>> FWIW Joe's getting jobbed:
>
>Hi Jeff,
>
>I had three joe jobs against me between December 2003 and February 2004.
>Since then it had been quiet, but I must say I wasn't entirely surprised
>that it continued, especially after a PayPal joe job less than two months
>ago.
>
>> Return-Path: <bouteille(a)kinki-kids.com>
>> Received: from dbzmail.com ([61.85.57.209])
>> by smtp1.supranet.net (8.12.10/8.12.10) with SMTP id
>j6P3ZTlx009677
>> for <x>; Sun, 24 Jul 2005 22:35:30 -0500 (CDT)
>> Received: from kinki-kids.com (kinki-kids-com-bk.mr.outblaze.com
>[64.62.181.92])
>> by dbzmail.com (Postfix) with ESMTP id E5A841602F
>> for <x>; Sun, 24 Jul 2005 00:39:14 -0500
>> From: "Ambulance U. Descant" <bouteille(a)kinki-kids.com>
>
>This seems to be a bulkmailer that inserts fake Outblaze references into the
>headers to obscure the broadband hosts that are the real sources (or
>proxies). I've seen other examples with other bogus Outblaze maildomains for
>the fake sender. According to one admin who monitored the Joe job sources
>from their site the hosts are running something called "DMS Revolution proxy
>spam engine".
>
>Joe
>
>>...
DMS is Alexey Panov's bulk mailer product. That and porn sites
are his main stock in trade; see the Spamhaus listings (currently #6, down
from #5 since Kuvayev made #3). More info on Panov is available if you ask.
So now we know who you pissed off - and why it "looks" like a
porn site.
Paul Shupak
track(a)plectere.com
FWIW Joe's getting jobbed:
__
Return-Path: <bouteille(a)kinki-kids.com>
Received: from dbzmail.com ([61.85.57.209])
by smtp1.supranet.net (8.12.10/8.12.10) with SMTP id j6P3ZTlx009677
for <x>; Sun, 24 Jul 2005 22:35:30 -0500 (CDT)
Received: from kinki-kids.com (kinki-kids-com-bk.mr.outblaze.com [64.62.181.92])
by dbzmail.com (Postfix) with ESMTP id E5A841602F
for <x>; Sun, 24 Jul 2005 00:39:14 -0500
From: "Ambulance U. Descant" <bouteille(a)kinki-kids.com>
To: Info <x>
Subject: Hi dear
Date: Sun, 24 Jul 2005 00:39:14 -0500
Message-ID: <100101c59012$879febec$06412c2e(a)kinki-kids.com>
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.2605
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1123
X-GMX-Antivirus: 0 (no virus found)
X-UIDL: K,H!!c%?"!Fde!!XT9"!
Hi
Try jwSpamSpy, our spam filter for POP3 mailboxes.
We use it to track spammers and scammers.
Free full featured 30 day evaluation version available!
http://www.joewein.de/
--
Don't harm innocent bystanders.
>...
>
>FWIW Joe's getting jobbed:
>__
>
>Return-Path: <bouteille(a)kinki-kids.com>
>Received: from dbzmail.com ([61.85.57.209])
> by smtp1.supranet.net (8.12.10/8.12.10) with SMTP id j6P3ZTlx009677
> for <x>; Sun, 24 Jul 2005 22:35:30 -0500 (CDT)
>Received: from kinki-kids.com (kinki-kids-com-bk.mr.outblaze.com [64.62.181.92])
> by dbzmail.com (Postfix) with ESMTP id E5A841602F
> for <x>; Sun, 24 Jul 2005 00:39:14 -0500
>From: "Ambulance U. Descant" <bouteille(a)kinki-kids.com>
>To: Info <x>
>Subject: Hi dear
>Date: Sun, 24 Jul 2005 00:39:14 -0500
>Message-ID: <100101c59012$879febec$06412c2e(a)kinki-kids.com>
>MIME-Version: 1.0
>Content-Type: text/plain
>Content-Transfer-Encoding: 7bit
>X-Priority: 3 (Normal)
>X-MSMail-Priority: Normal
>X-Mailer: Microsoft Outlook, Build 10.0.2605
>Importance: Normal
>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1123
>X-GMX-Antivirus: 0 (no virus found)
>X-UIDL: K,H!!c%?"!Fde!!XT9"!
>
>Hi
>Try jwSpamSpy, our spam filter for POP3 mailboxes.
>We use it to track spammers and scammers.
>Free full featured 30 day evaluation version available!
>
>http://www.joewein.de/
>
>...
kinki-kids.com is actually a quite legitimate Outblaze customer.
Every forgery of it I have seen is for CP or at least "std." pornography.
So maybe Joe can guess at who he pissed off. The sender's IP 61.85.57.209
seems to be a compromised Windows box on DSL at Kornet - Dynamic address
too. The IP is only listed at five-ten, SORBS, NOMOREFUNN, and NJABL;
In other words, not really listed or listable (except as dynamic or for
full Korean blockage). If it is still the same machine connected at that
IP, the entrance was probably the wide open UPnP port or the IIS running.
Backdoor installed on port 123 (ntp) UDP - machine is "0wn3d". Also, the
routing takes an "interesting" side trip by way of Kornet -> TONEK (China)
then back -> Kornet. Maybe a very good hack at the router level (AS4766 to
AS17431 back to AS4766) - Not many people capable of that.
I doubt many people running any BLs would list Joe.
Paul Shupak
track(a)plectere.com
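Paul's reading of the headers above (believe only the Received: line your own MTA wrote, and treat everything beneath it as the sender's claim) can be mechanised. The following is an added example, not code from anyone on this list; it takes the headers quoted above as its sample input, with the archive's "(a)" restored to "@", and assumes that smtp1.supranet.net is the recipient's own MTA and that a hop-to-hop delay of more than 12 hours is worth flagging. Both assumptions are marked in the code.

```python
import re
from datetime import timedelta
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: the joe-job headers quoted in this thread, with the
# archive's "(a)" restored to "@" and the body left out.
SAMPLE = """\
Return-Path: <bouteille@kinki-kids.com>
Received: from dbzmail.com ([61.85.57.209])
\tby smtp1.supranet.net (8.12.10/8.12.10) with SMTP id j6P3ZTlx009677
\tfor <x>; Sun, 24 Jul 2005 22:35:30 -0500 (CDT)
Received: from kinki-kids.com (kinki-kids-com-bk.mr.outblaze.com [64.62.181.92])
\tby dbzmail.com (Postfix) with ESMTP id E5A841602F
\tfor <x>; Sun, 24 Jul 2005 00:39:14 -0500
From: "Ambulance U. Descant" <bouteille@kinki-kids.com>
To: Info <x>
Subject: Hi dear
Date: Sun, 24 Jul 2005 00:39:14 -0500
Message-ID: <100101c59012$879febec$06412c2e@kinki-kids.com>

"""

# Hosts whose Received: lines we wrote ourselves.  Assumption for this
# example: smtp1.supranet.net is the recipient's own MTA.
TRUSTED_MTAS = {"smtp1.supranet.net"}

# Largest hop-to-hop delay accepted before the chain is called suspicious.
# Arbitrary threshold chosen for this example.
MAX_HOP_DELAY = timedelta(hours=12)

_FROM_RE = re.compile(r"^from\s+(\S+)(?:\s*\(([^)]*)\))?")
_BY_RE = re.compile(r"\bby\s+(\S+)")
_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Pull helo name, connecting IP, receiving host and timestamp out of
    one Received: value (folded continuation lines are joined first)."""
    flat = " ".join(value.split())
    m = _FROM_RE.match(flat)
    ip_m = _IP_RE.search(m.group(2) or "") if m else None
    by_m = _BY_RE.search(flat)
    when = None
    if ";" in flat:
        # The date follows the last ';' of the clause.
        when = parsedate_to_datetime(flat.rsplit(";", 1)[1].strip())
    return {
        "helo": m.group(1) if m else None,
        "ip": ip_m.group(1) if ip_m else None,
        "by": by_m.group(1) if by_m else None,
        "time": when,
    }


def trace(raw, trusted=TRUSTED_MTAS, max_delay=MAX_HOP_DELAY):
    """Walk the Received: chain top-down and return (source_ip, findings).

    Received: lines are prepended as mail moves, so the topmost one was
    written by the last MTA.  The first line whose "by" host we control
    is the only one we can believe; its "from" IP is the real source, and
    every line below it was handed to us by that remote host, which can
    claim any relay it likes (here, an Outblaze host).
    """
    msg = message_from_string(raw)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    findings = []
    source_ip = None
    for i, hop in enumerate(hops):
        if hop["by"] in trusted:
            source_ip = hop["ip"]
            for below in hops[i + 1:]:
                findings.append(
                    f"unverifiable hop: claims {below['helo']} [{below['ip']}] "
                    f"was received by {below['by']}"
                )
            break
    # A relay's own Received: line should be only slightly newer than the
    # one beneath it; a gap of many hours, or a negative gap, is a tell.
    for upper, lower in zip(hops, hops[1:]):
        if upper["time"] and lower["time"]:
            gap = upper["time"] - lower["time"]
            if gap < timedelta(0):
                findings.append("lower hop is timestamped after the hop above it")
            elif gap > max_delay:
                findings.append(f"{gap} between {lower['by']} and {upper['by']}")
    return source_ip, findings


if __name__ == "__main__":
    ip, notes = trace(SAMPLE)
    print("source:", ip)
    for n in notes:
        print(" -", n)
```

Walking from the top is what matters: the first line whose "by" host is ours names 61.85.57.209 as the connecting host, and the Outblaze hop beneath it, together with the nearly 22-hour gap between the two timestamps, was supplied by that host. Those are evidence that the lower hop is forged, not evidence of where the mail came from.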
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
not sure how useful this may be, but fyi...
- --j.
- ------- Forwarded Message
> Date: Fri, 22 Jul 2005 22:11:13 -0600
> From: Marcia Blake
>
> This comes to us fresh from the July GoDaddy.com newsletter (naturally,
> in a bit trying to sell longer domain registration terms on
> GuessWhere):
>
> Google recently filed United States Patent Application 20050071741. As
> part of that application, Google made apparent its efforts to wipe out
> search engine spam, stating:
>
> "Valuable (legitimate) domains are often paid for several years in
> advance, while doorway (illegitimate) domains rarely are used for more
> than a year. Therefore, the date when a domain expires in the future
> can be used as a factor in predicting the legitimacy of a domain and,
> thus, the documents associated therewith."
>
> Domains registered for longer periods give the indication, true or
> not, that their owner is legitimate. Google uses a domain's length of
> registration when indexing and ranking a Web site for inclusion in
> their organic search results.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
Comment: Exmh CVS
iD8DBQFC4pFrMJF5cimLx9ARAt0CAJ0Rjjd7Owx/ba4AhZzZc1NdmQI6xACeI0L9
FVY5zV+kY5cQuVH/VpEEYrQ=
=w9zn
-----END PGP SIGNATURE-----
Some of these were blacklisted recently, but perhaps shouldn't
be. Do you have any information about these domains?
tim.com.br
7 year old domain, but I can't read Portuguese.
What do they do? Is it possibly legitimate?
callin.net
Korean tech site of some kind. 5.5 years old.
ivyro.net
Korean, 2.5 years old.
drugstorebestbuys.com
Sells prescription drugs. Obviously very high spam potential,
but has been around for about 4 years.
bgreetings.com
Greeting cards. Also potentially spammy, but more than 4 years old.
Jeff C.
--
Don't harm innocent bystanders.
Hi All:
Apologies in advance for off-topic post but it is for a good cause and if
anyone will know an answer, it's most likely to come from the Anti-SPAM
community.
My company is pro bono handling the website and donating all the time to
handle mailing list, web design, paypal coordination, and more for Susan
Torres, a pregnant woman who collapsed from an aneurysm and is brain dead
from a cancer. However, with her wishes and her families support they are
trying to save her unborn child. The site is
http://www.susantorresfund.org/ if you want to know more.
However, on the more technical side, we have thousands and thousands of
subscribers to the mailing list but AOL started rate limiting us on
Thursday. We are vigilant anti-spammers and run a tight ship so we are not
blacklisted, BUT we aren't whitelisted either. This is causing heavy
queuing and complaints from customers all around.
I have spoken at length to AOL's Postmaster Help Desk but they are telling
me 5 days to 3 weeks to process the whitelist request which we placed on
Friday. In the meantime, our customers are getting mad about their email,
our servers are filling up on deferred emails and there is also major news
expected on Monday the 18th which will make the issue much worse.
The AOL Postmaster Case # is 155527142. The Ticket is 995445. The IP that
needs whitelisting is 209.225.49.10. Anyone who has any contacts that can
help escalate and resolve this issue as soon as possible (and hopefully
before the 18th) would be greatly appreciated.
Thanks in advance,
Kevin A. McGrail aka KAM
Chairman
Peregrine Computer Consultants Corporation
3927 Old Lee Hwy, Suite 102-C
Fairfax City, VA 22030-2422
http://www.pccc.com/
800-823-8402 - 703-359-8451 Fax
kmcgrail(a)pccc.com
The new SURBL data engine is ready enough to start testing. The
external lists such as WS, JP, OB, AB, PH have essentially the
same content as before, but the SC and XS lists are significantly
updated.
The new XS list is twice as large at about 1000 records and the
inclusion is a lot more selective to get more spammers and far
fewer FPs.
The new SC list has about the same 500 or so records based on
report counts, but adds nearly 4000 domains based on their IP
resolutions into the most spammy networks. That's in addition to
my manual blacklist which is also several thousand records now,
but the manual blacklist applies to both old and new lists, so
it's the bad IP domains that are the main change. By design,
they're very spammy; they're pretty much the most spammy of those
reported to SpamCop.
I'd like us to start testing these now. We can simply change XS
over to the new data at some point, but for SC, we should set
up a temporary new domain like sc2.surbl.org so it can be tested
independently of sc. The new lists should be significant
improvements over the old lists, but naturally we should test
the new SC list before putting it into production since sc is
currently live. Would anyone with a public nameserver like to
carry sc2 for testing? It is a temporary zone and will go away
after testing. Please reply off list if you can serve it up.
Perhaps we'll cut over XS when we have SC2 set up so the changes
are more or less simultaneous. Might make testing/stats simpler
to keep track of that way.
Note: please don't start testing sc2 in a major way until we have
several name servers set up. Even then the name servers probably
won't handle large production loads, so it should be tested on
smaller mail servers, test corpora, etc. We'll mention here when
it's ok to start testing.
Comments?
Jeff C.
--
Don't harm innocent bystanders.
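As an added illustration of the selection Jeff describes (report counts, plus domains whose A records land in the most spammy netblocks, plus a manual blacklist that overrides both), here is example code that is not SURBL's data engine. All report counts, resolutions, netblocks and the report threshold are constructed sample data; the sc2.surbl.org origin and the 127.0.0.2 answer are conventional placeholders, not SURBL's real return codes.

```python
import ipaddress
from collections import Counter

# Everything below is constructed sample data, not SURBL's feeds.
# Report counts per domain, in the style of SpamCop report tallies.
REPORTS = Counter({
    "pills-now.example": 412,
    "cheap-meds.example": 57,
    "mirror.example": 4,
    "newsletter.example": 3,
    "shop.example": 9,
    "lowcount.example": 2,
})

# A records observed for the reported domains (constructed).
RESOLUTIONS = {
    "pills-now.example": ["192.0.2.10"],
    "cheap-meds.example": ["198.51.100.7", "192.0.2.11"],
    "mirror.example": ["192.0.2.77"],
    "newsletter.example": ["203.0.113.5"],
    "shop.example": ["203.0.113.9"],
    "lowcount.example": ["198.51.100.200"],
}

# Netblocks judged "most spammy" from aggregate reports (constructed).
SPAMMY_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/25")]

# Manual lists override the automatic rules.
MANUAL_BLACKLIST = {"shop.example"}
WHITELIST = {"newsletter.example"}

# Constructed cut-off; the real one is SURBL's own.
REPORT_THRESHOLD = 50


def in_spammy_net(ip):
    """True if the address falls inside any of the spammy netblocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SPAMMY_NETS)


def build_sc_list(reports, resolutions, manual, whitelist):
    """Return {domain: reason} for an SC-style list.

    A domain is listed if it is on the manual blacklist, or its report
    count reaches the threshold, or any address it resolves to sits in a
    spammy netblock.  Whitelisted domains are never listed.
    """
    listed = {}
    for domain, count in reports.items():
        if domain in whitelist:
            continue
        if domain in manual:
            listed[domain] = "manual"
        elif count >= REPORT_THRESHOLD:
            listed[domain] = f"reports={count}"
        elif any(in_spammy_net(ip) for ip in resolutions.get(domain, [])):
            listed[domain] = "spammy-net"
    # Manual entries that were never reported still get listed.
    for domain in manual - whitelist:
        listed.setdefault(domain, "manual")
    return listed


def to_zone(listed, origin="sc2.surbl.org.", code="127.0.0.2"):
    """Render the list as a BIND zone fragment, one A record per domain.
    127.0.0.2 is only the conventional DNSBL 'listed' answer here."""
    lines = [f"$ORIGIN {origin}"]
    for domain in sorted(listed):
        lines.append(f"{domain}\tIN\tA\t{code}\t; {listed[domain]}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_zone(build_sc_list(REPORTS, RESOLUTIONS, MANUAL_BLACKLIST, WHITELIST)))
```

The netblock rule is what adds domains that have only a handful of reports: mirror.example has four reports but resolves into 192.0.2.0/24, so it is listed, while lowcount.example resolves to 198.51.100.200, just outside the /25, and is not. That boundary is exactly where the FP risk Jeff mentions lives, so the whitelist is checked before anything else.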
>On Friday, July 8, 2005, 4:55:18 PM, Jeff Chan wrote:
>
>>On Thursday, July 7, 2005, 5:23:53 PM, Jeff Chan wrote:
>>
>>>On Thursday, July 7, 2005, 3:15:18 PM, Frank Ellermann wrote:
>>>
>>>>Jeff Chan wrote in
>>>><http://mid.gmane.org/41160649.20050707074952@surbl.org>
>>>>
>>>>>Does anyone know of a new application doing queries against
>>>>>multi.surbl.org by using dnsstuff's web site, as in:
>>>
>>FWIW Scott has traced the lookups to a very poorly implemented
>>web site checker (probably looking for phishing sites) for Firefox.
>>I'm asking him for more details.
>
>Here is the borkenware:
>
> https://addons.mozilla.org/extensions/moreinfo.php?application=firefox&id=9…
>
>Due to Scott's actions it is no longer functional as written.
>I am leaving a comment on the board there:
>
I saw that addon and came across this:
http://forums.mozillazine.org/viewtopic.php?t=283545
I'm not sure how an auto-update feature would work, perhaps if the ISP
did it for their subscribers, but could this concept be a beneficial
extension to mozilla?
Does anyone know of a new application doing queries against
multi.surbl.org by using dnsstuff's web site, as in:
http://www.DNSstuff.com/tools/lookup.ch?domain=example.com.multi.surbl.org
If so, would you please let them know this is not the right way
to query our SURBL lists.
It's possibly malware, but more likely some new misbehaving
application being run on end user client machines (dsl lines,
etc.).
Jeff C.
--
Don't harm innocent bystanders.
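For contrast with the web-form lookups Jeff describes, here is the shape a correct client-side check takes: extract the registrable domain from each URL, query domain.multi.surbl.org over DNS directly, and decode the 127.0.0.N bitmask. This is an added example, not the Firefox extension or any SURBL code. The bit values are my recollection of the ones SURBL published at the time and should be checked against current SURBL documentation; the two-level TLD set is a tiny constructed subset; and the stub resolver and message body are constructed so the block runs offline.

```python
import re

# Bit values of the 127.0.0.N answer from multi.surbl.org.  Assumption:
# these are the values as published in 2005; verify against current docs.
MULTI_BITS = {2: "sc", 4: "ws", 8: "ph", 16: "ob", 32: "ab", 64: "jp"}

# Suffixes under which the registrable domain has three labels.  A tiny
# constructed subset; SURBL maintains the real list.
TWO_LEVEL_TLDS = {"co.uk", "com.br", "co.kr", "com.au"}

_URL_HOST = re.compile(r"https?://([^/\s:]+)", re.I)


def registrable_domain(host):
    """Reduce a hostname to the domain that would be registered and listed."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_TLDS:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def query_names(body, zone="multi.surbl.org"):
    """Map each distinct registrable domain in the body to its DNS query name."""
    domains = {registrable_domain(h) for h in _URL_HOST.findall(body)}
    return {d: f"{d}.{zone}" for d in sorted(domains)}


def decode(answer):
    """Turn a 127.0.0.N answer into the set of list names whose bits are set."""
    octets = answer.split(".")
    if octets[:3] != ["127", "0", "0"]:
        raise ValueError(f"unexpected SURBL answer {answer}")
    n = int(octets[3])
    return {name for bit, name in MULTI_BITS.items() if n & bit}


def check(body, resolve, zone="multi.surbl.org"):
    """resolve(name) -> list of A-record strings, [] for NXDOMAIN.

    A real client passes a function that does the DNS lookup itself (for
    example with dnspython); nothing here goes through a third-party web
    form, which is the behaviour the thread above complains about.
    """
    hits = {}
    for domain, qname in query_names(body, zone).items():
        for ans in resolve(qname):
            hits.setdefault(domain, set()).update(decode(ans))
    return hits


# Constructed stub standing in for real DNS answers.
STUB = {
    "pills-now.example.multi.surbl.org": ["127.0.0.6"],    # sc + ws
    "phish-login.example.multi.surbl.org": ["127.0.0.8"],  # ph
}


def stub_resolve(name):
    return STUB.get(name, [])


# Constructed message body.
SAMPLE_BODY = """Hi dear
Great prices at http://www.pills-now.example/buy?x=1 and
http://secure.phish-login.example/login and http://example.com/ok
"""

if __name__ == "__main__":
    for domain, lists in check(SAMPLE_BODY, stub_resolve).items():
        print(domain, sorted(lists))
```

One DNS query per distinct registrable domain is the whole cost; the extension in question paid an HTTP round trip to a third party per lookup, and sent every visited hostname there, which is both the load problem and a privacy problem.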