Posted to users@spamassassin.apache.org by Kenneth Porter <sh...@sewingwitch.com> on 2004/07/21 01:02:56 UTC

SURBL tags Logwatch reports

I use Logwatch (http://logwatch.org/) to get nightly dumps of the 
"interesting" parts of my Linux logs. Today's report was tagged by SA 
3.0pre2 because the mailserver part listed several URI's in SURBL's:

 1.1 BIZ_TLD                URI: Contains a URL in the BIZ top-level domain
 1.3 URIBL_SBL              Contains a URL listed in the SBL blocklist
                            [URIs: detailpills.biz rosepharma.biz]
                            [justpharma.biz]
 2.0 URIBL_WS_SURBL         Contains a URL listed in the WS SURBL blocklist
                            [URIs: justpharma.biz]
 1.0 URIBL_OB_SURBL         Contains a URL listed in the OB SURBL blocklist
                            [URIs: detailpills.biz rosepharma.biz]
                            [justpharma.biz]

Extract from the problem report:

> Unresolved sender domains:
>     Industry_Leads-B@justpharma.biz: 1 Time(s)
>     Industry_Leads-SL@detailpills.biz: 1 Time(s)
>     abuse@gov.us: 1 Time(s)
>     garthmosleyld@emaxtel.pl: 1 Time(s)
>     newsletter-J@rosepharma.biz: 1 Time(s)
>
> 	Total:  5

Is whitelisting my only recourse here or is there some more elegant and 
general solution?

If I do whitelist this, how long would it be before spammers start forging 
this address and subject line?

> From: root <ro...@example.com>
> To: root@example.com
> Subject: LogWatch for example.com


Re: SURBL tags Logwatch reports

Posted by Loren Wilton <lw...@earthlink.net>.
Mailing lists like this one have known headers and sources, so can be caught
in procmail and bypassed around SA pretty easily.  Local stuff you could
probably likewise set up to bypass things pretty easily.

A spammer *might* try to get spam through by faking it out as list mail from
sa-talk, but that would be one ballsy spammer.  And a little tweaking on the
rule would end up with that trick not working anyway.

        Loren


----- Original Message ----- 
From: "Kenneth Porter" <sh...@sewingwitch.com>
To: "SpamAssassin Users" <sp...@incubator.apache.org>
Sent: Tuesday, July 20, 2004 4:43 PM
Subject: Re: SURBL tags Logwatch reports


> --On Tuesday, July 20, 2004 4:26 PM -0700 Jeff Chan <je...@surbl.org> wrote:
>
> > The correct answer is to *not process* your spam-fighting mailing
> > list messages, log messages, or anything else that might
> > legitimately mention spammer domains with SpamAssassin.
>
> That makes sense, but how do I accurately identify those messages so that
> they evade the processing without letting forged mail through?
>


Re: SURBL tags Logwatch reports

Posted by Kenneth Porter <sh...@sewingwitch.com>.
--On Tuesday, July 20, 2004 4:26 PM -0700 Jeff Chan <je...@surbl.org> wrote:

> The correct answer is to *not process* your spam-fighting mailing
> list messages, log messages, or anything else that might
> legitimately mention spammer domains with SpamAssassin.

That makes sense, but how do I accurately identify those messages so that 
they evade the processing without letting forged mail through?

Re: SURBL tags Logwatch reports

Posted by Jeff Chan <je...@surbl.org>.
On Tuesday, July 20, 2004, 4:02:56 PM, Kenneth Porter wrote:
> I use Logwatch (http://logwatch.org/) to get nightly dumps of the 
> "interesting" parts of my Linux logs. Today's report was tagged by SA 
> 3.0pre2 because the mailserver part listed several URI's in SURBL's:

>  1.1 BIZ_TLD                URI: Contains a URL in the BIZ top-level domain
>  1.3 URIBL_SBL              Contains a URL listed in the SBL blocklist
>                             [URIs: detailpills.biz rosepharma.biz]
>                             [justpharma.biz]
>  2.0 URIBL_WS_SURBL         Contains a URL listed in the WS SURBL blocklist
>                             [URIs: justpharma.biz]
>  1.0 URIBL_OB_SURBL         Contains a URL listed in the OB SURBL blocklist
>                             [URIs: detailpills.biz rosepharma.biz]
>                             [justpharma.biz]

> Extract from the problem report:

>> Unresolved sender domains:
>>     Industry_Leads-B@justpharma.biz: 1 Time(s)
>>     Industry_Leads-SL@detailpills.biz: 1 Time(s)
>>     abuse@gov.us: 1 Time(s)
>>     garthmosleyld@emaxtel.pl: 1 Time(s)
>>     newsletter-J@rosepharma.biz: 1 Time(s)
>>
>>       Total:  5

> Is whitelisting my only recourse here or is there some more elegant and 
> general solution?

The correct answer is to *not process* your spam-fighting mailing
list messages, log messages, or anything else that might
legitimately mention spammer domains with SpamAssassin.

FWIW I whitelisted logwatch.org in SURBLs, meaning logwatch.org
itself will never appear in SURBLs.

Jeff C.
-- 
Jeff Chan
mailto:jeffc@surbl.org
http://www.surbl.org/
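
One way to approach the question raised in the thread (telling a genuine local report from a forgery before bypassing SpamAssassin), as an added example that is not from any poster: besides the From and Subject shown above, require that every Received header records a hop on the local host, since mail arriving over SMTP gets a Received header with the peer's real address. The Received formats, the host name mail.example.com and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed local values: the thread shows only this sender and subject.
LOCAL_SENDER = "root@example.com"
SUBJECT_PREFIX = "LogWatch for "
LOCAL_IPS = {"127.0.0.1", "::1"}
# sendmail-style record of a message submitted on the host itself.
LOCAL_SUBMIT = re.compile(r"\(from \S+@localhost\)\s+by\s", re.I)
# Any bracketed address literal (HELO literal or connecting peer).
ADDR = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")

def hop_is_local(received):
    """True if a Received header records a hop that never left this host."""
    value = " ".join(received.split())  # unfold continuation lines
    if LOCAL_SUBMIT.match(value):
        return True
    ips = ADDR.findall(value)
    # Every address must be loopback, so a HELO of [127.0.0.1] is not enough.
    return bool(ips) and all(ip in LOCAL_IPS for ip in ips)

def is_local_logwatch(raw):
    """May this message skip SpamAssassin as a locally generated report?"""
    msg = message_from_string(raw)
    hops = msg.get_all("Received", [])
    return (parseaddr(msg.get("From", ""))[1].lower() == LOCAL_SENDER
            and msg.get("Subject", "").startswith(SUBJECT_PREFIX)
            and bool(hops) and all(hop_is_local(h) for h in hops))

HEADERS = ("From: root <root@example.com>\nTo: root@example.com\n"
           "Subject: LogWatch for example.com\n\nbody\n")
# Constructed samples: local submission, then the same headers sent over SMTP.
GENUINE = ("Received: from localhost (localhost [127.0.0.1])\n"
           "\tby mail.example.com with ESMTP id TEST1\n"
           "Received: (from root@localhost)\n"
           "\tby mail.example.com id TEST0\n" + HEADERS)
FORGED = ("Received: from [127.0.0.1] (unknown [203.0.113.7])\n"
          "\tby mail.example.com with SMTP id TEST2\n"
          "Received: (from root@localhost) by mail.example.com id FAKE\n" + HEADERS)

if __name__ == "__main__":
    print(is_local_logwatch(GENUINE), is_local_logwatch(FORGED))
```

The check only holds for Received headers written by your own MTA, so the patterns need adjusting to the format that MTA actually emits.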