Re: URI Tests and Japanese Chars (solved)

2005-03-18 Thread List Mail User
...
To: Daryl C. W. O'Shea [EMAIL PROTECTED]
Cc: List Mail User [EMAIL PROTECTED], [EMAIL PROTECTED],
users@spamassassin.apache.org
Subject: Re: URI Tests and Japanese Chars (solved) 
In-Reply-To: [EMAIL PROTECTED] 
From: [EMAIL PROTECTED] (Justin Mason)

Justin,

Daryl C. W. O'Shea writes:
 List Mail User wrote:
 Jeff,
  
 RFC 1630 makes pretty clear that an email address in either a "mailto:"
  or "cid:" clause *is* a URI.  It does not address whether a bare email
  address
  would count (it seems that it doesn't fit the RFC definition, but does fit
  some other I found by Google).
  
 I could be convinced either way from a bare address (as it stands now,
  maybe someone else has something to add).  But a "mailto:" "mail:" or
  "cid:"
  clause should (in my opinion) be looked up by the URI rules - they are URI,
  not URL rules (though URLs are clearly the most common form of URIs).
  
 I was surprised to see that from the RFC, even "Msg-Id:" clauses
  are URIs.
  
 Paul Shupak
 [EMAIL PROTECTED]
 
 I'd agree with Paul, what's the difference between doing the lookup of 
 the domain listed in a mailto: link and a http: link -- both of which 
 are often found in someone's signature?
 
 Eliminating the mailto: domain lookup could lead to spam such as "email 
 us at [EMAIL PROTECTED] for all the junk you don't really want".

However, it's an impedance mismatch between what's going into the backends
(the SBL and SURBL uribls) and what we're matching on the other end.

At least for SBL, it's definitely problematic, since a SBL escalation
(of mail relays) will blocklist mail that *mentions* that domain!

That's not true in general.  Since the SBL is an IP based list,
a mail server escalation would have no effect on any other domain, only
on messages relayed through the servers.

The more common case where a SBL escalation will affect other domains
is (the typical kind I've noticed) when they list all corporate servers and
some otherwise innocent domains use name servers within that space (this was
the Russian government/Rostelecom earlier this week).

Still, you are correct, there is a big difference between the SURBL
policy of zero FPs and the SBL policy, which I can best state as "kill the
spammers".  SURBLs rarely have `collateral' damage and their default scores
reflect that;  The URIBL_SBL is only assigned scores of "0 0.629 0 0.996"
in 3.0.2 - Only URIBL_AB_SURBL with set 3 and URIBL_WS_SURBL with set 1 are
ever assigned lower scores than the URIBL_SBL.  All the other SURBL have
significantly higher scores - URIBL_SC_SURBL is many times what URIBL_SBL is.
(You may not know, but I even proposed adding back the SPEWS lists, though
with low scores, and I do use all the rfci lists with relatively low scores
except for bogusmx, which may be the best single indicator I have ever found,
and I still assign it fewer points than URIBL_SC_SURBL).

- --j.
[snipped PGP SIGNATURE]

Paul Shupak
[EMAIL PROTECTED]

P.S. I understand the political problems with the particular FPs that SPEWS
generates, but I do hope the rfci lists make it to the URIBL rulesets.


RE: URI Tests and Japanese Chars (solved)

2005-03-18 Thread List Mail User
...
Subject: RE: URI Tests and Japanese Chars (solved)
Date: Thu, 17 Mar 2005 17:41:03 -0500
...
From: Rose, Bobby [EMAIL PROTECTED]
To: [EMAIL PROTECTED], Daryl C. W. O'Shea [EMAIL PROTECTED]
Cc: List Mail User [EMAIL PROTECTED], [EMAIL PROTECTED],
users@spamassassin.apache.org
...

But in my test messages the email address wasn't in the form of a URI.
It was just the email address.  I even used pine for a test to make sure
it was a gui client doing some reformatting business.

Do we know if it's possible to know if the results from SBL are for the
domain of the URI being queried or if their results are due to some
association with the domain being queried.  If so then we could ignore
any results other than for the domain being queried or weigh the results
differently so long as they aren't accumulative points for each
occurrence.  Otherwise, the points would add up the more that person's
email address appears in the email.

It has been suggested before that the indirect name server lookup
done be a different class of rules and/or scored differently than the direct
lookups - by default the SBL is the only list used for name servers, but on
my servers I use several other lists (and then there is Bugzilla #4106

-Original Message-
[all snipped]

Paul Shupak
[EMAIL PROTECTED]

P.S. Extra points for anyone who actually knows why Bugzilla (or Mozilla) have
zilla in their name (or knows who Tom Paquin is).


Re: URI Tests and Japanese Chars (solved)

2005-03-18 Thread Alan Premselaar
List Mail User wrote:
...
To: "Daryl C. W. O'Shea" [EMAIL PROTECTED]
Cc: List Mail User [EMAIL PROTECTED], [EMAIL PROTECTED],
   users@spamassassin.apache.org
Subject: Re: URI Tests and Japanese Chars (solved) 
In-Reply-To: [EMAIL PROTECTED] 
From: [EMAIL PROTECTED] (Justin Mason)

 
   Justin,
 
 
Daryl C. W. O'Shea writes:

List Mail User wrote:

Jeff,

RFC 1630 makes pretty clear that an email address in either a "mailto:"
or "cid:" clause *is* a URI.  It does not address whether a bare email 
address
would count (it seems that it doesn't fit the RFC definition, but does fit
some other I found by Google).

I could be convinced either way from a bare address (as it stands now,
maybe someone else has something to add).  But a "mailto:" "mail:" or "cid:"
clause should (in my opinion) be looked up by the URI rules - they are URI,
not URL rules (though URLs are clearly the most common form of URIs).

I was surprised to see that from the RFC, even "Msg-Id:" clauses
are URIs.

Paul Shupak
[EMAIL PROTECTED]

I'd agree with Paul, what's the difference between doing the lookup of 
the domain listed in a mailto: link and a http: link -- both of which 
are often found in someone's signature?

Eliminating the mailto: domain lookup could lead to spam such as "email 
us at [EMAIL PROTECTED] for all the junk you don't really want".

However, it's an impedance mismatch between what's going into the backends
(the SBL and SURBL uribls) and what we're matching on the other end.

At least for SBL, it's definitely problematic, since a SBL escalation
(of mail relays) will blocklist mail that *mentions* that domain!
 
 
   That's not true in general.  Since the SBL is an IP based list,
 a mail server escalation would have no effect on any other domain, only
 on messages relayed through the servers.
 
   The more common case where a SBL escalation will affect other domains
 is (the typical kind I've noticed) when they list all corporate servers and
 some otherwise innocent domains use name servers within that space (this was
 the Russian government/Rostelecom earlier this week).
 
   Still, you are correct, there is a big difference between the SURBL
 policy of zero FPs and the SBL policy, which I can best state as "kill the
 spammers".  SURBLs rarely have `collateral' damage and their default scores
 reflect that;  The URIBL_SBL is only assigned scores of "0 0.629 0 0.996"
 in 3.0.2 - Only URIBL_AB_SURBL with set 3 and URIBL_WS_SURBL with set 1 are
 ever assigned lower scores than the URIBL_SBL.  All the other SURBL have
 significantly higher scores - URIBL_SC_SURBL is many times what URIBL_SBL is.
 (You may not know, but I even proposed adding back the SPEWS lists, though
 with low scores, and I do use all the rfci lists with relatively low scores
 except for bogusmx, which may be the best single indicator I have ever found,
 and I still assign it fewer points than URIBL_SC_SURBL).
 
- --j.
[snipped PGP SIGNATURE]
 
 
   Paul Shupak
   [EMAIL PROTECTED]
 
 P.S. I understand the political problems with the particular FPs that SPEWS
 generates, but I do hope the rfci lists make it to the URIBL rulesets.


Since you mentioned the scores, please note that Bobby Rose, the original
poster of this issue had modified the score for URIBL_SBL from its
defaults to 10 ...

I had suggested that he reduce the score (possibly setting it back to
the defaults)

While it doesn't negate the issues surrounding the way the URI lookups
work (or should possibly work) ... it's obvious that there is enough FP
potential to warrant not scoring it so high.

alan

Re: URI Tests and Japanese Chars (solved)

2005-03-18 Thread List Mail User
[all snipped]


Since you mentioned the scores, please note that Bobby Rose, the original
poster of this issue had modified the score for URIBL_SBL from its
defaults to 10 ...

I had suggested that he reduce the score (possibly setting it back to
the defaults)

While it doesn't negate the issues surrounding the way the URI lookups
work (or should possibly work) ... it's obvious that there is enough FP
potential to warrant not scoring it so high.

alan

I think you are quite correct.  If you want to have a high weight
on the SBL, use it as a RBL at the SMTP level (I do).  I think its score
once a message hits SA is already correct given the extreme overlap with
other hit rules (I have lots of filtering before that - SA is my last line
of defense and seems almost impenetrable).  Even my own local rules generally
have very low scores - only two score above 1.5 and only 5 score above .6,
out of about 25 local rules.  As best I can tell, the default scoring is
very well adjusted already.

Paul Shupak
[EMAIL PROTECTED]


Re: URI Tests and Japanese Chars (solved)

2005-03-17 Thread Jeff Chan
On Wednesday, March 16, 2005, 12:29:41 PM, List User wrote:
(Jeff C wrote:)
uridnsbl used in the default rule URIBL_SBL does check domain
name servers against SBL, but I'm kind of surprised to hear it
triggering on email addresses.  It should definitely be
checking web 
sites and the like.  Can you give a sample of the text it hit?
Was it in URI form like: 

  mailto://[EMAIL PROTECTED]

That said, I agree that the SBL listings are at times overbroad.

(Paul wrote:)
 Spamhaus does sometimes escalate against companies that ignore
 issues for a long time;  But this isn't one of those cases.  Here the listing
 is:
 http://www.spamhaus.org/SBL/sbl.lasso?query=SBL17240
 which covers exactly one IP 154.33.17.212/32 and gives a good reason for it.

I should have checked further.   A /32 does not seem like an
escalation to me either.

The more important issue for SpamAssassin is that mail addresses
in message bodies should not be checked by uridnsbl.  Only URIs
should be checked.

Bobby,
Please create a bugzilla for this as Justin suggests.  Be sure
to include in the ticket the text that it triggered on.

  http://bugzilla.spamassassin.org/

Jeff C.
-- 
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/



Re: URI Tests and Japanese Chars (solved)

2005-03-17 Thread List Mail User
Jeff,

RFC 1630 makes pretty clear that an email address in either a "mailto:"
or "cid:" clause *is* a URI.  It does not address whether a bare email address
would count (it seems that it doesn't fit the RFC definition, but does fit
some other I found by Google).

I could be convinced either way from a bare address (as it stands now,
maybe someone else has something to add).  But a "mailto:" "mail:" or "cid:"
clause should (in my opinion) be looked up by the URI rules - they are URI,
not URL rules (though URLs are clearly the most common form of URIs).

I was surprised to see that from the RFC, even "Msg-Id:" clauses
are URIs.

Paul Shupak
[EMAIL PROTECTED]


Re: URI Tests and Japanese Chars (solved)

2005-03-17 Thread Daryl C. W. O'Shea
List Mail User wrote:
Jeff,
RFC 1630 makes pretty clear that an email address in either a "mailto:"
or "cid:" clause *is* a URI.  It does not address whether a bare email address
would count (it seems that it doesn't fit the RFC definition, but does fit
some other I found by Google).
I could be convinced either way from a bare address (as it stands now,
maybe someone else has something to add).  But a "mailto:" "mail:" or "cid:"
clause should (in my opinion) be looked up by the URI rules - they are URI,
not URL rules (though URLs are clearly the most common form of URIs).
I was surprised to see that from the RFC, even "Msg-Id:" clauses
are URIs.
Paul Shupak
[EMAIL PROTECTED]
I'd agree with Paul, what's the difference between doing the lookup of 
the domain listed in a mailto: link and a http: link -- both of which 
are often found in someone's signature?

Eliminating the mailto: domain lookup could lead to spam such as "email 
us at [EMAIL PROTECTED] for all the junk you don't really want".

Daryl


Re: URI Tests and Japanese Chars (solved)

2005-03-17 Thread Justin Mason

Daryl C. W. O'Shea writes:
 List Mail User wrote:
  Jeff,
  
  RFC 1630 makes pretty clear that an email address in either a "mailto:"
  or "cid:" clause *is* a URI.  It does not address whether a bare email 
  address
  would count (it seems that it doesn't fit the RFC definition, but does fit
  some other I found by Google).
  
  I could be convinced either way from a bare address (as it stands now,
  maybe someone else has something to add).  But a "mailto:" "mail:" or "cid:"
  clause should (in my opinion) be looked up by the URI rules - they are URI,
  not URL rules (though URLs are clearly the most common form of URIs).
  
  I was surprised to see that from the RFC, even "Msg-Id:" clauses
  are URIs.
  
  Paul Shupak
  [EMAIL PROTECTED]
 
 I'd agree with Paul, what's the difference between doing the lookup of 
 the domain listed in a mailto: link and a http: link -- both of which 
 are often found in someone's signature?
 
 Eliminating the mailto: domain lookup could lead to spam such as "email 
 us at [EMAIL PROTECTED] for all the junk you don't really want".

However, it's an impedance mismatch between what's going into the backends
(the SBL and SURBL uribls) and what we're matching on the other end.

At least for SBL, it's definitely problematic, since a SBL escalation
(of mail relays) will blocklist mail that *mentions* that domain!

- --j.



RE: URI Tests and Japanese Chars (solved)

2005-03-17 Thread Rose, Bobby
But in my test messages the email address wasn't in the form of a URI.
It was just the email address.  I even used pine for a test to make sure
it was a gui client doing some reformatting business.

Do we know if it's possible to know if the results from SBL are for the
domain of the URI being queried or if their results are due to some
association with the domain being queried.  If so then we could ignore
any results other than for the domain being queried or weigh the results
differently so long as they aren't accumulative points for each
occurrence.  Otherwise, the points would add up the more that person's
email address appears in the email.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Thursday, March 17, 2005 5:26 PM
To: Daryl C. W. O'Shea
Cc: List Mail User; [EMAIL PROTECTED]; users@spamassassin.apache.org
Subject: Re: URI Tests and Japanese Chars (solved)


Daryl C. W. O'Shea writes:
 List Mail User wrote:
  Jeff,
  
  RFC 1630 makes pretty clear that an email address in either a "mailto:"
  or "cid:" clause *is* a URI.  It does not address whether a bare 
  email address would count (it seems that it doesn't fit the RFC 
  definition, but does fit some other I found by Google).
  
  I could be convinced either way from a bare address (as it stands
  now, maybe someone else has something to add).  But a "mailto:"
  "mail:" or "cid:"
  clause should (in my opinion) be looked up by the URI rules - they 
  are URI, not URL rules (though URLs are clearly the most common form
  of URIs).
  
  I was surprised to see that from the RFC, even "Msg-Id:" clauses
  are URIs.
  
  Paul Shupak
  [EMAIL PROTECTED]
 
 I'd agree with Paul, what's the difference between doing the lookup of

 the domain listed in a mailto: link and a http: link -- both of which 
 are often found in someone's signature?
 
 Eliminating the mailto: domain lookup could lead to spam such as 
 "email us at [EMAIL PROTECTED] for all the junk you don't really
 want".

However, it's an impedance mismatch between what's going into the
backends (the SBL and SURBL uribls) and what we're matching on the other
end.

At least for SBL, it's definitely problematic, since a SBL escalation
(of mail relays) will blocklist mail that *mentions* that domain!

- --j.



Re: URI Tests and Japanese Chars (solved)

2005-03-17 Thread Daryl C. W. O'Shea
Rose, Bobby wrote:
But in my test messages the email address wasn't in the form of a URI.
It was just the email address.  I even used pine for a test to make sure
it was a gui client doing some reformatting business.

Sorry, I shouldn't have said URI.  I had said URI since SpamAssassin 
internally adds the appropriate resource type, turning it into a URI. It 
does this since many (most?) MUAs do the same thing.


Do we know if it's possible to know if the results from SBL are for the
domain of the URI being queried or if their results are due to some
association with the domain being queried.  If so then we could ignore
any results other than for the domain being queried or weigh the results
differently so long as they aren't accumulative points for each
occurrence.  

No we can't.  We don't look up the domain name.  We get its NS server 
IPs and look them up.  Since the name server IP is shared there's 
nothing we can do.

The best solution in this case, is to convince people not to support 
providers who host spammers' DNS, and take their business elsewhere (or 
convince that provider to stop hosting spammers).  Hard to convince 
someone to do that, but it's the intention behind Spamhaus.

Otherwise, the points would add up the more that person's
email address appears in the email.

Nope.  The list is uniqued.  10 occurrences of the same thing would 
still only result in one lookup and possible hit (per rule).

Daryl
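
The lookup path described in the message above (de-duplicate the domains, fetch each domain's name servers, check each name server IP against SBL), as an added example that is not SpamAssassin's code and not part of any post in this thread. DNS answers are replaced by constructed tables; only med.juntendo.ac.jp, ns03.cwidc.net and 154.33.17.212 come from the thread, and `include_mail` is a hypothetical switch for comparing the two behaviours the thread debates.

```python
import re

# Constructed stand-ins for live DNS and the SBL zone so the example runs
# offline. Only med.juntendo.ac.jp, ns03.cwidc.net and 154.33.17.212 come
# from the thread; every other name and address is made up.
NS_RECORDS = {
    "med.juntendo.ac.jp": ["ns.med.juntendo.ac.jp", "ns03.cwidc.net"],
    "www.example.org": ["ns1.example.org"],
}
A_RECORDS = {
    "ns.med.juntendo.ac.jp": "192.0.2.10",
    "ns03.cwidc.net": "154.33.17.212",
    "ns1.example.org": "192.0.2.53",
}
SBL_LISTED = {"154.33.17.212"}

URI_RE = re.compile(r"\b(?:https?|ftp)://([A-Za-z0-9.-]+)", re.I)
# Matches both "mailto:user@host" and a bare "user@host" in body text.
MAIL_RE = re.compile(
    r"(?:mailto:)?[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})", re.I
)


def extract_domains(body, include_mail=True):
    """Return the de-duplicated host names a URI rule would look up."""
    found = [m.group(1) for m in URI_RE.finditer(body)]
    if include_mail:
        found += [m.group(1) for m in MAIL_RE.finditer(body)]
    seen, unique = set(), []
    for host in found:
        host = host.lower().rstrip(".")
        if host not in seen:
            seen.add(host)
            unique.append(host)
    return unique


def dnsbl_query_name(ip, zone="sbl.spamhaus.org"):
    """Build the DNSBL query name: reversed IPv4 octets plus the zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def check_uribl_sbl(body, include_mail=True):
    """Check the name server IPs of every extracted domain against SBL.

    The domain itself is never queried, so a hit says only that one of its
    name servers sits on a listed IP.
    """
    lookups, hits = [], []
    for domain in extract_domains(body, include_mail):
        for ns in NS_RECORDS.get(domain, []):
            ip = A_RECORDS.get(ns)
            if ip is None:
                continue
            lookups.append(dnsbl_query_name(ip))
            if ip in SBL_LISTED:
                hits.append((domain, ns, ip))
    # The rule fires at most once per message, however many hits there are.
    return {"lookups": lookups, "hits": hits, "rule_fired": bool(hits)}


# Constructed message: the same bare address ten times plus one web link.
SAMPLE_BODY = (
    "Please reply to user1@med.juntendo.ac.jp.\n" * 10
    + "Slides: http://www.example.org/talk.html\n"
)

if __name__ == "__main__":
    for label, flag in (("mail addresses checked", True),
                        ("web/ftp URIs only", False)):
        result = check_uribl_sbl(SAMPLE_BODY, include_mail=flag)
        print(label, "->", result["rule_fired"], result["hits"])
```
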


Re: URI Tests and Japanese Chars (solved)

2005-03-17 Thread Jeff Chan
On Thursday, March 17, 2005, 2:25:34 PM, Justin Mason wrote:

 Daryl C. W. O'Shea writes:
 List Mail User wrote:
  Jeff,
  
  RFC 1630 makes pretty clear that an email address in either a "mailto:"
  or "cid:" clause *is* a URI.  It does not address whether a bare email 
  address
  would count (it seems that it doesn't fit the RFC definition, but does fit
  some other I found by Google).
  
  I could be convinced either way from a bare address (as it stands now,
  maybe someone else has something to add).  But a "mailto:" "mail:" or 
  "cid:"
  clause should (in my opinion) be looked up by the URI rules - they are URI,
  not URL rules (though URLs are clearly the most common form of URIs).
  
  I was surprised to see that from the RFC, even "Msg-Id:" clauses
  are URIs.

Yes, I'm aware of that, which is why I was asking if there was an
explicit mailto: in the source message.  Turns out there wasn't
and the mail address was bare.

 I'd agree with Paul, what's the difference between doing the lookup of 
 the domain listed in a mailto: link and a http: link -- both of which 
 are often found in someone's signature?
 
 Eliminating the mailto: domain lookup could lead to spam such as "email 
 us at [EMAIL PROTECTED] for all the junk you don't really want".

In principle I agree that a URI handler should deal with all
possible URI types.  However...

 However, it's an impedance mismatch between what's going into the backends
 (the SBL and SURBL uribls) and what we're matching on the other end.

 At least for SBL, it's definitely problematic, since a SBL escalation
 (of mail relays) will blocklist mail that *mentions* that domain!

Yes, in which case what we have in URIDNSBL are actually dealing
with only web and ftp as opposed to more complete URI handling.
As Justin notes that is a proper match for what are in SBL and
SURBLs.  It also corresponds well to URIs that appear in spam.

Jeff C.
-- 
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/



Re: URI Tests and Japanese Chars

2005-03-16 Thread alan premselaar
Rose, Bobby wrote:
I have a user that is of Japanese origin and who converses with other
individuals in Japan in his same field of study.  The messages they send
are in Japanese and trip the URI_SBL rule.  These people are in
different .jp domains and I really don't want to get into the
administrative overhead of whitelisting. I don't see anything in the
message bodies that even looks like a URI.  Has anyone else run into
this?
Bobby Rose
Wayne State University School of Medicine 


Bobby,
 That seems a little strange, especially if there are no URIs in the 
mail.  I live in Japan and have mail servers local and state-side that 
process Japanese email without this problem.

Can you provide more details about your setup/configuration and possibly 
provide a sample email that triggers the rule?

alan


RE: URI Tests and Japanese Chars (solved)

2005-03-16 Thread Rose, Bobby
 
I figured out the problem, it was an individual's email address in
the message body (even though not a mailto).  Their email domain isn't
listed at spamhaus.org but it turns out one of their ISP's DNS servers
is, which they are using as secondary.  This makes the second time I've
come across this.  The last time it was an ISP's (pipex.net) DNS server
in the U.K. that was tripping the URIBL_SBL rule.

This time the user is in the med.juntendo.ac.jp (Juntendo Univ Med
School) whose ISP is cwidc.net and the DNS server  ns03.cwidc.net
(154.33.17.212) is the one in spamhaus.org which they say is hosting a
long time spammer.  http://www.spamhaus.org/sbl/sbl.lasso?query=SBL17240

Does URI checking really need to be so thorough?  Obviously there must
be some bias at spamhaus if the big named ISPs don't get their name
servers listed because we know that they provide services to spammers.
Any idea on how to limit the scope to just the URI at its face value?

-Original Message-
From: Rose, Bobby [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, March 15, 2005 2:14 PM
To: users@spamassassin.apache.org
Subject: URI Tests and Japanese Chars

I have a user that is of Japanese origin and who converses with other
individuals in Japan in his same field of study.  The messages they send
are in Japanese and trip the URI_SBL rule.  These people are in
different .jp domains and I really don't want to get into the
administrative overhead of whitelisting. I don't see anything in the
message bodies that even looks like a URI.  Has anyone else run into
this?


Bobby Rose
Wayne State University School of Medicine 



Re: URI Tests and Japanese Chars (solved)

2005-03-16 Thread Jeff Chan
On Wednesday, March 16, 2005, 3:55:52 AM, Bobby Rose wrote:
 
 I figured out the problem, it was an individual's email address in
 the message body (even though not a mailto).  Their email domain isn't
 listed at spamhaus.org but it turns out one of their ISP's DNS servers
 is, which they are using as secondary.  This makes the second time I've
 come across this.  The last time it was an ISP's (pipex.net) DNS server
 in the U.K. that was tripping the URIBL_SBL rule.

 This time the user is in the med.juntendo.ac.jp (Juntendo Univ Med
 School) whose ISP is cwidc.net and the DNS server  ns03.cwidc.net
 (154.33.17.212) is the one in spamhaus.org which they say is hosting a
 long time spammer.  http://www.spamhaus.org/sbl/sbl.lasso?query=SBL17240

 Does URI checking really need to be so thorough?  Obviously there must
 be some bias at spamhaus if the big named ISPs don't get their name
 servers listed because we know that they provide services to spammers.
 Any idea on how to limit the scope to just the URI at its face value?

uridnsbl used in the default rule URIBL_SBL does check domain
name servers against SBL, but I'm kind of surprised to hear it
triggering on email addresses.  It should definitely be checking
web sites and the like.  Can you give a sample of the text it
hit?  Was it in URI form like:

  mailto://[EMAIL PROTECTED]

That said, I agree that the SBL listings are at times overbroad.
Name servers for gov.ru and spb.ru for example are listed
(ns.rtcomm.ru and ns1.relcom.ru respectively).  Listings like
those can cause false positives, and I personally object to
deliberately harming innocent bystanders to pressure ISPs.

Jeff C.
-- 
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/



RE: URI Tests and Japanese Chars (solved)

2005-03-16 Thread Rose, Bobby
This is an excerpt that I used in trying to track it down.  No real mailto URI 
unless there is some translation going on with email addresses embedded in the 
body by the email client on send.  At first, I just thought it might be a bug 
since the messages were using ISO-2022-JP character set but if I sent just a 
plain text message with just the [EMAIL PROTECTED] in the body, then URIBL_SBL 
was tripped. 

*
- Original Message -
From: "user1" [EMAIL PROTECTED]
To: "user2" [EMAIL PROTECTED]
Sent: Friday, March 11, 2005 11:14 AM
Subject: Re: $BFb;[EMAIL PROTECTED](J 

***

-=B


-Original Message-
From: Jeff Chan [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, March 16, 2005 7:52 AM
To: users@spamassassin.apache.org
Subject: Re: URI Tests and Japanese Chars (solved)

On Wednesday, March 16, 2005, 3:55:52 AM, Bobby Rose wrote:
 
 I figured out the problem, it was an individual's email address in 
 the message body (even though not a mailto).  Their email domain isn't 
 listed at spamhaus.org but it turns out one of their ISP's DNS servers 
 is, which they are using as secondary.  This makes the second time 
 I've come across this.  The last time it was an ISP's (pipex.net) DNS 
 server in the U.K. that was tripping the URIBL_SBL rule.

 This time the user is in the med.juntendo.ac.jp (Juntendo Univ Med
 School) whose ISP is cwidc.net and the DNS server  ns03.cwidc.net
 (154.33.17.212) is the one in spamhaus.org which they say is hosting a 
 long time spammer.  
 http://www.spamhaus.org/sbl/sbl.lasso?query=SBL17240

 Does URI checking really need to be so thorough?  Obviously there must 
 be some bias at spamhaus if the big named ISPs don't get their name 
 servers listed because we know that they provide services to spammers.
 Any idea on how to limit the scope to just the URI at its face value?

uridnsbl used in the default rule URIBL_SBL does check domain name servers 
against SBL, but I'm kind of surprised to hear it triggering on email 
addresses.  It should definitely be checking web sites and the like.  Can you 
give a sample of the text it hit?  Was it in URI form like:

  mailto://[EMAIL PROTECTED]

That said, I agree that the SBL listings are at times overbroad.
Name servers for gov.ru and spb.ru for example are listed (ns.rtcomm.ru and 
ns1.relcom.ru respectively).  Listings like those can cause false positives, 
and I personally object to deliberately harming innocent bystanders to 
"pressure" ISPs.

Jeff C.
--
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/

Re: URI Tests and Japanese Chars (solved)

2005-03-16 Thread Jeff Chan
On Wednesday, March 16, 2005, 5:47:40 AM, Bobby Rose wrote:
 This is an excerpt that I used in trying to track it down.  No
 real mailto URI unless there is some translation going on with
 email addresses embedded in the body by the email client on send.  At 
 first, I just thought it might be a bug since the messages were
 using ISO-2022-JP character set but if I sent just a plain text
 message with just the [EMAIL PROTECTED] in the body, then 
 URIBL_SBL was tripped. 

Wow, I didn't think URIBL_SBL would check that.  Hopefully the
developers (of which I am not one ;-) will speak up about this.

Jeff C.
-- 
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/



Re: URI Tests and Japanese Chars (solved)

2005-03-16 Thread Justin Mason

Bobby, could you open a bug in the bugzilla about this?  URI rules
should not be checking mailto links.

- --j.

Jeff Chan writes:
 On Wednesday, March 16, 2005, 5:47:40 AM, Bobby Rose wrote:
  This is an excerpt that I used in trying to track it down.  No
  real mailto URI unless there is some translation going on with
  email addresses embedded in the body by the email client on send.  At 
  first, I just thought it might be a bug since the messages were
  using ISO-2022-JP character set but if I sent just a plain text
  message with just the [EMAIL PROTECTED] in the body, then 
  URIBL_SBL was tripped. 
 
 Wow, I didn't think URIBL_SBL would check that.  Hopefully the
 developers (of which I am not one ;-) will speak up about this.
 
 Jeff C.



RE: URI Tests and Japanese Chars (solved)

2005-03-16 Thread List Mail User

This is an excerpt that I used in trying to track it down.  No real mailto URI 
unless there is some translation going on with email addresses embedded in the 
body by the email client on send.  At first, I just thought it might be a bug 
since the messages were using ISO-2022-JP character set but if I sent just a 
plain text message with just the [EMAIL PROTECTED] in the body, then URIBL_SBL 
was tripped. 

*
- Original Message -
From: user1 [EMAIL PROTECTED]
To: user2 [EMAIL PROTECTED]
Sent: Friday, March 11, 2005 11:14 AM
Subject: Re: $BFb;[EMAIL PROTECTED](J 

***

-=B


-Original Message-
From: Jeff Chan [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, March 16, 2005 7:52 AM
To: users@spamassassin.apache.org
Subject: Re: URI Tests and Japanese Chars (solved)

On Wednesday, March 16, 2005, 3:55:52 AM, Bobby Rose wrote:
 
 I figured out the problem, it was an individual's email address in 
 the message body (even though not a mailto).  Their email domain isn't 
 listed at spamhaus.org but it turns out one of their ISP's DNS servers 
 is, which they are using as secondary.  This makes the second time 
 I've come across this.  The last time it was an ISP's (pipex.net) DNS 
 server in the U.K. that was tripping the URIBL_SBL rule.

 This time the user is in the med.juntendo.ac.jp (Juntendo Univ Med
 School) whose ISP is cwidc.net and the DNS server  ns03.cwidc.net
 (154.33.17.212) is the one in spamhaus.org which they say is hosting a 
 long time spammer.  
 http://www.spamhaus.org/sbl/sbl.lasso?query=SBL17240

 Does URI checking really need to be so thorough?  Obviously there must 
 be some bias at spamhaus if the big named ISPs don't get their name 
 servers listed because we know that they provide services to spammers.
 Any idea on how to limit the scope to just the URI at its face value?

uridnsbl used in the default rule URIBL_SBL does check domain name servers 
against SBL, but I'm kind of surprised to hear it triggering on email 
addresses.  It should definitely be checking web sites and the like.  Can you 
give a sample of the text it hit?  Was it in URI form like:

  mailto://[EMAIL PROTECTED]

That said, I agree that the SBL listings are at times overbroad.
Name servers for gov.ru and spb.ru for example are listed (ns.rtcomm.ru and 
ns1.relcom.ru respectively).  Listings like those can cause false positives, 
and I personally object to deliberately harming innocent bystanders to 
pressure ISPs.

Jeff C.
--
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/


Spamhaus does sometimes escalate against companies that ignore
issues for a long time;  But this isn't one of those cases.  Here the listing
is:
http://www.spamhaus.org/SBL/sbl.lasso?query=SBL17240
which covers exactly one IP 154.33.17.212/32 and gives a good reason for it.

This is similar to when I had a friend who bought a cheap hosting
service and was surprised to find out it was blacklisted everywhere - They
hosted spammers on the same machine.

To me it looks like a good case for the people at juntendo.ac.jp to
be looking for another company to do their backup DNS or at least request
that the particular server be changed.  Besides, shouldn't a University
be able to provide their own redundant servers (they do have a legacy class
'B' net to themselves)?

Sorry, we usually agree (I like that SURBLs try for zero FPs, but
every blacklist has a different goal and a different target, and this site
fits Spamhaus' stated objectives exactly).  BTW. Did you notice that the
owner of the SBL'd site is Cable and Wireless - so it is not quite true
that Spamhaus lets big companies get away with anything as someone else
implied earlier.

I have no idea why I'm always defending all sorts of people.

Paul Shupak
[EMAIL PROTECTED]


URI Tests and Japanese Chars

2005-03-15 Thread Rose, Bobby
I have a user that is of Japanese origin and who converses with other
individuals in Japan in his same field of study.  The messages they send
are in Japanese and trip the URI_SBL rule.  These people are in
different .jp domains and I really don't want to get into the
administrative overhead of whitelisting. I don't see anything in the
message bodies that even looks like a URI.  Has anyone else run into
this?


Bobby Rose
Wayne State University School of Medicine