Discuss October 2004

discuss@lists.surbl.org

44 participants
134 discussions

FP in OB?
by Bill Landry 16 Oct '04

16 Oct '04

Domain, thechildsafetyguide.com, was listed in a Stork Avenue Newsletter (storkavenue.com) and is listed in OB. It's a fairly new domain, but seems legit and the web site looks legit: Registrant: American Family Safety Network Christian Bezick (cbezick(a)bellsouth.net) 2938 Banyan Blvd Circle NW Boca Raton FL,33431 US Tel. +001.5619129617 Creation Date: 24-May-2004 === - No NANAS listings - No SBL listings Bill

2 1

Theory about FPs for sites with open subscriptions
by Jeff Chan 16 Oct '04

16 Oct '04

After looking at NANAS hits for FPs, in particular the reporting parties and the destination addresses, I have a theory about some of the FPs. I think some anti-spam zealots may be deliberately subscribing spam traps, either their own or third parties' like Outblaze, to sites with open subscriptions. If so, they're probably doing it to draw attention to the fact that the sites have unconfirmed subscriptions. Or they could be cracker/spammer types trying to use them to poison the spamtrap feeds and therefore diminish the usefulness of data from them. This type of poisoning is a distinct possibility since it would appear that the "spams" (usually subscription newsletters) do appear to come from those sites or senders. I think we should consider the possibilities that either type of people (or even bots) could be adding otherwise legitimate sites to traps this way. (It would be trivially easy to write a spider to subscribe spamtrap or their own address to open subscription sites, and given some of the repeated reporters in NANAS, someone may have done that.) Whatever their reasons, we should not fall into this trap and list otherwise legitimate sites just because they have open subscriptions. Doing so probably diminishes the usefulness of SURBLs by increasing false positives. Comments, Jeff C. -- "If it appears in hams, then don't list it."

2 2

Removal of original BE domains from WS.
by Chris Santerre 16 Oct '04

16 Oct '04

We are going to remove the original 3k+ BigEvil domains from WS. We feel there may be too many FPs coming from it, as our methods of checking have gotten 5 million times better then what I used to do alone. So rather then checking them all for FP, we simplt remove. We feel this shouldn't cause any problems, and any domains still being used will be reported to us, and added back in. Does anyone have any objections to this? --Chris (Yankees suck.)

4 6

Re: [SURBL-Discuss] FP?: ultimatebizsource.biz
by alden＠engineno9inc.com 16 Oct '04

16 Oct '04

>-----Original Message----- >From: Jeff Chan [mailto:jeffc@surbl.org] >Sent: Friday, October 15, 2004 11:13 AM >To: Chris Santerre >Cc: 'Jeff Chan'; 'SURBL Discussion list'; Joe Wein; Ryan Thompson >(E-mail) >Subject: Re: [SURBL-Discuss] FP?: ultimatebizsource.biz <snip> >> 2285 domains in that file. I dont' feel good about it at >all. Especially >> because the domain we are talking about seems so iffy. I'm >not one to remove >> all of these just because I don't have the archived reports. >If they are >> proved to be FPs then hell yeah I will remove those FPs. But >to remove over >> 2k of them just for 2 reported FPs in that file??? > >> --Chris > >OK fair enough. There may be more than 2 FPs though. Here are >the DMOZ hits: > >> /home/gorilla/black-gorilla-7_04.txt in nouse-white-jeffc-dmoz >> >> 123go-shopping.com >> 24ktgoldcasino.com >> 3322.org >> abitz.com >> audiogalaxy.com >> bottomlinecom.net >> casinovendors.com >> chemicalhouse.com >> denversharedservices.com >> dimoskopisi.com >> dotphoto.com >> electroionic.com.ar >> etowns.net >> evite.com >> goldrush.com >> hotusa.org >> instoremag.com >> jlindustrial.com >> kinghost.com >> medica.de >> mwconsult.ru >> mypiece.com >> pcdi.com >> quevendo.com.ar >> response-o-matic.com >> spectralft.com >> telepolis.com >> tom.com >> vistaprint.com >> webwizguide.info >> wx-e.com >> zip.net >> >> Number of matches: 32 > >Do we see any FPs in those? > >Jeff C. >-- >"If it appears in hams, then don't list it." > evite.com is definitely an FP. It's an e-invitation site. Recipients may not all want the invites, and there's some (big) potential for spam, but the URL appears in LOTS of hams. Here's the source of a sample: <html> <head> </head> <body marginwidth="0" leftmargin="0" marginheight="0" topmargin="0" link="#993399" alink="#ff9900" vlink="#ff9900"> <table width="100%" cellpadding="0" cellspacing="0" border="0"> <tr> <td width="100%" height="80" align="center" valign="top"> <table width="600" cellpadding="0" cellspacing="0" border="0"> <tr> <td><img src="http://a1444.g.akamai.net/7/1444/9744/ZTWTGZBOST/www.evite.com/images/email…" width="177" height="70"></td> </tr> <tr> <td><img src="http://a1444.g.akamai.net/7/1444/9744/ZTWTGZBOST/www.evite.com/html/img/hom…" width="1" height="10" border="0"></td> </tr> </table> </td> </tr> </table> <div align="center"> <table width="600" cellpadding="0" cellspacing="0" border="0"> <tr> <td valign="top" colspan="3"> <table cellpadding="0" cellspacing="0" border="0"> <tr> <td align="center" valign="top" colspan="3"><img src="http://a1444.g.akamai.net/7/1444/9744/ZTWTGZBOST/www.evite.com/images/email…" width="600" height="15" border="0"></td> </tr> <tr> <td align="left" valign="top"><img src="http://a1444.g.akamai.net/7/1444/9744/ZTWTGZBOST/www.evite.com/images/email…" width="20" height="45" border="0"></td> <td align="center" valign="top" width="560" height="45" style="color:#666; font-size:14px; font-family:verdana, arial, helvetica, sans-serif" bgcolor="#ffffff"><b>Melissa & Michael</b><font style="color:#666; font-size:12px"><br />have invited you to:<br /></font></td> <td align="right" valign="top" ><img src="http://a1444.g.akamai.net/7/1444/9744/ZTWTGZBOST/www.evite.com/images/email…" width="20" height="45" border="0"></td> </tr> <tr> <td valign="top" colspan="3"> <table width="600" cellpadding="0" cellspacing="0" border="0"> <tr> <td align="left" valign="top"><img src="http://a1444.g.akamai.net/7/1444/9744/ZTWTGZBOST/www.evite.com/images/email…" width="117" height="65" border="0"></td> <td align="center" valign="top" width="366" height="65" colspan="3" style="color:#069; font-size:17px; font-family:verdana, arial, helvetica, sans-serif" bgcolor="#ffffff"><b>Nate's First Birthday Party</b></td> <td align="right" valign="top"><img src="http://a1444.g.akamai.net/7/1444/9744/ZTWTGZBOST/www.evite.com/images/email…" width="117" height="65" border="0"></td> </tr> <tr> <td valign="top"><img src="http://a1444.g.akamai.net/7/1444/9744/ZTWTGZBOST/www.evite.com/images/email…" width="117" height="163" border="0"></td> <td valign="top"><img src="http://a1444.g.akamai.net/7/1444/9744/ZTWTGZBOST/www.evite.com/images/email…" width="103" height="163" border="0"></td> <td valign="top" width="160" height="57"> <table width="160" cellpadding="0" cellspacing="0" border="0"> <tr> <td align="center" valign="top" width="160" height="59" style="color:#666; font-size:11px; font-family:verdana, arial, helvetica, sans-serif" bgcolor="#ffffff"></td> </tr> <tr> <td valign="top"><a href="http://www.evite.com/pages/invite/viewInvite.jsp?inviteId=TIDNNMMWHRJIIZPUB…"><img src="http://a1444.g.akamai.net/7/1444/9744/ZTWTGZBOST/www.evite.com/images/email…" width="160" height="74" border="0"></a></td> </tr> <tr> <td align="center" valign="top" width="160" height="30" background="http://a1444.g.akamai.net/7/1444/9744/ZTWTGZBOST/www.evite.com/images/email…" style="color:#666; font-size:14px; font-family:verdana, arial, helvetica, sans-serif"><a href="http://www.evite.com/pages/invite/viewInvite.jsp?inviteId=TIDNNMMWHRJIIZPUB…"><b>View the Evite</b></a></td> </tr> </table> </td> <td valign="top"><img src="http://a1444.g.akamai.net/7/1444/9744/ZTWTGZBOST/www.evite.com/images/email…" width="103" height="163" border="0" alt=""></td> <td valign="top"><img src="http://a1444.g.akamai.net/7/1444/9744/ZTWTGZBOST/www.evite.com/images/email…" width="117" height="163" border="0" alt=""></td> </tr> </table> </td> </tr> </table> </td> </tr> <tr> <td align="left" valign="top" width="10" height="100%" background="http://a1444.g.akamai.net/7/1444/9744/ZTWTGZBOST/www.evite.com/images/email…"><img src="http://a1444.g.akamai.net/7/1444/9744/ZTWTGZBOST/www.evite.com/images/email…" width="10" height="1" border="0"></td> <td align="left" valign="top" width="580" background="http://a1444.g.akamai.net/7/1444/9744/ZTWTGZBOST/www.evite.com/images/email…" style="color:#666; font-size:11px; font-family:verdana, arial, helvetica, sans-serif;"><img src="http://a1444.g.akamai.net/7/1444/9744/ZTWTGZBOST/www.evite.com/images/t.gif" width="580" height="1"><br /></td> <td align="right" valign="top" width="10"background="http://a1444.g.akamai.net/7/1444/9744/ZTWTGZBOST/www.evite.com/images/email…"><img src="http://a1444.g.akamai.net/7/1444/9744/ZTWTGZBOST/www.evite.com/images/email…" width="10" height="1" border="0"></td> </tr> <tr> <td align="center" valign="top" colspan="3"><img src="http://a1444.g.akamai.net/7/1444/9744/ZTWTGZBOST/www.evite.com/images/email…" width="600" height="17" border="0"></td> </tr> </table> <table width="600" border="0" cellspacing="0" cellpadding="2">  <tr><td style="color:#999; font-size:11px; font-family:verdana, arial, helvetica, sans-serif"><br><a href="http://www.evite.com/inviteMore?eventID=APFXZQNSIJQPZDYQWERX&iid=TIDNNMMWHR…">Invite More Friends</a> by adding them to the guest list.<br><br></td></tr>  <tr><td style="color:#999; font-size:11px; font-family:verdana, arial, helvetica, sans-serif"><b>Is this email going to your junk/bulk folder?</b>  Add <b>info(a)evite.com</b> to your address book to ensure that you receive all future Evites in your Inbox.</td></tr> <tr><td style="color:#999; font-size:11px; font-family:verdana, arial, helvetica, sans-serif"><br /><b>Was this email unwanted?</b>  Manage your <a href="http://www.evite.com/respond/rmcomm?iid=TIDNNMMWHRJIIZPUBRIW">communication preferences.</a></td></tr> <tr><td style="color:#999; font-size:11px; font-family:verdana, arial, helvetica, sans-serif" height="100%"><br> <b>Having Trouble?</b>  If you are unable to open this Evite, try copying the entire URL below into your browser:<br /> http://www.evite.com/r?iid=TIDNNMMWHRJIIZPUBRIW&li=iq&src=email</td></tr> </table> <br /> <img width=1 height=1 src="http://www.evite.com/mailDetect?iid=TIDNNMMWHRJIIZPUBRIW&src=email"> </div> </body> </html> Regards, Alden Alden Levy Engine No. 9, Inc. 130 West 57th Street, Suite 12E New York, NY 10019 (212) 981-1122 (212) 725-7202 (fax) www.engineno9inc.com

2 1

RE: [SURBL-Discuss] FP?: ultimatebizsource.biz
by Chris Santerre 15 Oct '04

15 Oct '04

Fair enough ;) Give me a bit. I've got a few things I have to get done here, and a conference call to get ready for. I'll get back to you this afternoon on these. --Chris >-----Original Message----- >From: Jeff Chan [mailto:jeffc@surbl.org] >Sent: Friday, October 15, 2004 11:13 AM >To: Chris Santerre >Cc: 'Jeff Chan'; 'SURBL Discussion list'; Joe Wein; Ryan Thompson >(E-mail) >Subject: Re: [SURBL-Discuss] FP?: ultimatebizsource.biz > > >On Friday, October 15, 2004, 7:55:54 AM, Chris Santerre wrote: >>>From: Jeff Chan [mailto:jeffc@surbl.org] >>>On Friday, October 15, 2004, 7:50:06 AM, Chris Santerre wrote: > >>>> Sorry I can't. It's the evil gaff back from 7/04 again. >>>Where none of the >>>> sumissions were being archived. >>> >>>How do you feel about removing the 7/04 list from WS? Or is there >>>a subset of those we could remove? > >> 2285 domains in that file. I dont' feel good about it at >all. Especially >> because the domain we are talking about seems so iffy. I'm >not one to remove >> all of these just because I don't have the archived reports. >If they are >> proved to be FPs then hell yeah I will remove those FPs. But >to remove over >> 2k of them just for 2 reported FPs in that file??? > >> --Chris > >OK fair enough. There may be more than 2 FPs though. Here are >the DMOZ hits: > >> /home/gorilla/black-gorilla-7_04.txt in nouse-white-jeffc-dmoz >> >> 123go-shopping.com >> 24ktgoldcasino.com >> 3322.org >> abitz.com >> audiogalaxy.com >> bottomlinecom.net >> casinovendors.com >> chemicalhouse.com >> denversharedservices.com >> dimoskopisi.com >> dotphoto.com >> electroionic.com.ar >> etowns.net >> evite.com >> goldrush.com >> hotusa.org >> instoremag.com >> jlindustrial.com >> kinghost.com >> medica.de >> mwconsult.ru >> mypiece.com >> pcdi.com >> quevendo.com.ar >> response-o-matic.com >> spectralft.com >> telepolis.com >> tom.com >> vistaprint.com >> webwizguide.info >> wx-e.com >> zip.net >> >> Number of matches: 32 > >Do we see any FPs in those? > >Jeff C. >-- >"If it appears in hams, then don't list it." >

2 1

RE: [SURBL-Discuss] FP?: ultimatebizsource.biz
by Chris Santerre 15 Oct '04

15 Oct '04

>-----Original Message----- >From: Jeff Chan [mailto:jeffc@surbl.org] >Sent: Friday, October 15, 2004 10:42 AM >To: Chris Santerre >Cc: 'Jeff Chan'; 'SURBL Discussion list'; Joe Wein; Ryan Thompson >(E-mail) >Subject: Re: [SURBL-Discuss] FP?: ultimatebizsource.biz > > >On Friday, October 15, 2004, 7:25:28 AM, Chris Santerre wrote: >>>From: Jeff Chan [mailto:jeffc@surbl.org] > >>>Both domains are listed in WS: >>> >>>/home/gorilla/black-gorilla-7_04.txt:cashfromhome.com >>>/home/prolocation/black-prolocation-master:ultimatebizsource.biz >>> >>>Chris, what evidence do you have? Same question for Raymond. > >> eh? Read their site! They don't particularly care who I am >as long as I have >> money. They 'say' they have an opt in list. But if I give >them money, they >> send my ad to their list. How could their members possibly >have opt'd in to >> recieve my ads when they don't even know me yet? > >Opt-in doesn't mean they opted in because they know you. >It could mean they opted in to get ads in general (for >whatever reason). > >By evidence I was referring to spams. If you have one, >post it and how it got to you or at least a description of >how it got to you. > Sorry I can't. It's the evil gaff back from 7/04 again. Where none of the sumissions were being archived. Keeps biting me in my ass. ouch. --Chris (If it appears in spam and you can't prove it....don't list.) <-ARGH!

2 1

RE: [SURBL-Discuss] FP?: ultimatebizsource.biz
by Chris Santerre 15 Oct '04

15 Oct '04

>-----Original Message----- >From: Jeff Chan [mailto:jeffc@surbl.org] >Sent: Friday, October 15, 2004 1:01 AM >To: Joe Wein >Cc: SURBL Discussion list >Subject: Re: [SURBL-Discuss] FP?: ultimatebizsource.biz > > >On Thursday, October 14, 2004, 8:43:40 PM, Joe Wein wrote: >> ultimatebizsource.biz claims to be an opt-in list with >55,000 subscribers. >> It's currently listed on [WS] and [JP] but not my personal list. > >> I know, the name alone sounds like your typical spammer >domain, but is it? >> Today the owner of getyoursiteongoogle.info mailed me, since I had >> blacklisted their domain. > >> Turns out the evidence was a mailing from >ultimatebizsource.biz which was >> listed on WS and JP. Since the recipient was a third party from the >> Prolocation feed, I could not easily verify if it was indeed >unsolicited, >> but I checked what I could check quickly. > >> To my surprize the outgoing mailserver's IP is not listed on >any of the RBLs >> and neither are the name servers or the resolved name. > >> There is only 1 NANAS sighting for this almost one year old >domain. That >> posting is an automated one, and probably related to an >ahbl.org listing >> mentioned in the SA-tags added to the evidence mail. I can >find no listing >> for them at ahbl.org now. > >> A web search for the domain name returns a single hit: >> http://www.google.com/search?q=ultimatebizsource.biz+spam > >> That looks too little for 55,000 mails per day for one year. > >> Joe > >Perhaps the question should be: do they have legitimate uses? >Obviously their name, etc. sound very spammy, but is their >subscriber list truly opt-in or is is harvested or scraped, >etc.? If it's truly opt-in then they may have legitimate >uses. Their site claims to be opt in, but of course that's >impossible to confirm directly except perhaps by asking >everyone on it. > >However if it were not opt in, it would seem there should be >many complaints. Also 55-58k is pretty small for a scraped >or harvested list, which usually have more like millions. >So perhaps there's a chance it actually is opt in. > >The domain registration is from October 31, 2003. The >domain registration for a related domain: Cashfromhome.com >is quite a bit older: Creation Date: 08-jun-1998. These >also lead me to believe they may have legitimate uses or >at least that 1-8 years should have been enough time for >SBL, NANAS, etc. to find them as true spammers. > >(Note that there are 34 NANAS hits for the older domain, >but all are from 1998 through 2000. None are newer, so >perhaps they spammed somewhat several years ago but >cleaned up their act in recent years. Most of the NANAS >reports are apparently from the same person.) > >Both domains are listed in WS: > >/home/gorilla/black-gorilla-7_04.txt:cashfromhome.com >/home/prolocation/black-prolocation-master:ultimatebizsource.biz > >Chris, what evidence do you have? Same question for Raymond. > eh? Read their site! They don't particularly care who I am as long as I have money. They 'say' they have an opt in list. But if I give them money, they send my ad to their list. How could their members possibly have opt'd in to recieve my ads when they don't even know me yet? cashfromhome? Hell they even list MLM right on their menu! If you're going to remove these guys, then please let Ryan know to add to UC. IN THEIR DEFENSE: their domain reg is from 1998 with no NANAS hits. HOWEVER, whose to say they send out their ad capmaigns using with links to that domain at all? Could be used as a front and they use other domains in their campaigns. --Chris

2 1

RE: [SURBL-Discuss] Child porn URLs
by Chris Santerre 15 Oct '04

15 Oct '04

>I must agree. The only content criteria we have for SURBLs is >inclusion in spam and exclusion in ham. Aside from the phishing >list (which also happens to be very spammy), all the SURBL lists >contain spam domains. Spam versus ham should remain our only >criteria for inclusion or now. > Well, I think this info should be told to everyone who is an admin. You all know I'm interested in this because I send the info direct to the FBI SA contact I have. The official place to report such sites is www.missingkids.com Also the site mentioned simply redirects to http://218.189.199.18:2180/portal/portal/pbf/ If you have any more info on this site, let me know OFFLIST, and I will submit to the Special Agent. Thanks --Chris

1 0

RE: [ST #592239]:postmaster: Re: [SURBL-Discuss] FP in OB ?
by Chris Santerre 15 Oct '04

15 Oct '04

>-----Original Message----- >From: Jeff Chan [mailto:jeffc@surbl.org] >Sent: Friday, October 15, 2004 7:58 AM >To: Tony Bea via RT >Cc: SURBL Discuss >Subject: Re: [ST #592239]:postmaster: Re: [SURBL-Discuss] FP in OB ? > > >On Friday, October 15, 2004, 4:26:09 AM, Tony RT wrote: >> Thank you for your suggestions. I will look to implement, >at least a few of >> them, in the near future in hopes of stopping some of the FPs. > >Execellent! I hope they can help. (Referring to >http://www.surbl.org/policy.html ) > >> In the meantime, feel free to let the mailing list know that >> postmaster(a)outblaze.com works and gets reasonably fast >response if they notice >> anything that looks like an FP. > >> Cheers, >> TonyB > >Done. :-) > Without a doubt, those Outblaze guys are aces in my book! Keep up the great work guys! --Chris (I am the queen of spades.)

1 0

FP: vmobile.us
by Joe Wein 15 Oct '04

15 Oct '04

Got email from vmobile.us today. It's listed on [WS] and [JP]. I checked the evidence and it's kind of flakey. The mail in question was mailing by wirelessdealernetwork.com. WDN has 2 NANAS sightings to it, both dated 2004-09-19 and posted by the same guy. Registered on 2004-06-08, NS blacklisted, listed on SURBL [WS], [OB], [JP]. Whether the recipient opted-in or not is not quite clear, but he's telecom-related. It may be spam, it may be not. In any case, vmobile.us was registered on 2004-05-12 and blacklisted by me on 2004-09-14. I shouldn't have blacklisted at that age without further evidence / checks. The NS is not blacklisted, no Google hits for spam other than my own listing. Oops! The domain of the owning company, usa-telecom.net, is two years old. So I think [WS] should probably also unlist vmobile.us, as I will do. My lesson: Just because the mailing list may be spammy and the TLD notorious doesn't mean a domain mentioned deserves listing on SURBL. Joe

2 3

← Newer
1
...
4
5
6
7
8
9
10
...
14
Older →

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

Discuss October 2004