Hi everyone
Please forgive me if this question has been answered recently, but I have
only joined the list today. My question is:
multi.surbl.org no longer resolves to an IP address; is it still the
preferred hostname to use?
The reason I ask is because our mail gateway product uses this as one of
its tests, and our support company seem to be getting nowhere finding out
what's wrong or who to ask.
I can resolve this name from -
home
work
internetcafe
As I say, please forgive me if this question has been answered before
Many thanks, Adrian
PS I work for a smallish organisation (<500 users); would it be worth my
while rsyncing the DNS zone locally?
>> -----Original Message-----
>> From: Larry Rosenman [mailto:ler@lerctr.org]
>> Sent: Thursday, May 25, 2006 9:53 AM
>> To: 'SURBL Discussion list'
>> Subject: RE: [SURBL-Discuss] Weird TLD/site in Phish
>>
>>
>> Chris Santerre wrote:
>> > I have no idea if this is a legit site hijacked, bad site,
>> or a secret
>> > society of the Illuminati!
>> >
>> > http://www.zorka-opeka.co.yu/-/
>> >
>> > .yu ??????? Yugoslavia?
>> yep.
>>
>> http://www.iana.org/cctld/cctld-whois.htm
>>
>> LER
>
>Thanks, I actually sent this to the wrong list :) But does anyone know how
>to read er... yugoslavian? I don't want to Blacklist without knowing more
>about the site. Could be a free hoster or something.
>
>--Chris
>_______________________________________________
>Discuss mailing list
>Discuss(a)lists.surbl.org
>http://lists.surbl.org/mailman/listinfo/discuss
>
It looks like a once legitimate site, now compromised. No need
to read anything but English - It is a fake PayPal/eBay login page (phishing)
all in English. The ".yu" TLD never did register a Whois server, and while
still active *should* not have much left (even less now that Serbia and
Montenegro have just voted to split).
The host's DNS places it in a very old /29 net-block (with all
.yu contacts), and the DNS is from loopia.se with TTLs varying from
60 seconds to 1 hour.
Anyway, bogus phishing site - Blacklist them until it is fixed (if
ever).
Paul Shupak
track(a)plectere.com
P.S. At least it isn't another NetSol domain registered to Sava Milosevic;
There have been a lot of those in the past year.
> -----Original Message-----
> From: Larry Rosenman [mailto:ler@lerctr.org]
> Sent: Thursday, May 25, 2006 9:53 AM
> To: 'SURBL Discussion list'
> Subject: RE: [SURBL-Discuss] Weird TLD/site in Phish
>
>
> Chris Santerre wrote:
> > I have no idea if this is a legit site hijacked, bad site,
> or a secret
> > society of the Illuminati!
> >
> > http://www.zorka-opeka.co.yu/-/
> >
> > .yu ??????? Yugoslavia?
> yep.
>
> http://www.iana.org/cctld/cctld-whois.htm
>
> LER
Thanks, I actually sent this to the wrong list :) But does anyone know how
to read er... yugoslavian? I don't want to Blacklist without knowing more
about the site. Could be a free hoster or something.
--Chris
Thanks. One of our guys says it is in fact a hacked legit site. Albeit for
bricks :) So, like you said, it might be fine to list until it is taken down.
Hell, it may be the only way they realise they got hacked! :)
--Chris
> -----Original Message-----
> From: Jeff Chan [mailto:jeffc@surbl.org]
> Sent: Thursday, May 25, 2006 11:07 AM
> To: Chris Santerre
> Cc: 'SURBL Discussion list'
> Subject: Re: [SURBL-Discuss] Weird TLD/site in Phish
>
>
> On Thursday, May 25, 2006, 7:09:26 AM, Chris Santerre wrote:
> > Thanks, I actually sent this to the wrong list :) But does
> anyone know how
> > to read er... yugoslavian? I don't want to Blacklist
> without knowing more
> > about the site. Could be a free hoster or something.
>
> I usually look at whois or DNS, but in this case there's nothing
> too useful:
>
>
> Domain Name: ZORKA-OPEKA.CO.YU
> Namespace: ICANN Country Code Top Level Domain -
> http://www.icann.org
> TLD Info: See IANA Whois - http://www.iana.org/root-whois/yu.htm
> Registry: Registry information not yet configured
> Registrar: Registry information not yet configured
> Whois Server: (none)
> Name Server[from dns, dns ip]: NS3.LOOPIA.SE 194.9.94.245
> Name Server[from dns, dns ip]: NS4.LOOPIA.SE 194.9.95.245
>
> [DNS Information for ZORKA-OPEKA.CO.YU]
> Trying "ZORKA-OPEKA.CO.YU"
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58580
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2
>
> ;; QUESTION SECTION:
> ;ZORKA-OPEKA.CO.YU. IN ANY
>
> ;; ANSWER SECTION:
> ZORKA-OPEKA.CO.YU. 59 IN NS ns4.loopia.se.
> ZORKA-OPEKA.CO.YU. 59 IN NS ns3.loopia.se.
>
> ;; AUTHORITY SECTION:
> ZORKA-OPEKA.CO.YU. 59 IN NS ns4.loopia.se.
> ZORKA-OPEKA.CO.YU. 59 IN NS ns3.loopia.se.
>
> ;; ADDITIONAL SECTION:
> ns3.loopia.se. 3599 IN A 194.9.94.245
> ns4.loopia.se. 3599 IN A 194.9.95.245
>
> Received 140 bytes from 216.151.192.1#53 in 3 ms
>
>
>
> Non-authoritative answer:
> ZORKA-OPEKA.CO.YU
> origin = ns3.loopia.se
> mail addr = registry.loopia.se
> serial = 1146743921
> refresh = 10800
> retry = 3600
> expire = 25200
> minimum = 86400
>
> Authoritative answers can be found from:
> ZORKA-OPEKA.CO.YU nameserver = ns3.loopia.se.
> ZORKA-OPEKA.CO.YU nameserver = ns4.loopia.se.
> ns3.loopia.se internet address = 194.9.94.245
> ns4.loopia.se internet address = 194.9.95.245
>
>
> Non-authoritative answer:
> Name: ZORKA-OPEKA.CO.YU
> Address: 195.178.52.202
>
>
> Looks like it has about 7 google hits, so it's probably not a
> huge loss if blacklisted, especially if it's un-blacklisted when
> the phishing site goes away.
>
> BTW, while the Soviet Union no longer exists, the .su domain
> still does, though we thought some of the domains on it were
> dubious.
>
> Jeff C.
> --
> Don't harm innocent bystanders.
>
Hi Bill,
I appreciate your quick response. And I'm interested in what others on the mailing list might have to say about this as well.
In answer to your questions:
>If you've assembled a live customer list
>with UBE for a few years, then stop sending UBE, doesn't that mean you get
>the benefits of that UBE even after you stop sending it?
I don't believe so. First, even though we didn't have a 100% closed-loop opt-in list process, most of the email we sent was not UBE. We only emailed names collected from what we believed were legitimate transactions on our partner web sites. The consumer was always presented with a privacy policy and terms of service that told them they would be agreeing to receive future email offers by completing the transaction. So while it wasn't perfect, we were making an effort to be sure the email we sent had the end-user's permission. We ultimately learned that this wasn't sufficient. The fact that we ended up with spam traps and other "bad" addresses in our email lists is proof that our process was flawed. So we decided to exit the email business in December, 2005. Had we continued to email "live customers" after that, then yes I suppose you could say we were still benefiting from past practices. But we didn't do that.
> Secondly, I went back to the mail I've gotten from aptimus
>.net/com for the past few years to look at the "partner" domains (domains
>also linked to in mails that point at aptimus .net/com). A number of them
>continue to send UBE, which makes me wonder if perhaps you've stopped
>using your own domain name in the mails but continue to send UBE (that's
>not an accusation, it literally is a question). Would you be willing to
>help me understand your relationships with the following domains? The
>following are the ones that I've seen in 2006:
>
>Jan 8 03:17 tr1usc .com
>Jan 15 16:22 consumertoday .net
>Jan 15 16:22 aptimus .com
>Jan 15 16:22 alnimglrhyd .cc
>Jan 20 02:45 alnimglrbsh .cc
>Jan 20 02:45 alnclklrbsh .com
>Jan 20 02:45 mediamarketsystem .com
>Jan 21 22:55 collectiblestoday .com
>Jan 27 01:31 removeservice .com
>Feb 4 04:34 thrifthealth .com
>Mar 11 02:29 alnclklrhyd .com
>Mar 11 02:30 eforcemedia .com
>Mar 11 02:32 laih .com
>Mar 12 15:00 emarketmakers .com
>Mar 12 22:44 dentalplans .com
>Mar 12 22:44 intriguelearning .com
>Apr 16 02:09 dnelist .com
>Apr 16 02:09 esideliver .com
Question: are you saying that these domains continue to send UBE that ALSO continue to contain references to Aptimus? If so, that could be bad (and we'd very much like to know about it). Otherwise, of the above listed domains the only one we have a direct relationship with (other than aptimus.com, of course), is consumertoday.net. We own that domain and it was one of the domains we used for email marketing. We stopped using consumertoday.net in December, 2005.
Please let me know if you have any further questions, and I look forward to a (hopefully positive) response on the delisting of our domains.
Regards,
Greg Schuler
Aptimus, Inc.
-----Original Message-----
From: William Stearns [mailto:wstearns@pobox.com]
Sent: Friday, May 19, 2006 1:47 PM
To: Greg Schuler; ml-surbl-discuss
Cc: William Stearns
Subject: Re: Requesting removal from blacklist
Good morning, Greg,
I've CC'd the surbl mailing list with this post because I'd like
to hear the opinions of the other members of the surbl team.
On Thu, 18 May 2006, Greg Schuler wrote:
> Greetings,
>
> As the IT director for Aptimus I have for some time known that our
> domain has been blacklisted. This is because Aptimus was formerly in
> the email marketing business and we did not have a 100% closed-loop
> opt-in process.
During that time I received a relatively steady supply of UBE to a
small number of spamtraps, so I'm hesitant to remove your domain without
some discussion.
> We left the email business last year and for all of 2006 we have sent
> email only to those end users who have "transacted" on our partner web
We appreciate your taking a positive step and contacting us after
that; that's one of the reasons why I'm seriously considering your
request.
> sites. We do not add these email addresses to any mailing lists and we
> never send a user more than one message (e.g. these are confirmation
> messages sent to acknowledge a legitimate web-based transaction such as
> purchasing a product, entering a contest, signing up for a newsletter or
> service or some similar activity). Unfortunately it seems even sending
> a confirmation message is considered "Spam" by some people and we still
> get a few complaints, but never more than a couple per month.
Confirmation messages with no other commercial content are not
considered spam in our project, so you're OK there.
> Based on the above, would it be possible to have aptimus.com and
> aptimus.net removed from your list? If not, could you explain why? If
> there's something else we need to do to get our domains cleaned up I'd
> really like to know.
The last aptimus.net mail I got was from January 15th, so that
tends to support what you said.
I have a few questions. If you've assembled a live customer list
with UBE for a few years, then stop sending UBE, doesn't that mean you get
the benefits of that UBE even after you stop sending it?
Secondly, I went back to the mail I've gotten from aptimus
.net/com for the past few years to look at the "partner" domains (domains
also linked to in mails that point at aptimus .net/com). A number of them
continue to send UBE, which makes me wonder if perhaps you've stopped
using your own domain name in the mails but continue to send UBE (that's
not an accusation, it literally is a question). Would you be willing to
help me understand your relationships with the following domains? The
following are the ones that I've seen in 2006:
Jan 8 03:17 tr1usc .com
Jan 15 16:22 consumertoday .net
Jan 15 16:22 aptimus .com
Jan 15 16:22 alnimglrhyd .cc
Jan 20 02:45 alnimglrbsh .cc
Jan 20 02:45 alnclklrbsh .com
Jan 20 02:45 mediamarketsystem .com
Jan 21 22:55 collectiblestoday .com
Jan 27 01:31 removeservice .com
Feb 4 04:34 thrifthealth .com
Mar 11 02:29 alnclklrhyd .com
Mar 11 02:30 eforcemedia .com
Mar 11 02:32 laih .com
Mar 12 15:00 emarketmakers .com
Mar 12 22:44 dentalplans .com
Mar 12 22:44 intriguelearning .com
Apr 16 02:09 dnelist .com
Apr 16 02:09 esideliver .com
> Thanks and regards,
>
> Greg Schuler
> Director, Technology & Operations
> Aptimus, Inc. (NASDAQ: APTM)
> The Point-of-Action Online
> Advertising Network
>
> 100 Spear Street, Suite 1115
> San Francisco, CA 94105
> Ph: 415-896-2123 x242
> Fax: 208-361-2452
> Mobile: 415-596-6127
> gregs(a)aptimus.com
Cheers,
- Bill
---------------------------------------------------------------------------
"My fellow Americans. I've signed legislation that will outlaw
Russia forever. We begin bombing in five minutes."
- President Reagan, before a scheduled radio broadcast, unaware
that the microphone was already on...
(Courtesy of Brian S. Dellinger <Brian.Dellinger(a)Dartmouth.EDU>)
--------------------------------------------------------------------------
William Stearns (wstearns(a)pobox.com). Mason, Buildkernel, freedups, p0f,
rsync-backup, ssh-keyinstall, dns-check, more at: http://www.stearns.org
--------------------------------------------------------------------------
Hello,
Looking at the multi.surbl.org zone yesterday, I noticed approximately 373
subdomains in the list.
Here are a few examples:
www.fcudwedenagov.com
www.freecat.biz
www.hesvlabean.com
www.hterrani.com
ms7.pptel.net
msn.41m.com
mwetillf.iscool.net
mx.servebbs.net
mx2.dynu.net
www.yelvertonstores.co.uk
Looking at http://www.surbl.org/implementation.html item 2, do these
subdomains belong in the list?
"Extract base (registrar) domains from those URIs. This includes removing any
and all leading host names, subdomains, www., randomized subdomains, etc. In
order to determine the base domain it may be necessary to use a table of
country code TLDs (ccTLDs) such as this partially-complete one SURBL uses.
(Note that this file is only rarely updated. Please don't download it
frequently.) For example, any domain found in the two level ccTLD list should
have a three-level domain name extracted (like foo.co.uk) for matching
against a SURBL. Domains not specifically on the two level ccTLD list (such
as foo.com or foo.fr) should be checked at two levels."
I believe SpamAssassin's URIDNSBL reduces the URIs to the base domain (e.g.
example.com, example.co.uk), so if it encountered "www.freecat.biz," for
example, it would look up freecat.biz, which is not in the list.
Besides URIDNSBL, are there other URI lookup implementations for which it
makes sense to include subdomains?
Thanks!
Brandon
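Both Adrian's question about querying multi.surbl.org and Brandon's question about subdomain entries come down to the same client-side steps: reduce the URI's host to its base (registrar) domain as item 2 of the implementation notes describes, query base-domain.multi.surbl.org, and decode the 127.0.0.X answer into list names. The following is an added example and is not SURBL's, SpamAssassin's, URIDNSBL's or any mail gateway's own code. The two-level ccTLD table is a constructed partial one, the bit-to-list mapping is an assumption that should be verified against surbl.org, and FAKE_ZONE/fake_resolve are a constructed stand-in for live DNS so the code runs offline. It also shows concretely why a full-hostname entry such as www.freecat.biz in the zone is never hit by a client that reduces to the base domain first.

```python
"""Base-domain extraction and a multi.surbl.org lookup.

Added example, not SURBL's, SpamAssassin's or URIDNSBL's own code.  The
ccTLD table, the bit values and the fake resolver below are assumptions
or constructed data; check surbl.org for the current published values.
"""
import socket
from urllib.parse import urlsplit

# Constructed, partial two-level ccTLD table in the spirit of the one the
# SURBL implementation notes refer to; the real list is far longer.
TWO_LEVEL_CCTLDS = {
    "co.uk", "org.uk", "ac.uk", "co.yu", "com.au", "co.jp", "co.nz", "com.br",
}

# Bit values assumed for the multi.surbl.org combined answer (127.0.0.X)
# as documented around the time of this thread; verify before relying on them.
MULTI_BITS = {2: "SC", 4: "WS", 8: "PH", 16: "OB", 32: "AB", 64: "JP"}


def base_domain(host):
    """Reduce a hostname to its registrar-level domain.

    www.foo.com -> foo.com; www.foo.co.uk -> foo.co.uk (three levels when
    the last two labels form a known two-level ccTLD).  Returns None when
    the name has no registrable domain below the TLD.
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2 or not all(labels):
        return None
    if ".".join(labels[-2:]) in TWO_LEVEL_CCTLDS:
        return ".".join(labels[-3:]) if len(labels) >= 3 else None
    return ".".join(labels[-2:])


def base_domain_of_uri(uri):
    """Pull the host out of a URI (scheme optional) and reduce it."""
    if "//" not in uri:
        uri = "http://" + uri
    host = urlsplit(uri).hostname
    return base_domain(host) if host else None


def decode_multi(answer_ip):
    """Map a 127.0.0.X answer to the set of list names whose bits are set.

    Anything outside 127.0.0.0/8 is not a SURBL answer; a resolver that
    rewrites NXDOMAIN to a web server would produce exactly that, so fail
    loudly instead of treating it as a listing.
    """
    octets = answer_ip.split(".")
    if len(octets) != 4 or octets[0] != "127":
        raise ValueError(f"unexpected DNSBL answer {answer_ip!r}")
    value = int(octets[3])
    return {name for bit, name in MULTI_BITS.items() if value & bit}


def _system_resolve(name):
    """Resolve A records via the system resolver; [] when the name does not exist."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def lookup(host, resolve=_system_resolve, zone="multi.surbl.org"):
    """Return the set of SURBL lists that host's base domain is on.

    resolve(name) must return a list of dotted-quad strings ([] if unlisted).
    Only the base domain is queried, as URIDNSBL does, so a zone entry for
    a full hostname (www.something.example) is never matched.
    """
    domain = base_domain(host)
    if domain is None:
        return set()
    hits = set()
    for ip in resolve(f"{domain}.{zone}"):
        hits |= decode_multi(ip)
    return hits


# Constructed stand-in for the zone so the example runs offline: one
# base-domain entry and one full-hostname entry of the kind the post asks about.
FAKE_ZONE = {
    "listed.example.multi.surbl.org": ["127.0.0.12"],   # WS + PH bits
    "www.freecat.biz.multi.surbl.org": ["127.0.0.4"],   # subdomain entry, never queried
}


def fake_resolve(name):
    return FAKE_ZONE.get(name, [])


if __name__ == "__main__":
    for h in ("www.listed.example", "www.freecat.biz", "www.yelvertonstores.co.uk"):
        print(h, "->", base_domain(h), lookup(h, resolve=fake_resolve))
```

Running it with the fake zone shows www.listed.example resolving to {WS, PH} while www.freecat.biz returns nothing, because the client asks for freecat.biz.multi.surbl.org and the zone only carries the www entry. For a real deployment, swap fake_resolve for the default system resolver and make sure the gateway is not behind a resolver that rewrites NXDOMAIN, which decode_multi rejects rather than misreading as a listing.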
hey guys,
it seems a year back, there was a request to add blog comment spam uri /
hosts to surbl.org. That thread went to no real conclusion, and I was
just wondering if there is any move to have this uri in surbl or
uribl.com ?
- KB
--
Karanbir Singh : http://www.karan.org/ : 2522219@icq
FWIW Here are last Saturday's SA mass check results, courtesy of
Theo:
http://www.surbl.org/news.html
  MSECS    SPAM%     HAM%    S/O   RANK  SCORE  NAME
      0   181939    52229  0.777   0.00   0.00  (all messages)
0.00000  77.6959  22.3041  0.777   0.00   0.00  (all messages as %)
 22.377  28.8009   0.0000  1.000   1.00   0.00  URIBL_SC_SURBL
 26.604  34.2378   0.0134  1.000   1.00   0.00  URIBL_WS_SURBL
 24.854  31.9854   0.0115  1.000   1.00   0.00  URIBL_JP_SURBL
 12.423  15.9889   0.0000  1.000   0.98   0.00  URIBL_AB_SURBL
 23.278  29.9463   0.0479  0.998   0.96   0.00  URIBL_OB_SURBL
  0.236   0.3028   0.0038  0.988   0.67   0.00  URIBL_PH_SURBL
 15.377  19.7803   0.0383  0.998   0.95   0.00  URIBL_SBL
 29.707  38.1606   0.2585  0.993   0.85   0.00  URIBL_BLACK
  0.020   0.0264   0.0000  1.000   0.50   0.00  URIBL_RED
  0.515   0.4353   0.7946  0.354   0.45   0.00  URIBL_GREY
Of particular relevance are the low false positives of some of
the SURBL lists such as SC, AB and PH as shown in the low HAM%
numbers. (Note that PH is important to use and score highly in
order to detect phishes. It doesn't detect a large percentage of
spams, but it likely detects many phishes.) The last three are
presumably uribl.com lists.
FPs on OB remain too high IMO, but we're continually working to
try to improve both the FN and FP rates.
Jeff C.
--
Don't harm innocent bystanders.
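To read a mass-check table like the one above it helps to know that S/O is spam% divided by (spam% + ham%), the fraction of a rule's hits that landed on spam, and that HAM% is the false-positive rate Jeff is pointing at. The following added example (my code, not SpamAssassin's or SURBL's own tooling) parses the rows exactly as posted, recomputes S/O to confirm that reading against the printed column, and ranks the SURBL lists by HAM%, which surfaces SC, AB and PH as the cleanest and OB as the one with the most FPs, as the post says.

```python
"""Parse SpamAssassin mass-check hit frequencies and rank URI lists by FP rate.

Added example, not SpamAssassin's or SURBL's own tooling.  MASSCHECK is
the table as posted in the thread; S/O is recomputed as spam/(spam+ham)
and checked against the printed column.
"""

MASSCHECK = """\
MSECS SPAM% HAM% S/O RANK SCORE NAME
0 181939 52229 0.777 0.00 0.00 (all messages)
0.00000 77.6959 22.3041 0.777 0.00 0.00 (all messages as %)
22.377 28.8009 0.0000 1.000 1.00 0.00 URIBL_SC_SURBL
26.604 34.2378 0.0134 1.000 1.00 0.00 URIBL_WS_SURBL
24.854 31.9854 0.0115 1.000 1.00 0.00 URIBL_JP_SURBL
12.423 15.9889 0.0000 1.000 0.98 0.00 URIBL_AB_SURBL
23.278 29.9463 0.0479 0.998 0.96 0.00 URIBL_OB_SURBL
0.236 0.3028 0.0038 0.988 0.67 0.00 URIBL_PH_SURBL
15.377 19.7803 0.0383 0.998 0.95 0.00 URIBL_SBL
29.707 38.1606 0.2585 0.993 0.85 0.00 URIBL_BLACK
0.020 0.0264 0.0000 1.000 0.50 0.00 URIBL_RED
0.515 0.4353 0.7946 0.354 0.45 0.00 URIBL_GREY
"""

COLUMNS = ("msecs", "spam", "ham", "so", "rank", "score")


def parse_masscheck(text):
    """Return one dict per data row; the header line is skipped because its
    first six fields are not numbers.  The NAME column may contain spaces,
    hence the split limit of 6."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 6)
        if len(parts) != 7:
            continue
        try:
            values = [float(p) for p in parts[:6]]
        except ValueError:
            continue  # header line
        row = dict(zip(COLUMNS, values))
        row["name"] = parts[6].strip()
        rows.append(row)
    return rows


def spam_to_overall(spam, ham):
    """S/O: share of the rule's hits that were on spam (0.0 if it never hit)."""
    total = spam + ham
    return spam / total if total else 0.0


def so_mismatches(rows, tolerance=0.0005):
    """Names whose printed S/O disagrees with the recomputed value beyond
    3-decimal rounding; an empty list confirms the formula."""
    return [r["name"] for r in rows
            if abs(spam_to_overall(r["spam"], r["ham"]) - r["so"]) > tolerance]


def rank_by_ham(rows, suffix=""):
    """Rules whose name ends with suffix, cleanest (lowest HAM%) first.
    sorted() is stable, so ties keep the table's order."""
    return sorted((r for r in rows if r["name"].endswith(suffix)),
                  key=lambda r: r["ham"])


def worst_fp(rows, suffix=""):
    """Name of the rule with the highest HAM% among those matching suffix."""
    return rank_by_ham(rows, suffix)[-1]["name"]


if __name__ == "__main__":
    rows = parse_masscheck(MASSCHECK)
    print("S/O mismatches:", so_mismatches(rows))
    for r in rank_by_ham(rows, "_SURBL"):
        print(f"{r['name']:<16} spam% {r['spam']:>8.4f}  ham% {r['ham']:.4f}")
```

The ranking is the operational takeaway: a list with HAM% near zero can carry a high score safely (PH in particular, since phishes are few but costly), while a list with measurable HAM% such as OB needs a lower score or corroborating rules before it is allowed to reject mail on its own.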