PDA

View Full Version : www.eset.com listed in Spamhaus URL blacklist

asmethurst
July 16th, 2008, 12:26 PM
Hi,

Is anyone else experiencing this problem:

Out of the box, NOD32 v3 appends a footer to outbound emails including the URL www.eset.com. We use Spamhaus Block Lists to assist in spam detection (like many others). Unfortunately some of our inbound replies are marked as spam due to this URL being on the SBL and scored accordingly.

I understand that this can be overcome by removing the footer or modifying our spam detection rules. Unfortunately there are many others using the same block lists, or NOD32 customers that are unaware that they could be sending out messages which might never reach their recipients.

It might be worth checking to make sure this isn't impacting your business. I know this only came to my attention after I was alerted that some important documents were not being received. It only took a few minor SpamAssassin scores to build up before these emails became blocked.

I definitely don't want to rubbish the product or Eset, but would like to share this potential issue with others.

I certainly would like Eset to look into this, and if confirmed, make the necessary actions to have the URL removed from the SBL.

Kind regards,
Andrew
ronjor
July 16th, 2008, 12:36 PM
Hello asmethurst,

-{ Quote: "Out of the box, NOD32 v3 appends a footer " }-is not correct. It appends a message only to infected email by default. Someone would have to change the default settings to have the footer appended to every email.
SmackyTheFrog
July 16th, 2008, 02:26 PM
-{ Quote: "Hello asmethurst,

is not correct. It appends a message only to infected email by default. Someone would have to change the default settings to have the footer appended to every email." }-
No, the default behavior is to add that tag on to the end of all sent email in addition to modifying the subject if an infection is detected. I saw it plenty of times when I was first piloting our install and the test users all had this until I pushed out configuration changes.

e: Or to clarify, that was the default setting around the time of the 3.0.650/657 (and likely earlier) and in place installs of new versions over the old preserved this setting.
ronjor
July 16th, 2008, 03:01 PM
It appears you're right. The default is append message to all scanned email. I missed a change somewhere along the version line. :blink:

A thousand pardons. :D
agoretsky
July 17th, 2008, 02:14 PM
Hello,

I am looking at Spamhaus (http://www.spamhaus.org/) web site and see a Spamhaus Block List (http://www.spamhaus.org/sbl/index.lasso), which is IP address-based; an Exploits Block List (http://www.spamhaus.org/xbl/index.lasso), which is IP address-based; and Policy Block List (http://www.spamhaus.org/pbl/index.lasso), which is also IP address-based. I do not see anything on their web site referencing a URL-based blocklist.

Can you please provide more information about the exact blocklist you are subscribing to from Spamhaus which is flagging the eset.com domain? It could be should be easy to resolve once that has been identified, but we need to what domain name or IP address(es) are being flagged in order to investigate further.


Regards,

Aryeh Goretsky