Posted to users@spamassassin.apache.org by Bill Landry <bi...@inetmsg.com> on 2011/03/08 20:58:13 UTC

The one year anniversary of the Spamhaus DBL brings a new zone

FYI: "Spamhaus created a new "URL shortener/redirector" zone in the 
DBL."  See:

    http://www.spamhaus.org/news.lasso?article=667

Will Spamassassin be adding support for this new DBL 
shortener/redirector response code?:

    127.0.1.3 spammed redirector domain

For details, see:

    http://www.spamhaus.org/faq/answers.lasso?section=Spamhaus%20DBL#291

Regards,

Bill

Re: The one year anniversary of the Spamhaus DBL brings a new zone

Posted by "Lawrence @ Rogers" <la...@nl.rogers.com>.
On 08/03/2011 5:12 PM, Yet Another Ninja wrote:
> On 2011-03-08 21:24, Darxus@chaosreigns.com wrote:
>> Looks like that would be something like this?
>>
>> urirhssub       URIBL_DBL_REDIRECTOR   dbl.spamhaus.org.       A   127.0.1.3
>> body            URIBL_DBL_REDIRECTOR   eval:check_uridnsbl('URIBL_DBL_SPAM')
>> describe        URIBL_DBL_REDIRECTOR   Contains a URL listed in the DBL as a spammed redirector domain
>> tflags          URIBL_DBL_REDIRECTOR   net domains_only
>> score           URIBL_DBL_REDIRECTOR   0.1
>>
>>
>> Anybody know of a domain that hits this?
>>
>
> tried to post a list of the domains but Apache's infra rejected it with:
>
> Delivery to the following recipient failed permanently:
>
>      users@spamassassin.apache.org
>
> Technical details of permanent failure:
> Google tried to deliver your message, but it was rejected by the 
> recipient domain. We recommend contacting the other email provider for 
> further information about the cause of this error. The error that the 
> other server returned was: 552 552 spam score (13.3) exceeded 
> threshold 
> (FREEMAIL_FROM,RCVD_IN_DNSWL_LOW,SPF_PASS,T_SURBL_MULTI1,T_SURBL_MULTI2,T_TO_NO_BRKTS_FREEMAIL,T_URIBL_BLACK_OVERLAP,URIBL_AB_SURBL,URIBL_BLACK,URIBL_JP_SURBL,URIBL_PH_SURBL,URIBL_WS_SURBL 
> (state 18).
>
>
> pretty amazing...
>
How so? You posted a list of spam domains, and SpamAssassin picked up on 
them. Why not try making them a bit mangled like

www dot crappydomain dot com

??

Regards,
Lawrence

Re: The one year anniversary of the Spamhaus DBL brings a new zone

Posted by Yet Another Ninja <ax...@gmail.com>.
On 2011-03-08 21:24, Darxus@chaosreigns.com wrote:
> Looks like that would be something like this?
>
> urirhssub       URIBL_DBL_REDIRECTOR   dbl.spamhaus.org.       A   127.0.1.3
> body            URIBL_DBL_REDIRECTOR   eval:check_uridnsbl('URIBL_DBL_SPAM')
> describe        URIBL_DBL_REDIRECTOR   Contains a URL listed in the DBL as a spammed redirector domain
> tflags          URIBL_DBL_REDIRECTOR   net domains_only
> score           URIBL_DBL_REDIRECTOR   0.1
>
>
> Anybody know of a domain that hits this?
>

tried to post a list of the domains but Apache's infra rejected it with:

Delivery to the following recipient failed permanently:

      users@spamassassin.apache.org

Technical details of permanent failure:
Google tried to deliver your message, but it was rejected by the 
recipient domain. We recommend contacting the other email provider for 
further information about the cause of this error. The error that the 
other server returned was: 552 552 spam score (13.3) exceeded threshold 
(FREEMAIL_FROM,RCVD_IN_DNSWL_LOW,SPF_PASS,T_SURBL_MULTI1,T_SURBL_MULTI2,T_TO_NO_BRKTS_FREEMAIL,T_URIBL_BLACK_OVERLAP,URIBL_AB_SURBL,URIBL_BLACK,URIBL_JP_SURBL,URIBL_PH_SURBL,URIBL_WS_SURBL 
(state 18).


pretty amazing...

Re: The one year anniversary of the Spamhaus DBL brings a new zone

Posted by Da...@chaosreigns.com.
On 03/08, Lawrence @ Rogers wrote:
> eval:check_uridnsbl('URIBL_DBL_REDIRECTOR')

Thanks.  Looks like the way to go about getting this in SA is opening a bug
to get it tested via mass checks, so I did:

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6550

-- 
"Force, my friends, is violence; the supreme authority
from which all other authority is derived."
- Michael Ironside, Starship Troopers
http://www.ChaosReigns.com

Re: The one year anniversary of the Spamhaus DBL brings a new zone

Posted by "Lawrence @ Rogers" <la...@nl.rogers.com>.
On 08/03/2011 4:54 PM, Darxus@chaosreigns.com wrote:
> Looks like that would be something like this?
>
> urirhssub       URIBL_DBL_REDIRECTOR   dbl.spamhaus.org.       A   127.0.1.3
> body            URIBL_DBL_REDIRECTOR   eval:check_uridnsbl('URIBL_DBL_SPAM')
> describe        URIBL_DBL_REDIRECTOR   Contains a URL listed in the DBL as a spammed redirector domain
> tflags          URIBL_DBL_REDIRECTOR   net domains_only
> score           URIBL_DBL_REDIRECTOR   0.1
>
>
> Anybody know of a domain that hits this?
>
Close.

I believe that you should be using this

eval:check_uridnsbl('URIBL_DBL_REDIRECTOR')

Instead of this

eval:check_uridnsbl('URIBL_DBL_SPAM')

So the correct rule would be

urirhssub       URIBL_DBL_REDIRECTOR   dbl.spamhaus.org.       A   127.0.1.3
body            URIBL_DBL_REDIRECTOR   eval:check_uridnsbl('URIBL_DBL_REDIRECTOR')
describe        URIBL_DBL_REDIRECTOR   Contains a URL listed in the DBL as a spammed redirector domain
tflags          URIBL_DBL_REDIRECTOR   net domains_only
score           URIBL_DBL_REDIRECTOR   0.1

Regards,
Lawrence

Re: The one year anniversary of the Spamhaus DBL brings a new zone

Posted by Da...@chaosreigns.com.
Looks like that would be something like this?

urirhssub       URIBL_DBL_REDIRECTOR   dbl.spamhaus.org.       A   127.0.1.3
body            URIBL_DBL_REDIRECTOR   eval:check_uridnsbl('URIBL_DBL_SPAM')
describe        URIBL_DBL_REDIRECTOR   Contains a URL listed in the DBL as a spammed redirector domain
tflags          URIBL_DBL_REDIRECTOR   net domains_only
score           URIBL_DBL_REDIRECTOR   0.1


Anybody know of a domain that hits this?

-- 
"The price of freedom is the willingness to do sudden battle, anywhere,
at any time, and with utter recklessness." - Robert A. Heinlein
http://www.ChaosReigns.com

Re: The one year anniversary of the Spamhaus DBL brings a new zone

Posted by Yet Another Ninja <ax...@gmail.com>.
On 2011-03-08 22:12, Warren Togami Jr. wrote:
> On 3/8/2011 9:58 AM, Bill Landry wrote:
>> FYI: "Spamhaus created a new "URL shortener/redirector" zone in the
>> DBL." See:
>>
>> http://www.spamhaus.org/news.lasso?article=667
>>
>> Will Spamassassin be adding support for this new DBL
>> shortener/redirector response code?:
>>
>> 127.0.1.3 spammed redirector domain
>>
>> For details, see:
>>
>> http://www.spamhaus.org/faq/answers.lasso?section=Spamhaus%20DBL#291
>>
>> Regards,
>>
>> Bill
>
> OK, so this is meant to be used as a URIBL. I don't see this as anything
> special because there is no way to query the pathname portion of a URI
> which would allow more fine-grained detection of spammy URI's even on a
> non-evil shortening service.

it's nothing more than what it says it is.

> Is this new DBL return code meant to be a lower score than ordinary
> URIBL's that often choose to list evil shortener domains?

I'd say, depends on your traffic.

> My point is  this is no different than an ordinary URIBL listing.
nope.. just a separate return code for a small data subset.



Re: The one year anniversary of the Spamhaus DBL brings a new zone

Posted by "Warren Togami Jr." <wt...@gmail.com>.
On 3/8/2011 9:58 AM, Bill Landry wrote:
> FYI: "Spamhaus created a new "URL shortener/redirector" zone in the
> DBL." See:
>
> http://www.spamhaus.org/news.lasso?article=667
>
> Will Spamassassin be adding support for this new DBL
> shortener/redirector response code?:
>
> 127.0.1.3 spammed redirector domain
>
> For details, see:
>
> http://www.spamhaus.org/faq/answers.lasso?section=Spamhaus%20DBL#291
>
> Regards,
>
> Bill

OK, so this is meant to be used as a URIBL.  I don't see this as 
anything special because there is no way to query the pathname portion 
of a URI which would allow more fine-grained detection of spammy URI's 
even on a non-evil shortening service.

Is this new DBL return code meant to be a lower score than ordinary 
URIBL's that often choose to list evil shortener domains?  My point is 
this is no different than an ordinary URIBL listing.

Warren

Re: The one year anniversary of the Spamhaus DBL brings a new zone

Posted by Adam Katz <an...@khopis.com>.
On 03/08/2011 01:46 PM, Yet Another Ninja wrote:
> I'll never grasp why one would use one of those in mail.

Many shortened links allow you to anonymously track click-throughs
(clicks-through?), e.g. adding a plus sign to any bit.ly or j.mp URI
will bring anybody to the stats (and target) of the link.

Marketing emailers love using obfuscated URI redirectors to track users.
 I've always been confused about why the resulting tracking links are so
enormously long.

There are still plenty of email and IM clients out there that fail to
properly wrap enormously long URIs (such as google maps links).  I'm
actually surprised google doesn't use goo.gl or whatever for the "Link"
button in that interface.

I can't remember the last time I sent somebody a non-shortened link that
was over 150 characters.

> I thought there was consensus to educate users *not* to visit links 
> they don't know and now we hear that something which hides potential
> danger is ok to be used?

The conscious effort to educate users about the targets of their links
is for phish rather than things that are introduced as new.


Re: The one year anniversary of the Spamhaus DBL brings a new zone

Posted by Rob McEwen <ro...@invaluement.com>.
On 3/8/2011 4:46 PM, Yet Another Ninja wrote:
> I'll never grasp why one would use one of those in mail. 

Many legitimate social networks auto-generate shortened URLs. These then
get copied into e-mails... sometimes in automated ways, sometimes via
people copying a twitter post (or whatever) and then pasting that into
an e-mail.

Therefore, many of these make it into e-mails desired by recipients.

At the same time, many of these URL shortening services are highly
abused. For a while now, many of the most abused shorteners didn't have
a very large footprint in legitimate mail. And the more legitimate
services may have seemed to have much abuse, but really had a small
amount in comparison to their legitimate uses. This made decisions to
blacklist not that particularly difficult.

As I understand it, what has occurred more recently is that some of the
services which have a larger number of legitimate uses have had
increasing amounts of abuse. In some cases, it seemed as though the
abuse was flagrant... almost like the service felt it was "too big to
list"... or maybe even was working with the spammers as partners in
crime. Of course, I'm painting with broad strokes and not specifically
mentioning any providers... but I think that is the context for
understanding why SpamHaus felt that it was necessary to get more
aggressive with blacklisting some of these services, even if some of
those domains are found in legitimate e-mails.

Now, with this other new zone, I think that Joseph Brennan when he
stated that he could use this for scoring instead of blocking... for
those redirectors which are heavily abused but have legit uses as well.

-- 
Rob McEwen
http://dnsbl.invaluement.com/
rob@invaluement.com
+1 (478) 475-9032


Re: The one year anniversary of the Spamhaus DBL brings a new zone

Posted by Yet Another Ninja <ax...@gmail.com>.
On 2011-03-08 22:28, Joseph Brennan wrote:
>
>> http://www.spamhaus.org/faq/answers.lasso?section=Spamhaus%20DBL#291
>
>
> quote,
>
>> One way to address this problem would have been to treat URL shortener
>> domains the same way as any other spammed domain and include them in our
>> main DBL zone. But, as mentioned, most of these URL shortener serve a
>> legitimate purpose and are used in non-spam emailings. Spamhaus has
>> always worked to avoid the blocklisting of assets that would cause
>> unjustified false positives.

I'll never grasp why one would use one of those in mail.
I thought there was consensus to educate users *not* to visit links they 
don't know and now we hear that something which hides potential danger 
is ok to be used?

>
> In fact Spamhaus *has* been treating them the same as other domains,
> and causing false positives on shorteners widely used for legitimate
> purposes, such as bit.ly, tinyurl.com, fly2.ws, and is.gd.

ever thought of doing uridnsbl_skip_domain for those "Open Relay 2.0" you 
consider "legitimate"?

> But they've been doing it on the IP-based SBL, not the domain name
> list. I hope the IP blocks for shorteners will stop. It's degraded
> the quality of SBL, which in the past was so accurate on spammer-owned
> hosts that we were willing to 550 based on a match.

> I could see scoring for shorteners. So this is good news.

As soon as this data is widespread, they won't be abused any longer and 
new smaller sites will take over. In fact, they already are.

At the moment it's owl.ly and durl.me being massively hammered. As soon 
as they get their homework done, it'll be someone else.





Re: The one year anniversary of the Spamhaus DBL brings a new zone

Posted by Joseph Brennan <br...@columbia.edu>.
>     http://www.spamhaus.org/faq/answers.lasso?section=Spamhaus%20DBL#291


quote,

> One way to address this problem would have been to treat URL shortener
> domains the same way as any other spammed domain and include them in our
> main DBL zone. But, as mentioned, most of these URL shortener serve a
> legitimate purpose and are used in non-spam emailings. Spamhaus has
> always worked to avoid the blocklisting of assets that would cause
> unjustified false positives.


In fact Spamhaus *has* been treating them the same as other domains,
and causing false positives on shorteners widely used for legitimate
purposes, such as bit.ly, tinyurl.com, fly2.ws, and is.gd.

But they've been doing it on the IP-based SBL, not the domain name
list.  I hope the IP blocks for shorteners will stop.  It's degraded
the quality of SBL, which in the past was so accurate on spammer-owned
hosts that we were willing to 550 based on a match.

I could see scoring for shorteners.  So this is good news.


Joseph Brennan
Columbia University Information Technology


Re: The one year anniversary of the Spamhaus DBL brings a new zone

Posted by Chris Owen <ow...@hubris.net>.
On Mar 8, 2011, at 3:07 PM, Yet Another Ninja wrote:

> Dunno if mirrors are being served the same data atm.. seems so.

My mirror is also commented out.

Chris

--
-------------------------------------------------------------------------
Chris Owen         - Garden City (620) 275-1900 -  Lottery (noun):
President          - Wichita     (316) 858-3000 -    A stupidity tax
Hubris Communications Inc      www.hubris.net
-------------------------------------------------------------------------



Re: The one year anniversary of the Spamhaus DBL brings a new zone

Posted by Yet Another Ninja <ax...@gmail.com>.
On 2011-03-08 22:02, Darxus@chaosreigns.com wrote:
> On 03/08, Yet Another Ninja wrote:
>> http://pastebin.com/CdDPHnTX
>
> It doesn't look like it's working.
>
> $ host dbltest.com.dbl.spamhaus.org
> dbltest.com.dbl.spamhaus.org has address 127.0.1.2
>
> Good.
>
>
> $ host rdrct.us.dbl.spamhaus.org
> Host rdrct.us.dbl.spamhaus.org not found: 3(NXDOMAIN)
>
> $ host access.im.dbl.spamhaus.org
> Host access.im.dbl.spamhaus.org not found: 3(NXDOMAIN)
>
> $ host lx2.net.dbl.spamhaus.org
> Host lx2.net.dbl.spamhaus.org not found: 3(NXDOMAIN)
>
>
> Those last three should be 127.0.1.3, right?
>

as you can see the whole lot is commented out by #
atm, this is the way SH is serving the datafeed subscribers.
I assume we're expected to remove the comments.

also see some domains which aren't cloakers/redirectors:

.110mb.com
.t35.com
.livejournal.com

Dunno if mirrors are being served the same data atm.. seems so.

Re: The one year anniversary of the Spamhaus DBL brings a new zone

Posted by Da...@chaosreigns.com.
On 03/08, Yet Another Ninja wrote:
> http://pastebin.com/CdDPHnTX

It doesn't look like it's working.

$ host dbltest.com.dbl.spamhaus.org
dbltest.com.dbl.spamhaus.org has address 127.0.1.2

Good.


$ host rdrct.us.dbl.spamhaus.org
Host rdrct.us.dbl.spamhaus.org not found: 3(NXDOMAIN)

$ host access.im.dbl.spamhaus.org
Host access.im.dbl.spamhaus.org not found: 3(NXDOMAIN)

$ host lx2.net.dbl.spamhaus.org
Host lx2.net.dbl.spamhaus.org not found: 3(NXDOMAIN)


Those last three should be 127.0.1.3, right?

-- 
"No human thing is of serious importance." - Plato
http://www.ChaosReigns.com
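The `host` checks above and the urirhssub rules earlier in the thread both come down to one mechanism: append the URI's domain to dbl.spamhaus.org and compare the A record against the sub-test's expected 127.0.1.x code, with NXDOMAIN meaning "not listed". The following is an added model of that lookup, not code from SpamAssassin or from anyone on the list; it uses a constructed in-memory resolver (dbltest.com is the documented DBL test entry, the other names are made up) so it runs offline, and it also shows why a rule whose eval names URIBL_DBL_SPAM never fires on a 127.0.1.3 answer.

```python
from typing import Callable, Dict, List, Optional
from urllib.parse import urlparse

DBL_ZONE = "dbl.spamhaus.org"

# urirhssub sub-tests as written in the thread: sub-test name -> exact A record.
SUBTESTS: Dict[str, str] = {
    "URIBL_DBL_SPAM": "127.0.1.2",        # spam domain (dbltest.com answers this)
    "URIBL_DBL_REDIRECTOR": "127.0.1.3",  # spammed redirector domain
}

# Constructed stand-in for DNS so this runs offline; None models NXDOMAIN.
# dbltest.com is the documented DBL test entry; the other names are made up.
FAKE_DNS: Dict[str, Optional[str]] = {
    "dbltest.com.dbl.spamhaus.org": "127.0.1.2",
    "shortener.example.dbl.spamhaus.org": "127.0.1.3",
    "example.com.dbl.spamhaus.org": None,
}

Resolver = Callable[[str], Optional[str]]


def query_name(domain: str) -> str:
    """DBL is keyed by domain name: append the zone, no octet reversal."""
    return f"{domain.lower().rstrip('.')}.{DBL_ZONE}"


def uri_domain(uri: str) -> str:
    """Host part of a URI; scheme-less 'bit.ly/xyz' style links are accepted too."""
    return urlparse(uri if "://" in uri else f"http://{uri}").hostname or ""


def dbl_hits(domain: str, resolve: Resolver) -> List[str]:
    """Sub-tests whose A record equals the DBL answer; [] on NXDOMAIN (not listed)."""
    answer = resolve(query_name(domain))
    if answer is None:
        return []
    if not answer.startswith("127.0.1."):
        # A listing is always inside 127.0.1.0/24; anything else is an error
        # condition (e.g. a refused query), not a hit.
        raise ValueError(f"unexpected DBL answer {answer!r} for {domain}")
    return [name for name, code in SUBTESTS.items() if code == answer]


def rule_fires(eval_target: str, uri: str, resolve: Resolver) -> bool:
    """Model 'body RULE eval:check_uridnsbl(eval_target)': the rule fires only
    when the named sub-test matched, whatever the rule itself is called."""
    return eval_target in dbl_hits(uri_domain(uri), resolve)
```

Swap `FAKE_DNS.get` for a real resolver call to run it against the live zone; the hit logic does not change.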

Re: The one year anniversary of the Spamhaus DBL brings a new zone

Posted by Yet Another Ninja <ax...@gmail.com>.
On 2011-03-08 20:58, Bill Landry wrote:
> FYI: "Spamhaus created a new "URL shortener/redirector" zone in the
> DBL." See:
>
> http://www.spamhaus.org/news.lasso?article=667
>
> Will Spamassassin be adding support for this new DBL
> shortener/redirector response code?:
>
> 127.0.1.3 spammed redirector domain
>
> For details, see:
>
> http://www.spamhaus.org/faq/answers.lasso?section=Spamhaus%20DBL#291
>
> Regards,
>
> Bill

http://pastebin.com/CdDPHnTX