Discuss

discuss@lists.surbl.org

1 participants
1864 discussions

German spam crap
by Raymond Dijkxhoorn 17 May '05

17 May '05

Hi! Its mentioned on the SA list also, but since we got some questions about it from other people who didnt read it there: http://mailscanner.prolocation.net/german.cf Ruleset to stop the Sober crap thats been going around like crazy currently. The political spams written in german language... Hopefully it will help some people to stop this crap. Bye, Raymond.

3 2

Re: MORE (was: Re: [SURBL-Discuss] yet another joe job)
by List Mail User 17 May '05

17 May '05

>> >> >> >-----Original Message----- >> >From: Steven Champeon [mailto:schampeo@hesketh.com] >> >Sent: Monday, May 16, 2005 11:32 AM >> >To: discuss(a)lists.surbl.org >> >Subject: [SURBL-Discuss] yet another joe job >> > >> > >> > >> >Please list the following domains: >> > >> >dnbfbsqs.com SPAMMER >> >ghtnsecn.com SPAMMER >> >rumbumbale.com SPAMMER >> >tnashbsv.com SPAMMER >> >turuntale.com SPAMMER >> >> All but one were already in uribl.com. I added the other ;) >> >> Keep up the good fight Steven! > >Can't really help not ;) > >More domains just came in today: > >aupd.com >bnik.com >c5t.net >d3w.net >da9.net >ei7.net >el9.net >f5s.net >g3r.net >h64.net >l73.net >lzac.com >mq5.net >myyv.com >nf0.net >nlav.com >pi11.com >pq4.net >pqer.com >przc.com >rgry.com >t6i.net >uosb.com >vf9.net >viags.com >wlue.com >xi4.net >yi4.net >ymil.com > >Looks like a completely different spammer. :( > >All DNS provided by: > >nserver: ns1.dnsm.net 218.7.120.70 >nserver: ns2.dnsm.net 218.7.120.70 > >And all domains registered to: > >owner: Roelf Van der Brug >email: admin(a)taiwanmedialtd.com >address: Singel 2 >address: Jordaan >city: Amsterdam >state: -- >postal-code: 1015JT >country: NL >phone: +31 84 220 2586 >admin-c: admin(a)taiwanmedialtd.com#0 >tech-c: admin(a)taiwanmedialtd.com#0 >billing-c: admin(a)taiwanmedialtd.com#0 >nserver: ns1.dnsm.net 218.7.120.70 >nserver: ns2.dnsm.net 218.7.120.70 >created: 2005-04-21 14:11:39 UTC >modified: 2005-05-09 10:20:38 UTC >expires: 2006-04-21 10:11:39 UTC > >-- >hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2554 w: http://hesketh.com >join us! http://hesketh.com/about/careers/account_manager.html join us! >_______________________________________________ >Discuss mailing list >Discuss(a)lists.surbl.org >http://lists.surbl.org/mailman/listinfo/discuss > All taiwantelco/taiwanmedialtd - also uses addresses in Turkey and telephone numbers in Pakistan. Look at the domain dnst. net for some historic data. Many new domains are registered on a "Bay Drive" in Beverley Hills - zipcodes 90210 and 90211 (no such street exists, except on the TV show, it did) and some in New York and a few other places. There is some relationship, maybe shared customers. Some of their sites are hosted on the same machines as the multitrade group machines (see the spamhaus records on both). BTW. The 2 Singel address is a boat slip with no tenant (also the proper postal code for the boat docks is 1013, not 1015). They just switched registrars after Joker marked almost all of their domains as "invalid address". See 900mg. com, aekb. com, b7x. com, cpko. com, dgko. com, and about a hundred more. Paul Shupak track(a)plectere.com

1 0

yet another joe job
by Steven Champeon 16 May '05

16 May '05

Please list the following domains: dnbfbsqs.com SPAMMER ghtnsecn.com SPAMMER rumbumbale.com SPAMMER tnashbsv.com SPAMMER turuntale.com SPAMMER webstandards.org is being joe'd by the same spammer again: Zhamelgo, Alexandr aazhago(a)yahoo.com Profsoyuznaya 25-1, 31 Moscow, MSK 117418 RU +7.0956995731 Fax:+61.294750668 His nameservers for the domains are: DOG.CCPATONCEJK.BIZ 202.99.172.145 TSURT.CCPATONCEJK.BIZ 200.149.11.62 Thanks, Steve -- hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2554 w: http://hesketh.com join us! http://hesketh.com/about/careers/account_manager.html join us!

1 0

RE: [SURBL-Discuss] German spam crap
by Smith, Eric 16 May '05

16 May '05

So I saw the rule, but will any of the links in most of the messages be added to SURBL? It's my understanding this is virus related coming sometimes from internal hosts infected with a new class of virus that will turn the infected PC into a spam host. We do filter internal mail for spam also so I thought I would check if the links in these messages will eventually make it to SURBL. /E. -----Original Message----- From: discuss-bounces(a)lists.surbl.org [mailto:discuss-bounces@lists.surbl.org] On Behalf Of Kevin A. McGrail Sent: Sunday, May 15, 2005 1:06 PM To: SURBL Discussion list Subject: Re: [SURBL-Discuss] German spam crap Thanks Raymond. I was wondering about that. It's been hammering a ton of my mailing list subscriptions including sourceforge! > Its mentioned on the SA list also, but since we got some questions about > it from other people who didnt read it there: > > http://mailscanner.prolocation.net/german.cf > > Ruleset to stop the Sober crap thats been going around like crazy > currently. The political spams written in german language... > > Hopefully it will help some people to stop this crap. _______________________________________________ Discuss mailing list Discuss(a)lists.surbl.org http://lists.surbl.org/mailman/listinfo/discuss

2 1

Re: [SURBL-Discuss] URIBL and PTR records
by List Mail User 13 May '05

13 May '05

>... > >when browsing unsubscribe links like http://www.signoffcorp.biz/uns.htm to >enter a spamtrap address I just noticed that quite a few of the pages look >extremely similar, DNS lookups show: > >$ host www.signoffcorp.biz >www.signoffcorp.biz has address 217.107.217.8 >$ host www.bestcds.biz >www.bestcds.biz has address 217.107.217.8 >$ host www.wonder-pills.com >www.wonder-pills.com has address 217.107.217.8 >$ host www.multimed.ws >www.multimed.ws has address 217.107.217.8 > >$ host 217.107.217.8 >8.217.107.217.in-addr.arpa is an alias for 8.0/27.217.107.217.in-addr.arpa. >8.0/27.217.107.217.in-addr.arpa domain name pointer webrider.ru. >$ host webrider.ru >webrider.ru has address 217.107.216.26 > >so i wonder if it is possible (or already done) to also list (and save) the >IPs of URIBL listed domains and check newly queried, yet unlisted domains >against those IPs. > >any comments? > >regards, > >wolfgang >_______________________________________________ >Discuss mailing list >Discuss(a)lists.surbl.org >http://lists.surbl.org/mailman/listinfo/discuss > All multitrade group - look at multitrade-corp. {biz,com}. Also, you can lookup all those domains at rfc-ignorant.org for more comments. BTW. You suggestion is the fundamental difference between IP based BLs and RHS BLs - That is why there is a place in the world for both. Paul Shupak track(a)plectere.com P.S. There are a least a few hundred domains at those IPs - I think there's a partial list on one Spamhaus page (don't have the SBL at hand).

1 0

RE: [SURBL-Discuss] URIBL and PTR records
by Chris Santerre 13 May '05

13 May '05

> -----Original Message----- > From: wolfgang [mailto:mewolf1@gmx.net] > Sent: Thursday, May 12, 2005 4:20 PM > To: SURBL Discuss > Subject: [SURBL-Discuss] URIBL and PTR records > > > when browsing unsubscribe links like > http://www.signoffcorp.biz/uns.htm to > enter a spamtrap address I just noticed that quite a few of > the pages look > extremely similar, DNS lookups show: > > $ host www.signoffcorp.biz > www.signoffcorp.biz has address 217.107.217.8 > $ host www.bestcds.biz > www.bestcds.biz has address 217.107.217.8 > $ host www.wonder-pills.com > www.wonder-pills.com has address 217.107.217.8 > $ host www.multimed.ws > www.multimed.ws has address 217.107.217.8 > > $ host 217.107.217.8 > 8.217.107.217.in-addr.arpa is an alias for > 8.0/27.217.107.217.in-addr.arpa. > 8.0/27.217.107.217.in-addr.arpa domain name pointer webrider.ru. > $ host webrider.ru > webrider.ru has address 217.107.216.26 > > so i wonder if it is possible (or already done) to also list > (and save) the > IPs of URIBL listed domains and check newly queried, yet > unlisted domains > against those IPs. > > any comments? 1 ALL-DISKS.COM. 2 ALL-THE-PILLS.COM. 3 ALL-THE-SOFT.COM. 4 ALLSOFT-CDS.COM. 5 ALLSOFT-DISKS.COM. 6 ALLTABLETS.COM. 217.107.216.26 - IP hosts 46 Total Domains ... Showing 1 - 46 out of 46 Domain Name 1 AIZENSHPIS.COM. 2 AJAXRECRUITMENT.COM. 3 AUTOCD.NET. 4 BARDACHOK.COM. 5 CASINODEBALEARES.COM. 6 DIMENSIONWEB.NET. 7 DJEMETE.COM. 8 DUBROVKA.COM. 9 ECITYCLUB.COM. 10 ENERGORUS.COM. 11 ESEMAIL.NET. 12 ESSHOST.COM. 13 FIREBIRDHOTEL.COM. 14 GARDESMASH.COM. 15 HAJYAN.COM. 16 KRONA.INFO. 17 KSSHOST.COM. 18 KZTT.COM. 19 LAZURNAYA.NET. 20 LEDOSPORT.COM. 21 LSSHOST.COM. 22 LZOS.COM. 23 MALAHIT.ORG. 24 MARTENA.NET. 25 MEDSPECTR.COM. 26 MERGELYAN.COM. 27 MYFOREX.BIZ. 28 NIMFA.COM. 29 OVIONT.COM. 30 PLOSHADKA.COM. 31 RADIOTUN.COM. 32 RTPROM.COM. 33 RUSBABE.COM. 34 RUSBIO.BIZ. 35 RUSJAGUAR.COM. 36 RUSSIAN-MINING.COM. 37 SECRETNO.COM. 38 SEOSPECIALS.COM. 39 SMOLSAT.COM. 40 SOVERSHENSTVA.NET. 41 STRELKINA.COM. 42 STUDIAAFGANICA.COM. 43 TECHNOAC.COM. 44 WADADA.NET. 45 WEBGRAD.NET. 46 WESTCOM.INFO. all-the-soft.biz anysoft.biz computersoft.biz deltamed.biz endomed.info finemed.biz infrasoft.biz medgamma.com opendelta.biz platinummed.biz popularsoft.biz popularsoftware.biz protosoft.biz protosoft.org signoffcorp.biz soft-sale.biz soft-sale.org softuniverse.biz triamed.biz triasoft.biz Short answer.....we're on it ;) --chris

1 0

URIBL and PTR records
by wolfgang 13 May '05

13 May '05

when browsing unsubscribe links like http://www.signoffcorp.biz/uns.htm to enter a spamtrap address I just noticed that quite a few of the pages look extremely similar, DNS lookups show: $ host www.signoffcorp.biz www.signoffcorp.biz has address 217.107.217.8 $ host www.bestcds.biz www.bestcds.biz has address 217.107.217.8 $ host www.wonder-pills.com www.wonder-pills.com has address 217.107.217.8 $ host www.multimed.ws www.multimed.ws has address 217.107.217.8 $ host 217.107.217.8 8.217.107.217.in-addr.arpa is an alias for 8.0/27.217.107.217.in-addr.arpa. 8.0/27.217.107.217.in-addr.arpa domain name pointer webrider.ru. $ host webrider.ru webrider.ru has address 217.107.216.26 so i wonder if it is possible (or already done) to also list (and save) the IPs of URIBL listed domains and check newly queried, yet unlisted domains against those IPs. any comments? regards, wolfgang

2 1

Feedback on adprofile.net wanted
by Jeff Chan 12 May '05

12 May '05

adprofile.net reportedly appeared in a flowers.com ham as: <td align="middle"><a href="http://tx.adprofile.net/tx/r?CID=12&M=3&sid=800ABC123"><IMG height=90 src="http://a1234.g.akamai.net/f/1233/1234/1a/www.1800flowers.com/800f_assets/im… me too120X90.gif" width="120" NOSEND="1" border="0"></a></td> Yet it's listed on WS by Bill Stearns. This may be a false positive. Does anyone have any more information about it? Catherine Hampton says it's not on her spam radar and others have said that they may be web spammers on guestbooks, wikis, etc. but not email spammers. They seem to have some minor NANAS. Feedback wanted. :-) Jeff C. -- Don't harm innocent bystanders.

4 4

Re: [SURBL-Discuss] Feedback on adprofile.net wanted
by Robert Menschel 11 May '05

11 May '05

> Date: Mon, 9 May 2005 22:34:13 -0700 > From: Jeff Chan <jeffc(a)surbl.org> > Subject: [SURBL-Discuss] Feedback on adprofile.net wanted > To: SURBL Discuss <discuss(a)lists.surbl.org> > Message-ID: <357174725.20050509223413(a)surbl.org> > Content-Type: text/plain; charset=us-ascii > adprofile.net reportedly appeared in a flowers.com ham as: ... > Yet it's listed on WS by Bill Stearns. This may be a false > positive. Does anyone have any more information about it? I find adprofile.net within my corpus in 1) what appears to be a valid ham, angry (not quite hate) email to Mike Malloy, liberal radio talk show host, from a radical conservative listener. Email includes a copy of the 760thezone.com home page (the radio station that carries the talk show). Home page apparently contained the paid ad link: <A class=3Dportalbar=20 href=3D"http://wvw.clearchannel.com/spacer.gif?event=3D104~radio~20~~124~= Low Mortgage =Rates!~125~/hosts/index.html~121~kkzn-am~98~http://tx.adprofile.net/tx/r?= CID=3D60584&M=3D0&sid=3Dlmr"=20 target=3D_blank>Low Mortgage=20 target=3D_blank>Rates!</A> In addition to that one ham, I have 12 spam. Bob Menschel

1 0

Re: [SURBL-Discuss] Feedback on adprofile.net wanted
by List Mail User 11 May '05

11 May '05

>... > >on Mon, May 09, 2005 at 10:34:13PM -0700, Jeff Chan wrote: >> adprofile.net reportedly appeared in a flowers.com ham as: >> >> <td align="middle"><a href="http://tx.adprofile.net/tx/r?CID=12&M=3&sid=800ABC123"><IMG height=90 >> src="http://a1234.g.akamai.net/f/1233/1234/1a/www.1800flowers.com/800f_assets/im… me >> too120X90.gif" width="120" NOSEND="1" border="0"></a></td> >> >> Yet it's listed on WS by Bill Stearns. This may be a false >> positive. Does anyone have any more information about it? > >Seen here tonight in spam for idiotclimber.com et al.: > ><center> If you wish to stop future >messages from Christianfamilyloans, please <a >href="http://tx.adprofile.net/tx/r?CID=46505&ADTBID=EMAIL604"> follow this link ></a> or contact us at: Christianfamilyloans, P.O. Box 78361, San >Francisco, CA 94107-8361. > > >Note that the other CAN-SPAM mention is commented out at the top of >the HTML message, so who knows? > >This email is a commercial advertisement sent in compliance with the >CANSPAM Act of 2003. We have no desire to send you information that is >not wanted, therefore, if you wish to be excluded from future mailings, >please use the link at the bottom of the page. > >This is an email promotion being sent to you by idiotclimber.com. To >stop all future mailings, follow the link below or send your email >address to: > > Member Services > 242 W. 36th St,12th floor New York, NY 10018 > (866) 872-6022 > >http://www.idiotclimber.com/cgi-bin/unsubscr.cgi?email=445273&cid=34&pid= > >Other domains: > >ibidclause.com >idiotclimber.com >idoiclamp.com >iflager.com >indigocraze.com >instepluck.com >interchairs.com >intercheeze.com >interestlone.com >iratelamp.com >iratelounge.com >ironcleets.com >ironiclever.com >ironlaser.com >itchinglover.com > >-- >hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2554 w: http://hesketh.com >join us! http://hesketh.com/about/careers/account_manager.html join us! >_______________________________________________ >Discuss mailing list >Discuss(a)lists.surbl.org >http://lists.surbl.org/mailman/listinfo/discuss > Very interesting, "legal" spam; Especially since the domain christianfamilyloans. com (may be totally unrelated - hard to tell with "private" registration) is an unrepentant, hard-core spammer (very "christian" of them)! Paul Shupak track(a)plectere.com

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

Discuss