>
>This is an excerpt that I used in trying to track it down.  No real mailto URI 
>unless there is some translation going on with email addresses embedded in the 
>body by the email client on send.  At first, I just thought it might be a bug 
>since the messages were using ISO-2022-JP character set but if I sent just a 
>plain text message with just the [EMAIL PROTECTED] in the body, then URIBL_SBL 
>was tripped. 
>
>*****
>----- Original Message -----
>From: "user1" <[EMAIL PROTECTED]>
>To: "user2" <[EMAIL PROTECTED]>
>Sent: Friday, March 11, 2005 11:14 AM
>Subject: Re: $BFb;[EMAIL PROTECTED](J 
>
>*******
>
>-=B
>
>
>-----Original Message-----
>From: Jeff Chan [mailto:[EMAIL PROTECTED] 
>Sent: Wednesday, March 16, 2005 7:52 AM
>To: users@spamassassin.apache.org
>Subject: Re: URI Tests and Japanese Chars (solved)
>
>On Wednesday, March 16, 2005, 3:55:52 AM, Bobby Rose wrote:
> 
>> I figured out the problem, it was an individual's email address in 
>> the message body (even though not a mailto).  Their email domain isn't 
>> listed at spamhaus.org but it turns out one of their ISP's DNS servers 
>> is, which they are using as secondary.  This makes the second time 
>> I've come across this.  The last time it was an ISP's (pipex.net) DNS 
>> server in the U.K. that was tripping the URIBL_SBL rule.
>
>> This time the user is in the med.juntendo.ac.jp (Juntendo Univ Med
>> School) whose ISP is cwidc.net and the DNS server ns03.cwidc.net
>> (154.33.17.212) is the one in spamhaus.org which they say is hosting a 
>> long time spammer.  
>> http://www.spamhaus.org/sbl/sbl.lasso?query=SBL17240
>
>> Does URI checking really need to be so thorough?  Obviously there must 
>> be some bias at spamhaus if the big named ISPs don't get their name 
>> servers listed because we know that they provide services to spammers.
>> Any idea on how to limit the scope to just the URI at its face value?
>
>uridnsbl used in the default rule URIBL_SBL does check domain name servers 
>against SBL, but I'm kind of surprised to hear it triggering on email 
>addresses.  It should definitely be checking web sites and the like.  Can you 
>give a sample of the text it hit?  Was it in URI form like:
>
>  mailto://[EMAIL PROTECTED]
>
>That said, I agree that the SBL listings are at times overbroad.
>Name servers for gov.ru and spb.ru for example are listed (ns.rtcomm.ru and 
>ns1.relcom.ru respectively).  Listings like those can cause false positives, 
>and I personally object to deliberately harming innocent bystanders to 
>"pressure" ISPs.
>
>Jeff C.
>--
>Jeff Chan
>mailto:[EMAIL PROTECTED]
>http://www.surbl.org/
>
>
        Spamhaus does sometimes "escalate" against companies that ignore
issues for a long time; but this isn't one of those cases.  Here the listing
is:
http://www.spamhaus.org/SBL/sbl.lasso?query=SBL17240
which covers exactly one IP 154.33.17.212/32 and gives a good reason for it.

        This is similar to when I had a friend who bought a cheap hosting
service and was surprised to find out it was blacklisted everywhere - they
hosted spammers on the same machine.

        To me it looks like a good case for the people at juntendo.ac.jp to
be looking for another company to do their backup DNS or at least request
that the particular server be changed.  Besides, shouldn't a University
be able to provide their own redundant servers (they do have a legacy class
'B' net to themselves)?

        Sorry, we usually agree (I like that SURBLs try for zero FPs, but
every blacklist has a different goal and a different target, and this site
fits Spamhaus' stated objectives exactly).  BTW, did you notice that the
owner of the SBL'd site is "Cable and Wireless" - so it is not quite true
that Spamhaus lets "big" companies get away with anything as someone else
implied earlier.

        I have no idea why I'm always defending all sorts of people.

        Paul Shupak
        [EMAIL PROTECTED]
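
The name-server check discussed in this thread, as an added example (not written by any poster and not SpamAssassin's own code): it shows why a domain whose own address is clean still hits when one of its name servers is listed. It runs offline on hard-coded data; only ns03.cwidc.net and 154.33.17.212 come from the thread, while the other hosts, addresses, the sample address and all function names are constructed for illustration.

```python
import ipaddress

ZONE = "sbl.spamhaus.org"  # DNSBL zone; queries are <reversed-ip>.<zone>

# Constructed offline data. Only ns03.cwidc.net / 154.33.17.212 come from the
# thread; the primary name server and the domain's own address are placeholders.
NS_OF = {"juntendo.ac.jp": ["ns-primary.example", "ns03.cwidc.net"]}
A_OF = {
    "juntendo.ac.jp": ["192.0.2.80"],
    "ns-primary.example": ["192.0.2.53"],
    "ns03.cwidc.net": ["154.33.17.212"],
}
LISTED = {"212.17.33.154.sbl.spamhaus.org"}  # the /32 the thread says is listed


def dnsbl_qname(ip, zone=ZONE):
    """Reverse the IPv4 octets and append the zone, as DNSBL lookups do."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def listed_ips(hosts, a_of=A_OF, listed=LISTED):
    """Return (host, ip) pairs whose DNSBL query name is in the listed set."""
    return [(h, ip) for h in hosts for ip in a_of.get(h, [])
            if dnsbl_qname(ip) in listed]


def check_domain(domain, ns_of=NS_OF):
    """Compare a face-value check of the domain with a name-server check."""
    return {
        "face_value": listed_ips([domain]),
        "via_nameservers": listed_ips(ns_of.get(domain, [])),
    }


if __name__ == "__main__":
    # Constructed address; its domain is what ends up being checked.
    address = "someone@juntendo.ac.jp"
    print(check_domain(address.rsplit("@", 1)[1]))
```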
