On Thu, 10 Sep 2009 21:23:11 -0400 MySQL Student <mysqlstud...@gmail.com> wrote:
> Hi,
>
> >> http://pastebin.com/m4a4d990e
> >>
> >> Is the criteria for being listed on the JMF_W simply that it
> >> contains a domain that is whitelisted, despite whether it contains
> >> another URL that is blacklisted?
> >
> > I'm not sure what you are saying here, it's not as if the people
> > running the whitelist could lookup the IP address on razor.
>
> I'm saying that it appears odd that it would be listed on both RAZOR
> and JMF_W, unless the JMF_W found the kraftfoods.com URL and the RAZOR
> rules found the bogus
> http://ADSENSETREASUREONLINE.yolasite.com URL. Unless the yolasite.com
> is a legitimate kraftfoods site?

Razor looks up fuzzy hashes of an email on a server that records the values that have previously been reported for spam. JMF_W is based on the IP address of the last hop into your trusted network (or internal if you set it up that way). Neither is based on URLs.

DNS whitelists are hard to spoof. Both examples involve Exchange Server; perhaps a spammer is exploiting a Windows or Exchange vulnerability.
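Added example, not part of the original message or of SpamAssassin's code: a sketch of how an IP-based DNS whitelist lookup key is derived from the last hop into the trusted network, showing that URLs in the body play no part. The headers, the trusted range and the zone `dnswl.example` are constructed placeholders.

```python
import ipaddress
import re

# Constructed Received headers, newest first, as they appear in a message.
SAMPLE_RECEIVED = [
    "from mx.internal.example (mx.internal.example [10.0.0.5]) by store.internal.example",
    "from mail.sender.example (mail.sender.example [192.0.2.25]) by mx.internal.example",
    "from workstation (unknown [198.51.100.7]) by mail.sender.example",
]
TRUSTED = [ipaddress.ip_network("10.0.0.0/8")]  # assumed trusted network
ZONE = "dnswl.example"                          # placeholder zone name

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def last_external_hop(received, trusted):
    """Walk headers newest to oldest; return the first relay IP outside
    the trusted networks, i.e. the host that handed the mail to us."""
    for header in received:
        match = IP_IN_BRACKETS.search(header)
        if not match:
            continue
        try:
            ip = ipaddress.ip_address(match.group(1))
        except ValueError:
            continue  # malformed address in a header, skip it
        if not any(ip in net for net in trusted):
            return ip
    return None


def whitelist_query(received, trusted, zone):
    """Build the DNS name a DNSxL lookup would resolve: reversed octets
    plus the list zone. Older (untrusted, forgeable) hops are ignored."""
    ip = last_external_hop(received, trusted)
    if ip is None:
        return None
    return ".".join(reversed(str(ip).split("."))) + "." + zone


if __name__ == "__main__":
    # The message body is never consulted, so any URL in it is irrelevant.
    print(whitelist_query(SAMPLE_RECEIVED, TRUSTED, ZONE))
```

Only the relay recorded by the receiving side's own server feeds the lookup, which is why a listed (possibly compromised) mail server can produce a whitelist hit on a message whose content also matches Razor.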