From ler@lerctr.org Wed Aug 18 01:33:38 2004
From: Larry Rosenman
To: discuss@lists.surbl.org
Subject: [SURBL-Discuss] FP from WS
Date: Tue, 17 Aug 2004 18:33:21 -0500

The following 2 URIs (and possibly a third) are FP's:

i-say-MUNGED.com
Surveynetworks-MUNGED.com

And possibly
Itracks-MUNGED.com

i-say-MUNGED is the IPSOS survey site, and seems legit, and
surveynetworks-MUNGED
Is a collection of them.

I'm not 100% certain of itracks-MUNGED, but please check.

These are all on WS.

--
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 972-414-9812 E-Mail: ler(a)lerctr.org
US Mail: 1905 Steamboat Springs Drive, Garland, TX 75044-6749

From jeffc@surbl.org Wed Aug 18 03:19:58 2004
From: Jeff Chan
To: discuss@lists.surbl.org
Subject: [SURBL-Discuss] Re: FP from WS
Date: Tue, 17 Aug 2004 18:19:28 -0700
Message-ID: <199236764.20040817181928@supranet.net>

On Tuesday, August 17, 2004, 4:33:21 PM, Larry Rosenman wrote:
> The following 2 URIs (and possibly a third) are FP's:
> i-say-MUNGED.com
> Surveynetworks-MUNGED.com
> And possibly
> Itracks-MUNGED.com
> i-say-MUNGED is the IPSOS survey site, and seems legit, and
> surveynetworks-MUNGED
> Is a collection of them.
> I'm not 100% certain of itracks-MUNGED, but please check.
> These are all on WS.

Thanks Larry,
I checked them a little and they all look at least
quasi-legitimate, so I whitelisted them all, plus some
related domains:

itracks.com
ipsos-reid.com
i-say.com
venteinc.com
surveynetworks.com

We need to ask the ws folks how these are getting in
and how we can stop them from doing so.

Jeff C.

From joewein@pobox.com Wed Aug 18 06:27:27 2004
From: Joe Wein
To: discuss@lists.surbl.org
Subject: Re: [SURBL-Discuss] FP from WS
Date: Wed, 18 Aug 2004 13:27:15 +0900
Message-ID: <036f01c484db$a52bec80$c801a8c0@sumiyoshidai.org>

> The following 2 URIs (and possibly a third) are FP's:
>
> i-say-MUNGED.com
> Surveynetworks-MUNGED.com
>
> And possibly
> Itracks-MUNGED.com
>
> i-say-MUNGED is the IPSOS survey site, and seems legit, and
> surveynetworks-MUNGED
> Is a collection of them.

On March 7, 2004 I received spam from hardcore spammer DQ Media (email
address OnlineSweepstakes(a)MUNGEDdq09.net) which advertised
MUNGEDsurveynetworks.com as the only company mentioned in the spam other
than DQ Media itself:

To remove yourself from future Survey Network's mailings please click here

That's how they got listed by me.

Joe

From joewein@pobox.com Wed Aug 18 07:17:39 2004
From: Joe Wein
To: discuss@lists.surbl.org
Subject: Re: [SURBL-Discuss] Re: FP from WS
Date: Wed, 18 Aug 2004 14:17:23 +0900
Message-ID: <037401c484e2$a6426160$c801a8c0@sumiyoshidai.org>
In-Reply-To: <199236764.20040817181928@supranet.net>

"Jeff Chan"
> > i-say-MUNGED.com
> > Surveynetworks-MUNGED.com
...
> Thanks Larry,
> I checked them a little and they all look at least
> quasi-legitimate, so I whitelisted them all, plus some
> related domains:
...
> We need to ask the ws folks how these are getting in
> and how we can stop them from doing so.

I'd like to add to my previous posting the fact that
ns1.MUNGEDventeinc.com, the name server for MUNGEDsurveynetworks.com is
207.218.64.10. As it turns out, 207.218.64.0/22 is listed on SBL,
otherwise I wouldn't have listed a domain registered in 2002:

http://www.spamhaus.org/sbl/sbl.lasso?query=SBL13341

"Apparently the entire /22 is controlled by E-Tracks and "winfreestuff;"
the only rDns throughout are to their domains"

Also read the entry about Vente, Inc. / MUNGED-WinFreeStuff.com at
http://www.cluelessmailers.org/listings/companyblacklist.html

It sure looks like a spamhaus to me.

Joe

From wstearns@pobox.com Wed Aug 18 07:34:36 2004
From: William Stearns
To: discuss@lists.surbl.org
Subject: Re: [SURBL-Discuss] FP from WS
Date: Wed, 18 Aug 2004 01:31:08 -0400
In-Reply-To: <036f01c484db$a52bec80$c801a8c0@sumiyoshidai.org>

On Wed, 18 Aug 2004, Joe Wein wrote:

> > The following 2 URIs (and possibly a third) are FP's:
> >
> > i-say-MUNGED.com
> > Surveynetworks-MUNGED.com
> >
> > And possibly
> > Itracks-MUNGED.com
> >
> > i-say-MUNGED is the IPSOS survey site, and seems legit, and
> > surveynetworks-MUNGED
> > Is a collection of them.
>
> On March 7, 2004 I received spam from hardcore spammer DQ Media (email
> address OnlineSweepstakes(a)MUNGEDdq09.net) which advertised
> MUNGEDsurveynetworks.com as the only company mentioned in the spam other
> than DQ Media itself:
>
> To remove yourself from future Survey
> Network's mailings please click href="http://www.MUNGEDsurveynetworks.com/s.cfm?poo=1&ref=8602">here
>
>
> That's how they got listed by me.

Me too.

Cheers,
- Bill

---------------------------------------------------------------------------
"Microsoft has done more for the fault tolerance industry than any
other company. They have made end-users very tolerant of faults".
(Courtesy of "Deliduka, Bennet")
--------------------------------------------------------------------------
William Stearns (wstearns(a)pobox.com). Mason, Buildkernel, freedups, p0f,
rsync-backup, ssh-keyinstall, dns-check, more at: http://www.stearns.org
--------------------------------------------------------------------------

From jeffc@surbl.org Wed Aug 18 08:24:15 2004
From: Jeff Chan
To: discuss@lists.surbl.org
Subject: Re: [SURBL-Discuss] FP from WS
Date: Tue, 17 Aug 2004 23:23:57 -0700
Message-ID: <1826229301.20040817232357@supranet.net>

On Tuesday, August 17, 2004, 10:31:08 PM, William Stearns wrote:
> On Wed, 18 Aug 2004, Joe Wein wrote:
>> > The following 2 URIs (and possibly a third) are FP's:
>> >
>> > i-say-MUNGED.com
>> > Surveynetworks-MUNGED.com
>> >
>> > And possibly
>> > Itracks-MUNGED.com
>> >
>> > i-say-MUNGED is the IPSOS survey site, and seems legit, and
>> > surveynetworks-MUNGED
>> > Is a collection of them.
>>
>> On March 7, 2004 I received spam from hardcore spammer DQ Media (email
>> address OnlineSweepstakes(a)MUNGEDdq09.net) which advertised
>> MUNGEDsurveynetworks.com as the only company mentioned in the spam other
>> than DQ Media itself:
>>
>> To remove yourself from future Survey
>> Network's mailings please click
>> href="http://www.MUNGEDsurveynetworks.com/s.cfm?poo=1&ref=8602">here
>>
>>
>> That's how they got listed by me.
> Me too.

First, I don't dispute that you received these spams. But, the
question is: does this domain have any legitimate use? If so
then we probably should not list them since we want to avoid
false positives.

I've taken venteinc off the whitelist, but am leaving
surveynetworks on it because:

1. clueless mailers are not the same degree of badness as the
hard core criminal spammer.

2. They probably are not stealing zombied services and should
therefore be easily blocked by conventional sender RBLs.
Since their name server is already in SBL, uridnsbl and other
name server resolving URL scanners would block them based on
that.

3. They are probably not doing the same volume of mail as the
hard core spammers.

4. They are probably subject to ISP AUPs since they're hosted
in North America.

etc.

However if it can be proven that they ONLY EVER do spam, i.e.
never do any legitimate mail, then I'm willing to let them be
blocked.

Larry,
Can you forward some headers for the surveynetworks message?
I'd like to see if their sending servers are already listed
in RBLs.

Jeff C.

From raymond@prolocation.net Wed Aug 18 09:24:03 2004
From: Raymond Dijkxhoorn
To: discuss@lists.surbl.org
Subject: Re: [SURBL-Discuss] FP from WS
Date: Wed, 18 Aug 2004 09:24:02 +0200

Hi!

> > On March 7, 2004 I received spam from hardcore spammer DQ Media (email
> > address OnlineSweepstakes(a)MUNGEDdq09.net) which advertised
> > MUNGEDsurveynetworks.com as the only company mentioned in the spam other
> > than DQ Media itself:
> >
> > Arial, Helvetica, sans-serif">To remove yourself from future Survey
> > Network's mailings please click
> > href="http://www.MUNGEDsurveynetworks.com/s.cfm?poo=1&ref=8602">here
> >
> > That's how they got listed by me.

Should we relist them again? It surely looks like a 'legit' entry to
appear in WS.

I also had them in my spamtrap.

Bye,
Raymond.

From jeffc@surbl.org Wed Aug 18 09:44:43 2004
From: Jeff Chan
To: discuss@lists.surbl.org
Subject: Re: [SURBL-Discuss] FP from WS
Date: Wed, 18 Aug 2004 00:44:25 -0700
Message-ID: <14110405333.20040818004425@supranet.net>

On Wednesday, August 18, 2004, 12:24:02 AM, Raymond Dijkxhoorn wrote:
>> > On March 7, 2004 I received spam from hardcore spammer DQ Media (email
>> > address OnlineSweepstakes(a)MUNGEDdq09.net) which advertised
>> > MUNGEDsurveynetworks.com as the only company mentioned in the spam other
>> > than DQ Media itself:
>> >
>> > Arial, Helvetica, sans-serif">To remove yourself from future Survey
>> > Network's mailings please click
>> > href="http://www.MUNGEDsurveynetworks.com/s.cfm?poo=1&ref=8602">here
>> >
>> > That's how they got listed by me.

> Should we relist them again? It surely looks like a 'legit' entry to
> appear in WS.
> I also had them in my spamtrap.

I'd like to know if they have any legitimate uses and
whether their mail servers are already in RBLs.

Jeff C.

From raymond@prolocation.net Wed Aug 18 09:47:48 2004
From: Raymond Dijkxhoorn
To: discuss@lists.surbl.org
Subject: Re: [SURBL-Discuss] FP from WS
Date: Wed, 18 Aug 2004 09:47:47 +0200
In-Reply-To: <14110405333.20040818004425@supranet.net>

Hi!

> > Should we relist them again? It surely looks like a 'legit' entry to
> > appear in WS.
> > I also had them in my spamtrap.

> I'd like to know if they have any legitimate uses and
> whether their mail servers are already in RBLs.

They are inside spamhaus...

But, another thing, I can understand the policy. Any legit use, then it's
not inside SURBL. But can't we, since this will give trouble in the future
anyway, make a 'bitch.surbl.org' or something alike, where we CAN list
those domains? They CAN spam, and we CAN list :)

Bye,
Raymond.

From jeffc@surbl.org Wed Aug 18 10:04:42 2004
From: Jeff Chan
To: discuss@lists.surbl.org
Subject: Re: [SURBL-Discuss] FP from WS
Date: Wed, 18 Aug 2004 01:04:27 -0700
Message-ID: <1774764823.20040818010427@supranet.net>

On Wednesday, August 18, 2004, 12:47:47 AM, Raymond Dijkxhoorn wrote:
> But, another thing, I can understand the policy. Any legit use, then it's
> not inside SURBL.
> But can't we, since this will give trouble in the future
> anyway, make a 'bitch.surbl.org' or something alike, where we CAN list
> those domains? They CAN spam, and we CAN list :)

We could, but I'm not too concerned about the borderline cases.
Yes they're annoying, but they're probably not creating nearly
as much spam traffic as the guys who use zombies, etc.

Jeff C.

From raymond@prolocation.net Wed Aug 18 10:11:38 2004
From: Raymond Dijkxhoorn
To: discuss@lists.surbl.org
Subject: Re: [SURBL-Discuss] FP from WS
Date: Wed, 18 Aug 2004 10:11:38 +0200
In-Reply-To: <1774764823.20040818010427@supranet.net>

Hi!

> > But, another thing, I can understand the policy. Any legit use, then it's
> > not inside SURBL. But can't we, since this will give trouble in the future
> > anyway, make a 'bitch.surbl.org' or something alike, where we CAN list
> > those domains? They CAN spam, and we CAN list :)

> We could, but I'm not too concerned about the borderline cases.
> Yes they're annoying, but they're probably not creating nearly
> as much spam traffic as the guys who use zombies, etc.

But on the other hand, for things like zombies, open proxies we have
lists like DSBL. But sure, get the picture.

Bye,
Raymond
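
The name-server check Jeff Chan refers to in his point 2 (a domain kept off the URI list is still flagged when its name server sits in a listed network), as an added example that is not part of the thread and is not SURBL or SpamAssassin code. The DNS tables are a constructed offline stand-in for live lookups; only ns1.MUNGEDventeinc.com, 207.218.64.10, 207.218.64.0/22 and SBL13341 come from the messages above.

```python
import ipaddress
import re

# Network and listing id as quoted in Joe Wein's message.
LISTED_NETS = {"SBL13341": ipaddress.ip_network("207.218.64.0/22")}

# Constructed stand-in for live DNS so the example runs offline. The first
# NS/A pair is from the thread (still munged); the example.* rows are invented.
NS_RECORDS = {
    "mungedsurveynetworks.com": ["ns1.mungedventeinc.com"],
    "example.org": ["ns1.example.net"],
}
A_RECORDS = {
    "ns1.mungedventeinc.com": "207.218.64.10",
    "ns1.example.net": "192.0.2.53",
}

URI_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)

def registered_domain(host):
    """Naive two-label reduction (assumption: no two-level TLDs such as co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def ns_hits(domain):
    """Return (nameserver, ip, list_id) for each name server in a listed network."""
    hits = []
    for ns in NS_RECORDS.get(domain, []):
        ip = A_RECORDS.get(ns)
        if ip is None:
            continue  # unresolvable name server: nothing to compare
        addr = ipaddress.ip_address(ip)
        hits += [(ns, ip, lid) for lid, net in LISTED_NETS.items() if addr in net]
    return hits

def scan_body(body, uri_blocklist=frozenset()):
    """Map each URI domain found in body to the reasons it would be flagged."""
    results = {}
    for host in URI_HOST.findall(body):
        domain = registered_domain(host)
        reasons = ["uri-list"] if domain in uri_blocklist else []
        reasons += [f"ns:{ns}={ip} in {lid}" for ns, ip, lid in ns_hits(domain)]
        results[domain] = reasons
    return results

# Constructed message body reusing the munged link quoted in the thread.
SAMPLE = ('click <a href="http://www.MUNGEDsurveynetworks.com/s.cfm?poo=1&ref=8602">'
          'here</a> or visit http://www.example.org/')
```

With an empty URI blocklist, which models the domain being whitelisted, `scan_body(SAMPLE)` still reports the munged domain through its name server and reports nothing for example.org.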