>-----Original Message-----
>From: Bill Landry [mailto:billl@pointshare.com]
>Sent: Tuesday, August 24, 2004 3:06 PM
>To: 'SURBL Discussion list'
>Subject: Re: [SURBL-Discuss] FP in WS & DS?
>
>
>----- Original Message -----
>From: "Chris Santerre" <csanterre(a)merchantsoverseas.com>
>
>> >This is from a US Bank newsletter, and I have confirmed via whois that US
>> >Bank does own the domain in question:
>> >
>> > usbank-email.MUNGEDcom
>> >
>> >The sending IP address is not listed in any RBL/RHSBLs:
>> >
>> > http://www.dnsstuff.com/tools/ip4r.ch?ip=192.168.40.122
>> >
>> >Looks like a legitimate, subscription based, US Bank newsletter.
>>
>> We aren't seeing eye to eye today bill :)
>>
>> 207.189.106.22 not the reserved IP you listed.
>
>Yep, I corrected that in my last e-mail.
>
>> I see it as 4at1.com who is also:
>>
>> 00123.com
>> 1nc002.com
>> 1nc012.com
>> 1nc022.com
>> 4at1.com
>> 4at2.com
>> 4at2.net
>> 4at5.net
>>
>> #Once ONCE (NET-207-189-106-0-1)
>> 207.189.106.0 - 207.189.106.255
>> Empire Communications FORTIX-NET (NET-207-189-96-0-1)
>> 207.189.96.0 - 207.189.127.255
>
>Why would it matter who assigned US Bank the address space, or who else they
>assigned address space to? The IP address US Bank is using is not listed in
>any RBL/RHSBLs, and the bottom line is that the newsletter, and the company
>distributing it, are quite obviously both legitimate. What else matters...?
>
Nope, completely forget everything I posted. I was clearly off my rocker on
that one! I entered the wrong data into my search and it spooled into the
cluster Fsck I posted :) I'm taking steps to make sure that doesn't happen
again today. (Translate: I'm pouring a cup of coffee!)
This is what I get for doing 35 things at once and having 3 instances of
Firefox open with 10 tabs open in each of those!
Now, where are my car keys?!
--Chris
This is from a US Bank newsletter, and I have confirmed via whois that US
Bank does own the domain in question:
usbank-email.MUNGEDcom
The sending IP address is not listed in any RBL/RHSBLs:
http://www.dnsstuff.com/tools/ip4r.ch?ip=192.168.40.122
Looks like a legitimate, subscription based, US Bank newsletter.
Bill
>-----Original Message-----
>From: Chris Santerre [mailto:csanterre@merchantsoverseas.com]
>Sent: Tuesday, August 24, 2004 12:06 PM
>To: 'SURBL Discussion list'
>Subject: RE: [SURBL-Discuss] WS & DS FP?
>
>
>
>
>>-----Original Message-----
>>From: Bill Landry [mailto:billl@pointshare.com]
>>Sent: Tuesday, August 24, 2004 11:39 AM
>>To: 'SURBL Discussion list'
>>Subject: Re: [SURBL-Discuss] WS & DS FP?
>>
>>
>>----- Original Message -----
>>From: "Chris Santerre" <csanterre(a)merchantsoverseas.com>
>>
>>> I agree. But the legit companies were spamming. That was what I was trying
>>> to say, although poorly :) Some of the NANAS posts have legit companies in
>>> them, but are spam. Most likely they paid a company to market them. Or they
>>> tried their hand at doing it themselves and purchased a list. This looks
>>> like the main focus of yesmail/clickaction. A mass email marketing company.
>>> So they will get legit companies to pay them to advertise/spam for them.
>>>
>>> They are a spammer for hire. I don't see them in ANY legit mail other than
>>> this one single run with itworld. And that is because of a seminar on how to
>>> use email for mass marketing! I may get overruled on this one, but I'm
>>> sticking to my guns that they are spammers.
>>
>>The IT World newsletter link to clickaction had nothing to do with a mass
>>marketing seminar. If you review my original post again, you will see that
>>it was used for a very legitimate purpose, to allow users that have problems
>>viewing their IT World newsletter subscription in HTML format to be able to
>>change it to a text based format - that was it, pure and simple.
>>
>>There are lots of other ways to block clickaction if people feel that that
>>is necessary, however, since there are obviously very legitimate uses for
>>clickaction services by very legitimate companies, I do not feel that
>>listing them in any of the SURBL is appropriate. My vote is to keep them
>>whitelisted for now.
>>
>
>So once again, a spammer gets 1-2 legit companies to use them, and they get
>removed from all RBLs? If that is how we are going to operate, we might as
>well shut down now. Game over.
>
>"obviously very legitimate uses for clickaction services"
>
>So itworld wanted to reduce their own traffic and have this legit bulk done
>by a "Legit commercial email marketer". Well they picked the wrong one. This
>isn't the first time we have seen this and it won't be the last.
>
>The PROPER thing to do is inform itworld of the history of the marketer they
>are dealing with.
>
>Whitelist? No way in hell. Temp remove, sure go ahead, but they are just
>going to get submitted again. Then what? Why not local whitelist then for
>your site?
>
>I'm starting to sound like the crazy SPAM-L locals :) But I'm tired of
>having this one single argument every week. Spammer who gets legit
>businesses to sign up....we need to deal with this now. Otherwise, like I
>said, game over.
>
>--Chris (Antispam nut!)
More info:
http://www.badads.org/january02.shtml
They have been providing email support for itworld since 2001! Maybe itworld
needs a clue!
http://emailuniverse.com/list-news/?id=298
--Chris (Still digging.)
>-----Original Message-----
>From: David Hooton [mailto:david.hooton@gmail.com]
>Sent: Tuesday, August 24, 2004 10:42 AM
>To: SURBL Discussion list
>Subject: Re: [SURBL-Discuss] WS & DS FP?
>
>
>On Tue, 24 Aug 2004 10:16:39 -0400, Chris Santerre
><csanterre(a)merchantsoverseas.com> wrote:
>> I agree. But the legit companies were spamming. That was what I was trying
>> to say, although poorly :) Some of the NANAS posts have legit companies in
>> them, but are spam. Most likely they paid a company to market them. Or they
>> tried their hand at doing it themselves and purchased a list. This looks
>> like the main focus of yesmail/clickaction. A mass email marketing company.
>> So they will get legit companies to pay them to advertise/spam for them.
>>
>> They are a spammer for hire. I don't see them in ANY legit mail other than
>> this one single run with itworld. And that is because of a seminar on how to
>> use email for mass marketing! I may get overruled on this one, but I'm
>> sticking to my guns that they are spammers.
>
>I'm with Chris, string them up!
>
>How about a slightly more moderate approach, let's not whitelist them,
>but let's remove them from the list for now. If they re-offend then we
>list them until such time as they prove themselves as whitehat.
>
>This kind of domain is a very slippery one, it's incredibly hard to put
>them on either side of the FP fence.
>--
>Regards,
>
>David Hooton
Oh it gets even better according to our friend. Related domains!
So what do you think of them now?
--Chris
>-----Original Message-----
>From: Jeff Chan [mailto:jeffc@surbl.org]
>Sent: Tuesday, August 24, 2004 9:48 AM
>To: SURBL Discuss
>Subject: Re: [SURBL-Discuss] WS & DS FP?
>
>
>On Tuesday, August 24, 2004, 6:46:01 AM, Chris Santerre wrote:
>> Sorry I just noticed yesmail.com is listed in SURBL. So clickaction.net
>> should be as well. They are one and the same.
>
>Listings should not necessarily be associative. The real test
>remains as "how spammy are they?" Do these guys do anything
>legitimate? The NANAS customers of clickaction looked pretty
>legitimate to me, assuming they're really customers.
>
>Jeff C.
>
I agree. But the legit companies were spamming. That was what I was trying
to say, although poorly :) Some of the NANAS posts have legit companies in
them, but are spam. Most likely they paid a company to market them. Or they
tried their hand at doing it themselves and purchased a list. This looks
like the main focus of yesmail/clickaction. A mass email marketing company.
So they will get legit companies to pay them to advertise/spam for them.
They are a spammer for hire. I don't see them in ANY legit mail other than
this one single run with itworld. And that is because of a seminar on how to
use email for mass marketing! I may get overruled on this one, but I'm
sticking to my guns that they are spammers.
--Chris
>-----Original Message-----
>From: Raymond Dijkxhoorn [mailto:raymond@prolocation.net]
>Sent: Tuesday, August 24, 2004 9:39 AM
>To: SURBL Discussion list
>Subject: RE: [SURBL-Discuss] Improved name server status page
>
>
>Hi!
>
>> >Currently I have the DNS timeout set to 10 seconds with two
>> >retries. What kind of values are more typical or standard
>> >for resolvers?
>
>> >I will use the scripts that generate the page to send
>> >notifications (probably to myself at first) once things
>> >stabilize. Since events don't happen very often, it's
>> >probably not necessary to show a history on the page.
>
>> That is very cool! However do you think it is wise to make public the IPs
>> of the servers?
>
><BOFH mode=on>
>
>No, indeed, let's hide them, it will only cause problems if we list them ;)
>
><BOFH mode=off>
>
>Chris, you paranoid DONKEY :) how do you think people should look up the
>zones if we don't publish where to get them. DNS does the exact same thing.
>
>; <<>> DiG 9.2.1 <<>> ns surbl.org
>;; global options: printcmd
>;; Got answer:
>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21524
>;; flags: qr rd ra; QUERY: 1, ANSWER: 12, AUTHORITY: 0, ADDITIONAL: 12
>
>;; QUESTION SECTION:
>;surbl.org. IN NS
>
>;; ANSWER SECTION:
>surbl.org. 13466 IN NS ns9.surbl.org.
>surbl.org. 13466 IN NS ns8.surbl.org.
>surbl.org. 13466 IN NS ns7.surbl.org.
>surbl.org. 13466 IN NS ns6.surbl.org.
>surbl.org. 13466 IN NS ns5.surbl.org.
>surbl.org. 13466 IN NS ns3.surbl.org.
>surbl.org. 13466 IN NS ns2.surbl.org.
>surbl.org. 13466 IN NS ns13.surbl.org.
>surbl.org. 13466 IN NS ns12.surbl.org.
>surbl.org. 13466 IN NS ns11.surbl.org.
>surbl.org. 13466 IN NS ns10.surbl.org.
>surbl.org. 13466 IN NS ns1.surbl.org.
>
>;; ADDITIONAL SECTION:
>ns9.surbl.org. 14175 IN A 209.234.97.11
>ns8.surbl.org. 14175 IN A 66.59.111.182
>ns7.surbl.org. 14175 IN A 130.161.128.84
>ns6.surbl.org. 14175 IN A 128.255.17.20
>ns5.surbl.org. 14175 IN A 128.255.17.19
>ns3.surbl.org. 14175 IN A 139.130.4.5
>ns2.surbl.org. 14175 IN A 209.204.159.15
>ns13.surbl.org. 14175 IN A 66.170.2.60
>ns12.surbl.org. 14175 IN A 66.170.2.50
>ns11.surbl.org. 14175 IN A 64.21.208.212
>ns10.surbl.org. 14175 IN A 66.251.133.4
>ns1.surbl.org. 14175 IN A 208.201.249.238
>
LOL, yeah I realise that, but let the spammers do that. Why make it easy for
them. Most can't spell DNS. :) The more hoops they have to go thru the
better. I'm sure we may see a DDOS attempt by first quarter next year.
--Chris
Almost perfect. You have to follow RFC standards and name them either star
wars or Simpsons Characters. Not ns1, ns2, ......
:)
--Chris
>-----Original Message-----
>From: William C. Devine II [mailto:william@devine.net]
>Sent: Tuesday, August 24, 2004 10:00 AM
>To: Jeff Chan; SURBL Discussion list
>Subject: RE: [SURBL-Discuss] Improved name server status page
>
>
>You could keep a generic list of nameservers such as 'Server 1', 'Server
>2', etc, which correlates to 'ns1', 'ns2', etc. It'd just add a level
>of obscurity and require just a little more of a monkey to figure out
>though.
>
>william
>
>-----Original Message-----
>From: Jeff Chan [mailto:jeffc@surbl.org]
>Sent: Tuesday, August 24, 2004 6:40 AM
>To: SURBL Discuss
>Subject: Re: [SURBL-Discuss] Improved name server status page
>
>
>On Tuesday, August 24, 2004, 6:32:44 AM, Chris Santerre wrote:
>> That is very cool! However do you think it is wise to make public the IPs
>> of the servers?
>
>Yeah that kind of raised some flags for me too, but the servers
>are easy enough to find, and the names of the servers are not
>unique due to the round robin.
>
>For example e.surbl.org resolves to two different name servers.
>
>So the only thing unique and used for the subdomains are their
>IP addresses. I suppose we could set up another set of aliases
>for them, but kind of don't want another set to maintain.
>(The old style ns1, ns2, etc. names remain but for BIND
>type servers for the parent zone. They have already diverged
>from the rbldnsd servers.)
>
>Jeff C.
>
>_______________________________________________
>Discuss mailing list
>Discuss(a)lists.surbl.org
>http://lists.surbl.org/mailman/listinfo/discuss
>
>-----Original Message-----
>From: David B Funk [mailto:dbfunk@engineering.uiowa.edu]
>Sent: Monday, August 23, 2004 11:15 PM
>To: 'SURBL Discussion list'
>Subject: [SURBL-Discuss] Phish via "previewmysite.com"
>
>
>Found a citibank phish that used a redirect thru go.msn.com to
>'zach.com.previewmysite.com' (see attached message).
>
>Is previewmysite.com guilty or an innocent open site that is being
>exploited?
My eyes! They see nothing! Help!!!!!!
I think you forgot to attach it!
Without even seeing it, I think they are being exploited, and they may need
to start using SURBL to check their users.
--Chris