Re: URI Tests and Japanese Chars (solved)
... To: Daryl C. W. O'Shea [EMAIL PROTECTED]
Cc: List Mail User [EMAIL PROTECTED], [EMAIL PROTECTED], users@spamassassin.apache.org
Subject: Re: URI Tests and Japanese Chars (solved)
In-Reply-To: [EMAIL PROTECTED]
From: [EMAIL PROTECTED] (Justin Mason)

Justin,

Daryl C. W. O'Shea writes:

List Mail User wrote:

Jeff,

RFC 1630 makes pretty clear that an email address in either a "mailto:" or "cid:" clause *is* a URI. It does not address whether a bare email address would count (it seems that it doesn't fit the RFC definition, but does fit some other I found by Google).

I could be convinced either way from a bare address (as it stands now, maybe someone else has something to add). But a "mailto:", "mail:" or "cid:" clause should (in my opinion) be looked up by the URI rules - they are URI, not URL rules (though URLs are clearly the most common form of URIs).

I was surprised to see that from the RFC, even "Msg-Id:" clauses are URIs.

Paul Shupak
[EMAIL PROTECTED]

I'd agree with Paul, what's the difference between doing the lookup of the domain listed in a mailto: link and a http: link -- both of which are often found in someone's signature?

Eliminating the mailto: domain lookup could lead to spam such as "email us at [EMAIL PROTECTED] for all the junk you don't really want".

However, it's an impedance mismatch between what's going into the backends (the SBL and SURBL uribls) and what we're matching on the other end.

At least for SBL, it's definitely problematic, since a SBL escalation (of mail relays) will blocklist mail that *mentions* that domain!

That's not true in general. Since the SBL is an IP based list, a mail server escalation would have no effect on any other domain, only on messages relayed through the servers.

The more common case where a SBL escalation will affect other domains is (the typical kind I've noticed) when they list all corporate servers and some otherwise innocent domains use name servers within that space (this was the Russian government/Rostelecom earlier this week).

Still, you are correct, there is a big difference between the SURBL policy of zero FPs and the SBL policy, which I can best state as "kill the spammers". SURBLs rarely have `collateral' damage and their default scores reflect that; The URIBL_SBL is only assigned scores of "0 0.629 0 0.996" in 3.0.2 - Only URIBL_AB_SURBL with set 3 and URIBL_WS_SURBL with set 1 are ever assigned lower scores than the URIBL_SBL. All the other SURBL have significantly higher scores - URIBL_SC_SURBL is many times what URIBL_SBL is. (You may not know, but I even proposed adding back the SPEWS lists, though with low scores, and I do use all the rfci lists with relatively low scores except for bogusmx, which may be the best single indicator I have ever found, and I still assign it fewer points than URIBL_SC_SURBL).

- --j. {snipped PGP SIGNATURE]

Paul Shupak
[EMAIL PROTECTED]

P.S. I understand the political problems with the particular FPs that SPEWS generates, but I do hope the rfci lists make it to the URIBL rulesets.
RE: URI Tests and Japanese Chars (solved)
... Subject: RE: URI Tests and Japanese Chars (solved) Date: Thu, 17 Mar 2005 17:41:03 -0500 ... From: Rose, Bobby [EMAIL PROTECTED] To: [EMAIL PROTECTED], Daryl C. W. O'Shea [EMAIL PROTECTED] Cc: List Mail User [EMAIL PROTECTED], [EMAIL PROTECTED], users@spamassassin.apache.org ... But in my test messages the email address wasn't in the form of a URI. It was just the email address. I even used pine for a test to make sure it was a gui client doing some reformatting business. Do we know if it's possible to know if the results from SBL are for the domain of the URI being queried or if their results are due to some association with the domain being queried. If so then we could ignore any results other than for the domain being queried or weigh the results differently so long as they aren't accumulative points for each occurrence. Otherwise, the points would add up the more that person's email address appears in the email. It has been suggested before that the indirect name server lookup done be a different class of rules and/or scored differently than the direct lookups - by default the SBL is the only list used for name servers, but on my servers I use several other lists (and then there is Bugzilla #4106 -Original Message- all snipped] Paul Shupak [EMAIL PROTECTED] P.S. Extra points for anyone who actually knows why Bugzilla (or Mozilla) have zilla in their name (or knows who Tom Paquin is).
Re: URI Tests and Japanese Chars (solved)
List Mail User wrote:

... To: "Daryl C. W. O'Shea" [EMAIL PROTECTED]
Cc: List Mail User [EMAIL PROTECTED], [EMAIL PROTECTED], users@spamassassin.apache.org
Subject: Re: URI Tests and Japanese Chars (solved)
In-Reply-To: [EMAIL PROTECTED]
From: [EMAIL PROTECTED] (Justin Mason)

Justin,

Daryl C. W. O'Shea writes:

List Mail User wrote:

Jeff,

RFC 1630 makes pretty clear that an email address in either a "mailto:" or "cid:" clause *is* a URI. It does not address whether a bare email address would count (it seems that it doesn't fit the RFC definition, but does fit some other I found by Google).

I could be convinced either way from a bare address (as it stands now, maybe someone else has something to add). But a "mailto:", "mail:" or "cid:" clause should (in my opinion) be looked up by the URI rules - they are URI, not URL rules (though URLs are clearly the most common form of URIs).

I was surprised to see that from the RFC, even "Msg-Id:" clauses are URIs.

Paul Shupak
[EMAIL PROTECTED]

I'd agree with Paul, what's the difference between doing the lookup of the domain listed in a mailto: link and a http: link -- both of which are often found in someone's signature?

Eliminating the mailto: domain lookup could lead to spam such as "email us at [EMAIL PROTECTED] for all the junk you don't really want".

However, it's an impedance mismatch between what's going into the backends (the SBL and SURBL uribls) and what we're matching on the other end.

At least for SBL, it's definitely problematic, since a SBL escalation (of mail relays) will blocklist mail that *mentions* that domain!

That's not true in general. Since the SBL is an IP based list, a mail server escalation would have no effect on any other domain, only on messages relayed through the servers.

The more common case where a SBL escalation will affect other domains is (the typical kind I've noticed) when they list all corporate servers and some otherwise innocent domains use name servers within that space (this was the Russian government/Rostelecom earlier this week).

Still, you are correct, there is a big difference between the SURBL policy of zero FPs and the SBL policy, which I can best state as "kill the spammers". SURBLs rarely have `collateral' damage and their default scores reflect that; The URIBL_SBL is only assigned scores of "0 0.629 0 0.996" in 3.0.2 - Only URIBL_AB_SURBL with set 3 and URIBL_WS_SURBL with set 1 are ever assigned lower scores than the URIBL_SBL. All the other SURBL have significantly higher scores - URIBL_SC_SURBL is many times what URIBL_SBL is. (You may not know, but I even proposed adding back the SPEWS lists, though with low scores, and I do use all the rfci lists with relatively low scores except for bogusmx, which may be the best single indicator I have ever found, and I still assign it fewer points than URIBL_SC_SURBL).

- --j. {snipped PGP SIGNATURE]

Paul Shupak
[EMAIL PROTECTED]

P.S. I understand the political problems with the particular FPs that SPEWS generates, but I do hope the rfci lists make it to the URIBL rulesets.

Since you mentioned the scores, please note that Bobby Rose, the original poster of this issue had modified the score for URIBL_SBL from its defaults to 10 ...

I had suggested that he reduce the score (possibly setting it back to the defaults)

While it doesn't negate the issues surrounding the way the URI lookups work (or should possibly work) ... it's obvious that there is enough FP potential to warrant not scoring it so high.

alan
Re: URI Tests and Japanese Chars (solved)
[all snipped]

Since you mentioned the scores, please note that Bobby Rose, the original poster of this issue had modified the score for URIBL_SBL from its defaults to 10 ...

I had suggested that he reduce the score (possibly setting it back to the defaults)

While it doesn't negate the issues surrounding the way the URI lookups work (or should possibly work) ... it's obvious that there is enough FP potential to warrant not scoring it so high.

alan

I think you are quite correct. If you want to have a high weight on the SBL, use it as a RBL at the SMTP level (I do). I think its score once a message hits SA is already correct given the extreme overlap with other hit rules (I have lots of filtering before that - SA is my last line of defense and seems almost impenetrable).

Even my own local rules generally have very low scores - only two score above 1.5 and only 5 score above .6, out of about 25 local rules. As best I can tell, the default scoring is very well adjusted already.

Paul Shupak
[EMAIL PROTECTED]
Re: URI Tests and Japanese Chars (solved)
On Wednesday, March 16, 2005, 12:29:41 PM, List User wrote: (Jeff C wrote:) uridnsbl used in the default rule URIBL_SBL does check domain name servers against SBL, but I'm kind of surprised to hear it triggering on email addresses. It should definitely be checking web sites and the like. Can you give a sample of the text it hit? Was it in URI form like: mailto://[EMAIL PROTECTED] That said, I agree that the SBL listings are at times overbroad. (Paul wrote:) Spamhaus does sometimes escalate against companies that ignore issues for a long time; But this isn't one of those cases. Here the listing is: http://www.spamhaus.org/SBL/sbl.lasso?query=SBL17240 which covers exactly one IP 154.33.17.212/32 and gives a good reason for it. I should have checked further. A /32 does not seem like an escalation to me either. The more important issue for SpamAssassin is that mail addresses in message bodies should not be checked by uridnsbl. Only URIs should be checked. Bobby, Please create a bugzilla for this as Justin suggests. Be sure to include in the ticket the text that it triggered on. http://bugzilla.spamassassin.org/ Jeff C. -- Jeff Chan mailto:[EMAIL PROTECTED] http://www.surbl.org/
Re: URI Tests and Japanese Chars (solved)
Jeff,

RFC 1630 makes pretty clear that an email address in either a "mailto:" or "cid:" clause *is* a URI. It does not address whether a bare email address would count (it seems that it doesn't fit the RFC definition, but does fit some other I found by Google).

I could be convinced either way from a bare address (as it stands now, maybe someone else has something to add). But a "mailto:", "mail:" or "cid:" clause should (in my opinion) be looked up by the URI rules - they are URI, not URL rules (though URLs are clearly the most common form of URIs).

I was surprised to see that from the RFC, even "Msg-Id:" clauses are URIs.

Paul Shupak
[EMAIL PROTECTED]
Re: URI Tests and Japanese Chars (solved)
List Mail User wrote:

Jeff,

RFC 1630 makes pretty clear that an email address in either a "mailto:" or "cid:" clause *is* a URI. It does not address whether a bare email address would count (it seems that it doesn't fit the RFC definition, but does fit some other I found by Google).

I could be convinced either way from a bare address (as it stands now, maybe someone else has something to add). But a "mailto:", "mail:" or "cid:" clause should (in my opinion) be looked up by the URI rules - they are URI, not URL rules (though URLs are clearly the most common form of URIs).

I was surprised to see that from the RFC, even "Msg-Id:" clauses are URIs.

Paul Shupak
[EMAIL PROTECTED]

I'd agree with Paul, what's the difference between doing the lookup of the domain listed in a mailto: link and a http: link -- both of which are often found in someone's signature?

Eliminating the mailto: domain lookup could lead to spam such as "email us at [EMAIL PROTECTED] for all the junk you don't really want".

Daryl
Re: URI Tests and Japanese Chars (solved)
Daryl C. W. O'Shea writes:

List Mail User wrote:

Jeff,

RFC 1630 makes pretty clear that an email address in either a "mailto:" or "cid:" clause *is* a URI. It does not address whether a bare email address would count (it seems that it doesn't fit the RFC definition, but does fit some other I found by Google).

I could be convinced either way from a bare address (as it stands now, maybe someone else has something to add). But a "mailto:", "mail:" or "cid:" clause should (in my opinion) be looked up by the URI rules - they are URI, not URL rules (though URLs are clearly the most common form of URIs).

I was surprised to see that from the RFC, even "Msg-Id:" clauses are URIs.

Paul Shupak
[EMAIL PROTECTED]

I'd agree with Paul, what's the difference between doing the lookup of the domain listed in a mailto: link and a http: link -- both of which are often found in someone's signature?

Eliminating the mailto: domain lookup could lead to spam such as "email us at [EMAIL PROTECTED] for all the junk you don't really want".

However, it's an impedance mismatch between what's going into the backends (the SBL and SURBL uribls) and what we're matching on the other end.

At least for SBL, it's definitely problematic, since a SBL escalation (of mail relays) will blocklist mail that *mentions* that domain!

--j.
RE: URI Tests and Japanese Chars (solved)
But in my test messages the email address wasn't in the form of a URI. It was just the email address. I even used pine for a test to make sure it was a gui client doing some reformatting business.

Do we know if it's possible to know if the results from SBL are for the domain of the URI being queried or if their results are due to some association with the domain being queried. If so then we could ignore any results other than for the domain being queried or weigh the results differently so long as they aren't accumulative points for each occurrence. Otherwise, the points would add up the more that person's email address appears in the email.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Thursday, March 17, 2005 5:26 PM
To: Daryl C. W. O'Shea
Cc: List Mail User; [EMAIL PROTECTED]; users@spamassassin.apache.org
Subject: Re: URI Tests and Japanese Chars (solved)

Daryl C. W. O'Shea writes:

List Mail User wrote:

Jeff,

RFC 1630 makes pretty clear that an email address in either a "mailto:" or "cid:" clause *is* a URI. It does not address whether a bare email address would count (it seems that it doesn't fit the RFC definition, but does fit some other I found by Google).

I could be convinced either way from a bare address (as it stands now, maybe someone else has something to add). But a "mailto:", "mail:" or "cid:" clause should (in my opinion) be looked up by the URI rules - they are URI, not URL rules (though URLs are clearly the most common form of URIs).

I was surprised to see that from the RFC, even "Msg-Id:" clauses are URIs.

Paul Shupak
[EMAIL PROTECTED]

I'd agree with Paul, what's the difference between doing the lookup of the domain listed in a mailto: link and a http: link -- both of which are often found in someone's signature?

Eliminating the mailto: domain lookup could lead to spam such as "email us at [EMAIL PROTECTED] for all the junk you don't really want".

However, it's an impedance mismatch between what's going into the backends (the SBL and SURBL uribls) and what we're matching on the other end.

At least for SBL, it's definitely problematic, since a SBL escalation (of mail relays) will blocklist mail that *mentions* that domain!

--j.
Re: URI Tests and Japanese Chars (solved)
Rose, Bobby wrote:

But in my test messages the email address wasn't in the form of a URI. It was just the email address. I even used pine for a test to make sure it was a gui client doing some reformatting business.

Sorry, I shouldn't have said URI. I had said URI since SpamAssassin internally adds the appropriate resource type, turning it into a URI. It does this since many (most?) MUAs do the same thing.

Do we know if it's possible to know if the results from SBL are for the domain of the URI being queried or if their results are due to some association with the domain being queried. If so then we could ignore any results other than for the domain being queried or weigh the results differently so long as they aren't accumulative points for each occurrence.

No we can't. We don't look up the domain name. We get its NS server IPs and look them up. Since the name server IP is shared there's nothing we can do.

The best solution in this case, is to convince people not to support providers who host spammers' DNS, and take their business elsewhere (or convince that provider to stop hosting spammers). Hard to convince someone to do that, but it's the intention behind Spamhaus.

Otherwise, the points would add up the more that person's email address appears in the email.

Nope. The list is uniqued. 10 occurrences of the same thing would still only result in one lookup and possible hit (per rule).

Daryl
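The lookup chain described in the message above (bare address treated as a URI, name-server IPs checked against the SBL, results uniqued), as an added offline example that is not SpamAssassin's code and not part of any post in this thread. The resolver tables, `ns.juntendo.example`, the sample body, the zone cut at `juntendo.ac.jp` and the `include_mail` switch are assumptions made for illustration; only `ns03.cwidc.net` and `154.33.17.212` come from the thread.

```python
import re

SBL_ZONE = "sbl.spamhaus.org"

# Constructed stand-in for live DNS so the example runs offline. Only
# ns03.cwidc.net -> 154.33.17.212 is taken from the thread; every other
# name and address here is a made-up placeholder.
NS_RECORDS = {
    "juntendo.ac.jp": ["ns.juntendo.example", "ns03.cwidc.net"],
    "example.org": ["ns1.example.org"],
}
A_RECORDS = {
    "ns.juntendo.example": ["192.0.2.10"],
    "ns03.cwidc.net": ["154.33.17.212"],
    "ns1.example.org": ["198.51.100.53"],
}
# Constructed copy of the one listing discussed in the thread (a single /32).
LISTED = {"212.17.33.154." + SBL_ZONE}

WEB_URI = re.compile(r"\b(?:https?|ftp)://([A-Za-z0-9.-]+)", re.I)
MAIL_ADDR = re.compile(
    r"(?:mailto:)?[A-Za-z0-9._%+-]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)", re.I)

# Constructed sample body: the same bare address three times plus one web URI.
SAMPLE_BODY = """\
Please reply to user1@med.juntendo.ac.jp by Friday.
(cc: user1@med.juntendo.ac.jp, user1@med.juntendo.ac.jp)
Slides: http://www.example.org/slides.pdf
"""


def extract_hosts(body, include_mail=True):
    """Return unique host names found in the body, in first-seen order.

    With include_mail=True a bare address counts as if it were a mailto: URI
    (the behaviour reported in the thread); False keeps web/ftp URIs only.
    """
    hosts = [m.group(1) for m in WEB_URI.finditer(body)]
    if include_mail:
        hosts += [m.group(1) for m in MAIL_ADDR.finditer(body)]
    seen, unique = set(), []
    for host in hosts:
        host = host.lower().rstrip(".")
        if host not in seen:
            seen.add(host)
            unique.append(host)
    return unique


def nameservers_for(host):
    """Walk up the labels until a zone with NS records is found.

    This is a simplification of finding the registrable domain.
    """
    labels = host.split(".")
    for i in range(len(labels) - 1):
        zone = ".".join(labels[i:])
        if zone in NS_RECORDS:
            return NS_RECORDS[zone]
    return []


def dnsbl_query_name(ip, zone=SBL_ZONE):
    """Build the DNSBL query name: reversed IPv4 octets under the list zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def check_body(body, include_mail=True):
    """Simulate one NS-based blocklist rule over a message body."""
    queries = {}  # query name -> (host, name server); each name is asked once
    for host in extract_hosts(body, include_mail):
        for ns in nameservers_for(host):
            for ip in A_RECORDS.get(ns, []):
                queries.setdefault(dnsbl_query_name(ip), (host, ns))
    listed = {q: src for q, src in queries.items() if q in LISTED}
    # One rule fires at most once, however often the address is repeated.
    return {"queries": list(queries), "listed": listed,
            "rule_hits": 1 if listed else 0}


if __name__ == "__main__":
    for flag in (True, False):
        result = check_body(SAMPLE_BODY, include_mail=flag)
        print("include_mail=%s -> %d queries, hit=%d, via %s" % (
            flag, len(result["queries"]), result["rule_hits"],
            sorted(result["listed"].values())))
```

The hit is attributed to the name server rather than to the mail domain, which is why the result cannot be narrowed to "just the domain being queried".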
Re: URI Tests and Japanese Chars (solved)
On Thursday, March 17, 2005, 2:25:34 PM, Justin Mason wrote:

Daryl C. W. O'Shea writes:

List Mail User wrote:

Jeff,

RFC 1630 makes pretty clear that an email address in either a "mailto:" or "cid:" clause *is* a URI. It does not address whether a bare email address would count (it seems that it doesn't fit the RFC definition, but does fit some other I found by Google).

I could be convinced either way from a bare address (as it stands now, maybe someone else has something to add). But a "mailto:", "mail:" or "cid:" clause should (in my opinion) be looked up by the URI rules - they are URI, not URL rules (though URLs are clearly the most common form of URIs).

I was surprised to see that from the RFC, even "Msg-Id:" clauses are URIs.

Yes, I'm aware of that, which is why I was asking if there was an explicit mailto: in the source message. Turns out there wasn't and the mail address was bare.

I'd agree with Paul, what's the difference between doing the lookup of the domain listed in a mailto: link and a http: link -- both of which are often found in someone's signature?

Eliminating the mailto: domain lookup could lead to spam such as "email us at [EMAIL PROTECTED] for all the junk you don't really want".

In principle I agree that a URI handler should deal with all possible URI types. However...

However, it's an impedance mismatch between what's going into the backends (the SBL and SURBL uribls) and what we're matching on the other end.

At least for SBL, it's definitely problematic, since a SBL escalation (of mail relays) will blocklist mail that *mentions* that domain!

Yes, in which case what we have in URIDNSBL are actually dealing with only web and ftp as opposed to more complete URI handling. As Justin notes that is a proper match for what are in SBL and SURBLs. It also corresponds well to URIs that appear in spam.

Jeff C.
--
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/
Re: URI Tests and Japanese Chars
Rose, Bobby wrote: I have a user that is of Japanese origin and who converses with other individuals in Japan in his same field of study. The messages they send are in Japanese and trip the URI_SBL rule. These people are in different .jp domains and I really don't want to get into the administrative overhead of whitelisting. I don't see anything in the message bodies that even looks like a URI. Has anyone else ran into this? Bobby Rose Wayne State University School of Medicine Bobby, That seems a little strange, especially if there are no URIs in the mail. I live in Japan and have mail servers local and state-side that process Japanese email without this problem. Can you provide more details about your setup/configuration and possibly provide a sample email that triggers the rule? alan
RE: URI Tests and Japanese Chars (solved)
I figured out the problem, it was an individual's email address in the message body (even though not a mailto). Their email domain isn't listed at spamhaus.org but it turns out one of their ISP's DNS servers is, which they are using as secondary. This makes the second time I've come across this. The last time it was an ISP's (pipex.net) DNS server in the U.K. that was tripping the URIBL_SBL rule.

This time the user is in the med.juntendo.ac.jp (Juntendo Univ Med School) whose ISP is cwidc.net and the DNS server ns03.cwidc.net (154.33.17.212) is the one in spamhaus.org which they say is hosting a long time spammer.
http://www.spamhaus.org/sbl/sbl.lasso?query=SBL17240

Does URI checking really need to be so thorough? Obviously there must be some bias at spamhaus if the big named ISPs don't get their name servers listed because we know that they provide services to spammers. Any idea on how to limit the scope to just the URI at its face value?

-----Original Message-----
From: Rose, Bobby [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 15, 2005 2:14 PM
To: users@spamassassin.apache.org
Subject: URI Tests and Japanese Chars

I have a user that is of Japanese origin and who converses with other individuals in Japan in his same field of study. The messages they send are in Japanese and trip the URI_SBL rule. These people are in different .jp domains and I really don't want to get into the administrative overhead of whitelisting. I don't see anything in the message bodies that even looks like a URI. Has anyone else run into this?

Bobby Rose
Wayne State University School of Medicine
Re: URI Tests and Japanese Chars (solved)
On Wednesday, March 16, 2005, 3:55:52 AM, Bobby Rose wrote:

I figured out the problem, it was an individual's email address in the message body (even though not a mailto). Their email domain isn't listed at spamhaus.org but it turns out one of their ISP's DNS servers is, which they are using as secondary. This makes the second time I've come across this. The last time it was an ISP's (pipex.net) DNS server in the U.K. that was tripping the URIBL_SBL rule.

This time the user is in the med.juntendo.ac.jp (Juntendo Univ Med School) whose ISP is cwidc.net and the DNS server ns03.cwidc.net (154.33.17.212) is the one in spamhaus.org which they say is hosting a long time spammer.
http://www.spamhaus.org/sbl/sbl.lasso?query=SBL17240

Does URI checking really need to be so thorough? Obviously there must be some bias at spamhaus if the big named ISPs don't get their name servers listed because we know that they provide services to spammers. Any idea on how to limit the scope to just the URI at its face value?

uridnsbl used in the default rule URIBL_SBL does check domain name servers against SBL, but I'm kind of surprised to hear it triggering on email addresses. It should definitely be checking web sites and the like. Can you give a sample of the text it hit? Was it in URI form like:

mailto://[EMAIL PROTECTED]

That said, I agree that the SBL listings are at times overbroad. Name servers for gov.ru and spb.ru for example are listed (ns.rtcomm.ru and ns1.relcom.ru respectively). Listings like those can cause false positives, and I personally object to deliberately harming innocent bystanders to "pressure" ISPs.

Jeff C.
--
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/
RE: URI Tests and Japanese Chars (solved)
This is an excerpt that I used in trying to track it down. No real mailto URI unless there is some translation going on with email addresses embedded in the body by the email client on send. At first, I just thought it might be a bug since the messages were using ISO-2022-JP character set but if I sent just a plain text message with just the [EMAIL PROTECTED] in the body, then URIBL_SBL was tripped.

*
----- Original Message -----
From: "user1" [EMAIL PROTECTED]
To: "user2" [EMAIL PROTECTED]
Sent: Friday, March 11, 2005 11:14 AM
Subject: Re: $BFb;[EMAIL PROTECTED](J

***

-=B

-----Original Message-----
From: Jeff Chan [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 16, 2005 7:52 AM
To: users@spamassassin.apache.org
Subject: Re: URI Tests and Japanese Chars (solved)

On Wednesday, March 16, 2005, 3:55:52 AM, Bobby Rose wrote:

I figured out the problem, it was an individual's email address in the message body (even though not a mailto). Their email domain isn't listed at spamhaus.org but it turns out one of their ISP's DNS servers is, which they are using as secondary. This makes the second time I've come across this. The last time it was an ISP's (pipex.net) DNS server in the U.K. that was tripping the URIBL_SBL rule.

This time the user is in the med.juntendo.ac.jp (Juntendo Univ Med School) whose ISP is cwidc.net and the DNS server ns03.cwidc.net (154.33.17.212) is the one in spamhaus.org which they say is hosting a long time spammer.
http://www.spamhaus.org/sbl/sbl.lasso?query=SBL17240

Does URI checking really need to be so thorough? Obviously there must be some bias at spamhaus if the big named ISPs don't get their name servers listed because we know that they provide services to spammers. Any idea on how to limit the scope to just the URI at its face value?

uridnsbl used in the default rule URIBL_SBL does check domain name servers against SBL, but I'm kind of surprised to hear it triggering on email addresses. It should definitely be checking web sites and the like. Can you give a sample of the text it hit? Was it in URI form like:

mailto://[EMAIL PROTECTED]

That said, I agree that the SBL listings are at times overbroad. Name servers for gov.ru and spb.ru for example are listed (ns.rtcomm.ru and ns1.relcom.ru respectively). Listings like those can cause false positives, and I personally object to deliberately harming innocent bystanders to "pressure" ISPs.

Jeff C.
--
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/
Re: URI Tests and Japanese Chars (solved)
On Wednesday, March 16, 2005, 5:47:40 AM, Bobby Rose wrote: This is an excerpt that I used in trying to track it down. No real mailto URI unless there is some translation going on with email addresses embedded in the body by the email client on send. At first, I just thought it might be a bug since the messages were using ISO-2022-JP character set but if I sent just a plain text message with just the [EMAIL PROTECTED] in the body, then URIBL_SBL was tripped. Wow, I didn't think URIBL_SBL would check that. Hopefully the developers (of which I am not one ;-) will speak up about this. Jeff C. -- Jeff Chan mailto:[EMAIL PROTECTED] http://www.surbl.org/
Re: URI Tests and Japanese Chars (solved)
Bobby, could you open a bug in the bugzilla about this? URI rules should not be checking mailto links.

--j.

Jeff Chan writes:

On Wednesday, March 16, 2005, 5:47:40 AM, Bobby Rose wrote:

This is an excerpt that I used in trying to track it down. No real mailto URI unless there is some translation going on with email addresses embedded in the body by the email client on send. At first, I just thought it might be a bug since the messages were using ISO-2022-JP character set but if I sent just a plain text message with just the [EMAIL PROTECTED] in the body, then URIBL_SBL was tripped.

Wow, I didn't think URIBL_SBL would check that. Hopefully the developers (of which I am not one ;-) will speak up about this.

Jeff C.
RE: URI Tests and Japanese Chars (solved)
This is an excerpt that I used in trying to track it down. No real mailto URI unless there is some translation going on with email addresses embedded in the body by the email client on send. At first, I just thought it might be a bug since the messages were using ISO-2022-JP character set but if I sent just a plain text message with just the [EMAIL PROTECTED] in the body, then URIBL_SBL was tripped.

*
----- Original Message -----
From: user1 [EMAIL PROTECTED]
To: user2 [EMAIL PROTECTED]
Sent: Friday, March 11, 2005 11:14 AM
Subject: Re: $BFb;[EMAIL PROTECTED](J

***

-=B

-----Original Message-----
From: Jeff Chan [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 16, 2005 7:52 AM
To: users@spamassassin.apache.org
Subject: Re: URI Tests and Japanese Chars (solved)

On Wednesday, March 16, 2005, 3:55:52 AM, Bobby Rose wrote:

I figured out the problem, it was an individual's email address in the message body (even though not a mailto). Their email domain isn't listed at spamhaus.org but it turns out one of their ISP's DNS servers is, which they are using as secondary. This makes the second time I've come across this. The last time it was an ISP's (pipex.net) DNS server in the U.K. that was tripping the URIBL_SBL rule.

This time the user is in the med.juntendo.ac.jp (Juntendo Univ Med School) whose ISP is cwidc.net and the DNS server ns03.cwidc.net (154.33.17.212) is the one in spamhaus.org which they say is hosting a long time spammer.
http://www.spamhaus.org/sbl/sbl.lasso?query=SBL17240

Does URI checking really need to be so thorough? Obviously there must be some bias at spamhaus if the big named ISPs don't get their name servers listed because we know that they provide services to spammers. Any idea on how to limit the scope to just the URI at its face value?

uridnsbl used in the default rule URIBL_SBL does check domain name servers against SBL, but I'm kind of surprised to hear it triggering on email addresses. It should definitely be checking web sites and the like. Can you give a sample of the text it hit? Was it in URI form like:

mailto://[EMAIL PROTECTED]

That said, I agree that the SBL listings are at times overbroad. Name servers for gov.ru and spb.ru for example are listed (ns.rtcomm.ru and ns1.relcom.ru respectively). Listings like those can cause false positives, and I personally object to deliberately harming innocent bystanders to "pressure" ISPs.

Jeff C.
--
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/

Spamhaus does sometimes escalate against companies that ignore issues for a long time; But this isn't one of those cases. Here the listing is: http://www.spamhaus.org/SBL/sbl.lasso?query=SBL17240 which covers exactly one IP 154.33.17.212/32 and gives a good reason for it.

This is similar to when I had a friend who bought a cheap hosting service and was surprised to find out it was blacklisted everywhere - They hosted spammers on the same machine. To me it looks like a good case for the people at juntendo.ac.jp to be looking for another company to do their backup DNS or at least request that the particular server be changed. Besides, shouldn't a University be able to provide their own redundant servers (they do have a legacy class 'B' net to themselves)?

Sorry, we usually agree (I like that SURBLs try for zero FPs, but every blacklist has a different goal and a different target, and this site fits Spamhaus' stated objectives exactly).

BTW. Did you notice that the owner of the SBL'd site is Cable and Wireless - so it is not quite true that Spamhaus lets big companies get away with anything as someone else implied earlier.

I have no idea why I'm always defending all sorts of people.

Paul Shupak
[EMAIL PROTECTED]
URI Tests and Japanese Chars
I have a user that is of Japanese origin and who converses with other individuals in Japan in his same field of study. The messages they send are in Japanese and trip the URI_SBL rule. These people are in different .jp domains and I really don't want to get into the administrative overhead of whitelisting. I don't see anything in the message bodies that even looks like a URI. Has anyone else ran into this? Bobby Rose Wayne State University School of Medicine