>This is an excerpt that I used in trying to track it down. No real mailto URI
>unless there is some translation going on with email addresses embedded in the
>body by the email client on send. At first, I just thought it might be a bug
>since the messages were using ISO-2022-JP character set but if I sent just a
>plain text message with just the [EMAIL PROTECTED] in the body, then URIBL_SBL
>was tripped.
>
>*****
>----- Original Message -----
>From: "user1" <[EMAIL PROTECTED]>
>To: "user2" <[EMAIL PROTECTED]>
>Sent: Friday, March 11, 2005 11:14 AM
>Subject: Re: $BFb;[EMAIL PROTECTED](J
>
>*******
>
>-=B
>
>
>-----Original Message-----
>From: Jeff Chan [mailto:[EMAIL PROTECTED]
>Sent: Wednesday, March 16, 2005 7:52 AM
>To: users@spamassassin.apache.org
>Subject: Re: URI Tests and Japanese Chars (solved)
>
>On Wednesday, March 16, 2005, 3:55:52 AM, Bobby Rose wrote:
>
>> I figured out the problem, it was an individual's email address in
>> the message body (even though not a mailto). Their email domain isn't
>> listed at spamhaus.org but it turns out one of their ISP's DNS servers
>> is, which they are using as secondary. This makes the second time
>> I've come across this. The last time it was an ISP's (pipex.net) DNS
>> server in the U.K. that was tripping the URIBL_SBL rule.
>
>> This time the user is in the med.juntendo.ac.jp (Juntendo Univ Med
>> School) whose ISP is cwidc.net and the DNS server ns03.cwidc.net
>> (154.33.17.212) is the one in spamhaus.org which they say is hosting a
>> long time spammer.
>> http://www.spamhaus.org/sbl/sbl.lasso?query=SBL17240
>
>> Does URI checking really need to be so thorough? Obviously there must
>> be some bias at spamhaus if the big named ISPs don't get their name
>> servers listed because we know that they provide services to spammers.
>> Any idea on how to limit the scope to just the URI at its face value?
>
>uridnsbl used in the default rule URIBL_SBL does check domain name servers
>against SBL, but I'm kind of surprised to hear it triggering on email
>addresses. It should definitely be checking web sites and the like. Can you
>give a sample of the text it hit? Was it in URI form like:
>
>  mailto://[EMAIL PROTECTED]
>
>That said, I agree that the SBL listings are at times overbroad.
>Name servers for gov.ru and spb.ru for example are listed (ns.rtcomm.ru and
>ns1.relcom.ru respectively). Listings like those can cause false positives,
>and I personally object to deliberately harming innocent bystanders to
>"pressure" ISPs.
>
>Jeff C.
>--
>Jeff Chan
>mailto:[EMAIL PROTECTED]
>http://www.surbl.org/
>

Spamhaus does sometimes "escalate" against companies that ignore issues
for a long time; but this isn't one of those cases. Here the listing is:

    http://www.spamhaus.org/SBL/sbl.lasso?query=SBL17240

which covers exactly one IP 154.33.17.212/32 and gives a good reason for it.
This is similar to when I had a friend who bought a cheap hosting service
and was surprised to find out it was blacklisted everywhere - they hosted
spammers on the same machine.

To me it looks like a good case for the people at juntendo.ac.jp to be
looking for another company to do their backup DNS or at least request that
the particular server be changed. Besides, shouldn't a University be able to
provide their own redundant servers (they do have a legacy class 'B' net to
themselves)?

Sorry, we usually agree (I like that SURBLs try for zero FPs, but every
blacklist has a different goal and a different target, and this site fits
Spamhaus' stated objectives exactly).

BTW. Did you notice that the owner of the SBL'd site is "Cable and
Wireless" - so it is not quite true that Spamhaus lets "big" companies get
away with anything as someone else implied earlier. I have no idea why I'm
always defending all sorts of people.

Paul Shupak
[EMAIL PROTECTED]
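
The lookup chain discussed in this thread, as an added example that is not part of any poster's message and is not SpamAssassin's own code: a bare address in the body yields a domain, the domain's name servers are resolved, and each name server IP is checked against the SBL. The resolver tables, the message body, the primary name server entry and the `skip_domains` parameter (modeled on SpamAssassin's `uridnsbl_skip_domain` option) are constructed assumptions; the zone name `sbl.spamhaus.org` is assumed.

```python
import ipaddress
import re

# Constructed resolver data so the example runs offline. The domain, name
# server and IP come from the thread; the primary NS entry is a placeholder.
NS_RECORDS = {"juntendo.ac.jp": ["ns-primary.example", "ns03.cwidc.net"]}
A_RECORDS = {"ns-primary.example": "192.0.2.53", "ns03.cwidc.net": "154.33.17.212"}
SBL_LISTED = [ipaddress.ip_network("154.33.17.212/32")]  # SBL17240 per the thread
ZONE = "sbl.spamhaus.org"  # assumed zone name for the SBL lookup

# Host part of http(s)/mailto URIs and of bare user@host addresses.
HOST_RE = re.compile(r"(?:https?://|mailto:|@)([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)

def delegated_zone(host):
    """Walk up the labels until a name with NS records is found."""
    labels = host.lower().split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in NS_RECORDS:
            return candidate
    return None

def dnsbl_query_name(ip, zone=ZONE):
    """DNSBL convention: reverse the IPv4 octets and append the zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def ns_hits(body, skip_domains=()):
    """Return (host, zone, ns, ip, query) for every listed name server."""
    hits = []
    for host in sorted(set(m.lower() for m in HOST_RE.findall(body))):
        zone = delegated_zone(host)
        if zone is None or zone in skip_domains:
            continue  # unknown delegation, or exempted by the local skip list
        for ns in NS_RECORDS[zone]:
            ip = A_RECORDS[ns]
            if any(ipaddress.ip_address(ip) in net for net in SBL_LISTED):
                hits.append((host, zone, ns, ip, dnsbl_query_name(ip)))
    return hits

# Constructed message body: no URI at all, only a bare address.
BODY = "Please reply to user1@med.juntendo.ac.jp about the schedule."

if __name__ == "__main__":
    for hit in ns_hits(BODY):
        print("listed NS:", hit)
    print("with skip list:", ns_hits(BODY, skip_domains={"juntendo.ac.jp"}))
```

The domain itself never appears in the listed set; the hit comes entirely from one of its name servers, which is why a local skip list clears it.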