Discuss August 2004

discuss@lists.surbl.org

56 participants
207 discussions

Start a nNew thread

sc.surbl.org FP
by Brett Cove 25 Aug '04

25 Aug '04

citizensbankMUNGED.com Was likely listed due to it being a phish target. -Brett

2 1

RE: [SURBL-Discuss] FP in WS & DS?
by Chris Santerre 24 Aug '04

24 Aug '04

>-----Original Message----- >From: Bill Landry [mailto:billl@pointshare.com] >Sent: Tuesday, August 24, 2004 3:06 PM >To: 'SURBL Discussion list' >Subject: Re: [SURBL-Discuss] FP in WS & DS? > > >----- Original Message ----- >From: "Chris Santerre" <csanterre(a)merchantsoverseas.com> > >> >This is from a US Bank newsletter, and I have confirmed via >> >whois that US >> >Bank does own the domain in question: >> > >> > usbank-email.MUNGEDcom >> > >> >The sending IP address is not listed in any RBL/RHSBLs: >> > >> > http://www.dnsstuff.com/tools/ip4r.ch?ip=192.168.40.122 >> > >> >Looks like a legitimate, subscription based, US Bank newsletter. >> >> We aren't seeing eye to eye today bill :) >> >> 207.189.106.22 not the reserved IP you listed. > >Yep, I corrected that in my last e-mail. > >> I see it as 4at1.com who is also: >> >> 00123.com >> 1nc002.com >> 1nc012.com >> 1nc022.com >> 4at1.com >> 4at2.com >> 4at2.net >> 4at5.net >> >> #Once ONCE (NET-207-189-106-0-1) >> 207.189.106.0 - 207.189.106.255 >> Empire Communications FORTIX-NET (NET-207-189-96-0-1) >> 207.189.96.0 - 207.189.127.255 > >Why would it matter who assigned US Bank the address space, or >who else they >assigned address space to? The IP address US Bank is using in >not listed in >any RBL/RHSBLs, and the bottom line is that the newsletter, >and the company >distributing it, are quite obviously both legitimate. What >else matters...? > Nope completely forget everything I posted. I was clearly off my rocker on that one! I entered the wrong data into my search and it spooled into the cluster Fsck I posted :) I'm taking steps to make sure that doesn't happen again today. (Translate: I'm pouring a cup of coffee!) This is what I get for doing 35 things at once and having 3 instances of firefow open with 10 tabs open in each of those! Now, where are my car keys?! --Chris

1 0

FP in WS & DS?
by Bill Landry 24 Aug '04

24 Aug '04

This is from a US Bank newsletter, and I have confirmed via whois that US Bank does own the domain in question: usbank-email.MUNGEDcom The sending IP address is not listed in any RBL/RHSBLs: http://www.dnsstuff.com/tools/ip4r.ch?ip=192.168.40.122 Looks like a legitimate, subscription based, US Bank newsletter. Bill

2 2

RE: [SURBL-Discuss] WS & DS FP?
by Chris Santerre 24 Aug '04

24 Aug '04

>-----Original Message----- >From: Chris Santerre [mailto:csanterre@merchantsoverseas.com] >Sent: Tuesday, August 24, 2004 12:06 PM >To: 'SURBL Discussion list' >Subject: RE: [SURBL-Discuss] WS & DS FP? > > > > >>-----Original Message----- >>From: Bill Landry [mailto:billl@pointshare.com] >>Sent: Tuesday, August 24, 2004 11:39 AM >>To: 'SURBL Discussion list' >>Subject: Re: [SURBL-Discuss] WS & DS FP? >> >> >>----- Original Message ----- >>From: "Chris Santerre" <csanterre(a)merchantsoverseas.com> >> >>> I agree. But the legit companies were spamming. That was >>what I was trying >>> to say, although poorly :) Some of the NANAS posts have >>legit companies in >>> them, but are spam. Most likely they paid a company to >>market them. Or >>they >>> tried there hand at doing it themselves and purchased a >>list. This looks >>> like the main focus of yesmail/clickaction. A mass email marketing >>company. >>> SO they will get legit companies to pay them to >>advertise/spam for them. >>> >>> They are a spammer for hier. I don't see them in ANY legit >>mail other then >>> this one single run with itworld. And that is because of a >>seminar on how >>to >>> use email for mass marketing! I may get overruled on this >>one, but I'm >>> sticking to my guns that they are spammers. >> >>The IT World newsletter link to clickaction had nothing to do >>with a mass >>marketing seminar. If you review my original post again, you >>will see that >>it was used for a very legitimate purpose, to allow users that >>have problems >>viewing their IT World newsletter subscription in HTML format >>to be able to >>change it to a text based format - that was it, pure and simple. >> >>There are lots of other ways to block clickaction if people >>feel that that >>is necessary, however, since there are obviously very >>legitimate uses for >>clickaction services by very legitimate companies, I do not feel that >>listing them in any of the SURBL is appropriate. My vote is >>to keep them >>whitelisted for now. >> > >So once again, a spammer gets 1-2 legit companies to use them, >and they get >removed from all RBLs? If that is how we are going to operate, >we might as >well shutdown now. Game over. > >"obviously very legitimate uses for clickaction services" > >SO itworld wanted to reduce there own traffic and have this >legit bulk done >by a "Legit commercial email marketer". Well they picked the >wrong one. This >isn't the first time we have seen this and it won't be the last. > >The PROPER thing to do is inform itworld of the history of the >marketer they >are dealing with. > >Whitelist? No way in hell. Temp remove, sure go ahead, but >they are just >going to get submitted again. Then what? Why not local >whitelist then for >your site? > >I'm starting to sound like the crazy SPAM-L locals :) BUt I'm tired of >having this one single argument every week. Spammer who gets legit >businesses to sign up....we need to deal with this now. >Otherwise, like I >said, game over. > >--Chris (Antispam nut!) More info: http://www.badads.org/january02.shtml They have been providing email support for itworld since 2001! Maybe itworld needs a clue! http://emailuniverse.com/list-news/?id=298 --Chris (Still digging.)

2 1

RE: [SURBL-Discuss] WS & DS FP?
by Chris Santerre 24 Aug '04

24 Aug '04

>-----Original Message----- >From: David Hooton [mailto:david.hooton@gmail.com] >Sent: Tuesday, August 24, 2004 10:42 AM >To: SURBL Discussion list >Subject: Re: [SURBL-Discuss] WS & DS FP? > > >On Tue, 24 Aug 2004 10:16:39 -0400, Chris Santerre ><csanterre(a)merchantsoverseas.com> wrote: >> I agree. But the legit companies were spamming. That was >what I was trying >> to say, although poorly :) Some of the NANAS posts have >legit companies in >> them, but are spam. Most likely they paid a company to >market them. Or they >> tried there hand at doing it themselves and purchased a >list. This looks >> like the main focus of yesmail/clickaction. A mass email >marketing company. >> SO they will get legit companies to pay them to >advertise/spam for them. >> >> They are a spammer for hier. I don't see them in ANY legit >mail other then >> this one single run with itworld. And that is because of a >seminar on how to >> use email for mass marketing! I may get overruled on this >one, but I'm >> sticking to my guns that they are spammers. > >I'm with Chris, string them up! > >How about a slightly more moderate approach, lets not whitelist them, >but lets remove them from the list for now. If they re-offend then we >list them until such time as they prove themselves as whitehat. > >This kind of domain is a very slippery one, it incredibly hard to put >them on either side of the FP fence. >-- >Regards, > >David Hooton Oh it gets even better according to our friend. Related domains! abii.com businesscreditusa.com businessusa.com clickaction.com databaseamerica.com dblink.com directoriesusa.com donnelleymarketing.com easymailers.org emailmarketing.com enterconnect.net infousa.com infousadomain.com infousagov.com infousaproductsupport.com insync-palm.com libraryusa.com listbazaar.com mysalesconnection.com myyesmail.com newleadsusa.com nomail.com p01.com p02.com p03.com p04.com pondmail.com postdirect.com salesgenie.net salesleadsusa.biz salesleadsusa.com yesmail-inc.com yesmail.com yesmail.net yesmail.org ym0.com ym0.net ymc0.com ymc0.net So what do you think of them now? --Chris

1 0

RE: [SURBL-Discuss] WS & DS FP?
by Chris Santerre 24 Aug '04

24 Aug '04

>-----Original Message----- >From: Jeff Chan [mailto:jeffc@surbl.org] >Sent: Tuesday, August 24, 2004 9:48 AM >To: SURBL Discuss >Subject: Re: [SURBL-Discuss] WS & DS FP? > > >On Tuesday, August 24, 2004, 6:46:01 AM, Chris Santerre wrote: >> Sorry I just noticed yesmail.com is listed is SURBL. So >clickaction.net >> should be as well. They are one in the same. > >Listings should not necessarily be associative. The real test >remains as "how spammy are they?" Do these guys do anything >legitimate? The NANAS customers of clickaction looked pretty >legitimate to me, assuming they're really customers. > >Jeff C. > I agree. But the legit companies were spamming. That was what I was trying to say, although poorly :) Some of the NANAS posts have legit companies in them, but are spam. Most likely they paid a company to market them. Or they tried there hand at doing it themselves and purchased a list. This looks like the main focus of yesmail/clickaction. A mass email marketing company. SO they will get legit companies to pay them to advertise/spam for them. They are a spammer for hier. I don't see them in ANY legit mail other then this one single run with itworld. And that is because of a seminar on how to use email for mass marketing! I may get overruled on this one, but I'm sticking to my guns that they are spammers. --Chris

3 2

RE: [SURBL-Discuss] Improved name server status page
by Chris Santerre 24 Aug '04

24 Aug '04

>-----Original Message----- >From: Raymond Dijkxhoorn [mailto:raymond@prolocation.net] >Sent: Tuesday, August 24, 2004 9:39 AM >To: SURBL Discussion list >Subject: RE: [SURBL-Discuss] Improved name server status page > > >Hi! > >> >Currently I have the DNS timeout set to 10 seconds with two >> >retries. What kind of values are more typical or standard >> >for resolvers? > >> >I will use the scripts that generate the page to send >> >notifications (probably to myself at first) once things >> >stabilize. Since events don't happen very often, it's >> >probably not necessary to show a history on the page. > >> That is very cool! However do you think it is wise to make >public the IP's >> of the servers? > ><BOFH mode=on> > >No, indeed, lets hide them, it will only cause problems if we >list them ;) > ><BOFH mode=off> > >Chris, you paranoid DONKEY :) how do you think people should >lookup the >zones if we dont publish where to get them. DNS does the exact >same thing. > >; <<>> DiG 9.2.1 <<>> ns surbl.org >;; global options: printcmd >;; Got answer: >;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21524 >;; flags: qr rd ra; QUERY: 1, ANSWER: 12, AUTHORITY: 0, ADDITIONAL: 12 > >;; QUESTION SECTION: >;surbl.org. IN NS > >;; ANSWER SECTION: >surbl.org. 13466 IN NS ns9.surbl.org. >surbl.org. 13466 IN NS ns8.surbl.org. >surbl.org. 13466 IN NS ns7.surbl.org. >surbl.org. 13466 IN NS ns6.surbl.org. >surbl.org. 13466 IN NS ns5.surbl.org. >surbl.org. 13466 IN NS ns3.surbl.org. >surbl.org. 13466 IN NS ns2.surbl.org. >surbl.org. 13466 IN NS ns13.surbl.org. >surbl.org. 13466 IN NS ns12.surbl.org. >surbl.org. 13466 IN NS ns11.surbl.org. >surbl.org. 13466 IN NS ns10.surbl.org. >surbl.org. 13466 IN NS ns1.surbl.org. > >;; ADDITIONAL SECTION: >ns9.surbl.org. 14175 IN A 209.234.97.11 >ns8.surbl.org. 14175 IN A 66.59.111.182 >ns7.surbl.org. 14175 IN A 130.161.128.84 >ns6.surbl.org. 14175 IN A 128.255.17.20 >ns5.surbl.org. 14175 IN A 128.255.17.19 >ns3.surbl.org. 14175 IN A 139.130.4.5 >ns2.surbl.org. 14175 IN A 209.204.159.15 >ns13.surbl.org. 14175 IN A 66.170.2.60 >ns12.surbl.org. 14175 IN A 66.170.2.50 >ns11.surbl.org. 14175 IN A 64.21.208.212 >ns10.surbl.org. 14175 IN A 66.251.133.4 >ns1.surbl.org. 14175 IN A 208.201.249.238 > LOL, yeah I realise that, but let the spammers do that. Why make it easy for them. Most can't spell DNS. :) The more hoops they have to go thru the better. I'm sure we may see a DDOS attempt by first quarter next year. --Chris

3 2

RE: [SURBL-Discuss] Improved name server status page
by Chris Santerre 24 Aug '04

24 Aug '04

Almost perfect. You have to follow RFC standards and name them either star wars or Simpsons Characters. Not ns1, ns2, ...... :) --Chris >-----Original Message----- >From: William C. Devine II [mailto:william@devine.net] >Sent: Tuesday, August 24, 2004 10:00 AM >To: Jeff Chan; SURBL Discussion list >Subject: RE: [SURBL-Discuss] Improved name server status page > > >You could keep a generic list of nameservers such as 'Server >1', 'Server >2', etc, which correlates to 'ns1', 'ns2', etc. It'd just add a level >of obscurity and require just a little more of a monkey to figure out >though. > >william > >-----Original Message----- >From: Jeff Chan [mailto:jeffc@surbl.org] >Sent: Tuesday, August 24, 2004 6:40 AM >To: SURBL Discuss >Subject: Re: [SURBL-Discuss] Improved name server status page > > >On Tuesday, August 24, 2004, 6:32:44 AM, Chris Santerre wrote: >> That is very cool! However do you think it is wise to make public the >IP's >> of the servers? > >Yeah that kind of raised some flags for me too, but the servers >are easy enough to find, and the names of the servers are not >unique due to the round robin. > >For example e.surbl.org resolves to two different name servers. > >So the only thing unique and used for the subdomains are their >IP addresses. I suppose we could set up another set of aliases >for them, but kind of don't want another set to maintain. >(The old style ns1, ns2, etc. names remain but for BIND >type servers for the parent zone. They have already diverged >from the rbldnsd servers.) > >Jeff C. > >_______________________________________________ >Discuss mailing list >Discuss(a)lists.surbl.org >http://lists.surbl.org/mailman/listinfo/discuss > >_______________________________________________ >Discuss mailing list >Discuss(a)lists.surbl.org >http://lists.surbl.org/mailman/listinfo/discuss >

1 0

RE: [SURBL-Discuss] whitelist rm04.net and rm02.net?
by Chris Santerre 24 Aug '04

24 Aug '04

>-----Original Message----- >From: Jeff Chan [mailto:jeffc@surbl.org] >Sent: Tuesday, August 24, 2004 2:14 AM >To: SURBL Discuss >Subject: Re: [SURBL-Discuss] whitelist rm04.net and rm02.net? > > >On Monday, August 23, 2004, 6:12:57 PM, Jeff Chan wrote: >> We've had a request to whitelist rm04.net and rm02.net. > >> Does anyone know anything about them? They seem to belong to: > >>> SilverPOP Systems >>> (DOM-151479) >>> 200 Galleria Parkway >>> Suite 750 Atlanta >>> GA >>> 30339 US > >> And reportedly appeared in a newsletter belonging to: >> Altiris http://www.altiris.com > >Someone I trust told me SilverPOP is whitehat, so I've >whitelisted them: > >silverpop.com >rm01.net >rm02.net >rm03.net >rm04.net >rm05.net >rm06.net >rm07.net >rm08.net >rm09.net >rm10.net > > >Jeff C. > I have no comment on their spamminess. But here is the list of more silverpop domains, from a good source ;) adm02.com ecommercial.com mailsubs.com mindarrow.com mindarrow.net radicalmail.com rm01.net rm02.net rm03.net rm04.net rm06.net rm07.net rm08.net silverpop.com --Chris

2 1

RE: [SURBL-Discuss] Phish via "previewmysite.com"
by Chris Santerre 24 Aug '04

24 Aug '04

>-----Original Message----- >From: David B Funk [mailto:dbfunk@engineering.uiowa.edu] >Sent: Monday, August 23, 2004 11:15 PM >To: 'SURBL Discussion list' >Subject: [SURBL-Discuss] Phish via "previewmysite.com" > > >Found a citibank phish that used a redirect thru go.msn.com to >'zach.com.previewmysite.com' (see attached message). > >Is previewmysite.com guilty or an innocent open site that is being >exploited? My eyes! They see nothing! Help!!!!!! I think you forgot to attach it! Without even seeing it, I think they are being exploited, and they may need to start using SURBL to check their users. --Chris

1 0

← Newer
1
2
3
4
5
6
7
...
21
Older →

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

Discuss August 2004