- Discuss - Mailman 3

Re: [SURBL-Discuss] LInk to add to SURBL
by List Mail User 20 May '05

20 May '05

>... >> 220 max.madplus.com ESMTP Merak 7.4.5; Wed, 18 May 2005 12:11:27 -0400 >> quit > >> Same registrant also owns gmbdream. com and uses the company name >> of "GMB Direct". > >Thanks Paul. Does any of this help inform us about how spammy >this critter is? > >Jeff C. >-- >Don't harm innocent bystanders. > >... There is the quick results from a Goggle search which shows that "GMB Direct" runs a group of "email marketeering" companies/domains/sites which vary in published policies. A short list (just from the first few Google hits) include: **** First a few "general" hits **** Email Results: Permission Email Marketing Resources for Advertisers www.emailresults.com/directory_ category.asp?CategoryID=4027 GMBDirect - Contact us www.gmbdirect.com/en/contacts/ GMBDirect - About opt-in marketing www.gmbdirect.com/en/marketing/ **** The first "really suspicious one" **** ... Bulk direct e-mail marketing services available through our partners GMB Direct. ... +Direct E-mail Marketing with our partners at GMB Direct. ... www.flashcap.com/Main%20Site/ Services/Params/menu/100/default.aspx **** Some "clear" slime **** Sweeps-US.com - About Us ... COM is one of the family of Web sites owned and operated by GMB DIRECT. Founded in 1998, GMB DIRECT is a leader within the online marketing industry. ... sweeps-us.com/aboutus/ **** Uh-Oh - an "affiliate" program **** Welcome to GMBDirect Affiliate Network ... 1-877-GMB-DIRECT. 1-877-462-3473. info(a)gmbtrack.com. Member Log In. Username :. Password :. Publisher, Advertiser ... gmbtrack.com/ **** Now more slime **** Sweeps-US.com - About Us ... COM is one of the family of Web sites owned and operated by GMB DIRECT. Founded in 1998, GMB DIRECT is a leader within the online marketing industry. ... sweeps-us.com/aboutus/ **** Buy "opt-in" mailing lists **** Optin Email Directory Directory - Business directory, Business to ... ... Email Marketing - National, Click to visit! GMB Direct. www.gmbdirect.com. New York, New York. 877 GMB Direct. Click to visit! Targetware. www.targetware.com. ... www.optinemaildirectory.com/s.asp?d=1478 **** Finally the "give-away" - true "slime" - the privacy page from a Russian site they run (read the find print) **** E-Get - Privacy policy Privacy policy Last Updated: March 12, 2004. GMB Direct ("GMB Direct," "we," "us," "our") has created this site (the "Site") in order to advise you of GMB ... www.vme.net.ru/Privacy/ Against them; Their contract specifically states they are not responsible for the "correctness" of the lists. They will "rent" or "sell" email address lists. They will willingly transfer data gathered from one client to any other paying client (read the "privacy" statement). They have an extremely large number of domains, many hidden with private registrations. In their defense; They are very expensive compared to many spammers. They claim some large companies as customers. --- Thats it. They make it seem like they are legit, but they offer to use any customer provided list to email to (with no mention about "checking"). So clearly they are in the "spam support" business but may have some legitimate customers; Also, many of there domains are "hidden" with private registrations and their seem to fall into three categories - the ones that say they are GMB and are trying to sell services, the ones that say they are GMB but are for gathering personal information using questionable "sweepstakes" (e.g. Win a {TV, Gift Certificate, Sony VAIO, etc}) and other tatics, and finally the ones which do not identify themselves at all. The mere existence if the third group makes them slime (as does the second) and probably make them spammers for themselves as well as for customers (this wouldn't stand up in court, but probably would for a Grand Jury - You can decide where the decision should fall). So the question of "how spammy" is still open, but "are they spammers" is answered (i.e. you may want to list some domains, but not others). Paul Shupak track(a)plectere.com

1 0

Re: [SURBL-Discuss] Reporting phishing-spams?
by Joe Zitnik 19 May '05

19 May '05

Usually to the organization that is being misrepresented is a good place to start. I know there are addresses set up just for this with some companies, spoof(a)paypal.com and spoof(a)ebay.com come to mind. They might not actually do anything, but they are there. :-( >>> martin.lyberg(a)idkommunikation.com 5/19/2005 4:03 AM >>> Where is the best place to report phishing-spam? Thanks / Martin _______________________________________________ Discuss mailing list Discuss(a)lists.surbl.org http://lists.surbl.org/mailman/listinfo/discuss

1 0

Re: [SURBL-Discuss] LInk to add to SURBL
by List Mail User 19 May '05

19 May '05

... > >spam link. > >http://www.kexmt.move.fresh-deals.net/go/g/31/2869/1/?3495564 > >Dan Zachary > >_______________________________________________ >Discuss mailing list >Discuss(a)lists.surbl.org >http://lists.surbl.org/mailman/listinfo/discuss > Despite hiding behind a "private registration": % nslookup -type=any fresh-deals.net ns1.fresh-deals.net Server: ns1.fresh-deals.net Address: 206.131.233.2#53 fresh-deals.net origin = ns1.fresh-deals.net mail addr = hostmaster.fresh-deals.net serial = 2005050501 refresh = 86400 retry = 3600 expire = 777600 minimum = 3600 fresh-deals.net nameserver = ns1.fresh-deals.net. Name: fresh-deals.net Address: 206.131.233.2 fresh-deals.net mail exchanger = 10 max.fresh-deals.net. % nslookup -type=any max.fresh-deals.net ns1.fresh-deals.net Server: ns1.fresh-deals.net Address: 206.131.233.2#53 Name: max.fresh-deals.net Address: 206.131.233.2 % nslookup -type=any 206.131.233.2 ns1.madplus.com Server: ns1.madplus.com Address: 206.131.233.2#53 2.233.131.206.in-addr.arpa name = max.madplus.com. % telnet max.fresh-deals.net 25 Trying 206.131.233.2... Connected to max.fresh-deals.net. Escape character is '^]'. 220 max.madplus.com ESMTP Merak 7.4.5; Wed, 18 May 2005 12:11:27 -0400 quit Same registrant also owns gmbdream. com and uses the company name of "GMB Direct". Paul Shupak track(a)plectere.com

2 1

Re: [SURBL-Discuss] LInk to add to SURBL
by List Mail User 18 May '05

18 May '05

>... > >On Wednesday, May 18, 2005, 6:44:05 AM, Spam Admin wrote: >> spam link. > >> http://www.kexmt.move.fresh-deals.net/go/g/31/2869/1/?3495564 > >> Dan Zachary > >Hi Dan, >This is a recently registered domain (a couple weeks ago) >but it doesn't seem to resolve into spaces that are known >to be spammy. That may just mean spammers have moved into >a new network space, etc. > >However there are a number of odd things about this domain >from the registration, to the host's registration, etc. >And it doesn't seem to resolve currently. > >Is anyone else seeing this in spams? > >Jeff C. >-- >Don't harm innocent bystanders. > >_______________________________________________ >Discuss mailing list >Discuss(a)lists.surbl.org >http://lists.surbl.org/mailman/listinfo/discuss > The actual registrant is below - have to do better to hide behind a "private registration". % jwhois madplus.com [Querying whois.internic.net] [Redirected to whois.enom.com] [Querying whois.enom.com] [whois.enom.com] Registration Service Provided By: Contact: abuse-ns(a)gmbdream.com Visit: Domain name: madplus.com Administrative Contact: Paul Davis (abuse-ns(a)gmbdream.com) +1.6465363193 Fax: +1.- 60 E 42 Street Suite 449 NewYork, NY 10165 US Billing Contact: Paul Davis (abuse-ns(a)gmbdream.com) +1.6465363193 Fax: +1.- 60 E 42 Street Suite 449 NewYork, NY 10165 US Technical Contact: Paul Davis (abuse-ns(a)gmbdream.com) +1.6465363193 Fax: +1.- 60 E 42 Street Suite 449 NewYork, NY 10165 US Registrant Contact: Paul Davis (abuse-ns(a)gmbdream.com) +1.6465363193 Fax: +1.- 60 E 42 Street Suite 449 NewYork, NY 10165 US Status: Active Name Servers: ns1.madplus.com ns2.madplus.com Creation date: 15 Mar 2005 07:56:39 Expiration date: 15 Mar 2006 07:56:39 The data in this whois database is provided to you for information purposes only, that is, to assist you in obtaining information about or related to a domain name registration record. We make this information available "as is," and do not guarantee its accuracy. By submitting a whois query, you agree that you will use this data only for lawful purposes and that, under no circumstances will you use this data to: (1) enable high volume, automated, electronic processes that stress or load this whois database system providing you this information; or (2) allow, enable, or otherwise support the transmission of mass unsolicited, commercial advertising or solicitations via direct mail, electronic mail, or by telephone. The compilation, repackaging, dissemination or other use of this data is expressly prohibited without prior written consent from us. The registrar of record is eNom. We reserve the right to modify these terms at any time. By submitting this query, you agree to abide by these terms. Version 6.3 4/3/2002 Paul Shupak track(a)plectere.com

1 0

Re: [SURBL-Discuss] LInk to add to SURBL
by List Mail User 18 May '05

18 May '05

>From discuss-bounces(a)lists.surbl.org Wed May 18 06:57:18 2005 X-Scanned-By: RAE MPP/Clamd http://raeinternet.com/mpp Date: Wed, 18 May 2005 09:44:05 -0400 From: Spam Admin <spam_admin(a)sil.org> User-Agent: Mozilla Thunderbird 1.0.2 (X11/20050317) X-Accept-Language: en-us, en MIME-Version: 1.0 To: SURBL Discussion list <discuss(a)lists.surbl.org> References: <00ad01c55ba8$75db8040$cc0a0a0a(a)thoughtworthy.internal> <428B41AB.7060701(a)sil.org> In-Reply-To: <428B41AB.7060701(a)sil.org> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Prolocation-MailScanner-Information: Please contact helpdesk(a)prolocation.net for more information X-Prolocation-MailScanner: Found to be clean X-Prolocation-MailScanner-SpamCheck: X-Prolocation-MailScanner-From: spam_admin(a)sil.org Subject: [SURBL-Discuss] LInk to add to SURBL X-BeenThere: discuss(a)lists.surbl.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: SURBL Discussion list <discuss(a)lists.surbl.org> List-Id: SURBL Discussion list <discuss.lists.surbl.org> List-Unsubscribe: <http://lists.surbl.org/mailman/listinfo/discuss>, <mailto:discuss-request@lists.surbl.org?subject=unsubscribe> List-Archive: <http://lists.surbl.org/pipermail/discuss> List-Post: <mailto:discuss@lists.surbl.org> List-Help: <mailto:discuss-request@lists.surbl.org?subject=help> List-Subscribe: <http://lists.surbl.org/mailman/listinfo/discuss>, <mailto:discuss-request@lists.surbl.org?subject=subscribe> Sender: discuss-bounces(a)lists.surbl.org Errors-To: discuss-bounces(a)lists.surbl.org X-Spam-Checker-Version: SpamAssassin 3.0.1 (2004-10-22) on nepal.plectere.com X-Spam-Status: No, score=-102.3 required=5.0 tests=AWL,BAYES_00,URIBL_L2SPEWS, USER_IN_WHITELIST autolearn=no version=3.0.1 X-Spam-Level-Plectere: spam link. http://www.kexmt.move.fresh-deals.net/go/g/31/2869/1/?3495564 Dan Zachary _______________________________________________ Discuss mailing list Discuss(a)lists.surbl.org http://lists.surbl.org/mailman/listinfo/discuss

1 0

Re: [SPAM-TAG] [SURBL-Discuss] Would SURBL block Yahoo, redirect? (Jeff Chan)
by J. Fowler 17 May '05

17 May '05

> So it checks yahoo.com and thelumbercartel.com . I'm certainly not suggesting thelubercartel.com was spamming. Just wanted to make that clear. The actual spam seen came from: http://google.com.s1gns.net/mortgage.asp And thanks. My concern was for the applications such as SA catching long urls. Jay

1 0

Would SURBL block Yahoo redirect?
by J. Fowler 17 May '05

17 May '05

Hello, Is this something Yahoo should be concerned with? Would SURBL lists flag spam if the leading url was yahoo? http://rds.yahoo.com/*-http://www.thelumbercartel.com/ I caught a few spams using yahoo to disguise their URL. saw somthing like this: http://rds.yahoo.com/S=1/K=r/v=3/e=0/t=0/i=1/r=1/*-http://google.com.s1gns.… Just curious what you guys thought.

3 3

Re: MORE (was: Re: [SURBL-Discuss] yet another joe job)
by List Mail User 17 May '05

17 May '05

>... >> All DNS provided by: >> >> nserver: ns1.dnsm.net 218.7.120.70 >> nserver: ns2.dnsm.net 218.7.120.70 >> >> And all domains registered to: >> >> owner: Roelf Van der Brug >> email: admin(a)taiwanmedialtd.com >> address: Singel 2 >> address: Jordaan >> city: Amsterdam >> state: -- >> postal-code: 1015JT >> country: NL >> phone: +31 84 220 2586 > >We have seen fake registrations before, and this also fits there. >Amsterdam is 020. not 084. The PO code fits Amsterdam however. > >domain: taiwanmedialtd.com >status: lock >owner: Mohammad Khan >email: admin(a)taiwanmedialtd.com >address: Kizilelma Caddesi No >address: Findikzade >city: Istanbul > >Funny, we have seen that also before. > >Bye, >Raymond. >_______________________________________________ >Discuss mailing list >Discuss(a)lists.surbl.org >http://lists.surbl.org/mailman/listinfo/discuss > The postal code would be correct, if it was on land, but for the on the docks (and this is a boat slip), the proper postal code is 1013JT. Also, there are two variants of the Istanbul address, one has just "No" at the end, the other is "No. 62" - It is actually a rug shop in the bazaar. The "really" old registrations used taiwantelco. com as the email domain and dnst. net for name service. (I have found over a hundred, before I started using other people's data - from Joe Wein's, Bill Stearns' and a few other peoples collected and published lists I've found a few hundred more.) My favorite's are still the ones which use the address from the Beverley Hills 90210 TV show (mostly a couple of months ago). The most recent Turkish address, Pakistani telephone number, and email they are using is (Note: there is a bazaar at Oguzhan Caddesi No. 1 that fills the entire block - this address does not exist, but the telephone is a valid mobile phone registered in Pakistan and the email is functional): Gulhan Ozgur Oguzhan Caddesi No:2 Kat: 2 Denizli TR-20100 TR +9.2582411726 magicgoodman(a)yahoo.com Paul Shupak track(a)plectere.com

2 1

RE: [SURBL-Discuss] yet another joe job
by Chris Santerre 17 May '05

17 May '05

>-----Original Message----- >From: Steven Champeon [mailto:schampeo@hesketh.com] >Sent: Monday, May 16, 2005 11:32 AM >To: discuss(a)lists.surbl.org >Subject: [SURBL-Discuss] yet another joe job > > > >Please list the following domains: > >dnbfbsqs.com SPAMMER >ghtnsecn.com SPAMMER >rumbumbale.com SPAMMER >tnashbsv.com SPAMMER >turuntale.com SPAMMER All but one were already in uribl.com. I added the other ;) Keep up the good fight Steven! --Chris

4 7

RE: [SURBL-Discuss] German spam crap
by Smith, Eric 17 May '05

17 May '05

Excellent thank you. I wasn't sure if the actual sites they were linking were involved. /E. -----Original Message----- From: discuss-bounces(a)lists.surbl.org [mailto:discuss-bounces@lists.surbl.org] On Behalf Of Raymond Dijkxhoorn Sent: Monday, May 16, 2005 11:25 AM To: SURBL Discussion list Subject: RE: [SURBL-Discuss] German spam crap Hi! > So I saw the rule, but will any of the links in most of the messages be > added to SURBL? It's my understanding this is virus related coming > sometimes from internal hosts infected with a new class of virus that will > turn the infected PC into a spam host. We do filter internal mail for spam > also so I thought I would check if the links in these messages will > eventually make it to SURBL. No, since the sites itself didnt do the spamrums, but were just abused also. And no, thats not SURBL material... >> http://mailscanner.prolocation.net/german.cf >> >> Ruleset to stop the Sober crap thats been going around like crazy >> currently. The political spams written in german language... >> >> Hopefully it will help some people to stop this crap. So get the ruleset if you wanna filter those. Bye, Raymond. _______________________________________________ Discuss mailing list Discuss(a)lists.surbl.org http://lists.surbl.org/mailman/listinfo/discuss

2 1

German spam crap
by Raymond Dijkxhoorn 17 May '05

17 May '05

Hi! Its mentioned on the SA list also, but since we got some questions about it from other people who didnt read it there: http://mailscanner.prolocation.net/german.cf Ruleset to stop the Sober crap thats been going around like crazy currently. The political spams written in german language... Hopefully it will help some people to stop this crap. Bye, Raymond.

3 2

Re: MORE (was: Re: [SURBL-Discuss] yet another joe job)
by List Mail User 17 May '05

17 May '05

>> >> >> >-----Original Message----- >> >From: Steven Champeon [mailto:schampeo@hesketh.com] >> >Sent: Monday, May 16, 2005 11:32 AM >> >To: discuss(a)lists.surbl.org >> >Subject: [SURBL-Discuss] yet another joe job >> > >> > >> > >> >Please list the following domains: >> > >> >dnbfbsqs.com SPAMMER >> >ghtnsecn.com SPAMMER >> >rumbumbale.com SPAMMER >> >tnashbsv.com SPAMMER >> >turuntale.com SPAMMER >> >> All but one were already in uribl.com. I added the other ;) >> >> Keep up the good fight Steven! > >Can't really help not ;) > >More domains just came in today: > >aupd.com >bnik.com >c5t.net >d3w.net >da9.net >ei7.net >el9.net >f5s.net >g3r.net >h64.net >l73.net >lzac.com >mq5.net >myyv.com >nf0.net >nlav.com >pi11.com >pq4.net >pqer.com >przc.com >rgry.com >t6i.net >uosb.com >vf9.net >viags.com >wlue.com >xi4.net >yi4.net >ymil.com > >Looks like a completely different spammer. :( > >All DNS provided by: > >nserver: ns1.dnsm.net 218.7.120.70 >nserver: ns2.dnsm.net 218.7.120.70 > >And all domains registered to: > >owner: Roelf Van der Brug >email: admin(a)taiwanmedialtd.com >address: Singel 2 >address: Jordaan >city: Amsterdam >state: -- >postal-code: 1015JT >country: NL >phone: +31 84 220 2586 >admin-c: admin(a)taiwanmedialtd.com#0 >tech-c: admin(a)taiwanmedialtd.com#0 >billing-c: admin(a)taiwanmedialtd.com#0 >nserver: ns1.dnsm.net 218.7.120.70 >nserver: ns2.dnsm.net 218.7.120.70 >created: 2005-04-21 14:11:39 UTC >modified: 2005-05-09 10:20:38 UTC >expires: 2006-04-21 10:11:39 UTC > >-- >hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2554 w: http://hesketh.com >join us! http://hesketh.com/about/careers/account_manager.html join us! >_______________________________________________ >Discuss mailing list >Discuss(a)lists.surbl.org >http://lists.surbl.org/mailman/listinfo/discuss > All taiwantelco/taiwanmedialtd - also uses addresses in Turkey and telephone numbers in Pakistan. Look at the domain dnst. net for some historic data. Many new domains are registered on a "Bay Drive" in Beverley Hills - zipcodes 90210 and 90211 (no such street exists, except on the TV show, it did) and some in New York and a few other places. There is some relationship, maybe shared customers. Some of their sites are hosted on the same machines as the multitrade group machines (see the spamhaus records on both). BTW. The 2 Singel address is a boat slip with no tenant (also the proper postal code for the boat docks is 1013, not 1015). They just switched registrars after Joker marked almost all of their domains as "invalid address". See 900mg. com, aekb. com, b7x. com, cpko. com, dgko. com, and about a hundred more. Paul Shupak track(a)plectere.com

1 0

yet another joe job
by Steven Champeon 16 May '05

16 May '05

Please list the following domains: dnbfbsqs.com SPAMMER ghtnsecn.com SPAMMER rumbumbale.com SPAMMER tnashbsv.com SPAMMER turuntale.com SPAMMER webstandards.org is being joe'd by the same spammer again: Zhamelgo, Alexandr aazhago(a)yahoo.com Profsoyuznaya 25-1, 31 Moscow, MSK 117418 RU +7.0956995731 Fax:+61.294750668 His nameservers for the domains are: DOG.CCPATONCEJK.BIZ 202.99.172.145 TSURT.CCPATONCEJK.BIZ 200.149.11.62 Thanks, Steve -- hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2554 w: http://hesketh.com join us! http://hesketh.com/about/careers/account_manager.html join us!

1 0

RE: [SURBL-Discuss] German spam crap
by Smith, Eric 16 May '05

16 May '05

So I saw the rule, but will any of the links in most of the messages be added to SURBL? It's my understanding this is virus related coming sometimes from internal hosts infected with a new class of virus that will turn the infected PC into a spam host. We do filter internal mail for spam also so I thought I would check if the links in these messages will eventually make it to SURBL. /E. -----Original Message----- From: discuss-bounces(a)lists.surbl.org [mailto:discuss-bounces@lists.surbl.org] On Behalf Of Kevin A. McGrail Sent: Sunday, May 15, 2005 1:06 PM To: SURBL Discussion list Subject: Re: [SURBL-Discuss] German spam crap Thanks Raymond. I was wondering about that. It's been hammering a ton of my mailing list subscriptions including sourceforge! > Its mentioned on the SA list also, but since we got some questions about > it from other people who didnt read it there: > > http://mailscanner.prolocation.net/german.cf > > Ruleset to stop the Sober crap thats been going around like crazy > currently. The political spams written in german language... > > Hopefully it will help some people to stop this crap. _______________________________________________ Discuss mailing list Discuss(a)lists.surbl.org http://lists.surbl.org/mailman/listinfo/discuss

2 1

Re: [SURBL-Discuss] URIBL and PTR records
by List Mail User 13 May '05

13 May '05

>... > >when browsing unsubscribe links like http://www.signoffcorp.biz/uns.htm to >enter a spamtrap address I just noticed that quite a few of the pages look >extremely similar, DNS lookups show: > >$ host www.signoffcorp.biz >www.signoffcorp.biz has address 217.107.217.8 >$ host www.bestcds.biz >www.bestcds.biz has address 217.107.217.8 >$ host www.wonder-pills.com >www.wonder-pills.com has address 217.107.217.8 >$ host www.multimed.ws >www.multimed.ws has address 217.107.217.8 > >$ host 217.107.217.8 >8.217.107.217.in-addr.arpa is an alias for 8.0/27.217.107.217.in-addr.arpa. >8.0/27.217.107.217.in-addr.arpa domain name pointer webrider.ru. >$ host webrider.ru >webrider.ru has address 217.107.216.26 > >so i wonder if it is possible (or already done) to also list (and save) the >IPs of URIBL listed domains and check newly queried, yet unlisted domains >against those IPs. > >any comments? > >regards, > >wolfgang >_______________________________________________ >Discuss mailing list >Discuss(a)lists.surbl.org >http://lists.surbl.org/mailman/listinfo/discuss > All multitrade group - look at multitrade-corp. {biz,com}. Also, you can lookup all those domains at rfc-ignorant.org for more comments. BTW. You suggestion is the fundamental difference between IP based BLs and RHS BLs - That is why there is a place in the world for both. Paul Shupak track(a)plectere.com P.S. There are a least a few hundred domains at those IPs - I think there's a partial list on one Spamhaus page (don't have the SBL at hand).

1 0

RE: [SURBL-Discuss] URIBL and PTR records
by Chris Santerre 13 May '05

13 May '05

> -----Original Message----- > From: wolfgang [mailto:mewolf1@gmx.net] > Sent: Thursday, May 12, 2005 4:20 PM > To: SURBL Discuss > Subject: [SURBL-Discuss] URIBL and PTR records > > > when browsing unsubscribe links like > http://www.signoffcorp.biz/uns.htm to > enter a spamtrap address I just noticed that quite a few of > the pages look > extremely similar, DNS lookups show: > > $ host www.signoffcorp.biz > www.signoffcorp.biz has address 217.107.217.8 > $ host www.bestcds.biz > www.bestcds.biz has address 217.107.217.8 > $ host www.wonder-pills.com > www.wonder-pills.com has address 217.107.217.8 > $ host www.multimed.ws > www.multimed.ws has address 217.107.217.8 > > $ host 217.107.217.8 > 8.217.107.217.in-addr.arpa is an alias for > 8.0/27.217.107.217.in-addr.arpa. > 8.0/27.217.107.217.in-addr.arpa domain name pointer webrider.ru. > $ host webrider.ru > webrider.ru has address 217.107.216.26 > > so i wonder if it is possible (or already done) to also list > (and save) the > IPs of URIBL listed domains and check newly queried, yet > unlisted domains > against those IPs. > > any comments? 1 ALL-DISKS.COM. 2 ALL-THE-PILLS.COM. 3 ALL-THE-SOFT.COM. 4 ALLSOFT-CDS.COM. 5 ALLSOFT-DISKS.COM. 6 ALLTABLETS.COM. 217.107.216.26 - IP hosts 46 Total Domains ... Showing 1 - 46 out of 46 Domain Name 1 AIZENSHPIS.COM. 2 AJAXRECRUITMENT.COM. 3 AUTOCD.NET. 4 BARDACHOK.COM. 5 CASINODEBALEARES.COM. 6 DIMENSIONWEB.NET. 7 DJEMETE.COM. 8 DUBROVKA.COM. 9 ECITYCLUB.COM. 10 ENERGORUS.COM. 11 ESEMAIL.NET. 12 ESSHOST.COM. 13 FIREBIRDHOTEL.COM. 14 GARDESMASH.COM. 15 HAJYAN.COM. 16 KRONA.INFO. 17 KSSHOST.COM. 18 KZTT.COM. 19 LAZURNAYA.NET. 20 LEDOSPORT.COM. 21 LSSHOST.COM. 22 LZOS.COM. 23 MALAHIT.ORG. 24 MARTENA.NET. 25 MEDSPECTR.COM. 26 MERGELYAN.COM. 27 MYFOREX.BIZ. 28 NIMFA.COM. 29 OVIONT.COM. 30 PLOSHADKA.COM. 31 RADIOTUN.COM. 32 RTPROM.COM. 33 RUSBABE.COM. 34 RUSBIO.BIZ. 35 RUSJAGUAR.COM. 36 RUSSIAN-MINING.COM. 37 SECRETNO.COM. 38 SEOSPECIALS.COM. 39 SMOLSAT.COM. 40 SOVERSHENSTVA.NET. 41 STRELKINA.COM. 42 STUDIAAFGANICA.COM. 43 TECHNOAC.COM. 44 WADADA.NET. 45 WEBGRAD.NET. 46 WESTCOM.INFO. all-the-soft.biz anysoft.biz computersoft.biz deltamed.biz endomed.info finemed.biz infrasoft.biz medgamma.com opendelta.biz platinummed.biz popularsoft.biz popularsoftware.biz protosoft.biz protosoft.org signoffcorp.biz soft-sale.biz soft-sale.org softuniverse.biz triamed.biz triasoft.biz Short answer.....we're on it ;) --chris

1 0

URIBL and PTR records
by wolfgang 13 May '05

13 May '05

when browsing unsubscribe links like http://www.signoffcorp.biz/uns.htm to enter a spamtrap address I just noticed that quite a few of the pages look extremely similar, DNS lookups show: $ host www.signoffcorp.biz www.signoffcorp.biz has address 217.107.217.8 $ host www.bestcds.biz www.bestcds.biz has address 217.107.217.8 $ host www.wonder-pills.com www.wonder-pills.com has address 217.107.217.8 $ host www.multimed.ws www.multimed.ws has address 217.107.217.8 $ host 217.107.217.8 8.217.107.217.in-addr.arpa is an alias for 8.0/27.217.107.217.in-addr.arpa. 8.0/27.217.107.217.in-addr.arpa domain name pointer webrider.ru. $ host webrider.ru webrider.ru has address 217.107.216.26 so i wonder if it is possible (or already done) to also list (and save) the IPs of URIBL listed domains and check newly queried, yet unlisted domains against those IPs. any comments? regards, wolfgang

2 1

Feedback on adprofile.net wanted
by Jeff Chan 12 May '05

12 May '05

adprofile.net reportedly appeared in a flowers.com ham as: <td align="middle"><a href="http://tx.adprofile.net/tx/r?CID=12&M=3&sid=800ABC123"><IMG height=90 src="http://a1234.g.akamai.net/f/1233/1234/1a/www.1800flowers.com/800f_assets/im… me too120X90.gif" width="120" NOSEND="1" border="0"></a></td> Yet it's listed on WS by Bill Stearns. This may be a false positive. Does anyone have any more information about it? Catherine Hampton says it's not on her spam radar and others have said that they may be web spammers on guestbooks, wikis, etc. but not email spammers. They seem to have some minor NANAS. Feedback wanted. :-) Jeff C. -- Don't harm innocent bystanders.

4 4

Re: [SURBL-Discuss] Feedback on adprofile.net wanted
by Robert Menschel 11 May '05

11 May '05

> Date: Mon, 9 May 2005 22:34:13 -0700 > From: Jeff Chan <jeffc(a)surbl.org> > Subject: [SURBL-Discuss] Feedback on adprofile.net wanted > To: SURBL Discuss <discuss(a)lists.surbl.org> > Message-ID: <357174725.20050509223413(a)surbl.org> > Content-Type: text/plain; charset=us-ascii > adprofile.net reportedly appeared in a flowers.com ham as: ... > Yet it's listed on WS by Bill Stearns. This may be a false > positive. Does anyone have any more information about it? I find adprofile.net within my corpus in 1) what appears to be a valid ham, angry (not quite hate) email to Mike Malloy, liberal radio talk show host, from a radical conservative listener. Email includes a copy of the 760thezone.com home page (the radio station that carries the talk show). Home page apparently contained the paid ad link: <A class=3Dportalbar=20 href=3D"http://wvw.clearchannel.com/spacer.gif?event=3D104~radio~20~~124~= Low Mortgage =Rates!~125~/hosts/index.html~121~kkzn-am~98~http://tx.adprofile.net/tx/r?= CID=3D60584&M=3D0&sid=3Dlmr"=20 target=3D_blank>Low Mortgage=20 target=3D_blank>Rates!</A> In addition to that one ham, I have 12 spam. Bob Menschel

1 0

Re: [SURBL-Discuss] Feedback on adprofile.net wanted
by List Mail User 11 May '05

11 May '05

>... > >on Mon, May 09, 2005 at 10:34:13PM -0700, Jeff Chan wrote: >> adprofile.net reportedly appeared in a flowers.com ham as: >> >> <td align="middle"><a href="http://tx.adprofile.net/tx/r?CID=12&M=3&sid=800ABC123"><IMG height=90 >> src="http://a1234.g.akamai.net/f/1233/1234/1a/www.1800flowers.com/800f_assets/im… me >> too120X90.gif" width="120" NOSEND="1" border="0"></a></td> >> >> Yet it's listed on WS by Bill Stearns. This may be a false >> positive. Does anyone have any more information about it? > >Seen here tonight in spam for idiotclimber.com et al.: > ><center> If you wish to stop future >messages from Christianfamilyloans, please <a >href="http://tx.adprofile.net/tx/r?CID=46505&ADTBID=EMAIL604"> follow this link ></a> or contact us at: Christianfamilyloans, P.O. Box 78361, San >Francisco, CA 94107-8361. > > >Note that the other CAN-SPAM mention is commented out at the top of >the HTML message, so who knows? > >This email is a commercial advertisement sent in compliance with the >CANSPAM Act of 2003. We have no desire to send you information that is >not wanted, therefore, if you wish to be excluded from future mailings, >please use the link at the bottom of the page. > >This is an email promotion being sent to you by idiotclimber.com. To >stop all future mailings, follow the link below or send your email >address to: > > Member Services > 242 W. 36th St,12th floor New York, NY 10018 > (866) 872-6022 > >http://www.idiotclimber.com/cgi-bin/unsubscr.cgi?email=445273&cid=34&pid= > >Other domains: > >ibidclause.com >idiotclimber.com >idoiclamp.com >iflager.com >indigocraze.com >instepluck.com >interchairs.com >intercheeze.com >interestlone.com >iratelamp.com >iratelounge.com >ironcleets.com >ironiclever.com >ironlaser.com >itchinglover.com > >-- >hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2554 w: http://hesketh.com >join us! http://hesketh.com/about/careers/account_manager.html join us! >_______________________________________________ >Discuss mailing list >Discuss(a)lists.surbl.org >http://lists.surbl.org/mailman/listinfo/discuss > Very interesting, "legal" spam; Especially since the domain christianfamilyloans. com (may be totally unrelated - hard to tell with "private" registration) is an unrepentant, hard-core spammer (very "christian" of them)! Paul Shupak track(a)plectere.com

1 0

Re: [SURBL-Discuss] Feedback on adprofile.net wanted
by List Mail User 11 May '05

11 May '05

>... > >adprofile.net reportedly appeared in a flowers.com ham as: > ><td align="middle"><a href="http://tx.adprofile.net/tx/r?CID=12&M=3&sid=800ABC123"><IMG height=90 >src="http://a1234.g.akamai.net/f/1233/1234/1a/www.1800flowers.com/800f_assets/im… me >too120X90.gif" width="120" NOSEND="1" border="0"></a></td> > >Yet it's listed on WS by Bill Stearns. This may be a false >positive. Does anyone have any more information about it? > >Catherine Hampton says it's not on her spam radar and others >have said that they may be web spammers on guestbooks, wikis, >etc. but not email spammers. They seem to have some minor >NANAS. > >Feedback wanted. :-) > >Jeff C. >-- >Don't harm innocent bystanders. > >_______________________________________________ >Discuss mailing list >Discuss(a)lists.surbl.org >http://lists.surbl.org/mailman/listinfo/discuss > Slime, but not an email spammer to my knowledge - They do redirect you (always) through portland.co. uk, who is slime also (and worse, but still not an email spammer as far as I know). BTW, they both will gladly sell your name, email address and IP (and probably whatever else they can collect). Chris, if your reading this, you should now have two more "grey" entries for URIBL; But these both seem like FPs for SURBL. Paul Shupak track(a)plectere.com P.S. This is probaly the wrond list, but for those using URIBL, what scores are you using (mine are pretty low)? Reply on the URIBL list if it seems more appropriate (likely it is).

1 0

Spam dispersed across multiple messages
by Matthew Wilson 11 May '05

11 May '05

Has anyone seen any spams that use two (or more) messages to catch the recipient's eye? E.g.: The first message has cutesy CSS-obfuscated text and maybe a graphic or two, and informs/commands the user to watch for the follow-up email from the same person and with a certain given catchphrase in the subject line The second followup message that arrives a minute or two later is perhaps marked with an identical From: name (but not an identical from address), and perhaps the prophesied catchphrase in the subject line. The payload (a URL or phone number or whatever), would be in the body or even subject line of the email message. Comments?

2 1

Re: [SURBL-Discuss] multi.surbl.org.rbldnsd Update Times
by Jeff Chan 10 May '05

10 May '05

[off list reply published with Eric's permission] On Monday, May 9, 2005, 9:33:12 AM, Eric Smith wrote: > Found out this morning it was an error in the way we were reporting file > times. Everything is good now. We were piping modified times out to an > HTML page every hour then we check if the page had changed at all in the > last 12 hours. > /E. Cool. BTW if you want to know the actual timestamp of the data, the best way is to look at the zone file serial number. Those are generated from the number of epoch seconds at UTC when the file is created. For example: % dig multi.surbl.org soa [...] multi.surbl.org. 15M IN SOA a.surbl.org. zone.surbl.org. ( 1115680902 ; serial 10M ; refresh 5M ; retry 1W ; expiry 15M ) ; minimum % % date -u -r 1115680902 Mon May 9 23:21:42 UTC 2005 Jeff C. -- Don't harm innocent bystanders.

1 0

RE: [SURBL-Discuss] newly registered domains
by Chris Santerre 10 May '05

10 May '05

Because they don't take to kindly to anyone doing tons of whois looksups an hour. Trust me ;) --Chris >-----Original Message----- >From: Matthew Wilson [mailto:matthew@boomer.com] >Sent: Monday, May 09, 2005 9:44 AM >To: SURBL Discussion list >Subject: RE: [SURBL-Discuss] newly registered domains > > >Why not integrate a whois date lookup directly into SURBL or URIBL? >Design an encoding system whereby >suspectedspammydomain.spammertld.dr.surbl.org (or uribl.com) would >return the date somehow regex encoded in the IP address. Then write a >nice SA rule that decodes it, also using regex. Are there any regex >geniuses out there that could encode a date in an IP address? > >-Matthew > > >> Well this has been brought up before. It is a very good idea, >> however difficult to implement. Unfortunetly the date >> returned by a whois querey comes in a wide variety of >> flavors. We (SARE) thought we had all of the returned date >> codes figured out. Nope. New ones still keep coming. >> >> uribl.com has some ideas on how to attack this very issue, >> but not sure it is worth it yet. >> >> In short, it would be wonderful to start doing whois lookups >> for every domain in an email. Lots of things could be flagged >> off of it. Think of a sort of baysien whois DB. But the >> traffic would be pretty dam big. >> >> --Chris >> _______________________________________________ >> Discuss mailing list >> Discuss(a)lists.surbl.org >> http://lists.surbl.org/mailman/listinfo/discuss >> >> >> > > >_______________________________________________ >Discuss mailing list >Discuss(a)lists.surbl.org >http://lists.surbl.org/mailman/listinfo/discuss >

3 2

RE: [SURBL-Discuss] newly registered domains
by Chris Santerre 09 May '05

09 May '05

Exactly, and do you have any idea how many of the lookups would be needed per day? I do! Enough to get the uribl dns ip doing the lookups, blocked from the whois servers. People running the whois servers don't really play nice with others. You need to approach them very carefully. APNIC is not going to be to helpful ;) --Chris >-----Original Message----- >From: Matthew Wilson [mailto:matthew@boomer.com] >Sent: Monday, May 09, 2005 1:29 PM >To: SURBL Discussion list >Subject: RE: [SURBL-Discuss] newly registered domains > > >I wasn't talking about doing huge numbers of whois lookups; I >was saying >cache the whois lookups in the a uribl dns zone, encoded using regex. > >> -----Original Message----- >> From: discuss-bounces(a)lists.surbl.org >> [mailto:discuss-bounces@lists.surbl.org] On Behalf Of Chris Santerre >> Sent: Monday, May 09, 2005 9:20 AM >> To: 'SURBL Discussion list' >> Subject: RE: [SURBL-Discuss] newly registered domains >> >> Because they don't take to kindly to anyone doing tons of >> whois looksups an hour. Trust me ;) >> >> --Chris >> >> >-----Original Message----- >> >From: Matthew Wilson [mailto:matthew@boomer.com] >> >Sent: Monday, May 09, 2005 9:44 AM >> >To: SURBL Discussion list >> >Subject: RE: [SURBL-Discuss] newly registered domains >> > >> > >> >Why not integrate a whois date lookup directly into SURBL or URIBL? >> >Design an encoding system whereby >> >suspectedspammydomain.spammertld.dr.surbl.org (or uribl.com) would >> >return the date somehow regex encoded in the IP address. >> Then write a >> >nice SA rule that decodes it, also using regex. Are there >any regex >> >geniuses out there that could encode a date in an IP address? >> > >> >-Matthew > > >_______________________________________________ >Discuss mailing list >Discuss(a)lists.surbl.org >http://lists.surbl.org/mailman/listinfo/discuss >

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

Discuss