Discuss May 2005

discuss@lists.surbl.org

34 participants
64 discussions

embedded image spams
by Rakesh 27 May '05

27 May '05

Hi I have been bugged a lot by embedded image spams recently, although some of these spams got trapped due URI checks, some managed to pass as well as the url wasn't yet blocked in the SURBLs. I probably found something tht i wanted to share with u guys and try and see if we can trap those spams further on the basis of tht. I have classified those embedded image spams into two classes. Class 1 of image of fulllist of viagra and other meds and Class 2 of image of one liner information on cheap softwares or viagra. I was thinking of if possibly we can understand a common pattern and try and make a ruleset on top of tht so tht we dont have to wait for updates at URIbl, then it would be really some thing good. These image only spams apparently have a prob tht we can trap on :). The loophole is in most of the cases the message id of the mail and the content id or cid of the embedded image is exactly same. For e.g. Message-ID: <1066724820.2422(a)boschkitchencentre.com> Content-ID: <1066724820.2422(a)boschkitchencentre.com> some variations also had something like this Message-ID: <1064962549.5961(a)cal.cybersurf.net> Content-ID: <sivjxu_onzvh_dzdohvo> But thts applicable to class1 of the spams and in class 2 which are just images containing oneliners has some variations. In some cases the content id is smartly tampered but again there is a loophole and here is an example of tht Message-ID: <525F074E3524$72BF31B3$02605c3b(a)comcast.net> Content-ID: <e102605c3b(a)comcast.net> the message id and the content id both contain the domain name of the sending server. And a valid mail that had embedded image in it but was sent from outlook had details something like this From Outlook Message-ID: <002101c55c2f$b3f540a0$bdc809c0@cg> Content-ID: <image001.jpg(a)01C55C5D.CB204210> Frankly I haven't seen how content id appears when images are embedded using other valid email clients like netscape or thunderbird. But if we compare the above set of patterns, what appears is tht if a image is embedded using a client like outlook then "@" appears in the content id of the attachment but the latter part of @ is not the domain name, but has the name of the attachment itself and the messageid is different from the content id, whereas incase of the spammers content ids that appear are either exactly same to tht of the message id, or doesnt have a @ or has the domain name of the server as a latter part of the @ in content id. So my question is can we have rulesets in spamassassin that can compare the sending host domain with the latter part of @ of content id or look for @ in the content id. Any suggestions ? comments ? -- Regards, Rakesh B. Pal Project Leader Emergic CleanMail Team. Netcore Solutions Pvt. Ltd. ======================================================== Success is how high you reach after you hit the bottom. ======================================================== ---------------------------------------------------------- Netcore Solutions Pvt. Ltd. Website: http://www.netcore.co.in Spamtraps: http://cleanmail.netcore.co.in/directory.html ----------------------------------------------------------

2 1

Re: [SURBL-Discuss] Job Recruiter SPAMmers
by List Mail User 25 May '05

25 May '05

>... >Give this a try: > >> http://openrbl.org/ > > >It worked for me this morning. > >Dan Zachary > > >>(BTW my favorite rbl checker openrbl.org seems gone. :-( ) >>... Worked last night, but not now. The domain is in good standing, as is the "feeder" domain orbl.net. But the DNS records show a change as of yesterday (serial number date encoding method vs. the seconds since epoch that SURBL uses), and the 'A' record is gone. Most of the listed name servers seem down also. They alway had a problem with timeouts, but I used them a lot too. Current DNS appended (note the use of an unlisted name server to get anything). Paul Shupak track(a)plectere.com -------------------------------------------------------------------------------- % dig openrbl.org any @y.orbl.net ; <<>> DiG 9.3.0 <<>> openrbl.org any @y.orbl.net ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60077 ;; flags: qr aa rd; QUERY: 1, ANSWER: 12, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;openrbl.org. IN ANY ;; ANSWER SECTION: openrbl.org. 43200 IN NS a.orbl.net. openrbl.org. 43200 IN NS b.orbl.net. openrbl.org. 43200 IN NS c.orbl.net. openrbl.org. 43200 IN NS d.orbl.net. openrbl.org. 43200 IN NS e.orbl.net. openrbl.org. 43200 IN NS f.orbl.net. openrbl.org. 43200 IN NS g.orbl.net. openrbl.org. 43200 IN NS h.orbl.net. openrbl.org. 43200 IN NS i.orbl.net. openrbl.org. 43200 IN NS j.orbl.net. openrbl.org. 2700 IN MX 999 relay.serv.ch. openrbl.org. 3600 IN SOA g.orbl.net. openrbl.org. 2005052422 2400 600 2419200 300 ;; Query time: 190 msec ;; SERVER: 80.190.246.92#53(y.orbl.net) ;; WHEN: Wed May 25 13:41:00 2005 ;; MSG SIZE rcvd: 262

2 1

Job Recruiter SPAMmers
by Kevin A. McGrail 25 May '05

25 May '05

As a job recruiter, I am intimately familiar with posting a job and then getting hammered with SPAM from companies and recruiting firms. In the past 5 minutes, I've gotten two. One from BobAJobs-munged.com and one from http://ad1.geowebsv48a-munged.com/recruiting_service.html. How would these type of spam's be viewed for addition to SURBL? Regards, KAM

4 5

RE: [SURBL-Discuss] Job Recruiter SPAMmers
by Chris Santerre 24 May '05

24 May '05

> -----Original Message----- > From: Kevin A. McGrail [mailto:kmcgrail@pccc.com] > Sent: Tuesday, May 24, 2005 2:55 PM > To: discuss(a)lists.surbl.org > Cc: daniel.swartz(a)thoughtworthy.com > Subject: [SURBL-Discuss] Job Recruiter SPAMmers > > > As a job recruiter, I am intimately familiar with posting a > job and then > getting hammered with SPAM from companies and recruiting firms. > > In the past 5 minutes, I've gotten two. One from > BobAJobs-munged.com and > one from http://ad1.geowebsv48a-munged.com/recruiting_service.html. > > How would these type of spam's be viewed for addition to SURBL? > > Regards, > KAM I add them to black.uribl.com I can't stand these guys. The whole ihirexxxxxxxxx.com have already been added. --Chris

1 0

Subject: Re[2]: [SURBL-Discuss] whitelist: accuradio.com
by Robert Menschel 24 May '05

24 May '05

> Message: 4 > Date: Mon, 23 May 2005 05:17:31 +0200 (CEST) > From: Raymond Dijkxhoorn <raymond(a)surbl.org> > Subject: Re[2]: [SURBL-Discuss] whitelist: accuradio.com > To: SURBL Discussion list <discuss(a)lists.surbl.org> > Hi bob, >>>> Reviewing this week's emails looking for candidates for my SA >>>> whitelist.cf, I saw that an email from accuradio.com, with a URI to >>>> www.accuradio.com, had hit URIBL_OB_SURBL. ... >> >>>> Submitting the whitelist now. >> > Care to share? Perhaps more listed that that we should look into ? > Bye, > Raymond. Sure: # Domains I personally guarantee do not send spam: menschel.net robert.menschel.name choctaw-crafts.org xeper.org xeper.net templeofset.org setian.org balanone.info contractorswarehouse.com cwbo.com cwikship.com # Trusted domains jeld-wen.com pythagoras.org trapezoid.org # domain that looks like it might be spammy, but a user has intentionally flagged email as NOT being spam. freelanceworkexchange.com # Added May 22 2005 AccuRadio.com Bob Menschel

2 1

whitelist: accuradio.com
by sare＠menschel.net 24 May '05

24 May '05

Just a quick note: Reviewing this week's emails looking for candidates for my SA whitelist.cf, I saw that an email from accuradio.com, with a URI to www.accuradio.com, had hit URIBL_OB_SURBL. I just did a SURBL check, and it's not there now, so I'm guessing it was a temporary fluke. However, since in three years I've received emails from accuradio only to the specific email address I supplied them, not to any other, and have not receiving any emails from anyone else to that address, I believe this domain worth whitelisting to avoid future similar events. Submitting the whitelist now. Bob Menschel

4 7

Re: name-services.com (was: Re: [SURBL-Discuss] whitelist: accuradio.com)
by List Mail User 24 May '05

24 May '05

>... > >What about the WDRP spam apparently from them? Is that possibly >legitimate looking? > >From: "WDRP Compliance" <wdrp(a)name-services.com> >To: Domains(a)Menschel.net > >thetrueslf.com May 25, 2004 > View Contact Data: <http://wdrp.name-services.com/whois.asp?key=FC4464C8F2A> > >etc. > >Jeff C. > >_______________________________________________ >Discuss mailing list >Discuss(a)lists.surbl.org >http://lists.surbl.org/mailman/listinfo/discuss > I thought I had made clear my beliefs about the "competence" of eNom's procedures and personnel:-) Anyway, this is clearly not spam, but a misdirected - yet valid communication for domain registration data checking. Clearly sent to the wrong person, but it isn't selling anything - it doesn't even link to any other page except ICANN's rules about data verification. It is downright well behaved - no links to their own services, no pleas to extend the registration period - one of the best I've seen of all that I've gotten from any registrar I've used. Just in typical fashion, they sent it to the wrong place:-) Do note that it is also typical eNom in that it functions by a "negative" option - do nothing and they say they will assume all the data is good; I suspect that this is *not* acceptable to ICANN (since if the contact data were false, the notice would likely be ignored and hence no checking actually performed) - but it fits perfectly the eNom model of let the customer be responsible for reporting and fixing all errors. Most people I've played golf with "cheat" - some knowingly, some accidentally - I long ago got used to people telling me that I should be adding penalties to my own score for "mistakes". This is sort of like the French justice system in reverse (instead of the police having to prove a defendant is innocent - let the defendant be responsible to show that he is guilty). Anyway, just go to the link - No "spam" - innocent, but incompetent. Paul Shupak track(a)plectere.com P.S. Now somebody should check if the data is actually valid for that domain; It appears that at least there i a technical violation in that the listed fax line goes unanswered during business hours! I'd even guess that Donovan Rittenbach doesn't even live there or have that telephone number anymore. He has at least two other domains at the same address and telephone number. The telephone number is unlisted (not normal for a business).

2 1

Re: Discuss Digest, Vol 14, Issue 23
by Robert Menschel 24 May '05

24 May '05

> Message: 2 > Date: Mon, 23 May 2005 09:01:36 -0700 (PDT) > From: List Mail User <track(a)Plectere.com> > Subject: name-services.com (was: Re: [SURBL-Discuss] whitelist: accuradio.com) > To: discuss(a)lists.surbl.org > Cc: jeffc(a)surbl.com, track(a)Plectere.com > Message-ID: <200505231601.j4NG1aYt025267(a)Plectere.com> > I've been watching this discussion without speaking up for > a couple of days now. the domain name-services is very popular with > spammers (they seem to be lax in throwing them off), but it has *at > least* 20x as many legitimate customers as "bad guys"; That said, I > do always double-check when I see it turn up in a domain I'm already > looking at - It is a good sign if you already have another reason for > checking a domain, but they themselves are mostly extremely clean. The > big problem is the domain is operated by eNom for others, and we all > probably are aware of the standard eNom procedure for complaints (i.e. > forward it to the spammer and ask him to "fix" it) - this makes them > look disproportionately bad. > The domain name-services.com itself doesn't belong on any SURBLs > (though it does exist within lots of Spamhaus and SPEWS records) or even > on URIBL's greylist (though maybe SPEWS should L2 them and eNom itself). > They have far, far too many legitimate customers. > Just my opinion/experience. But convincing to me. I've uploaded an update to my blacklist file, with this domain removed. Jeff -- by the same reasoning, it should be whitelisted? Bob Menschel

1 0

name-services.com (was: Re: [SURBL-Discuss] whitelist: accuradio.com)
by List Mail User 23 May '05

23 May '05

>... > >Hello Jeff, > >(sent one copy without attachment, and from not-listed address; that >copy can be deleted without forwarding to list. sorry) > >Monday, May 23, 2005, 3:00:09 AM, you wrote: > >JC> Message: 7 >JC> Date: Mon, 23 May 2005 00:57:48 -0700 >JC> From: Jeff Chan <jeffc(a)surbl.org> >JC> Subject: Re: [SURBL-Discuss] whitelist: accuradio.com >JC> To: Joseph Burford <josephb(a)gmail.com> >JC> Cc: SURBL Discussion list <discuss(a)lists.surbl.org> >JC> Message-ID: <127069243.20050523005748(a)surbl.org> >JC> Content-Type: text/plain; charset=us-ascii > >JC> On Sunday, May 22, 2005, 11:39:05 PM, Joseph Burford wrote: >>>> Since you say they're whitehats, I'll go ahead and whitelist them in >>>> SURBLs. Of minor interest one of their nameservers is on SORBS: >>>> >>>> 212.118.243.118 dns5.name-services.com >>>> >>>> http://www.sorbs.net/lookup.shtml?212.118.243.118 > >>> name-services.com is used by Register.com / Namebargain.com for their >>> customer DNS services. > >>> Regards, Hi, I've been watching this discussion without speaking up for a couple of days now. the domain name-services is very popular with spammers (they seem to be lax in throwing them off), but it has *at least* 20x as many legitimate customers as "bad guys"; That said, I do always double-check when I see it turn up in a domain I'm already looking at - It is a good sign if you already have another reason for checking a domain, but they themselves are mostly extremely clean. The big problem is the domain is operated by eNom for others, and we all probably are aware of the standard eNom procedure for complaints (i.e. forward it to the spammer and ask him to "fix" it) - this makes them look disproportionately bad. The domain name-services.com itself doesn't belong on any SURBLs (though it does exist within lots of Spamhaus and SPEWS records) or even on URIBL's greylist (though maybe SPEWS should L2 them and eNom itself). They have far, far too many legitimate customers. Just my opinion/experience. Paul Shupak track(a)plectere.com

2 1

Re: [SURBL-Discuss] whitelist: accuradio.com
by Robert Menschel 23 May '05

23 May '05

Hello Jeff, (sent one copy without attachment, and from not-listed address; that copy can be deleted without forwarding to list. sorry) Monday, May 23, 2005, 3:00:09 AM, you wrote: JC> Message: 7 JC> Date: Mon, 23 May 2005 00:57:48 -0700 JC> From: Jeff Chan <jeffc(a)surbl.org> JC> Subject: Re: [SURBL-Discuss] whitelist: accuradio.com JC> To: Joseph Burford <josephb(a)gmail.com> JC> Cc: SURBL Discussion list <discuss(a)lists.surbl.org> JC> Message-ID: <127069243.20050523005748(a)surbl.org> JC> Content-Type: text/plain; charset=us-ascii JC> On Sunday, May 22, 2005, 11:39:05 PM, Joseph Burford wrote: >>> Since you say they're whitehats, I'll go ahead and whitelist them in >>> SURBLs. Of minor interest one of their nameservers is on SORBS: >>> >>> 212.118.243.118 dns5.name-services.com >>> >>> http://www.sorbs.net/lookup.shtml?212.118.243.118 >> name-services.com is used by Register.com / Namebargain.com for their >> customer DNS services. >> Regards, >> Joseph JC> Hmm, then it probably should not be blacklisted: JC> black-rmenschel-200504:name-services.com JC> Bob Menschel, JC> Can you comment further on this listing of yours on sa-blacklist/ JC> ws.surbl.org? Spam is attached. I agree that as DNS, name-services.com shouldn't be blocked, nor as received, since other viable emails come through them. The only emails I've ever received /from/ name-services.com, and the only emails I've ever received with URI links to name-services.com, are like the attached. As far as I know, this is a scam. I've never done any business with name-services.com, and never looked at obtaining any of their services. I don't remember the exact steps I used April 27 to review this, but searching for their domain I found plenty of evidence of spam/scam, and no evidence that these people also sent out ham. If they themselves are a registry, and do send ham to domain registrants that they haven't already scammed, then yes, I should remove them from my blacklist file. If they are primarily DNS services and do not send emails other than spam/scam, then they should remain. Bob Menschel

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

Discuss May 2005