalstonesinc-munged.com/aah/pabfjd/pgrezs


Now this is a guy with cahona's grande'  for spamming the 
spamassassin list.


Poor sucker.


It's a compromised Yahoo! account.  One of the #1 spamming issues 
right now for us.


Regards,
KAM


Not only a compromised Yahoo! account but also a compromised website so
listing the URLs in some kind of RBL will be problematic for FPs.
Hence I used the accepted -munged addition to discuss the compromised 
URL with safety.


Regards,
KAM


RE: Hot News

2013-03-15 Thread Rick Cooper
Dave Funk wrote:
 On Fri, 15 Mar 2013, Kevin A. McGrail wrote:
 
 On 3/15/2013 9:17 AM, Tom Kinghorn wrote:
   On 15/03/2013 15:11, Christopher Nido wrote:
 
 
 http://www.naturalstonesinc-munged.com/aah/pabfjd/pgrezs
 
 
 Now this is a guy with cahona's grande'  for spamming the
 spamassassin list. 
 
 Poor sucker.
 
 
 It's a compromised Yahoo! account.  One of the #1 spamming issues
 right now for us. 
 
 Regards,
 KAM
 
 Not only a compromised Yahoo! account but also a compromised website
 so listing the URLs in some kind of RBL will be problematic for FPs.

I wrote a custom plug-in to detect certain things about these messages that,
so far, have not resulted in any FPs (one would have to have a yahoo account
and make the message look just like the spams) and I have looked at some of
the messages caught and something I noticed in all cases, so far, is that if
you attempt to pull the link from wget without using a user agent string you
will get ERROR 405: Not Allowed every time, so far. I also find that there
are *several* common traits within the body of the web pages, for instance a
fox news copyright, specific class names and link names such as
'<li><a href=http--//www.buy-berryrasp.com/order.php>Home</a></li>' (remove the
--)

If anyone has a chance to verify this, especially the 404 without a
user-agent string I would think something could easily be done with a custom
plug-in to detect that. Oh, and they all do a 301 or 302 redirect at the
initial request.

Rick


Re: Hot News

2013-03-15 Thread Benny Pedersen

Tom Kinghorn skrev den 2013-03-15 14:17:


 Poor sucker.


and unknown url in uribl hmm

maybe sa-learn --spam msg does care :)


Re: Hot News

2013-03-15 Thread Benny Pedersen

Kevin A. McGrail skrev den 2013-03-15 14:18:


 It's a compromised Yahoo! account. One of the #1 spamming issues
right now for us.


some more examples to the corpus ? :)

I don't see Yahoo signed spam mails right here now, but clamav died last 
night here, still waiting for update to be rolled out in gentoo


Re: Hot News

2013-03-15 Thread David B Funk

On Fri, 15 Mar 2013, Christian Recktenwald wrote:


On Fri, Mar 15, 2013 at 10:38:53AM -0500, Dave Funk wrote:

On Fri, 15 Mar 2013, Kevin A. McGrail wrote:


On 3/15/2013 9:17 AM, Tom Kinghorn wrote:
 On 15/03/2013 15:11, Christopher Nido wrote:


http://www.naturalstonesinc-munged.com/aah/pabfjd/pgrezs



... listing the URLs in some kind of RBL will be problematic for FPs.


not really: The part 'aah/pabfjd/pgrezs' is most likely[tm] not
used in normal operation of this site.


The whole raison d'être for RBLs is that they're lists that can be
implemented via the DNS system (created, updated, distributed, queried, etc).
As such they can -only- contain IP addresses or hostnames, NOT URLs.

So using something like SURBL or URIBL you can only list the host name
part of that URL. If it's a legit site (albeit a compromised site)
this will result in false-positives for normal mail that references the site.

It would be possible to create explicit SA rules to hit the full URLs but
that becomes a whack-a-mole proposition and more resource intensive than
just dropping a new entry in a RBL master zone file.



--
Dave Funk  University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751   FAX: 319/384-0549   1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{


Re: Hot News

2013-03-15 Thread Martin Gregorie
On Fri, 2013-03-15 at 14:39 -0500, David B Funk wrote:

 The whole raison d'être for RBLs is that they're lists that can be
 implemented via the DNS system (created, updated, distributed, queried, etc).
 As such they can -only- contain IP addresses or hostnames, NOT URLs.
 
 So using something like SURBL or URIBL you can only list the host name
 part of that URL. If it's a legit site (albeit a compromised site)
 this will result in false-positives for normal mail that references the site.
 
... alternatively it would be reasonable to consider that the site
deserves to be blacklisted until its owner disinfects it. Telling its
webmaster that his site is infected would be a right neighbourly thing
to do too, especially if the site has a generally good reputation.


Martin




Re: Hot News

2013-03-15 Thread Christian Recktenwald
On Fri, Mar 15, 2013 at 02:39:17PM -0500, David B Funk wrote:
 On Fri, 15 Mar 2013, Christian Recktenwald wrote:
 
 On Fri, Mar 15, 2013 at 10:38:53AM -0500, Dave Funk wrote:
 On Fri, 15 Mar 2013, Kevin A. McGrail wrote:
 
 On 3/15/2013 9:17 AM, Tom Kinghorn wrote:
  On 15/03/2013 15:11, Christopher Nido wrote:
 
 
 http://www.naturalstonesinc-munged.com/aah/pabfjd/pgrezs
 
 ... listing the URLs in some kind of RBL will be problematic for FPs.
 
 not really: The part 'aah/pabfjd/pgrezs' is most likely[tm] not
 used in normal operation of this site.
 
 The whole raison d'être for RBLs is that they're lists that can be
 implemented via the DNS system (created, updated, distributed, queried, 
 etc).
 As such they can -only- contain IP addresses or hostnames, NOT URLs.

that's not exactly right. I've been distributing other data via 
DNS for quite some years now like temperature[1], OUIs (mac addresses 
prefixes)[2]
and originating time stamps[3] just to name some.

For demonstration purposes please just try:
dig +short txt http://www.naturalstonesinc-munged.com/aah/pabfjd/pgrezs.url.rbl.citecs.de.
you would get 
1363389581
which is the epoch timestamp[3] the entry was created.

Why does this work? It's because it uses TXT records, not A or PTR
records. Maybe there would be some funny characters I did not think of
right now - then, some quoting would help.

Creating another rbl providing compromised email addresses would be the
same thing.

So, this was the easy part. 

More challenging (at least to me): where would one collect the data to 
constantly feed this lists? Some kind of honeypot or something?

[1] dig +short txt janus.temp.citecs.de
This is the actual outside temperature near where I live, updated
every minute.

[2] dig +short txt 00:00:00.eth.citecs.de.

[3] So, there's an additional benefit to publish the timestamp the entry 
was created: the one using the rbl may decide by herself how old 
entries they wish to rely on - some feature most other rbls don't provide.

If there are reasonable suggestions I could provide a DNS with dynamic 
updating for a test or even production if it turns out to work.