Mailing List Archive

phishtank api usage from spamassassin ?
https://phishtank.com/phish_detail.php?phish_id=7691984
https://phishtank.com/phish_detail.php?phish_id=7680788

why is page.link have subdomain tjeking ?, is it marked at sa as a
redirector ?

i consider block all page.link, whois says its hosted by google :/

report it to google phish reports helps nothing

pmc members can get the whole spample if needed
Re: phishtank api usage from spamassassin ? [ In reply to ]
On 8/25/22 16:10, Benny Pedersen wrote:
>
> https://phishtank.com/phish_detail.php?phish_id=7691984
> https://phishtank.com/phish_detail.php?phish_id=7680788
>
> why is page.link have subdomain tjeking ?, is it marked at sa as a
> redirector ?

tjeking?

> i consider block all page.link, whois says its hosted by google :/
go ahead..

> report it to google phish reports helps notning
> pmc members can get the whole spample if needed

SURBL lists based on Phishtank data... no need for further action
Re: phishtank api usage from spamassassin ? [ In reply to ]
Axb wrote on 2022-08-25 17:48:
> On 8/25/22 16:10, Benny Pedersen wrote:
>>
>> https://phishtank.com/phish_detail.php?phish_id=7691984
>> https://phishtank.com/phish_detail.php?phish_id=7680788
>>
>> why is page.link have subdomain tjeking ?, is it marked at sa as a
>> redirector ?
>
> tjeking?

microsoft swiftkey spelling error :)

>> i consider block all page.link, whois says its hosted by google :/
> go ahead..

/var/lib/spamassassin/3.004006/kam_sa-channels_mcgrail_com/KAM_urlshorteners.cf:url_shortener .page.link
/var/lib/spamassassin/3.004006/kam_sa-channels_mcgrail_com/nonKAMrules.cf:util_rb_2tld page.link
/var/lib/spamassassin/3.004006/updates_spamassassin_org/20_aux_tlds.cf:util_rb_2tld page.tl page.link
/var/lib/spamassassin/3.004006/updates_spamassassin_org/25_url_shortener.cf:url_shortener .page.link

how ?

>> report it to google phish reports helps notning
>> pmc members can get the whole spample if needed
>
> SURBL lists based on Phishtank data... no need for further action

surbl list page.link as blocked ?

https://multirbl.valli.org/lookup/page.link.html

how ?
Re: phishtank api usage from spamassassin ? [ In reply to ]
Benny,

Sorry for the top posting.

SURBL doesn’t list that base domain. And please check on the SURBL page not on some third party site that might even be acl’ed.

https://www.surbl.org/surbl-analysis

page.link is NOT listed

SURBL lists the subdomains, and we list many of them. It’s a firebase service and it has been abused for a long time unfortunately.

Your mail is very confusing. With the ‘how?’ Without any further context and false assumptions.

I would also suggest you update to SA4 so some of the items will be handled differently. Such as the 2/3ld entries that are no longer needed for several of the datasources.

With kind regards,
Raymond Dijkxhoorn - SURBL

> On 25 Aug 2022 at 23:27, Benny Pedersen <me@junc.eu> wrote:
>
> Axb wrote on 2022-08-25 17:48:
>>> On 8/25/22 16:10, Benny Pedersen wrote:
>>> https://phishtank.com/phish_detail.php?phish_id=7691984
>>> https://phishtank.com/phish_detail.php?phish_id=7680788
>>> why is page.link have subdomain tjeking ?, is it marked at sa as a redirector ?
>> tjeking?
>
> microsoft swiftkey spelling error :)
>
>>> i consider block all page.link, whois says its hosted by google :/
>> go ahead..
>
> /var/lib/spamassassin/3.004006/kam_sa-channels_mcgrail_com/KAM_urlshorteners.cf:url_shortener .page.link
> /var/lib/spamassassin/3.004006/kam_sa-channels_mcgrail_com/nonKAMrules.cf:util_rb_2tld page.link
> /var/lib/spamassassin/3.004006/updates_spamassassin_org/20_aux_tlds.cf:util_rb_2tld page.tl page.link
> /var/lib/spamassassin/3.004006/updates_spamassassin_org/25_url_shortener.cf:url_shortener .page.link
>
> how ?
>
>>> report it to google phish reports helps notning
>>> pmc members can get the whole spample if needed
>> SURBL lists based on Phishtank data... no need for further action
>
> surbl list page.link as blocked ?
>
> https://multirbl.valli.org/lookup/page.link.html
>
> how ?
>
Re: phishtank api usage from spamassassin ? [ In reply to ]
Benny Pedersen wrote:
> Axb wrote on 2022-08-25 17:48:
>> On 8/25/22 16:10, Benny Pedersen wrote:
>>> i consider block all page.link, whois says its hosted by google :/
>> go ahead..
>
> /var/lib/spamassassin/3.004006/kam_sa-channels_mcgrail_com/KAM_urlshorteners.cf:url_shortener .page.link
> /var/lib/spamassassin/3.004006/kam_sa-channels_mcgrail_com/nonKAMrules.cf:util_rb_2tld page.link
> /var/lib/spamassassin/3.004006/updates_spamassassin_org/20_aux_tlds.cf:util_rb_2tld page.tl page.link
> /var/lib/spamassassin/3.004006/updates_spamassassin_org/25_url_shortener.cf:url_shortener .page.link
>
> how ?

Explicit URI rules always match irrespective of the util_rb_*tld entries
- those only affect DNSBL lookups.

uri FIREBASE_PAGE_LINK /page\.link/

I don't have this particular TLD flagged this way but I do have a number
of others.

-kgd
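
Added example (not part of any post in this thread, and not SpamAssassin's own code): a simplified Python model of how a util_rb_2tld entry changes the name that is queried at a URIBL, which is why SURBL can list page.link subdomains without listing page.link itself. The trimming logic, the sample URL and the LISTED set are constructed assumptions; no DNS query is made.

```python
from urllib.parse import urlsplit

SURBL_ZONE = "multi.surbl.org"  # SURBL's combined lookup zone

# Constructed stand-in for blocklist data: one abused subdomain is listed,
# the base domain page.link is not (as stated in the thread).
LISTED = {"abc123.page.link"}

def trim_domain(host, two_level_tlds):
    """Simplified model (assumption) of the name a URIBL lookup uses.

    Default: TLD plus one label. When the last two labels are declared a
    two-level TLD (util_rb_2tld), one more label is kept, so every
    customer subdomain is looked up separately.
    """
    labels = host.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in two_level_tlds else 2
    return ".".join(labels[-keep:])

def uribl_query(url, two_level_tlds, zone=SURBL_ZONE):
    """Return the DNS name that would be queried for the URL's host."""
    host = urlsplit(url).hostname or ""
    return f"{trim_domain(host, two_level_tlds)}.{zone}"

def is_listed(url, two_level_tlds, listed=LISTED):
    """Offline lookup: would the queried name be found in `listed`?"""
    host = urlsplit(url).hostname or ""
    return trim_domain(host, two_level_tlds) in listed

SAMPLE = "https://abc123.page.link/Xy12"   # constructed URL
NO_2TLD = set()                            # page.link not declared
WITH_2TLD = {"page.link", "page.tl"}       # as in 20_aux_tlds.cf above

if __name__ == "__main__":
    for name, tlds in (("without util_rb_2tld", NO_2TLD),
                       ("with util_rb_2tld", WITH_2TLD)):
        print(name, uribl_query(SAMPLE, tlds), is_listed(SAMPLE, tlds))
```

A uri rule such as the one quoted above is evaluated against the URI text itself and never goes through this trimming step.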
Re: phishtank api usage from spamassassin ? [ In reply to ]
Raymond Dijkxhoorn via users wrote on 2022-08-25 23:45:
> Benny,
>
> Sorry for the top posting.

australians :)

>
> SURBL doesn’t list that base domain. And please check on the SURBL
> page not on some third party site that might even be acl’ed.
>
> https://www.surbl.org/surbl-analysis
>
> PAGE.LINK IS NOT LISTED
>
> SURBL lists the subdomains, and we list many of them. It’s a
> firebase service and it’s abused for a long time unfortunately.

https://page.link/

Invalid Dynamic Link

Requested URL must be a parsable and complete DynamicLink.

If you are the developer of this app, ensure that your Dynamic Links
domain is correctly configured and that the path component of this URL
is valid.

missing abuse report on that page to be useful

like bit.ly have it redirects to https://bitly.com/ :=)

>
> Your mail is very confusing. With the ‘how?’ Without any further
> context and false assumptions.

its just i dont know how to make local rules make it local listed in my
stable sa 3.4.6 which is still latest on gentoo

> I would also suggest you update to SA4 so some of the items will be
> handled different. Such as the 2/3ld entries that are no longer needed
> for several of the datasources.

help make it happen is welcomed imho as the pmc members have a long
hard work on that job, when i started using spamassassin there was lots
of more pmc members that worked on make rules updates, and i still
remember SARA 3rd party rules
Re: phishtank api usage from spamassassin ? [ In reply to ]
Kris Deugau wrote on 2022-08-26 00:12:
> Benny Pedersen wrote:
>> Axb wrote on 2022-08-25 17:48:
>>> On 8/25/22 16:10, Benny Pedersen wrote:
>>>> i consider block all page.link, whois says its hosted by google :/
>>> go ahead..
>>
>> /var/lib/spamassassin/3.004006/kam_sa-channels_mcgrail_com/KAM_urlshorteners.cf:url_shortener .page.link
>> /var/lib/spamassassin/3.004006/kam_sa-channels_mcgrail_com/nonKAMrules.cf:util_rb_2tld page.link
>> /var/lib/spamassassin/3.004006/updates_spamassassin_org/20_aux_tlds.cf:util_rb_2tld page.tl page.link
>> /var/lib/spamassassin/3.004006/updates_spamassassin_org/25_url_shortener.cf:url_shortener .page.link
>>
>> how ?
>
> Explicit URI rules always match irrespective of the util_rb_*tld
> entries - those only affect DNSBL lookups.
>
> uri FIREBASE_PAGE_LINK /page\.link/
>
> I don't have this particular TLD flagged this way but I do have a
> number of others.

good and thanks, i will add this to local rules here, but maybe
spamassassin should not do the util_rb_2tld ?, the url_shortener works
without imho ?

KAM clean up your rules above
Re: phishtank api usage from spamassassin ? [ In reply to ]
Axb wrote on 2022-08-25 17:48:
> On 8/25/22 16:10, Benny Pedersen wrote:
>>
>> https://phishtank.com/phish_detail.php?phish_id=7691984
>> https://phishtank.com/phish_detail.php?phish_id=7680788
>>
>> why is page.link have subdomain tjeking ?, is it marked at sa as a
>> redirector ?
>
> tjeking?
>
>> i consider block all page.link, whois says its hosted by google :/
> go ahead..
>
>> report it to google phish reports helps notning
>> pmc members can get the whole spample if needed
>
> SURBL lists based on Phishtank data... no need for further action


# don't waste cycles

ifplugin Mail::SpamAssassin::Plugin::URIDNSBL

uridnsbl_skip_domain page.link
uridnsbl_skip_domain .page.link

endif # Mail::SpamAssassin::Plugin::URIDNSBL

# firebase has no abuse reporting, so blocking locally

uri FIREBASE_PAGE_LINK /page\.link/
describe FIREBASE_PAGE_LINK http://random.page.link :)
score FIREBASE_PAGE_LINK 50

# don't learn in awl

ifplugin Mail::SpamAssassin::Plugin::AWL
tflags FIREBASE_PAGE_LINK noawl
endif # Mail::SpamAssassin::Plugin::AWL


hope it works, can i make it better ?

i still have coffee left :-)
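
Added example, not from any poster and not project code: the rule pattern /page\.link/ in the configuration above is unanchored, so it also hits URIs that merely contain that text. The Python below compares it with a host-anchored pattern plus a local allowlist; the anchored pattern, the KNOWN_GOOD entry and all sample URIs are constructed assumptions, and both patterns behave the same under Perl's regex engine.

```python
import re

# Pattern from the rule posted in the thread: uri FIREBASE_PAGE_LINK /page\.link/
UNANCHORED = re.compile(r"page\.link")

# Host-anchored variant (assumption of this example): hit only when the
# URI's host is page.link itself or one of its subdomains.
HOST_ANCHORED = re.compile(
    r"^https?://((?:[a-z0-9-]+\.)*page\.link)\.?(?::\d+)?(?:[/?#]|$)", re.I)

# Hypothetical local allowlist of subdomains known to be legitimate.
KNOWN_GOOD = {"shop-example.page.link"}

def classify(uri):
    """Return (hit by posted pattern, hit by anchored pattern minus allowlist)."""
    loose = bool(UNANCHORED.search(uri))
    m = HOST_ANCHORED.match(uri)
    strict = bool(m) and m.group(1).lower() not in KNOWN_GOOD
    return loose, strict

# Constructed sample URIs.
SAMPLES = [
    "https://abc123.page.link/Xy12",                # unknown page.link subdomain
    "https://shop-example.page.link/promo",         # allowlisted subdomain
    "https://homepage.links.example.org/",          # other host containing the text
    "https://www.example.com/docs/page.link.html",  # text only in the path
    "https://mypage.link/",                         # different registered domain
]

def report(samples=SAMPLES):
    """Classify every sample; returns a list of (uri, loose, strict)."""
    return [(u, *classify(u)) for u in samples]

if __name__ == "__main__":
    for uri, loose, strict in report():
        print(f"{uri:45} posted={loose!s:5} anchored={strict}")
```

Only the first sample should score under the anchored pattern; the posted pattern hits all five.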
Re: phishtank api usage from spamassassin ? [ In reply to ]
Axb wrote on 2022-08-25 17:48:

<fuglu reject spam, hopefully fixed now to not do from spamassassin
maillist, ups>

# don't waste cycles

ifplugin Mail::SpamAssassin::Plugin::URIDNSBL

uridnsbl_skip_domain page.link
uridnsbl_skip_domain .page.link

endif # Mail::SpamAssassin::Plugin::URIDNSBL

# firebase has no abuse reporting, so blocking locally

uri FIREBASE_PAGE_LINK /page\.link/
describe FIREBASE_PAGE_LINK http://random.page.link :)
score FIREBASE_PAGE_LINK 50

# don't learn in awl

ifplugin Mail::SpamAssassin::Plugin::AWL
tflags FIREBASE_PAGE_LINK noawl
endif # Mail::SpamAssassin::Plugin::AWL


hope it works, can i make it better ?

no more coffee left :-)
Re: phishtank api usage from spamassassin ? [ In reply to ]
On Thu, 25 Aug 2022, Axb wrote:

> On 8/25/22 16:10, Benny Pedersen wrote:
>>
>> https://phishtank.com/phish_detail.php?phish_id=7691984
>> https://phishtank.com/phish_detail.php?phish_id=7680788
>>
>> why is page.link have subdomain tjeking ?, is it marked at sa as a
>> redirector ?
>
> tjeking?
>
>> i consider block all page.link, whois says its hosted by google :/
> go ahead..

There are legitimate sites using that domain.

I added it as a 2tld for URIBL, so please report such domains to URIBL.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
Re: phishtank api usage from spamassassin ? [ In reply to ]
John Hardin wrote on 2022-08-26 02:32:
> On Thu, 25 Aug 2022, Axb wrote:
>
>> On 8/25/22 16:10, Benny Pedersen wrote:
>>>
>>> https://phishtank.com/phish_detail.php?phish_id=7691984
>>> https://phishtank.com/phish_detail.php?phish_id=7680788
>>>
>>> why is page.link have subdomain tjeking ?, is it marked at sa as a
>>> redirector ?
>>
>> tjeking?
>>
>>> i consider block all page.link, whois says its hosted by google :/
>> go ahead..
>
> There are legitimate sites using that domain.

i can add them later

> I added it as a 2tld for URIBL, so please report such domains to URIBL.

it was imho already listed as so, util_rb_2tld should imho have not
being defined, so only the uri_shortner handled random spam/phish
domains, while still blocking page.link would be simple as all other

not possible ?
Re: phishtank api usage from spamassassin ? [ In reply to ]
Benny,

It’s not a redirector in that sense.

The 2ld is correct and SHOULD be used.

It’s abused subdomains of page.link that we see and list.

I don’t see samples of the base domain being used and abused as a redirector. Could it be that that one is added mistakenly?

With the 2ld listing SURBL lookups will be done on the right level.

With kind regards,
Raymond Dijkxhoorn - SURBL

> On 26 Aug 2022 at 02:47, Benny Pedersen <me@junc.eu> wrote:
>
> John Hardin wrote on 2022-08-26 02:32:
>>> On Thu, 25 Aug 2022, Axb wrote:
>>> On 8/25/22 16:10, Benny Pedersen wrote:
>>>> https://phishtank.com/phish_detail.php?phish_id=7691984
>>>> https://phishtank.com/phish_detail.php?phish_id=7680788
>>>> why is page.link have subdomain tjeking ?, is it marked at sa as a
>>>> redirector ?
>>> tjeking?
>>>> i consider block all page.link, whois says its hosted by google :/
>>> go ahead..
>> There are legitimate sites using that domain.
>
> i can add them later
>
>> I added it as a 2tld for URIBL, so please report such domains to URIBL.
>
> it was imho already listed as so, util_rb_2tld should imho have not being defined, so only the uri_shortner handled random spam/phish domains, while still blocking page.link would be simple as all other
>
> not possible ?
Re: phishtank api usage from spamassassin ? [ In reply to ]
Hello Benny,

Many of the SARE people are around but are now doing things RBL style. Including me and Alex to name just two.

And the link -subdomains- you see in spams you can report to various lists if needed (feedback@surbl.org for example).

In case you want to send abuse reports to google who operates this service:

https://firebase.google.com/support/troubleshooter/contact

It’s not a ‘normal’ webpage as such I think they didn’t add an abuse or contact on the page you mentioned. It’s more like an abused api system. But just thinking out loud on that.

As mentioned there are many legit subdomains you definitely don’t want to block.

With kind regards,
Raymond Dijkxhoorn

> On 26 Aug 2022 at 00:40, Benny Pedersen <me@junc.eu> wrote:
>
> Raymond Dijkxhoorn via users wrote on 2022-08-25 23:45:
>> Benny,
>> Sorry for the top posting.
>
> australians :)
>
>> SURBL doesn’t list that base domain. And please check on the SURBL
>> page not on some third party site that might even be acl’ed.
>> https://www.surbl.org/surbl-analysis
>> PAGE.LINK IS NOT LISTED
>> SURBL lists the subdomains, and we list many of them. It’s a
>> firebase service and it’s abused for a long time unfortunately.
>
> https://page.link/
>
> Invalid Dynamic Link
>
> Requested URL must be a parsable and complete DynamicLink.
>
> If you are the developer of this app, ensure that your Dynamic Links domain is correctly configured and that the path component of this URL is valid.
>
> missing abuse report on that page to be usefull
>
> like bit.ly have it redirects to https://bitly.com/ :=)
>
>> Your mail is very confusing. With the ‘how?’ Without any further
>> context and false assumptions.
>
> its just i dont know how to make local rules make it local listed in my stable sa 3.4.6 with is still latest on gentoo
>
>> I would also suggest you update to SA4 so some of the items will be
>> handled different. Such as the 2/3ld entries that are no longer needed
>> for several of the datasources.
>
> help make it happend is welcomed imho as the pmc members have a long hard work on that job, when i started using spamassassin there was lots of more pmc members that worked on make rules updates, and i still remember SARA 3dr party rules
Re: phishtank api usage from spamassassin ? [ In reply to ]
Raymond Dijkxhoorn via users wrote:
> Hello Benny,
>
> Many of the SARE people are around but are now doing things RBL style.
> Including me and Alex to name just two.
>
> And the link -subdomains- you see in spams you can report to various
> lists if needed (feedback@surbl.org for example).
>
> In case you want to send abuse reports to google who operates this service:
>
> https://firebase.google.com/support/troubleshooter/contact

<clicks link>

"You must sign in to access this page".

That's... rather unhelpful, Google.

It's not the only place Google won't let you report problems from
outside their ecosystem either - you can't report spam coming through
Google Groups with the link in the messages without logging in to a
Google account.

I gave up trying to report these, and just set up another local DNSBL
dataset listing normalized List-IDs, and extended a local SA plugin to
pull the List-ID out of a message and drop it in a tag for lookup. This
is scored quite high due to all of the beneficial rules that hit on mail
from Google Groups. More recently I've been eyeing up extracting
similar/related list identifiers for mail sent through a number of
bulk-mail platforms with... problematic.... mail flows, by local
standards, for the same lookup.

-kgd
Re: phishtank api usage from spamassassin ? [ In reply to ]
Raymond Dijkxhoorn wrote on 2022-08-25 23:45:

> SURBL doesn’t list that base domain. And please check on the SURBL
> page not on some third party site that might even be acl’ed.

new redirector https://phishtank.com/phish_detail.php?phish_id=7699418

missed to add mxout1-he-de.apache.org ipv6 skip spamtest in fuglu,
should not reject maillist now

page.link tester
Re: phishtank api usage from spamassassin ? [ In reply to ]
Benny Pedersen wrote on 2022-08-26 02:26:

> no more coffee left :-)

on phishtank its more phishes

Currently at 39,000 online, usually around 12,000.

sadly so much free ride :/
Re: phishtank api usage from spamassassin ? [ In reply to ]
On Fri, 26 Aug 2022, Kris Deugau wrote:

> Raymond Dijkxhoorn via users wrote:
>> Hello Benny,
>>
>> Many of the SARE people are around but are now doing things RBL style.
>> Including me and Alex to name just two.
>>
>> And the link -subdomains- you see in spams you can report to various lists
>> if needed (feedback@surbl.org for example).
>>
>> In case you want to send abuse reports to google who operates this
>> service:
>>
>> https://firebase.google.com/support/troubleshooter/contact
>
> <clicks link>
>
> "You must sign in to access this page".
>
> That's... rather unhelpful, Google.

...see Hoops, Jumping Through. "Go away and stop bothering us."

> It's not the only place Google won't let you report problems from outside
> their ecosystem either - you can't report spam coming through Google Groups
> with the link in the messages without logging in to a Google account.
>
> I gave up trying to report these,

Me, too.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79