>-----Original Message-----
>From: Jeff Chan [mailto:jeffc@surbl.org]
>Sent: Friday, October 15, 2004 1:01 AM
>To: Joe Wein
>Cc: SURBL Discussion list
>Subject: Re: [SURBL-Discuss] FP?: ultimatebizsource.biz
>
>
>On Thursday, October 14, 2004, 8:43:40 PM, Joe Wein wrote:
>> ultimatebizsource.biz claims to be an opt-in list with 55,000 subscribers.
>> It's currently listed on [WS] and [JP] but not my personal list.
>
>> I know, the name alone sounds like your typical spammer domain, but is it?
>> Today the owner of getyoursiteongoogle.info mailed me, since I had
>> blacklisted their domain.
>
>> Turns out the evidence was a mailing from ultimatebizsource.biz which was
>> listed on WS and JP. Since the recipient was a third party from the
>> Prolocation feed, I could not easily verify if it was indeed unsolicited,
>> but I checked what I could check quickly.
>
>> To my surprise the outgoing mailserver's IP is not listed on any of the RBLs
>> and neither are the name servers or the resolved name.
>
>> There is only 1 NANAS sighting for this almost one year old domain. That
>> posting is an automated one, and probably related to an ahbl.org listing
>> mentioned in the SA-tags added to the evidence mail. I can find no listing
>> for them at ahbl.org now.
>
>> A web search for the domain name returns a single hit:
>> http://www.google.com/search?q=ultimatebizsource.biz+spam
>
>> That looks too little for 55,000 mails per day for one year.
>
>> Joe
>
>Perhaps the question should be: do they have legitimate uses?
>Obviously their name, etc. sound very spammy, but is their
>subscriber list truly opt-in or is it harvested or scraped,
>etc.? If it's truly opt-in then they may have legitimate
>uses. Their site claims to be opt in, but of course that's
>impossible to confirm directly except perhaps by asking
>everyone on it.
>
>However if it were not opt in, it would seem there should be
>many complaints. Also 55-58k is pretty small for a scraped
>or harvested list, which usually have more like millions.
>So perhaps there's a chance it actually is opt in.
>
>The domain registration is from October 31, 2003. The
>domain registration for a related domain: Cashfromhome.com
>is quite a bit older: Creation Date: 08-jun-1998. These
>also lead me to believe they may have legitimate uses or
>at least that 1-8 years should have been enough time for
>SBL, NANAS, etc. to find them as true spammers.
>
>(Note that there are 34 NANAS hits for the older domain,
>but all are from 1998 through 2000. None are newer, so
>perhaps they spammed somewhat several years ago but
>cleaned up their act in recent years. Most of the NANAS
>reports are apparently from the same person.)
>
>Both domains are listed in WS:
>
>/home/gorilla/black-gorilla-7_04.txt:cashfromhome.com
>/home/prolocation/black-prolocation-master:ultimatebizsource.biz
>
>Chris, what evidence do you have? Same question for Raymond.
>
eh? Read their site! They don't particularly care who I am as long as I have
money. They 'say' they have an opt in list. But if I give them money, they
send my ad to their list. How could their members possibly have opted in to
receive my ads when they don't even know me yet?
cashfromhome? Hell they even list MLM right on their menu!
If you're going to remove these guys, then please let Ryan know to add to
UC.
IN THEIR DEFENSE: their domain reg is from 1998 with no NANAS hits. HOWEVER,
who's to say they send out their ad campaigns using links to that
domain at all? Could be used as a front and they use other domains in their
campaigns.
--Chris
>I must agree. The only content criteria we have for SURBLs is
>inclusion in spam and exclusion in ham. Aside from the phishing
>list (which also happens to be very spammy), all the SURBL lists
>contain spam domains. Spam versus ham should remain our only
>criteria for inclusion for now.
>
Well, I think this info should be told to everyone who is an admin. You all
know I'm interested in this because I send the info direct to the FBI SA
contact I have.
The official place to report such sites is www.missingkids.com
Also the site mentioned simply redirects to
http://218.189.199.18:2180/portal/portal/pbf/
If you have any more info on this site, let me know OFFLIST, and I will
submit to the Special Agent.
Thanks
--Chris
>-----Original Message-----
>From: Jeff Chan [mailto:jeffc@surbl.org]
>Sent: Friday, October 15, 2004 7:58 AM
>To: Tony Bea via RT
>Cc: SURBL Discuss
>Subject: Re: [ST #592239]:postmaster: Re: [SURBL-Discuss] FP in OB ?
>
>
>On Friday, October 15, 2004, 4:26:09 AM, Tony RT wrote:
>> Thank you for your suggestions. I will look to implement, at least a few of
>> them, in the near future in hopes of stopping some of the FPs.
>
>Excellent! I hope they can help. (Referring to
>http://www.surbl.org/policy.html )
>
>> In the meantime, feel free to let the mailing list know that
>> postmaster(a)outblaze.com works and gets reasonably fast response if they notice
>> anything that looks like an FP.
>
>> Cheers,
>> TonyB
>
>Done. :-)
>
Without a doubt, those Outblaze guys are aces in my book! Keep up the great
work guys!
--Chris (I am the queen of spades.)
Got email from vmobile.us today. It's listed on [WS] and [JP].
I checked the evidence and it's kind of flakey. The mail in question was
a mailing by wirelessdealernetwork.com.
WDN has 2 NANAS sightings to it, both dated 2004-09-19 and posted by the
same guy. Registered on 2004-06-08, NS blacklisted, listed on SURBL [WS],
[OB], [JP].
Whether the recipient opted-in or not is not quite clear, but he's
telecom-related. It may be spam, it may be not.
In any case, vmobile.us was registered on 2004-05-12 and blacklisted by me
on 2004-09-14. I shouldn't have blacklisted at that age without further
evidence / checks. The NS is not blacklisted, no Google hits for spam other
than my own listing. Oops! The domain of the owning company,
usa-telecom.net, is two years old.
So I think [WS] should probably also unlist vmobile.us, as I will do.
My lesson: Just because the mailing list may be spammy and the TLD notorious
doesn't mean a domain mentioned deserves listing on SURBL.
Joe
On Friday, October 15, 2004, 4:26:09 AM, Tony RT wrote:
> Thank you for your suggestions. I will look to implement, at least a few of
> them, in the near future in hopes of stopping some of the FPs.
Excellent! I hope they can help. (Referring to http://www.surbl.org/policy.html )
> In the meantime, feel free to let the mailing list know that
> postmaster(a)outblaze.com works and gets reasonably fast response if they notice
> anything that looks like an FP.
> Cheers,
> TonyB
Done. :-)
Jeff C.
--
"If it appears in hams, then don't list it."
[forwarding my reply to Tony at Outblaze with his permission]
On Thursday, October 14, 2004, 8:34:41 PM, Tony RT wrote:
> [jeffc(a)surbl.org - Thu Oct 14 14:00:25 2004]:
>> Thanks Tony.
>>
>> May I suggest that you consider checking a domain before
>> listing it? Just because a few customers consider it spam
>> doesn't necessarily mean other customers might not want to
>> get it. I ask because there seem to be some legitimate
>> sites getting onto your lists which some customers may
>> legitimately want to get. For example none of the recent
>> FPs have had to do with pills, mortgages, warez, etc.
>>
>> Another recent example is browsehappy.com run by the Web
>> Standards Project:
>>
>> http://webstandards.org/act/campaign/happy/
>>
>> which seem pretty unlikely to be professional or even
>> casual spammers, no matter what users may report. Users
>> are sometimes wrong, so data should be checked, IMO.
>>
>> Jeff C.
> Jeff, browsehappy.com problem was reported back to us by schampeon and
> immediately removed.
> The approach we take (if it's new and appears in reported spam) does have FPs, I
> agree - but we haven't been able to find a good way to "check".
> We do look (cursory) at all the blocked domains per day and if anything obvious
> shows up we do remove them. The problem is that detailed looking by a human is
> not really practical given the volume of domains we block by day.
> As you know/see, we are very responsive and remove very quickly.
> If you have any suggestions on how to improve the process, I'm all ears and
> will implement your suggestions as long as it doesn't consume too much human
> time (checking 100s of domains 1 by 1 is just not practical).
> Cheers,
> TB
Hi Tony,
Thanks indeed for your responsiveness in removing FPs, and
addressing the concerns of us and your users. Regarding
some checks that can be done on the incoming data, many
of the suggestions in our draft policy for manual lists
can be automated:
http://www.surbl.org/policy.html
and some of those may perhaps be useful for your checking of
incoming suspected spam domains. What I'd suggest is perhaps
using these to score new domains and to flag ones that rise
above a certain score.
For example, any domain in SBL probably can be blacklisted
immediately. Any domain not in SBL probably begins to add
to a ham score, though not 100%. If you have access to the
headers, and the senders are in xbl.spamhaus.org, then the
domain should probably be listed. Any sender IP not in XBL
probably should get ham points. Any domain with few or
zero NANAS hits may be hammy. Domains in DMOZ, Wikipedia,
etc should perhaps get ham points since it's unlikely the
human editors of those would add or allow spam domains, etc.
Obviously most of the spam domains we get are fully spammy.
Perhaps some of these metrics can help flag ones that
are less spammy and worthy of a little further checking?
Your feedback, comments, questions, etc would be welcomed
since we intend to use a policy like this for our own
manual list, ws.surbl.org. We may adopt other parts of
this for our automated lists also.
Cheers,
Jeff C.
P.S. Do you mind if I publish this response on our
SURBL discussion list?
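
The scoring idea in the message above, sketched as an added example that is not part of the original message and is not SURBL or Outblaze code. The weights, the review threshold, the field names and the `.example` domains are assumptions; the SBL, XBL, NANAS and directory lookups are replaced by constructed inputs so the block runs offline.

```python
from dataclasses import dataclass
from typing import Optional

# Weights and thresholds are assumptions for illustration; the message gives none.
HAM_NOT_IN_SBL = 1
HAM_SENDER_NOT_IN_XBL = 1
HAM_FEW_NANAS = 1
HAM_IN_DIRECTORY = 3
FEW_NANAS_MAX = 2   # what counts as "few or zero" NANAS hits
REVIEW_AT = 3       # ham score at which a human should look before listing


@dataclass
class Signals:
    """Lookup results for one new domain seen in reported spam (gathered elsewhere)."""
    domain: str
    in_sbl: bool                   # domain is in SBL
    sender_in_xbl: Optional[bool]  # None when the headers are not available
    nanas_hits: int
    in_directory: bool             # DMOZ, Wikipedia, etc.


def triage(s: Signals) -> tuple:
    """Return (action, ham_score): 'list' now, or 'review' before listing."""
    if s.in_sbl or s.sender_in_xbl:
        return ("list", 0)          # strong spam signal: list immediately
    ham = HAM_NOT_IN_SBL            # absence from SBL counts, but only a little
    if s.sender_in_xbl is False:
        ham += HAM_SENDER_NOT_IN_XBL
    if s.nanas_hits <= FEW_NANAS_MAX:
        ham += HAM_FEW_NANAS
    if s.in_directory:
        ham += HAM_IN_DIRECTORY
    return ("review" if ham >= REVIEW_AT else "list", ham)


# Constructed sample inputs (placeholder domains, not real lookup results).
SAMPLES = [
    Signals("sbl-hit.example", True, None, 40, False),
    Signals("zombie-sent.example", False, True, 0, False),
    Signals("campaign-site.example", False, False, 0, True),
    Signals("no-headers.example", False, None, 25, False),
    Signals("quiet-new.example", False, False, 1, False),
]


def triage_all(samples=SAMPLES):
    return {s.domain: triage(s) for s in samples}


if __name__ == "__main__":
    for domain, (action, ham) in triage_all().items():
        print(f"{domain:24} {action:6} ham={ham}")
```

Only the domains that come back as `review` need a human look, which keeps the manual work to the small set of new domains with ham-like signals.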
--
"If it appears in hams, then don't list it."
Hi,
I just reported this mail with its 3 URLs to spamcop and ws.surbl... I
urge other list maintainers to add them since it contains disgusting
child pornography...
For what I can understand in http://www.sg.st, although sg.st is not
an 'official' 2LD of st, it seems that this is a bulk registry for the
domains HK.ST - CN.ST - TW.ST - SG.ST.
The official NIC for st (São Tomé & Principe) seems to be http://www.nic.st.
As I understand it, the SG.ST domain should be whitelisted...
Regards.
Received: from c-24-12-31-157.client.comcast.net (HELO
smtp.hotpop.com) (24.12.31.157)
by mail.example.com with SMTP; 13 Oct 2004 20:17:24 -0000
Date: Fri, 15 Oct 2004 22:56:09 +0000
From: mangled <mangled(a)example.com>
Subject: Hi.
To: FILE <mangled(a)example.com>
References: <mangled(a)example.com>
In-Reply-To: <mangled(a)example.com>
Message-ID: <mangled(a)example.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7BIT
Hey,
I've found true BL Hits!
Over 12000 users here.
http://pbfiles.sg.st and http://ggboys.sg.st
Giant Lo collection here: http://ptz-portal.sg.st
Best,
Michael Berkly.
p.s. looking for your quickest reply.
--
Mariano Absatz - El Baby
el (dot) baby (AT) gmail (dot) com
el (punto) baby (ARROBA:@) gmail (punto) com
ultimatebizsource.biz claims to be an opt-in list with 55,000 subscribers.
It's currently listed on [WS] and [JP] but not my personal list.
I know, the name alone sounds like your typical spammer domain, but is it?
Today the owner of getyoursiteongoogle.info mailed me, since I had
blacklisted their domain.
Turns out the evidence was a mailing from ultimatebizsource.biz which was
listed on WS and JP. Since the recipient was a third party from the
Prolocation feed, I could not easily verify if it was indeed unsolicited,
but I checked what I could check quickly.
To my surprise the outgoing mailserver's IP is not listed on any of the RBLs
and neither are the name servers or the resolved name.
There is only 1 NANAS sighting for this almost one year old domain. That
posting is an automated one, and probably related to an ahbl.org listing
mentioned in the SA-tags added to the evidence mail. I can find no listing
for them at ahbl.org now.
A web search for the domain name returns a single hit:
http://www.google.com/search?q=ultimatebizsource.biz+spam
That looks too little for 55,000 mails per day for one year.
Joe
On Thursday, October 14, 2004, 5:20:56 AM, Tony RT wrote:
> [jeffc(a)surbl.org - Thu Oct 14 12:10:09 2004]:
>> > In this months Microsoft Security update mailout there is a domain
>> > mentioned in the credits, persiax.com. Web version includes the same
>> > domain...
>> Outblaze Postmaster,
>> Can you tell us why persiax.com is listed?
> Jeff,
> If our spamtraps or our users report spam, we scan the body.
> If we find domains that are "new" in the body, the domain gets blocked.
> persiax.com is now removed.
> TonyB
Thanks Tony.
May I suggest that you consider checking a domain before
listing it? Just because a few customers consider it spam
doesn't necessarily mean other customers might not want to
get it. I ask because there seem to be some legitimate
sites getting onto your lists which some customers may
legitimately want to get. For example none of the recent
FPs have had to do with pills, mortgages, warez, etc.
Another recent example is browsehappy.com run by the Web
Standards Project:
http://webstandards.org/act/campaign/happy/
which seem pretty unlikely to be professional or even
casual spammers, no matter what users may report. Users
are sometimes wrong, so data should be checked, IMO.
Jeff C.
--
"If it appears in hams, then don't list it."