Posted to users@spamassassin.apache.org by Matt <mh...@gmail.com> on 2004/10/08 14:43:26 UTC
New blacklist with URI
Hi,
I have a question on the new(ish) scanning that spamassassin does on
URIs. It seems to be working very well for us here, but I have a
question..
Will it catch:
http://www.blah.com/?jj38942
as well as
http://www.blah.com/?34223
We are beginning to notice a lot of e-mails (being marked right now)
coming through with what seems like random characters in them at the
end, and was wondering if a spammer could possibly use this technique
to avoid being detected? ie, just put random characters after the
trailing slash?
Re: New blacklist with URI
Posted by Jeff Chan <je...@surbl.org>.
On Friday, October 8, 2004, 8:01:44 AM, Matt Kettler wrote:
> At 08:43 AM 10/8/2004, Matt wrote:
>>I have a question on the new(ish) scanning that spamassassin does on
>>URIs. It seems to be working very well for us here, but I have a
>>question..
>>Will it catch:
>>
>>http://www.blah.com/?jj38942
>>
>>as well as
>>
>>http://www.blah.com/?34223
> The URI blacklists only check the domain name, not the full target of the link.
> Theoretically, it should also match if the hostname changes, as long as the
> domain+TLD part is the same (ie: foo.blah.com)
> That said I've heard some mumblings the SA 3.0 implementation of domain
> stripping is a bit different than the Mail::SpamCopURI version, and the
> latter matches the SURBL back-end behavior more closely. However, this is
> really a subject for Jeff Chan.
It looks like urirhsbl and urirhssub in SA 3 check gtld domains
at two levels: i.e. host.domain.com and domain.com are both
checked if host.domain.com or blah.blah.blah.host.domain.com
is found in a URI. cctlds (country code top level domains) are
checked at more levels under the control of
RegistrarBoundaries.pm. Please see that code for details.
SpamCopURI may handle these a little differently but in all
cases domains are reduced to their base (registered) domain
and sometimes a level above. The data in the SURBL lists
usually only has the base domains.
Jeff C.
--
Jeff Chan
mailto:jeffc@surbl.org
http://www.surbl.org/
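The reduction described in the reply above, as an added Python sketch (not SpamAssassin's or SpamCopURI's code): the path and query are discarded, the host is cut down to its base domain, and one level above the base is also checked. The function names, the small two-level suffix set and the blacklist entry are constructed for illustration; the real boundary list is the one in RegistrarBoundaries.pm.

```python
from urllib.parse import urlsplit

# Constructed sample of two-level registry suffixes (assumption for this
# example); SpamAssassin's real list lives in RegistrarBoundaries.pm.
TWO_LEVEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}


def host_of(uri):
    """Return the lower-cased hostname of a URI; path and query are dropped."""
    if "://" not in uri:
        uri = "http://" + uri          # bare "www.blah.com/x" as seen in mail bodies
    host = urlsplit(uri).hostname or ""
    return host.rstrip(".").lower()


def lookup_domains(uri):
    """Names to check for one URI: the base (registered) domain, plus one
    level above it when the host has that many labels."""
    labels = host_of(uri).split(".")
    if len(labels) < 2 or all(p.isdigit() for p in labels):
        return []                      # no dotted name, or an IPv4 literal
    base_len = 3 if ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES else 2
    if len(labels) < base_len:
        return []                      # the URI names only a registry suffix
    names = [".".join(labels[-base_len:])]
    if len(labels) > base_len:
        names.append(".".join(labels[-(base_len + 1):]))
    return names


def is_listed(uri, blacklist):
    """True when any lookup name for the URI is in the blacklist set."""
    return any(name in blacklist for name in lookup_domains(uri))


if __name__ == "__main__":
    listed = {"blah.com"}              # constructed blacklist entry
    for uri in ("http://www.blah.com/?jj38942",
                "http://www.blah.com/?34223",
                "anything.anything.more.subdomains.blah.com/anything",
                "http://www.example.org/?blah.com"):
        print(uri, lookup_domains(uri), is_listed(uri, listed))
```

Both URIs from the original question reduce to the same lookup names, so the random suffix after the slash has no effect on the result.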
RE: New blacklist with URI
Posted by "Michele Neylon :: Blacknight Solutions" <mi...@blacknightsolutions.com>.
Matt Kettler wrote:
> Theoretically, it should also match if the hostname changes, as long
> as the domain+TLD part is the same (ie: foo.blah.com)
>
> That said I've heard some mumblings the SA 3.0 implementation
> of domain stripping is a bit different than the
> Mail::SpamCopURI version, and the latter matches the SURBL
> back-end behavior more closely. However, this is really a
> subject for Jeff Chan.
The SURBL data contains domains as far as I can see from looking at our
local copies
M
Mr Michele Neylon
Blacknight Internet Solutions Ltd
Hosting, co-location & domains
http://www.blacknight.ie/
Tel. +353 59 9137101
Re: New blacklist with URI
Posted by Matt Kettler <mk...@evi-inc.com>.
At 08:43 AM 10/8/2004, Matt wrote:
>I have a question on the new(ish) scanning that spamassassin does on
>URIs. It seems to be working very well for us here, but I have a
>question..
>Will it catch:
>
>http://www.blah.com/?jj38942
>
>as well as
>
>http://www.blah.com/?34223
The URI blacklists only check the domain name, not the full target of the link.
Theoretically, it should also match if the hostname changes, as long as the
domain+TLD part is the same (ie: foo.blah.com)
That said I've heard some mumblings the SA 3.0 implementation of domain
stripping is a bit different than the Mail::SpamCopURI version, and the
latter matches the SURBL back-end behavior more closely. However, this is
really a subject for Jeff Chan.
Re: New blacklist with URI
Posted by Keith Hackworth <ke...@rpemail.com>.
It only looks at the domain.
For example, it will catch:
www.blah.com/<anything>
anything.blah.com
anything.anything.more.subdomains.blah.com/anything
Keith
> Hi,
> I have a question on the new(ish) scanning that spamassassin does on
> URIs. It seems to be working very well for us here, but I have a
> question..
>
> Will it catch:
>
> http://www.blah.com/?jj38942
>
> as well as
>
> http://www.blah.com/?34223
>
> We are beginning to notice a lot of e-mails (being marked right now)
> coming through with what seems like random characters in them at the
> end, and was wondering if a spammer could possibly use this technique
> to avoid being detected? ie, just put random characters after the
> trailing slash?
>