gmane.mail.spam.rbl.surbl

URL Shortener Abuse Data

Ron Guerin — 2012-03-23T01:20:54

I am making this available in the event it is interesting or useful to
someone.  It is a really rough first effort, and I expect to do
something more useful with it as time goes on.

With the caveat that this should be considered "experimental data", I
have finally begun to publish some abuse data.  This data is presently
re-generated hourly.

http://tighturl.com/tighturl-abuse-ips.csv
http://tighturl.com/tighturl-abuse-domains.csv

The IP addresses are those that have submitted URLs that have been
banned at tighturl.com within the last 7 days.  They are in the format:
  unixtimestamp,IPv4address

The domains are base domains[1] that have been banned from tighturl.com
or have been submitted by currently banned IP addresses within the last
7 days.  They are in the format:
  unixtimestamp,basedomain

I have not found over time that an IP address that submits abuse also
submits non-abuse.

I'm interested in comments or suggestions.

- Ron

[1] Based upon http://www.surbl.org/tld/two-level-tlds and
http://www.surbl.org/tld/three-level-tlds

rbldnsd & IPv6?

Dave Funk — 2012-02-11T23:17:25

Anybody have experience running rbldnsd (serving surbl zones) on
IPv6 addresses?
Clearly the data -in- the zones are IPv4 values but the servers
can communicate using IPv6 addresses.

I'm in the process of a general config refresh & IPv6 deployment
and noticed that the surbl dns servers lists that my copies are in
(a.surb.org & b.surbl.org) only contain IPv4 addrs (A records), no
AAAA records.

So is this just inertial or is there a reason for not listing IPv6
addrs for rbldnsd servers? I did a local test with rbldnsd-0.996b
on SLES11-SP1 and it seems to run/answer on IPv6 just fine.

Dave

Removal request from WS blacklist

Informes — 2011-08-31T07:17:27

Hi,

We've just submitted a removal request for our domain aldaniti.net using 
lookup page in surbl.com.
We send an email with all the information about our company and we 
explain that we do e-mail marketing actively for those who previously 
agreed and accepted to receive this kind of e-mail.

But our domain is still in the blacklist.

Is there anyway to know why are we being listed in ws.surbl.org blacklist?
How long will it take for our domain to be removed from the list?

In case we will be delisted, will there be any email notification?


Regards,
Aldaniti Team.

help please

Design Office — 2011-08-25T12:28:34

I am getting this message from a few recipients

X-Supplementary-Info: < c2bthomr14.btconnect.com #5.2.0 SMTP; 550  
5.7.1 Rejected - listed at SURBL/CURBL>

any suggestions!!


Dean Harvey




Factory Furniture Ltd - specialist street furniture designers and  
manufacturers with in-house production facilities.
FSC Chain of custody certification No.CU-COC-806405. For further  
information on Forestry Stewardship Council certified timbers http://www.fsc-uk.info/

The information in this e-mail and any attachments is confidential and  
is intended for the addressee only. Unless stated to the contrary, any  
opinions or comments are personal to the writer and do not represent  
the official view of Factory Furniture Ltd

SURBL reports on short links that don't exist or aren't blacklisted

Sam Rudge — 2011-08-02T21:16:02

I run the URL shortener dft.ba. SURBL keeps sending out emails to us saying our shortener is being used for spam links. So far I have been sent around 50 of these messages, out of those messages most of them are for links that not only return a 404 error but were never even created in the first place. The other few all point to URLs which, although are correctly identified as spam manually, when querying the domains using the tool at http://www.surbl.org/surbl-analysis (And subsequently the system we use in our site) return as 'not blacklisted'.

Our application integrates with both SURBL and WebOfTrust to get reputation for URLs and automatically removes all links we detect as spammy. But what are we to do when SURBL is informing us and our ISP of URLs that don't exist or are not even blacklisted in SURBL itself. An example of this is

--
Please remove the abused shortner:
http://dft dot ba /-qTY

[etc]
--

This URL has never existed, not 'did exist but has now been deleted' because we don't fully delete things from our database just mark them deleted, this URL has never forwarded to anything other than our 404 page.

Another example of the other behaviour is this
--
Please remove the abused shortner:
http://dft dot ba /-NqD

[etc]
--


This URL did exist (but has now manually been deleted), but forwards to the domain 'li.ru', not blacklisted by SURBL. Trying to access the URL by any methods from our server (CURL, WGET etc.) returns a 500 server error so it looks like the site has blocked us from automatically figuring out where the URLs are redirecting to (I guess on an IP based block, it works from other servers). If SURBL isn't going to blacklist sites why are we being alerted that the link is being abused.

Our web host says SURBL often generates "false positives that should be ignored" but I'm trying to avoid our site getting blacklisted/flagged etc.

Any suggestions?
-Sam

Can we provide feeds?

StopForumSpam Support — 2011-06-29T00:08:48

I run stopforumspam.com and we have started taking honeypot feeds that contain URI data.

Would any of this be of any use to your project?  If you check any of our
listings for a blue hand, then
evidence of forum and blog url spam is available.

keep up the great work :)

surbl listing

Alanna Dukes — 2011-04-13T21:16:21

When sending a delivery test to my seedlist, one of the spam filters
referenced surbl.  Specifically, surbl: [c2FpbHRocnUuY29t].  Does
anyone know what this means?  I did a look-up for all of my company's
IPs and domain and none were listed.  Thanks!

removal does not work!?

Dominic John Rack — 2011-03-15T09:17:59

hi,
 
one of my customers has problems sending email to certain recipients. he
found out, that his domain "seegerundkollegen.de" is listed on surbl which
might be the reason for mails being rejected. i have thoroughly checked the
server and cleaned up all problematic files. there definitely had been
ftp-abuse so we altered all ftp-accounts also. the server is clean and
secure now.
 
we have requested removal from the surbl ph-list about ten days ago - no
effect up to now! the domain is still listed L 
 
what can we do to solve this issue quickly? it is really important to free
this domain!
 
regards.
 
dominic john rack
 
............................................
 
mediatects . media architecture and design

how to contact

Jason DeGraf — 2011-02-15T20:40:35

your whitelist"surbl.org  address does not work

multi.surbl.org.rbldnsd download

Jeff Poling — 2011-01-31T21:19:21

I recently became responsible for our SURBL system.  Last week or firewall changed and the SURBL system had issues with the rsync process.   We corrected the firewall issues, but I am still seeing the following:

You are connected to rsync40

receiving file list ... done
multi.surbl.org.rbldnsd
rsync error: received SIGUSR1 or SIGINT (code 20) at rsync.c(231) rsync error: received SIGUSR1 or SIGINT (code 20) at main.c(965)

I am kind of at a loss as to what is going on. . .any insight is greatly appreciated!

Thanks,

Jeff

SpamAssassin

Eric Lamison — 2011-01-19T16:17:34

I'm using SpamAssassin to test for problems with our email and I'm getting warnings about being on SURBL blacklists. When I do a lookup though, it says the server is not listed. Any suggestions as to what the problem is?

From SpamAssassin:

1.7 URIBL_WS_SURBL         Contains an URL listed in the WS SURBL
blocklist
                           [URIs: logicalwebco.net]
4.5 URIBL_AB_SURBL         Contains an URL listed in the AB SURBL
blocklist
                           [URIs: logicalwebco.net]
1.9 URIBL_JP_SURBL         Contains an URL listed in the JP SURBL
blocklist
                           [URIs: logicalwebco.net]
0.8 URIBL_OB_SURBL         Contains an URL listed in the OB SURBL
blocklist

Thanks,


Eric Lamison

please forwarding to the webmaster: many links arebroken on surbl.org

Martin Schiftan www.blocklist.de — 2010-12-26T23:53:34

Hello,

on the Website there are a lot of Links broken:

http://www.surbl.org/links
-> http://www.surbl.org/nameservers-output.html
-> http://www.surbl.org/datafeed/


http://www.surbl.org/contact
-> Look-Up-Link in the second section refers to http://lookup/


and on all Sites:
-> http://www.surbl.org/public-dns.html


also i have stop to read, the website is to broken and not complete.
Please forwarding this mail to the Webmaster to fix the links and
redirects. Because webmaster< at >surbl.org or a other default address does
not works.

Thanks.

Martin Schiftan
http://www.blocklist.de/en/ Fail2Ban Reporting Service

Новое сообщение

Vovan — 2010-12-13T02:43:16

http://samec.org.ua/

historical data

Likarish, Peter F — 2010-12-01T21:17:40

Hello all,

I'm a member of a university research team looking at identifying malicious content online. We're interested in acquiring a list of all malicious URIs seen in the last 6-8 months. Does SURBL maintain historical data? Is there any way to get access to this data? Please let me know if I need to direct my query elsewhere or if anyone has suggestions. Thanks much,

Peter Likarish

RFC: Changing zone files to wildcarded data format

SURBL Role — 2010-11-23T03:29:13

The proposed change:

In order to more effectively blacklist abused subdomains, we would
like to get feedback on changing the SURBL zone file data format to
use wildcards.  Currently the records look like this canonically:

domain.com  (actual result codes not shown)

For wildcarding under rbldnsd, the record would look like this:

.domain.com

For wildcarding under BIND, the record would expand to two:

*.domain.com
domain.com

The above would be the case if both domain.com and all of its
subdomains were to be listed, which is the equivalent functional case
now.  For the BIND version of the zone file, it would generally mean a
doubling of file size.

In the highly unusual, exceptional case that only an unqualified
domain were to be listed, the future record would look like for both
rbldnsd and BIND:

domain.com

In the new case that a subdomain would be listed, the record would
look like this for both rbldnsd and BIND:

subdomain1.domain.com
subdomain2.domain.com
subdomain3.domain.com



Impact on list data:

This change would allow SURBL to list more compromized subdomains of
otherwise legitimate sites without impacting the unqualified domain.
As a result, this could lead to more complete coverage of cracked
domains and abused hosts and facilitate better detection of
unsolicited messages that mention such sites.

Currently SURBL does list some abused subdomains, but only for a
relatively limited number of major hosts such as sites at Microsoft,
Google, Yahoo, etc.  This change would potentially allow any subdomain
to be listed.



Application support of subdomain handling:

To support the checking of subdomains, applications using SURBL data
would need to be modified to send the fully qualified domain to the
DNS resolver, assuming the typical DNS query method of lookup were
used.  Due to the wildcarding of domains generally, the change in
applications to support subdomains could be a simple as not reducing
domains down to their registered (unqualified) level, i.e., just
sending all fully-qualified domains and letting the wildcard in the
DNS zone match them.

In a sense this makes the design of the SURBL applications simpler
since they would no longer need to reduce domains.  For example the
two- and three-level-tld lookup tables would no longer need to be
used, simplifying operations somewhat.



Impact on existing nameservers:

The last time this subject was raised, the recalled conclusion was
that caching in nameservers would not be adversely affected since
wildcarded responses are treated correctly in cache for both rbldnsd
and BIND.  It would be good to get a confirmation of this, otherwise
there could be performance or resource impacts in nameservers.

Another potential impact is that BIND zone files would be
approximately twice as large as they are presently since BIND doesn't
support a singular, combined record type for a wildcarded subdomain
and its parent domain, unlike rbldnsd.  (See the examples above.) This
could increase zone file transfer or rsync times for example.  This
could also increase BIND resource utilization.

Most nameservers use rbldnsd, however.  rbldnsd systems may be less
affected.  The impact on rbldnsd zone file size is much less than the
doubling in BIND, for example.



Other impacts:

One less obvious issue is that a change in zone file format could
adversely impact applications that use the zone file not in a
nameserver.  For example reading the data into a database may require
that some filtering be added in order to remove the leading dot, or to
identify the records differently in the database.  They may also need
to handle subdomains more generally or in a different way than they
currently do.

Applications in general may need to be updated to take advantage of
the proposed subdomain data.  On the other hand, this change should be
backward compatible in that wildcarded domains would continue to match
queries reduced under the original (current) paradigm.  In other words
unmodified applications should continue to work as before, with the
downside that they would not detect subdomains handled the new way.

What other impacts could there be?  What other changes would be needed?

Would the added subdomain listing capability justify the various
impacts, particularly on application design?



Request for comments:

Given the potential impacts, it seems prudent to ask for comments on
the proposed change.  Feedback is welcomed.



Additional examples:

For a full domain owned by the bad guy the listing would be:

.badguy.com  (rbldnsd)

*.badguy.com (BIND)
badguy.com (BIND)


For a cracked subdomain, the listing would be:

cracked.legitimate.com


legitimate.com would not be listed.



domain.com would almost never be listed in the rbldnsd file, but
almost always in BIND.

domain.com would usually not be listed for a cracked file, except in
the very unusual case
that these were bad:

domain.com (unqualified)
subdomain1.domain.com
subdomain2.domain.com

but this was good:

NOTLISTED.domain.com (which would not be listed)

Phishtank Data and SURBL?

Johnson, Ken — 2010-10-21T14:26:10

We have been having an increase in the number of phishing messages that slip through our antispam solution. We currently use Can-IT which includes an instance of SpamAssasin which has active scanning on for SURBL.

We recognize that no current solution is going to be 100% effective - however one of the most recent phishing messages that got through was for a link which appeared to already be in phishtank.com data (see http://www.phishtank.com/phish_detail.php?phish_id=1068849)

We had been working to see if we could incorporate phishtank.com data in the Can-IT environment to add one more source of blocks for these messages to plug some more holes when we noticed per http://www.phishtank.com/friends.php that SURBL appeared to already be listed as using (in some way) phishtank data.

We presumed that http://www.surbl.org/lists.html#ph probably used it - but tests seem to have test messages with that url receiving no points inbound.

Further testing on the SURBL lookup returned that w3t.org wasn't listed (which makes sense as the underlying url above is a shortener so it's only the extended url that is listed in phishtank and worth flagging on - does SURBL only accept root domains for listing?

Basically we're just trying to figure out if this is a config error on our part or a misunderstanding on our part of how SURBL uses phishtank.com data and/or classifies reported phishing sites and subdirectories in the first place.

Thanks in advance for any insight!

Ken Johnson
Information Technology
LeTourneau University

Phishtank Data and SURBL?

Johnson, Ken — 2010-10-21T14:26:10

We have been having an increase in the number of phishing messages that slip through our antispam solution. We currently use Can-IT which includes an instance of SpamAssasin which has active scanning on for SURBL.

We recognize that no current solution is going to be 100% effective - however one of the most recent phishing messages that got through was for a link which appeared to already be in phishtank.com data (see http://www.phishtank.com/phish_detail.php?phish_id=1068849)

We had been working to see if we could incorporate phishtank.com data in the Can-IT environment to add one more source of blocks for these messages to plug some more holes when we noticed per http://www.phishtank.com/friends.php that SURBL appeared to already be listed as using (in some way) phishtank data.

We presumed that http://www.surbl.org/lists.html#ph probably used it - but tests seem to have test messages with that url receiving no points inbound.

Further testing on the SURBL lookup returned that w3t.org wasn't listed (which makes sense as the underlying url above is a shortener so it's only the extended url that is listed in phishtank and worth flagging on - does SURBL only accept root domains for listing?

Basically we're just trying to figure out if this is a config error on our part or a misunderstanding on our part of how SURBL uses phishtank.com data and/or classifies reported phishing sites and subdirectories in the first place.

Thanks in advance for any insight!

Ken Johnson
Information Technology
LeTourneau University

portion of my domain name is List

David Fletcher (SAN — 2010-10-13T18:09:06

Hello,

My domain is Sandestin.com.  We are having some issues of our emails being blocked as spam.  The message is 552 tin.com found in SURBL: Blocked, tin.com on lists [ws], See: http://www.surbl.org/lists.html.   My domain isn't on the lookup but tin.com.  Where do you think this issue lies?  Is it SURBL or the spam filtering that is using surbl?

David Fletcher
I.T. Dept

Rejected content by multi.surbl.org

Shattuck, Will — 2010-07-16T19:52:14

Hi all,

 

One of my users sent email someone and received a rejected notice. Here
it is:

 

    host mx01.lastspam.com[64.15.150.3] said: 550-5.7.1 rejected
content, 

    black listed 2010.In by multi.surbl.org. #762 #895
(m6F1MY037314479000)

 

The attachments being sent were a 38 KB Excel file, and 1 MB PowerPoint.

 

I understand that SURBL checks for websites and URLs inside the email,
but I can't seem to find anything about SURBL lists rejecting content.
I'm inquiring as we need to make sure these attachments get to the
recipient.

 

Thanks,

 

Will

Detail information for listing / Removal request

2010-07-12T14:14:16

Hello,

is there any page i can verify the source mails or urls which has led to the listing of the domain "ncsrv.de" at SURBL? 

This domain is used as a alternative url for almost every server in our network (server1 ... server99999.ncsrv.de), so websites are available even no customer domain is routed on the certain server. 

We use this domain also as internal identifier, also included in the host name configuration.

As you will understand a full control over every URL used in unsolicited messages is almost impossible because we have a lot of root systems, so we can not shut down every listed URLs immediately.

Is there a possibility to check for new entries at SURBL automatically so we can respond to that issue?

Thanks,
Rafael

How to delist from the SURBL list?

SnipURL Editor — 2010-06-30T03:23:15

Hi,

I have tried to send an email from the Lookup page, but that email is bouncing.

What am I missing? Whom can I contact to get my IP unlisted, given
that it's now been a month since it's been wrongly put in the list?

Thanks
Shanx