Sam Rudge | 2 Aug 23:16

SURBL reports on short links that don't exist or aren't blacklisted

I run the URL shortener dft.ba. SURBL keeps sending out emails to us saying our shortener is being used for
spam links. So far I have been sent around 50 of these messages; most of them are for
links that not only return a 404 error but were never even created in the first place. The other few all point
to URLs which, although they are correctly identified as spam manually, when querying the domains using the
tool at http://www.surbl.org/surbl-analysis (and subsequently the system we use in our site) return as
'not blacklisted'.

Our application integrates with both SURBL and WebOfTrust to get reputation for URLs and automatically
removes all links we detect as spammy. But what are we to do when SURBL is informing us and our ISP of URLs that
don't exist or are not even blacklisted in SURBL itself? An example of this is:

--
Please remove the abused shortener:
http://dft dot ba /-qTY

[etc]
--

This URL has never existed, not 'did exist but has now been deleted', because we don't fully delete things
from our database, just mark them deleted; this URL has never forwarded to anything other than our 404 page.

Another example of the other behaviour is this:
--
Please remove the abused shortener:
http://dft dot ba /-NqD

[etc]
--

This URL did exist (but has now manually been deleted), but forwards to the domain 'li.ru', not blacklisted

gilles | 2 Aug 23:16

Re: SURBL reports on short links that don't exist or aren't blacklisted

Hello. I am on holiday and will be back in the office on Monday, 15 August 2011. In my absence, please
contact societes <at> jmhsa.ch.

Hello. I am on holiday and will be back in the office on Monday, 15 August. In the meantime, please
contact societes <at> jmhsa.ch.

_______________________________________________
Discuss mailing list
Discuss <at> lists.surbl.org
http://lists.surbl.org/mailman/listinfo/discuss
Ron Guerin | 3 Aug 01:49

Re: SURBL reports on short links that don't exist or aren't blacklisted

Sam Rudge wrote:

> This URL has never existed, not 'did exist but has now been deleted', because we don't fully delete things
> from our database, just mark them deleted; this URL has never forwarded to anything other than our 404 page.
>
> Another example of the other behaviour is this:
> --
> Please remove the abused shortener:
> http://dft dot ba /-NqD
>
> [etc]
> --
>
> This URL did exist (but has now manually been deleted), but forwards to the domain 'li.ru', not
> blacklisted by SURBL. Trying to access the URL by any methods from our server (CURL, WGET etc.) returns a
> 500 server error so it looks like the site has blocked us from automatically figuring out where the URLs are
> redirecting to (I guess on an IP based block, it works from other servers). If SURBL isn't going to
> blacklist sites why are we being alerted that the link is being abused?
>
> Our web host says SURBL often generates "false positives that should be ignored" but I'm trying to avoid
> our site getting blacklisted/flagged etc.
>
> Any suggestions?

I also run a URL shortener (also known as "A dozen lines of PHP to
shorten, and thousands of lines of anti-abuse code"), and have had some
run-ins with blacklists including this one.  So far, I have found SURBL
is the only one of the bunch that wasn't tedious or outright impossible

SURBL Whitelisters | 3 Aug 09:48

Re: SURBL reports on short links that don't exist or aren't blacklisted

On Tue, Aug 2, 2011 at 4:49 PM, Ron Guerin <ron <at> vnetworx.net> wrote:
> Sam Rudge wrote:
>
>> This URL has never existed, not 'did exist but has now been deleted', because we don't fully delete things
>> from our database, just mark them deleted; this URL has never forwarded to anything other than our 404 page.
>>
>> Another example of the other behaviour is this:
>> --
>> Please remove the abused shortener:
>> http://dft dot ba /-NqD
>>
>> [etc]
>> --
>>
>> This URL did exist (but has now manually been deleted), but forwards to the domain 'li.ru', not
>> blacklisted by SURBL. Trying to access the URL by any methods from our server (CURL, WGET etc.) returns a
>> 500 server error so it looks like the site has blocked us from automatically figuring out where the URLs are
>> redirecting to (I guess on an IP based block, it works from other servers). If SURBL isn't going to
>> blacklist sites why are we being alerted that the link is being abused?
>>
>> Our web host says SURBL often generates "false positives that should be ignored" but I'm trying to avoid
>> our site getting blacklisted/flagged etc.
>>
>> Any suggestions?
>
> I also run a URL shortener (also known as "A dozen lines of PHP to
> shorten, and thousands of lines of anti-abuse code"), and have had some
> run-ins with blacklists including this one.  So far, I have found SURBL

Ron Guerin | 4 Aug 00:33

Re: SURBL reports on short links that don't exist or aren't blacklisted

SURBL Whitelisters wrote:
> Perhaps the abusers have code that creates a shortened link but
> doesn't check that it works, and they spam the shortened link anyway
> whether it works or not.

I have found it to be the case that abuse links are most often never
checked to see if they actually work after creation.  I don't really
track hits to disabled redirections, so I'm not speaking from facts now,
but I suspect at least some of the already disabled URLs do in fact get
used even though they'd been disabled long before the actual abuse takes
place.  The kind of attention to detail I see in the abuse (I have one
IP address that I blocked years ago that continually tries to submit
abuse still) would not lead me to conclude they bother checking the URLs
just before use either.

- Ron
Dave Warren | 4 Aug 01:54

Re: SURBL reports on short links that don't exist or aren't blacklisted

On 8/3/2011 3:33 PM, Ron Guerin wrote:
> SURBL Whitelisters wrote:
>> Perhaps the abusers have code that creates a shortened link but
>> doesn't check that it works, and they spam the shortened link anyway
>> whether it works or not.
> I have found it to be the case, that abuse links are most often never
> checked to see if they actually work after creation.  I don't really
> track hits to disabled redirections, so I'm not speaking from facts now,
> but I suspect at least some of the already disabled URLs do in fact get
> used even though they'd been disabled long before the actual abuse takes
> place.  The kind of attention to detail I see in the abuse (I have one
> IP address that I blocked years ago that continually tries to submit
> abuse still) would not lead me to conclude they bother checking the URLs
>   just before use either.
>

This makes sense, given the lack of attention to detail spammers put 
into their craft in general.  Perhaps it would be worthwhile if SURBL's 
(and others') processes included checking pages for 400 error codes 
before sending (automated?) abuse reports?
Lyle Giese | 4 Aug 02:07

Re: SURBL reports on short links that don't exist or aren't blacklisted

On 08/03/11 18:54, Dave Warren wrote:
> On 8/3/2011 3:33 PM, Ron Guerin wrote:
>> SURBL Whitelisters wrote:
>>> Perhaps the abusers have code that creates a shortened link but
>>> doesn't check that it works, and they spam the shortened link anyway
>>> whether it works or not.
>> I have found it to be the case, that abuse links are most often never
>> checked to see if they actually work after creation.  I don't really
>> track hits to disabled redirections, so I'm not speaking from facts now,
>> but I suspect at least some of the already disabled URLs do in fact get
>> used even though they'd been disabled long before the actual abuse takes
>> place.  The kind of attention to detail I see in the abuse (I have one
>> IP address that I blocked years ago that continually tries to submit
>> abuse still) would not lead me to conclude they bother checking the URLs
>>    just before use either.
>>
>
> This makes sense, given the lack of attention to detail spammers put
> into their craft in general.  Perhaps it would be worthwhile if SURBL's
> (and others') processes included checking pages for 400 error codes
> before sending (automated?) abuse reports?
>

Not sure if this is material to this discussion or not.  This morning,
we got some spam with URLs in it that pointed to fake 404 pages, which
then tried to download a trojan exe from yet another site.

This was part of the Federal tax payment rejected (yes I am in the US) 
series that appeared overnight on my mail servers.


Sam Rudge | 4 Aug 09:05

Re: SURBL reports on short links that don't exist or aren't blacklisted

So from my POV as operator of the link shortener, so long as I keep an eye
on things and make sure our protection system is working and reported links
return 404s, I shouldn't really worry about the SURBL notifications too
much?
-Sam

On 4 Aug 2011 01:08, "Lyle Giese" <lyle <at> lcrcomputer.net> wrote:

On 08/03/11 18:54, Dave Warren wrote:
> On 8/3/2011 3:33 PM, Ron Guerin wrote:
>> SURBL Whitelisters...
Not sure if this is material to this discussion or not.  This morning,
we got some spam with URLs in it that pointed to fake 404 pages, which
then tried to download a trojan exe from yet another site.

This was part of the Federal tax payment rejected (yes I am in the US)
series that appeared overnight on my mail servers.

BTW, I routinely click on these as my normal workstation is a linux box
and 99.9% of these target Windoze boxes.

Lyle Giese
LCR Computer Services, Inc.

_______________________________________________
Discuss mailing list
Discuss <at> lists.surbl.org
http:...
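
The triage this thread describes for an abuse report (was the short code ever created, is it already soft-deleted, is its destination listed in SURBL), sketched as an added example; it is not code from dft.ba or from any poster. The `LINKS` store, the function names and the result labels are hypothetical, the registered-domain extraction is a naive last-two-labels simplification, and the lookup assumes the usual DNSBL convention that a listed name resolves to a 127.0.0.x address under multi.surbl.org.

```python
import re
import socket
from urllib.parse import urlsplit

# Constructed sample store: short code -> (destination URL, soft-deleted flag).
LINKS = {
    "abc1": ("http://spam.example/offer", False),
    "abc2": ("http://www.blog.example/post", True),
    "abc3": ("http://www.blog.example/post", False),
}

def parse_reported(line, shortener="dft.ba"):
    """Recover the short code from a de-fanged report line such as
    'http://dft dot ba /-qTY'; return None if it is not our domain."""
    url = re.sub(r"\s+dot\s+", ".", line.strip(), flags=re.I)
    url = re.sub(r"\s+", "", url)
    parts = urlsplit(url)
    if parts.hostname != shortener:
        return None
    return parts.path.lstrip("/") or None

def surbl_listed(host, resolve=socket.gethostbyname, zone="multi.surbl.org"):
    """DNSBL-style lookup: a listed domain resolves under the zone to 127.0.0.x."""
    # Naive registered domain (last two labels); real code needs a public-suffix list.
    base = ".".join(host.lower().rstrip(".").split(".")[-2:])
    try:
        answer = resolve(f"{base}.{zone}")
    except OSError:  # NXDOMAIN and other resolver failures: treated as not listed
        return False
    return answer.startswith("127.")

def triage(line, links=LINKS, resolve=socket.gethostbyname):
    """Classify one reported short URL for the shortener operator."""
    code = parse_reported(line)
    if code is None:
        return "not-our-domain"
    if code not in links:
        return "never-existed"      # code was never created; nothing to remove
    dest, deleted = links[code]
    if deleted:
        return "already-removed"    # soft-deleted record, already serves 404
    host = urlsplit(dest).hostname
    return "remove-listed" if surbl_listed(host, resolve) else "manual-review"
```

The `manual-review` outcome corresponds to the case raised in the first message: a live link whose destination is not listed, so only a human check can confirm the report.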
