>-----Original Message-----
>From: Jeff Chan [mailto:jeffc@surbl.org]
>Sent: Tuesday, August 24, 2004 3:51 AM
>To: SURBL Discuss
>Subject: Re: [SURBL-Discuss] WS & DS FP?
>
>
>On Tuesday, August 24, 2004, 12:27:22 AM, David Funk wrote:
>> On Mon, 23 Aug 2004, Jeff Chan wrote:
>
>>> > <! click the link below or copy it into a web browser.>
>>> > <!
>>> >
>https://secure.clickaction.MUNGEDnet/ClickAction?func=S_TurnOff
>Html&partname=itworld&uid=MUNGED
>>> > ==========
>>>
>>> > It was tagged by both WS and DS. Should this domain be
>whitelisted and/or
>>> > removed from these SURBLs?
>>>
>>> I'm going to assume that itworld.com would not put spammer
>>> domains in their newsletter. Whitelisting:
>>>
>>> accelacommunications.com
>>> itwpub1.com
>>> itworld.com
>>> clickaction.net
>>>
>>> If anyone knows anything about any of them, please speak
>>> up.
>
>> FWIW, I've got "clickaction.net" spam in my archive and there's
>> a couple hundred NANAS listings for them too.
>
>> It may be that that "secure.clickaction.net" is the clean side
>> of their house but I have spam sent from the clickaction.net
>> mail servers containing "www.clickaction.net" URLs.
>
>I took a look at some of the NANAS hits on clickaction.net and
>most of them seem to be for legitimate businesses and
>organizations. That leads me to think we should keep them off
>the lists, though they do seem somewhat spammy.
>
>Anyone else know anything about them?
>
Good lord the deeper the rabbit hole goes, the spammier they look! They are
yesmail, and yesmail is a spammer in my book! They are using itworld as a
"Legitimizer". How does this quote of theirs sound to you?
"Join Yesmail, Latham & Watkins, and Accela Communications to learn more
about how you can mitigate risk to your company and continue to leverage the
power of email communications in your marketing programs."
With a quote like that, I would keep them listed in a heartbeat. And the
more I look the more I say let them stay. Your legit companies in NANAS still
look like spam. The vermont teddy stuff looks like a run on a purchased mail
list.
I keep looking, and I keep seeing spammer! Someone show me a legit ham, that
was optin, or asked for!
--Chris
I've set up a better SURBL name server status page at:
http://www.surbl.org/nameservers-output.html
which is also linked from the main page.
It shows some latency in zone file propagation, and it also
shows one of the name servers down. (Bjorn is that coming
back eventually?)
We may want to ask all the public name servers to rsync
every 10 minutes.... Would that be OK Raymond?
Currently I have the DNS timeout set to 10 seconds with two
retries. What kind of values are more typical or standard
for resolvers?
I will use the scripts that generate the page to send
notifications (probably to myself at first) once things
stabilize. Since events don't happen very often, it's
probably not necessary to show a history on the page.
Comments?
Jeff C.
Using SpamCopURI, ws.surbl.org FP'ed some mail from Fedora-List.
http://dirk-wendland.deMUNGED.vu/ (a personal webpage in a sig).
WS contains deMUNGED.vu. But they're a registrar. (.vu is Vanuatu.) So
perhaps SURBL should whitelist de.vu and check at third level?
--
lundin(a)fini.net
"Not only did we get you an apple with a mouse like
you asked, we also got you a banana with a lizard."
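The suggestion in the message above (whitelist de.vu and check at the third level), as an added Python example that is not SURBL's or SpamCopURI's code. The host names, the listed/whitelisted sets and all function names are constructed for illustration; `listed` stands in offline for the DNS zone.

```python
from urllib.parse import urlsplit

ZONE = "ws.surbl.org"


def host_of(uri):
    """Lower-cased host of a URI; tolerates a missing scheme."""
    if "://" not in uri:
        uri = "//" + uri
    return (urlsplit(uri).hostname or "").rstrip(".")


def lookup_domain(host, three_level=frozenset()):
    """Reduce a host to the name that gets checked against the list.

    Default is the last two labels. When those two labels are a suffix under
    which unrelated parties register names, keep three labels instead.
    """
    labels = [label for label in host.split(".") if label]
    if len(labels) < 2:
        return None
    base = ".".join(labels[-2:])
    if base in three_level:
        # The bare suffix is not a site of its own, so there is nothing to check.
        return ".".join(labels[-3:]) if len(labels) >= 3 else None
    return base


def query_name(domain, zone=ZONE):
    """DNS name a client would resolve to test `domain` against `zone`."""
    return f"{domain}.{zone}"


def is_listed(uri, listed, whitelist=frozenset(), three_level=frozenset()):
    """Offline stand-in for the DNS query: `listed` plays the zone contents."""
    domain = lookup_domain(host_of(uri), three_level)
    if domain is None or domain in whitelist:
        return False
    return domain in listed


# Constructed sample data, not real SURBL contents.
SIG_URI = "http://someuser.de.vu/"         # personal page in a signature
SPAM_URI = "http://www.badshop.de.vu/buy"  # hypothetical abusive customer

# Before: the suffix itself is listed and every host collapses to two labels.
BEFORE = dict(listed={"de.vu"})
# After: suffix whitelisted, customers checked one label deeper.
AFTER = dict(listed={"badshop.de.vu"}, whitelist={"de.vu"},
             three_level={"de.vu"})

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        for uri in (SIG_URI, SPAM_URI):
            dom = lookup_domain(host_of(uri), cfg.get("three_level", frozenset()))
            print(label, uri, "->", query_name(dom), is_listed(uri, **cfg))
```

The whitelist entry still matters for clients that have not picked up the three-level rule and keep reducing every host to `de.vu`.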
Included in an "IT World" newsletter (www.itworld.com) is the content below
that included clickaction.MUNGEDnet:
==========
<! ATTENTION!>
<! You are reading this message because your mail reader cannot display
HTML.>
<! If you would prefer to receive text messages from now on,>
<! click the link below or copy it into a web browser.>
<!
https://secure.clickaction.MUNGEDnet/ClickAction?func=S_TurnOffHtml&partnam…
==========
It was tagged by both WS and DS. Should this domain be whitelisted and/or
removed from these SURBLs?
Bill
Finally. I've been taunting you poor folks for weeks, now. :-)
Here it is:
http://ry.ca/geturi/ -- geturi v1.4
From the DESCRIPTION:
geturi is designed to process a directory containing a list of RFC822
messages (one message per file). It analyses each message, attempts to
strip out as many unclickable URIs as possible, and then compiles the
list of found URIs, putting HTML output on STDOUT.
What I'd *like* to see are a bunch of people using this, and some
suggestions for improvement (I already have quite a few, some of which
are in the TODO section of the documentation). I'd call this alpha code
at the moment, for want of testers, but I don't know of any huge bugs.
Feedback more than welcome!
- Ryan
--
Ryan Thompson <ryan(a)sasknow.com>
SaskNow Technologies - http://www.sasknow.com
901-1st Avenue North - Saskatoon, SK - S7K 1Y4
Tel: 306-664-3600 Fax: 306-244-7037 Saskatoon
Toll-Free: 877-727-5669 (877-SASKNOW) North America
We've had a request to whitelist rm04.net and rm02.net.
Does anyone know anything about them? They seem to belong to:
> SilverPOP Systems
> (DOM-151479)
> 200 Galleria Parkway
> Suite 750 Atlanta
> GA
> 30339 US
And reportedly appeared in a newsletter belonging to:
Altiris http://www.altiris.com
Comments?
Jeff C.
Found a citibank phish that used a redirect thru go.msn.com to
'zach.com.previewmysite.com' (see attached message).
Is previewmysite.com guilty or an innocent open site that is being
exploited?
--
Dave Funk University of Iowa
<dbfunk (at) engineering.uiowa.edu> College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
I kind of keep tabs on these guys from time to time. Since they had started
using SARE rules in their commercial product. Looks like their new version
will support SURBL. Jeff you might want to drop them a "Hey there!" email.
http://www.omni-ts.com/Forum/ShowPost.aspx?PostID=2913
Chris Santerre
System Admin and SARE Ninja
http://www.rulesemporium.com http://www.surbl.org
'It is not the strongest of the species that survives,
not the most intelligent, but the one most responsive to change.'
Charles Darwin
Got some more FPs from someone who wanted to be anonymous.
These are on WS:
Date: Saturday, August 21, 2004, 12:37:45 PM
Subject: fps
bridgetrack.com (used by nytimes.com)
elabs.com (EASTERN LABORATORIES INC.)
mfcreative.com (ancestry.com/myfamily.com/rootsweb.com, Genealogy ad)
secureserver.net (in message containing godaddy.com)
dnews.com (Moscow-Pullman Daily News)
spinpalace.com (appeared in xe.com currency update mailing list)
I'd like some help deciding on these, though they look legitimate
to me.
We may need to develop a more formal procedure for handling FP
reports.... Any suggestions or implementations would be
welcomed. Maybe something like a trouble ticket system would
be useful.
Jeff C.
--
Jeff Chan
mailto:jeffc@surbl.org
http://www.surbl.org/
Can I get some research help in deciding which of the
following FPs to whitelist?
> Date: Sat, 21 Aug 2004 10:06:57 -0400
> From: John Lundin <lundin(a)cavtel.net>
> To: SURBL Discussion list <discuss(a)lists.surbl.org>
> Subject: [SURBL-Discuss] more possible FPs (2 OB, 4 WS and 2 DS)
> Eight possible FPs. These were taken from items reported as non-spam.
> The "nanas" number is raw matches on the domain from google groups.
> Use your own judgement...
>
> OB: www.mercenariesthegameMUNGED.com (nanas 0)
> mentioned in a lucasarts review
>
> OB: www.jmiequityMUNGED.com (nanas 0)
> mentioned in a Dow Jones newsletter
> The original wasn't caught by OB, but it shows up now.
>
> WS: Wireless.VentureReporterMUNGED.net (nanas 9) A stock newsletter.
> I checked back: it really had been subscribed to.
>
> WS: nmailerMUNGED.com (nanas 36) Design center newsletter.
> http://ellington.nmailerMUNGED.com/mailman/listinfo/dtgnews
>
> WS: www.imakenewsMUNGED.com (nanas 42) organization newsletter.
> http://www.imakenewsMUNGED.com/cabf/ (+ cleaned user tracking)
> imakenews makes me nervous... intrusive html.
>
> WS: ntcrMUNGED.us (nanas 43, some similar) Jupitermedia Web Events.
> (origin of mailing list -- appearance in unsubscribe disclaimer)
> (Site won't display for me, insufficiently motivated to find out why
> it said "Your Web browser must have cookies enabled" regardless.)
(DS hits ignored)
> Date: Saturday, August 21, 2004, 12:37:45 PM
> Subject: fps
>
> bridgetrack.com (used by nytimes.com)
> elabs.com (EASTERN LABORATORIES INC.)
> mfcreative.com (ancestry.com/myfamily.com/rootsweb.com, Genealogy ad)
> secureserver.net (in message containing godaddy.com)
> dnews.com (Moscow-Pullman Daily News)
>
> spinpalace.com (appeared in xe.com currency update mailing list)
Jeff C.
Several of our customers subscribe to a newsletter from www.golfonline.com.
This last one contained a link to www.bullysports.com, which is listed on
WS. Seems like a legit site, so I just wanted to pass it by all of you to
see if it should be whitelisted and/or removed from WS.
Bill
I would REMOVE spinpalace only. Do not whitelist. Place on watch list. I
agree with your other whitelists.
>-----Original Message-----
>From: Jeff Chan [mailto:jeffc@surbl.org]
>Sent: Monday, August 23, 2004 4:53 AM
>To: SURBL Discuss
>Cc: postmaster(a)outblaze.com
>Subject: Re: [SURBL-Discuss] FP help please
>
>
>On Sunday, August 22, 2004, 10:18:03 PM, Jeff Chan wrote:
>> Can I get some research help in deciding which of the
>> following FPs to whitelist?
>
>OK I did some of my own research and whitelisted most of
>these:
>
>>> Date: Sat, 21 Aug 2004 10:06:57 -0400
>>> From: John Lundin <lundin(a)cavtel.net>
>>> To: SURBL Discussion list <discuss(a)lists.surbl.org>
>>> Subject: [SURBL-Discuss] more possible FPs (2 OB, 4 WS and 2 DS)
>
>>> Eight possible FPs. These were taken from items reported as
>non-spam.
>>> The "nanas" number is raw matches on the domain from google groups.
>>> Use your own judgement...
>>>
>>> OB: www.mercenariesthegameMUNGED.com (nanas 0)
>>> mentioned in a lucasarts review
>
>Apparently a LucasArts game. Lucas are probably not
>spammers. Whitelisting:
>
>thx.com
>lucasfilm.com
>lucasarts.com
>mercenariesthegame.com
>
>>> OB: www.jmiequityMUNGED.com (nanas 0)
>>> mentioned in a Dow Jones newsletter
>>> The original wasn't caught by OB, but it shows up now.
>
>A stock fund of an investment company whose original domain
>was registered in 1995. Probably not spammers. Whitelisting:
>
>jmi-inc.com
>jmiequity.com
>
>>> WS: Wireless.VentureReporterMUNGED.net (nanas 9) A stock newsletter.
>>> I checked back: it really had been subscribed to.
>
>Belongs to Dow Jones. Unlikely to be spammers. Whitelisting:
>
>dowjones.com
>siliconalleydaily.com
>venturereporter.net
>
>>> WS: nmailerMUNGED.com (nanas 36) Design center newsletter.
>>> http://ellington.nmailerMUNGED.com/mailman/listinfo/dtgnews
>
>Belongs to graphics design folks with a 1995 domain registration.
>Whitelisting:
>
>graphic-design.com
>graphic-design.net
>nmailer.com
>
>>> WS: www.imakenewsMUNGED.com (nanas 42) organization newsletter.
>>> http://www.imakenewsMUNGED.com/cabf/ (+ cleaned user tracking)
>>> imakenews makes me nervous... intrusive html.
>
>Whitelisting; 1999 registration:
>
>imakenews.com
>
>>> WS: ntcrMUNGED.us (nanas 43, some similar) Jupitermedia Web Events.
>>> (origin of mailing list -- appearance in unsubscribe disclaimer)
>>> (Site won't display for me, insufficiently motivated to
>find out why
>>> it said "Your Web browser must have cookies enabled" regardless.)
>
>Belongs to netcreations.com. Are they a spamhaus?
>
>
>> DS: surveyhelp.harrispollonlineMUNGED.com (nanas 19)
>> http://www.harrispollonlineMUNGED.com/sweeps.asp
>> (sigh) yes, they subscribed to it.
>
>Legitimate pollsters. Whitelisting:
>
>harrisinteractive.com
>harrispollonline.com
>
>> DS: www.winxpnewsMUNGED.com (nanas 42)
>> http://www.winxpnewsMUNGED.com/issues.cfm
>> Single reference in a tech newsletter...
>
>Looks like a legitimate tech newsletter. Whitelisting:
>
>winxpnews.com
>
>
>
>The next domains were in WS:
>
>>> Date: Saturday, August 21, 2004, 12:37:45 PM
>>> Subject: fps
>>>
>>> bridgetrack.com (used by nytimes.com)
>
>Looks like a legitimate web tracking operation. Whitelisting:
>
>planninggroup.com
>bridgetrack.com
>
>Some of their tracking image URIs may have appeared in spams
>but it's probably from citi phishers copying them from real
>messages.
>
>Comments?
>
>>> elabs.com (EASTERN LABORATORIES INC.)
>
>1995 registration, whitelisting:
>
>elabs.com
>
>>> mfcreative.com (ancestry.com/myfamily.com/rootsweb.com,
>Genealogy ad)
>
>Looks legit. Whitelisting:
>
>myfamily.net
>myfamilyinc.com
>mfcreative.com
>
>>> secureserver.net (in message containing godaddy.com)
>
>Used by legitimate registrars like dotster and godaddy.
>Whitelisting:
>
>secureserver.net
>securepaynet.net
>
>>> dnews.com (Moscow-Pullman Daily News)
>
>Small local newspaper in Idaho. Probably not a major spammer.
>Whitelisting:
>
>dnews.com
>
>>> spinpalace.com (appeared in xe.com currency update mailing list)
>
>Online casino. Appears in marginally spammy places. Does anyone
>have any info about them?
>
>
>It would be nice to distribute some of the work of checking
>FPs in future.
>
>
>WS and OB folks may want to remove some of these ones from their
>respective lists, and/or share their research with us.
>
>Jeff C.
>
>_______________________________________________
>Discuss mailing list
>Discuss(a)lists.surbl.org
>http://lists.surbl.org/mailman/listinfo/discuss
>
Good afternoon, Paul,
On Mon, 23 Aug 2004, Paul Diaguila wrote:
> Speaking of SURBL..... Haven't had any complaints about spam since it's
> been installed.... thank you...thank you...thank you....
We're sincerely glad to hear that it helps.
Cheers,
- Bill
---------------------------------------------------------------------------
"Not only is UNIX dead, it's starting to smell bad."
-- Rob Pike (?)
(Courtesy of Mike Castle <dalgoda(a)ix.netcom.com>)
--------------------------------------------------------------------------
William Stearns (wstearns(a)pobox.com). Mason, Buildkernel, freedups, p0f,
rsync-backup, ssh-keyinstall, dns-check, more at: http://www.stearns.org
--------------------------------------------------------------------------
After working through today's spam I was amused we (almost) only received
spam for 3 sites:
The following (some old) urls to these sites are still alive:
- : sublunary1132nx.com
- : ourpillsdirect.com
- : naturalwellnessessence.com
Naturally all domains were added to the prolocation rbl and the (low)spam
decreased within the hour :). But I was wondering .. a small test with a
simple 'diff' script showed me that comparing output from url's found in
'fresh' spam with known spam-sites is doable. These guys seem to be changing
domains every 8 hours or so...
Would it be bad to have some of these (stupid) 'static webpage hosting'
spammers automatically being added to the WS list by comparing the output of
their home page advertised in the url?
It's fairly easy to create a script to do this ... that's not the issue....
what could go wrong ?.. any input would be appreciated :)
Secondly, while doing these tests I noticed that a lot of the sites listed
in (our) WS-list are no longer 'alive'. Is there any clean-up procedure
defined yet ?... or will the list just keep on growing ;)
bye,
Chris
Christiaan den Besten wrote to 'Ryan Thompson':
>> Mail::SpamAssassin::PerMsgStatus::get_uri_list($status), but there
>> were a few other incantations that I did to get the list of URIs
>> down. I have been meaning to publish the script, but things keep
>> getting in the way. I will do that tomorrow (today). Stay tuned!
>
> Check, I see its 03:xx over there ;) Just woke up here :)
It's released.
http://ry.ca/geturi/
> I have just looked at Justin's hints for a SA plugin, that seems very doable
> as well. I was just wondering if I could re-use the SA surbl-plugin while I
> am at it. For I am only interested in uri's not yet in WS.
>
> For my idea, what you do now:
> - strip uri's from messages
Yes. I also attempt to eliminate those with empty anchors.
> - for each (new) uri generate a NASAS query
NANAS query URLs (to Google Groups) are pre-built, but not automatically
queried, because that would violate Google TOS. (See the TODO section in
the documentation).
> - build a 'matrix' between uri's and messages they are referenced in.
More or less, a two-way hash.
> - score uri's for spamability :)
Yep. Technically, they're just scored for relevance in the message. It's
up to the person building the corpus to decide whether they're spammy or
not. :-)
- Ryan
--
Ryan Thompson <ryan(a)sasknow.com>
SaskNow Technologies - http://www.sasknow.com
901-1st Avenue North - Saskatoon, SK - S7K 1Y4
Tel: 306-664-3600 Fax: 306-244-7037 Saskatoon
Toll-Free: 877-727-5669 (877-SASKNOW) North America
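The steps walked through in the exchange above (strip URIs from each message, drop anchors with no text, keep a two-way map between URIs and the messages that reference them), as an added Python example. It is not geturi's code, which per the message builds on Mail::SpamAssassin; the sample messages and every name below are constructed for illustration.

```python
import re
from collections import defaultdict
from email import message_from_string
from html.parser import HTMLParser

URI_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


class AnchorCollector(HTMLParser):
    """Collect href values of <a> elements that carry visible anchor text."""

    def __init__(self):
        super().__init__()
        self.hrefs, self._href, self._text = [], None, ""

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), ""

    def handle_data(self, data):
        if self._href is not None:
            self._text += data

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            if self._text.strip():  # an empty anchor gives the reader nothing to click
                self.hrefs.append(self._href)
            self._href = None


def uris_in_message(raw):
    """Return the set of clickable http(s) URIs found in one RFC822 message."""
    found = set()
    for part in message_from_string(raw).walk():
        ctype = part.get_content_type()
        if ctype not in ("text/plain", "text/html"):
            continue
        charset = part.get_content_charset() or "utf-8"
        text = (part.get_payload(decode=True) or b"").decode(charset, "replace")
        if ctype == "text/html":
            parser = AnchorCollector()
            parser.feed(text)
            parser.close()
            found.update(h for h in parser.hrefs if URI_RE.fullmatch(h))
        else:
            found.update(u.rstrip(".,)") for u in URI_RE.findall(text))
    return found


def build_index(messages):
    """Two-way map: URI -> message names, and message name -> URIs."""
    by_uri, by_msg = defaultdict(set), {}
    for name, raw in messages.items():
        by_msg[name] = uris_in_message(raw)
        for uri in by_msg[name]:
            by_uri[uri].add(name)
    return dict(by_uri), by_msg


# Constructed sample corpus: one entry per message, mirroring one message per file.
SAMPLES = {
    "m1": "From: a@example.org\nSubject: one\nContent-Type: text/plain\n\n"
          "Order today at http://pills.example/offer.\n",
    "m2": "From: b@example.org\nSubject: two\nMIME-Version: 1.0\n"
          "Content-Type: text/html; charset=us-ascii\n\n"
          '<html><body><a href="http://pills.example/offer">click here</a>\n'
          '<a href="http://hidden.example/"></a></body></html>\n',
}

if __name__ == "__main__":
    by_uri, by_msg = build_index(SAMPLES)
    for uri, names in sorted(by_uri.items()):
        print(len(names), uri, sorted(names))
```

An anchor that wraps only an image has no text and is dropped by this collector, so image-only links would need separate handling.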
Back up now. I believe they changed domain registrars.
>-----Original Message-----
>From: Mailing List [mailto:ml@netgroupes.ca]
>Sent: Sunday, August 22, 2004 10:55 AM
>To: surbl(a)alexb.ch; SURBL Discussion list
>Subject: RE: [SURBL-Discuss] openrbl.org domain gone?
>
>
>>Can any of you reach http://openrbl.org ?????
>Also dead from Canada
>
>
>
>-----Original Message-----
>From: Jeff Chan [mailto:jeffc@surbl.org]
>Sent: Sunday, August 22, 2004 3:13 AM
>To: SURBL Discuss
>Subject: Re: [SURBL-Discuss] Fwd: fps
>
>
>On Saturday, August 21, 2004, 11:08:06 PM, Doc Schneider wrote:
>>> On Saturday, August 21, 2004, 9:59:06 PM, Doc Schneider wrote:
>
>>>>I have run RT (Request Tracker) in fact still have it
>installed on one
>>>>of my servers.
>
>>>>Where would we like it to run at? I could re-set it up
>(need to upgrade
>>>>it here) and add you all to it.
>
>> I'm upgrading my old version as I type. Will let you all
>know where to
>> get to it. Maybe we could add a pointer to something like
>> something.surbl.org and point it to my rt site? I'll leave
>it to you all
>> to figure out the something.surbl.org 8*))
>
>> Once I have this upgraded I'll add Jeff and Bill to it for
>now. Then add
>> whoever else needs admin access.
>
>Sounds good. Whatever name folks think would be good is fine;
>maybe something short like track.surbl.org?
>
>Jeff C.
>
Track sounds good. But how will we be notified if something is added?
--Chris
Two more FPs in WS.
ientryMUNGEDmail.com
The domain is used for mailing list management by the ientry network,
we have several confirmed legit subscribers to their WebProNews
newsletter.
siteproMUNGEDnews.com
Once again several confirmed subscribers, mainly web designers or
people who have used their submission services.
Bayes training fixes any problems at my end, or I could locally
whitelist, however they shouldn't be listed in WS :-) Both have valid
unsubscribe options.
Interesting reading comments about FPs over the last week. I think
because of the global ramifications of these lists we need to make
sure that spam is definitely spam and borderline is excluded from
listings.
Otherwise the lists just become personal preferences of what we want
to see in our mailboxes!!
Regards,
Joseph
Eight possible FPs. These were taken from items reported as non-spam.
The "nanas" number is raw matches on the domain from google groups.
Use your own judgement...
OB: www.mercenariesthegameMUNGED.com (nanas 0)
mentioned in a lucasarts review
OB: www.jmiequityMUNGED.com (nanas 0)
mentioned in a Dow Jones newsletter
The original wasn't caught by OB, but it shows up now.
WS: Wireless.VentureReporterMUNGED.net (nanas 9) A stock newsletter.
I checked back: it really had been subscribed to.
WS: nmailerMUNGED.com (nanas 36) Design center newsletter.
http://ellington.nmailerMUNGED.com/mailman/listinfo/dtgnews
WS: www.imakenewsMUNGED.com (nanas 42) organization newsletter.
http://www.imakenewsMUNGED.com/cabf/ (+ cleaned user tracking)
imakenews makes me nervous... intrusive html.
WS: ntcrMUNGED.us (nanas 43, some similar) Jupitermedia Web Events.
(origin of mailing list -- appearance in unsubscribe disclaimer)
(Site won't display for me, insufficiently motivated to find out why
it said "Your Web browser must have cookies enabled" regardless.)
And if anyone cares:
DS: surveyhelp.harrispollonlineMUNGED.com (nanas 19)
http://www.harrispollonlineMUNGED.com/sweeps.asp
(sigh) yes, they subscribed to it.
DS: www.winxpnewsMUNGED.com (nanas 42)
http://www.winxpnewsMUNGED.com/issues.cfm
Single reference in a tech newsletter...
(I test for DS with a nominal score, so it doesn't bother me.)
--
lundin(a)cavtel.net
"By the time they had diminished from 50 to 8,
the other dwarves began to suspect 'Hungry' ..."
>-----Original Message-----
>From: jm(a)jmason.org [mailto:jm@jmason.org]
>Sent: Friday, August 20, 2004 5:00 PM
>To: SURBL Discussion list
>Subject: Re: [SURBL-Discuss] {Spam?} FW: ***SPAM*** (6.0/5.0) **
>[lcngroup](Job) Civil ProjectEngineer - Pleasanton, N. CA
>
>
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>
>Larry Rosenman writes:
>> >>>> Why is cgt-consult.com on WS?
>...
>> I talked to the admin, and they had been hacked, and used as
>a spam source.
>> They've cleaned up the mess, and have secured the machine.
>
>?? hacked? I wouldn't be so sure.
>
>Based on the spam I got, it looks a lot more like they
>scraped, or bought
>a dirty list of scraped addresses.
>
>Here's one of my spamples, in full -- I've munged the address,
>but believe
>me, it's 100% spamtrap, appears only on web pages, and has
>never opted in
>for anything ever. ;)
>
>- --j.
>
*snip*
Which is an exact copy of the ones reported on NANAS. Again I ask, hacked? A
hacker broke in and sent spams promoting the site he just hacked? How nice
of him.
--Chris
>-----Original Message-----
>From: Larry Rosenman [mailto:ler@lerctr.org]
>Sent: Friday, August 20, 2004 4:47 PM
>To: 'SURBL Discussion list'
>Subject: RE: [SURBL-Discuss] {Spam?} FW: ***SPAM*** (6.0/5.0) **
>[lcngroup](Job) Civil ProjectEngineer - Pleasanton, N. CA
>
>
>Larry Rosenman wrote:
>> Justin Mason wrote:
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>>
>>> Chris Santerre writes:
>>>>> Why is cgt-consult.com on WS?
>>>>> They are legit, and this is from a job posting list that is
>>>>> MODERATED.
>>
>>>
>>> A confirmed DSBL listing is a *big* deal BTW. I can also confirm
>>> that I've received several spams from them.
>>
>>
>> I've reported the post to the moderator, as well as the origin, to
>> let them know.
>>
>> I generally trust this list, but with your input, I'll shut up now.
>>
>> LER
>
>I talked to the admin, and they had been hacked, and used as a
>spam source.
>
>They've cleaned up the mess, and have secured the machine.
>
>Please consider white-listing them. They've submitted a
>de-list request to
>dsbl.
>
>LER
Some blacklists show they have been an open relay since 2002. I'll go thru
my traps, but the one I got was not that recent. This has been a problem
from that IP for a long time. Stats on spamcop show report for 360+ days.
They are just now finding out they were sending this.
Hacked? I'm confused by that. Hacked would use the system to promote some
other product. Hackers don't normally send out spam to promote the website
they hacked!
"Oh we are sorry. A hacker got in and was sending spam promoting our
company. We stopped him." Is that how the conversation went?
I say no. Make that a NO! I think you got handed a bucketful of listwash.
--Chris
Naren wrote:
> Spam detection software, running on the system "lerami.lerctr.org",
> has identified this incoming email as possible spam. The original
> message has been attached to this so you can view it (if it isn't
> spam) or label similar future email. If you have any questions, see
> ler(a)lerctr.org for details.
>
> Content preview: This is my direct client opening - Civil Project
> Engineer - Pleasanton, N. CA Full time Permanent FTE position. My
> client has immediate openings for 2 senior civil engineers with
> strong technical abilities, experienced in land development
> projects. We are looking for individuals who may not have the
> experience of a Project Manager, but can independently evaluate,
> select, and apply standard engineering techniques, procedures, and
> criteria using judgment in making adaptations and modifications.
> Ability to perform assignments designed to develop professional
> work knowledge and abilities. Plan, schedule, conduct, or
> coordinate detailed phases of technical work in portions of a major
> project or in a total project of moderate scope. Provide assistance
> to the Project Managers in preparing current status information for
> internal reporting and for keeping client informed on progress.
> Supervise or coordinate the work of drafters, technicians, and
> others who assist in specific assignments. The assignments may
> include one or more of the following: project design and
> development for grading and utility systems from master planning
> through construction, test of materials, preparation of
> specifications, research investigations, report preparation, and
> other activities requiring knowledge of principles and techniques
> commonly employed in the specific area of assignments. Prepare
> project specifications and cost estimates. [...]
>
> Content analysis details: (6.0 points, 5.0 required)
>
> pts rule name description
> ---- ----------------------
> --------------------------------------------------
> -6.0 USER_IN_WHITELIST_TO User is listed in 'whitelist_to'
> 1.2 RCVD_NUMERIC_HELO Received: contains an IP address used for
> HELO
> 0.1 TW_CN BODY: Odd Letter Triples with CN
> -1.1 BAYES_40 BODY: Bayesian spam probability is 20 to
> 40% [score: 0.2312]
> 1.7 RCVD_IN_RFC_IPWHOIS RBL: Sent via a relay in
> ipwhois.rfc-ignorant.org [63.200.10.187
> has inaccurate or missing WHOIS] [data at
> the RIR]
> 3.8 RCVD_IN_DSBL RBL: Received via a relay in list.dsbl.org
>
> [<http://dsbl.org/listing?ip=63.200.10.187>]
> 1.2 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in
> bl.spamcop.net [Blocked - see
> <http://www.spamcop.net/bl.shtml?63.200.10.187>]
> 0.3 DNS_FROM_AHBL_RHSBL RBL: From: sender listed in dnsbl.ahbl.org
> 1.8 RCVD_IN_NJABL_SPAM RBL: NJABL: sender is confirmed spam
> source [63.200.10.187 listed in
> combined.njabl.org]
> 3.0 URIBL_WS_SURBL Contains a URL listed in the WS SURBL
> blocklist [URIs: cgt-consult.com]
Why is cgt-consult.com on WS?
They are legit, and this is from a job posting list that is MODERATED.
--
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 972-414-9812 E-Mail: ler(a)lerctr.org
US Mail: 1905 Steamboat Springs Drive, Garland, TX 75044-6749