Posted to users@spamassassin.apache.org by mouss <us...@free.fr> on 2005/07/06 04:00:19 UTC

surbl miss

The following URL is missed by uribl, even though medsavenow.com is 
listed. Is it because of the "$$"?

<a 
href=3D""http://ar.atwola.com/redir/B0/NIGMELhw-OhjdGRhu9krS8hjdsxhHJMd7aZyBahYZOlB1rRxxNchtg$$/http://medsavenow.com/?name=3Drevup">You 
won't believe our prices! </a>
                                         </h3>


[SA version=3.0.4]



Re: surbl miss

Posted by mouss <us...@free.fr>.
Theo Van Dinter wrote:
> On Wed, Jul 06, 2005 at 12:18:32PM +0200, mouss wrote:
> 
>>In fact, the problem seems to be with quoted-printable, not with the 
>>redirection. Here is an example (reduced to the minimum, and with munged 
>>URI).
> 
> 
> Actually it has nothing to do with quoted-printable.  The spammer put in an
> invalid HTML tag:
> 
> 
>><a href=3D""http://medsavenow-MUNGED.com""> Spam URI here </a>
> 
> 
> Notice the double double-quotes on each end.  So what HTML parsers see is:
> 
> <a href="" [extra crap]>
> 

But if I change the content encoding to plain, it gets detected. In any 
case, there is a parser problem. How to solve this?

Re: surbl miss

Posted by Theo Van Dinter <fe...@apache.org>.
On Wed, Jul 06, 2005 at 12:18:32PM +0200, mouss wrote:
> In fact, the problem seems to be with quoted-printable, not with the 
> redirection. Here is an example (reduced to the minimum, and with munged 
> URI).

Actually it has nothing to do with quoted-printable.  The spammer put in an
invalid HTML tag:

> <a href=3D""http://medsavenow-MUNGED.com""> Spam URI here </a>

Notice the double double-quotes on each end.  So what HTML parsers see is:

<a href="" [extra crap]>

-- 
Randomly Generated Tagline:
You tell 'em cabbage, You've got the head.
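
The behaviour discussed in the two replies above, as an added example that is not part of the original thread and is not SpamAssassin code: it feeds the munged sample line to Python's standard-library HTML parser with and without quoted-printable decoding, and compares the hosts found in `href` values with those found by a raw-text scan. The host regex, the function names and the "7bit" label for the undecoded case are assumptions made for the illustration.

```python
import quopri
import re
from html.parser import HTMLParser

# Constructed sample: the munged body line quoted in the thread, as transmitted.
RAW_BODY = b'<a href=3D""http://medsavenow-MUNGED.com""> Spam URI here </a>\n'

# Deliberately simple host matcher for the demo (assumption, not SpamAssassin's).
HOST_RE = re.compile(r'https?://([A-Za-z0-9.-]+)', re.IGNORECASE)


class HrefCollector(HTMLParser):
    """Collects the href value of every <a> start tag."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [value or "" for name, value in attrs if name == "href"]


def hosts_in(text):
    """Return the sorted, lower-cased hosts of all http(s) URIs in text."""
    return sorted({m.group(1).lower() for m in HOST_RE.finditer(text)})


def analyse(raw_body, transfer_encoding):
    """Return (href values, hosts from hrefs, hosts from a raw-text scan)."""
    if transfer_encoding == "quoted-printable":
        raw_body = quopri.decodestring(raw_body)  # =3D becomes =
    text = raw_body.decode("latin-1")
    parser = HrefCollector()
    parser.feed(text)
    parser.close()
    return parser.hrefs, hosts_in(" ".join(parser.hrefs)), hosts_in(text)


if __name__ == "__main__":
    # "7bit" stands for the undecoded case (assumed label for "plain").
    for encoding in ("quoted-printable", "7bit"):
        hrefs, from_href, from_raw = analyse(RAW_BODY, encoding)
        print(f"{encoding:17} href={hrefs!r} href-hosts={from_href} raw-hosts={from_raw}")
```

With this parser, the decoded tag yields an empty `href` and only the raw-text scan recovers the host, while the undecoded tag keeps the URL inside an unquoted attribute value.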

Re: surbl miss

Posted by mouss <us...@free.fr>.
Raymond Dijkxhoorn wrote:
> 
> That domain is listed for quite some time...
> 
> URIBL_BLACK 3.00, URIBL_JP_SURBL 4.26, URIBL_OB_SURBL 3.21, URIBL_SBL 
> 4.26, URIBL_WS_SURBL 1.46
> 
> But then again, without headers we also don't know much more than you do :)


True!

In fact, the problem seems to be with quoted-printable, not with the 
redirection. Here is an example (reduced to the minimum, and with munged 
URI).


------------------------ spam follows ------------------
Return-Path: <b....@mail2Jeffrey.com>
Delivered-To: none@example.com
Received: (qmail 17110 invoked from network); 5 Jul 2005 23:21:48 -0000
Received: from bgp01053765bgs.stclar01.mi.comcast.net (HELO 
mail2Edwin.com) (68.43.106.2)
	by mrelay5-2.free.fr with SMTP; 5 Jul 2005 23:21:48 -0000
From: "Billie W. Smart" <b....@mail2Jeffrey.com>
Date: Wed, 06 Jul 2005 02:33:02 +0300
MIME-Version: 1.0
To: none@example.com
Subject: Fun againn
Message-ID: <DA...@mail2Jeffrey.com>
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable

<html>
<head>
<body>

<a href=3D""http://medsavenow-MUNGED.com""> Spam URI here </a>

</body>
</html>
-------------------------------------------------


Re: Re: surbl miss

Posted by Raymond Dijkxhoorn <ra...@prolocation.net>.
Hi!

> 3.0.4 finds it fine in my test.  As usual, run with -D:
>
> debug: uri found:
> http://ar.atwola.com/redir/B0/NIGMELhw-OhjdGRhu9krS8hjdsxhHJMd7aZyBahYZOlB1rRxxNchtg$$/http://medsavenow.com/?name=revup
> debug: uri found: http://medsavenow.com/?name=revup
>
> The problem is likely that when the message came in it wasn't listed, but when
> you checked later it was.  Alternately, if the lookup timed out SA wouldn't
> have registered the hit.

That domain is listed for quite some time...

URIBL_BLACK 3.00, URIBL_JP_SURBL 4.26, URIBL_OB_SURBL 3.21, URIBL_SBL 
4.26, URIBL_WS_SURBL 1.46

But then again, without headers we also don't know much more than you do :)

Bye,
Raymond.

Re: surbl miss

Posted by Theo Van Dinter <fe...@apache.org>.
On Wed, Jul 06, 2005 at 04:00:19AM +0200, mouss wrote:
> The following URL is missed by uribl, even though medsavenow.com is 
> listed. Is it because of the "$$"?

3.0.4 finds it fine in my test.  As usual, run with -D:

debug: uri found:
http://ar.atwola.com/redir/B0/NIGMELhw-OhjdGRhu9krS8hjdsxhHJMd7aZyBahYZOlB1rRxxNchtg$$/http://medsavenow.com/?name=revup
debug: uri found: http://medsavenow.com/?name=revup

The problem is likely that when the message came in it wasn't listed, but when
you checked later it was.  Alternately, if the lookup timed out SA wouldn't
have registered the hit.

-- 
Randomly Generated Tagline:
"A side impact by a bicycle totaled my Dauphine after only one year." 
         - Unknown about the Renault Dauphine