>-----Original Message-----
>From: Raymond Dijkxhoorn [mailto:raymond@prolocation.net]
>Sent: Friday, September 10, 2004 8:48 PM
>To: discuss(a)lists.surbl.org
>Subject: [SURBL-Discuss] important reduce wrise renkles & skin spots
>(fwd)
>
>
>Hi!
>
>Our favorite pill spammers also try to get around SURBL now.
>
>I don't want to end up making SA rulesets for this, any suggestions?
>
>ns3.airmaramba.biz
>ns3.avk29.biz
>
>The same crap... But, with less SA hits now, since it's not touched by
>SURBL. Bah.
>
>---------- Forwarded message ----------
>Date: Sat, 11 Sep 2004 01:50:29 +0100
>From: kenneth clakley <auroraschorn(a)rfc.every1.net>
>To: wilfredo moote <reyes(a)prolocation.net>
>Subject: important reduce wrise renkles & skin spots
>
>suc-oneonta sony-steo lettery
>
>
>From inside to outside, from w^eig_ht l`o^ss to skin care. From mental
>relief to physical relief, from antidepressant to muscle
>relaxant. The care
>inside out.
>
>you can copy
>
>wjq.s.adjuster6370pinn.com/56/
>
>to your browser
>
I wrote this for SARE:
>> uri ANUMA /\.[a-z]{4,}\d{4,}[a-z]{4,}\.(?:com|net|biz|info|org)/i
>> describe ANUMA Domain with ALPHAs NUMBERs ALPHAs
>> score ANUMA 1.0
>>
>> to catch tons of this:
>> stiffed5912tads.com
>> unawares6248pinn.com
>> snoozed2548rneds.com
>> 585paperwork970tads.com
>> congener1455rneds.com
--Chris
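The ANUMA rule above, run over the domains Chris listed as an added example (this is not code from the post or from SARE). SpamAssassin applies a `uri` rule to each URI extracted from the body, so the pattern is applied per URI here; the sample URIs are constructed, with the listed domains placed under a `www.` label as they would appear in a message body.

```python
import re

# The ANUMA pattern from the post, unchanged. SpamAssassin 'uri' rules are
# Perl regexes; this one uses only syntax that Python's re shares with Perl.
ANUMA = re.compile(r"\.[a-z]{4,}\d{4,}[a-z]{4,}\.(?:com|net|biz|info|org)", re.I)

# Constructed sample URIs: the domains listed in the post (as they would
# appear in a message body, with a www. label) plus one ordinary domain.
SAMPLE_URIS = [
    "http://www.stiffed5912tads.com/",
    "http://www.unawares6248pinn.com/",
    "http://www.snoozed2548rneds.com/",
    "http://www.585paperwork970tads.com/",
    "http://www.congener1455rneds.com/",
    "http://wjq.s.adjuster6370pinn.com/56/",
    "http://www.example.com/",
]


def anuma_hits(uris):
    """Apply the rule the way a 'uri' rule is applied: to each URI found in
    the body, not to the whole text. Returns the URIs the rule fires on."""
    return [u for u in uris if ANUMA.search(u)]


def anuma_misses(uris):
    """URIs that have the targeted letters-digits-letters shape but that the
    rule does not fire on, so the gap is visible when tuning the rule."""
    loose = re.compile(r"[a-z]+\d+[a-z]+\.(?:com|net|biz|info|org)", re.I)
    return [u for u in uris if loose.search(u) and not ANUMA.search(u)]


if __name__ == "__main__":
    for u in anuma_hits(SAMPLE_URIS):
        print("HIT ", u)
    for u in anuma_misses(SAMPLE_URIS):
        print("MISS", u)
```

Note that 585paperwork970tads.com from the list is not caught: its digit run is only three long and the rule requires a dot directly before the first letter run, which also means a bare `http://stiffed5912tads.com/` with no `www.` label does not match either.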
>-----Original Message-----
>From: Frank Ellermann [mailto:nobody@xyzzy.claranet.de]
>Sent: Thursday, September 09, 2004 10:01 PM
>To: discuss(a)lists.surbl.org
>Subject: Re: [SURBL-Discuss] Whitelist Please
>
>
>Jeff Chan wrote:
>
>> Chris and Ryan and Raymond, don't even think about proposing
>> a subdomain list. LOL! ;-)
>
>What's the problem with this idea ? It would be only one level
>above the real host, so for say claranet.de you would have to
>consider www.claranet.de and xyzzy.claranet.de, but you would
>ignore www.xyzzy.claranet.de or more.levels.xyzzy.claranet.de
>
>Then if I start to spamvertize my site you catch me without
>hitting any other user.claranet.de (let alone www.claranet.de)
>
>Assuming that my ISP doesn't need weeks to cancel my account
>after I started to spam the xyzzy entry will expire soon.
>
>> It's about time ICANN cracked down on rogue registrars.
>
>I'll believe it when I see it. These registrars pay ICANN's
>budget, don't they ?
>
>> There will always be disagreement about that optimization
>> point. That is natural. (It's also a PITA.)
>
>Sometimes your criteria appear to be a bit obscure for me.
>Of course some people may love a "joke of the day" mail -
>that's okay, if they like it they won't report it as spam.
>
>But others don't like any unsolicited jokes, and they would
>report it as spam. In that case the joke-of-the-day site
>_is_ spamming, and it's okay to list them. Even if they
>also have some real fans with a "legit" interest in their
>joke of the day. In that case you can't avoid a collateral
>damage, whatever you do.
> Bye, Frank
>
hmmm.... can't we treat these like we treat com.ar tld? or co.uk? Like Frank
said, just checking the subdomain one more level up for these guys. I don't
see the harm in that. Or am I missing something again?
I think what Jeff meant was another SURBL list entirely ;) No, I think we
have enough as well.
--Chris
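The "one more level up" idea Frank and Chris describe, as an added illustration (not SURBL's own lookup code): the registrable domain is always checked, plus the single label beneath it, and deeper labels are dropped, so listing xyzzy.claranet.de catches www.xyzzy.claranet.de without touching www.claranet.de or any other user.claranet.de. The co.uk-style suffix set and the listed set are constructed for the example.

```python
# Constructed illustration of the "one more level" proposal from the thread;
# not SURBL's own lookup code. The second-level registry list below is a
# short, hypothetical subset for the example only.
TWO_LEVEL_SUFFIXES = {"co.uk", "org.uk", "com.ar", "com.au", "co.nz"}


def _labels(host):
    return host.lower().rstrip(".").split(".")


def base_domain(host):
    """Registrable domain: two labels, or three under a co.uk-style registry."""
    labels = _labels(host)
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def lookup_candidates(host):
    """Names to check: the registrable domain and, if present, the one label
    directly beneath it. Anything deeper (www.xyzzy.claranet.de) is cut off,
    so a listing of xyzzy.claranet.de still matches it."""
    labels = _labels(host)
    base = base_domain(host)
    depth = len(base.split("."))
    candidates = [base]
    if len(labels) > depth:
        candidates.append(".".join(labels[-(depth + 1):]))
    return candidates


def is_listed(host, listed):
    """True if any candidate name for host appears in the listed set."""
    return any(c in listed for c in lookup_candidates(host))


if __name__ == "__main__":
    # Constructed listing: only Frank's hypothetical spamvertised site.
    listed = {"xyzzy.claranet.de"}
    for h in ("www.xyzzy.claranet.de", "more.levels.xyzzy.claranet.de",
              "www.claranet.de", "other.claranet.de", "user.example.co.uk"):
        print(h, lookup_candidates(h), is_listed(h, listed))
```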
>-----Original Message-----
>From: Jeff Chan [mailto:jeffc@surbl.org]
>Sent: Friday, September 10, 2004 2:40 AM
>To: SURBL Discuss
>Subject: [SURBL-Discuss] Large ham corpus hits against SURBLs
>
>
>I've extracted the plaintext * URI domains from a 14 GB ham corpus,
>taken the top 70th and 85th percentiles of the most frequently
>occurring domains and compared them against all SURBL domains,
>the master list of which can be found at:
>
> http://spamcheck.freeapp.net/multi.domains.sort
>
>At the 70th percentile level, there were only two matches:
>
> automotivedigest.com
> processrequest.com
>
>At the 85th percentile there were a few more:
>
> automotivedigest.com
> chartshop.com
> ct002.com
> dakotaairparts.com
> hallogram.com
> infoaeroplan.ca
> investorsinsight.com
> processrequest.com
> sitepronews.com
> topachat.com
>
>These are arguably false positives. What do we know about them?
>Should we whitelist or not whitelist any?
>
>
>* looking at plaintext has advantages and disadvantages:
>
>1. quick and easy
>2. does not "double or triple count" messages which also
>have BASE 64 or quoted printable encoded versions of the same URIs
>3. misses some such encoded URIs which don't have plaintext
>equivalents in a different part of the message
>
>Nonetheless the data are still probably generally useful.
>
Nice work. I got none of these marked as spammers. I think sitepronews has
caught my eye a few times, but not enough to be marked. Site pro also has:
* 1: allbusinessnews.com
* 2: exactseek.com
* 3: ezinehub.com
* 4: goarticles.com
* 5: novicenews.com
* 6: sitepronews.com
* 7: submitexpress.com
* 8: zinehub.com
Chartshop linked to:
* 1: astrology.com
* 2: astronet.com
* 3: chartshop.com
* 4: kweb.com
ct002 linked to (raises an eyebrow):
* 1: 123banners.com
* 2: 123greetings-inc.com
* 3: 123greetings.com
* 4: 123greetings.info
* 5: ct002.com
dakotaairparts.com linked to:
* 1: a250support.com
* 2: avsupport.com
* 3: dakotaairparts.com
* 4: partslogistics.com
investorsinsight.com not linked to anyone, but on more than a few people's
lists. However NANAS reports would have me believe they should NOT be
listed. (Odd huh?)
processrequest.com linked to:
* 1: e2communications.com
* 2: processrequest.com
* 3: prq0.com
Check http://tinyurl.com/4ds43
Just going to their website screams to me to watch them closely! If they are
legit, they should be using SURBL to watch their own customers. They are a
member of the evil empire DMA as well. In my jaded mind, that's an automatic
block here at my company. Obviously different for SURBL. This one needs to
be contacted and watched, IMHO.
topachat.com linked to:
* 1: topachat-clust.com
* 2: topachat.com
They appear clean and possibly Joe Jobbed.
Keep in mind, these lists are just good info. They shouldn't be used solely
to determine their spamminess on their own. These lists are just to see who
they are linked to, and sometimes those links speak volumes. Like ct002 might
need further investigation.
HTH someone.
--Chris
Found orchardbank-MUNGED-.com is listed on WS. Probably doesn't need much
justification for removal, but the domain was registered on May 30, 1997.
Found two old NANAS listing, one from 11/02 and one from 2/03.
Bill
OFF-TOPIC: CBS Forgery Scam
(forgive me Jeff)
I've studied this thoroughly. I can say 100% beyond a shadow of a doubt that
this is a forgery propagated by CBS.
Has anyone been following this? Does anyone doubt what I just said?
Rob McEwen
Bjorn Jensen let me know that ns15 is down with a hardware
failure and probably won't be back up until Monday. I have
temporarily substituted ns16's IP address for it and commented
it out of the "k" name server round robin. DNS should be
operating normally as a result.
Jeff C.
I found the following domains listed in a ~20K ham corpus from the last
couple of days:
Domain                    Age in Days   Score (#msgs)
attac.biz                         826   -3.3333 (1)
blah.com                         3462   -3.3333 (1)
chartshop.com                    2275   -3.3333 (1)
publicaster.com                   965   -3.3333 (1)
resortvacationstogo.com          1849   -3.3333 (1)
send4fun.com                     1681   -30.0000 (1)
surveymonkey.com                 1770   -3.3333 (4)
topcities.com                    1926   -2.5000 (1)
whtirc.com                        246   -3.2491 (1)
whtradio.com                      196   -2.3630 (1)
Full GetURI output: http://ry.ca/geturi/runs/20040910-fps.html
Quick look:
attac.biz
Looks real fishy, but appeared in some travel newsletter. Related to
eturbonews.com. Maybe de-list, but don't whitelist.
blah.com
This was in a ProFTPd mailing list message "how do I set up a virtual
host for "blah.com".
chartshop.com
Astrology.com newsletter. People really do sign up for those things.
surveymonkey.com
AFAICT, mostly legit surveys
send4fun.com
Jokes, example was person to person links
topcities.com
Free subdomain host.
whtirc.com, whtradio.com
Web Hosting Talk newsletter. Yes, it's legit.
publicaster.com
Used in some legit newsletters/mass media
resortvacationstogo.com
Looks mostly legit, and they've been around for 1800+ days without any
NANAS hits at all. Related to vacationstogo.com.
With the exception of attac.biz, I'd say whitelist the lot of these,
unless anyone knows some reason why not. :-)
The *real* cool part is GetURI (devel version) actually processed all of
these messages in one run, producing ~4MB of output. Mozilla, on the
other hand, crashed rather unceremoniously. Be thankful I re-ran on only
the messages that generated the FPs. :-)
Also, if someone wants to go through the *other* domains (i.e., those on
a grey (not blue) background), there are probably quite a few other
whitelist candidates there. (gc.ca, for instance :-)
- Ryan
--
Ryan Thompson <ryan(a)sasknow.com>
SaskNow Technologies - http://www.sasknow.com
901-1st Avenue North - Saskatoon, SK - S7K 1Y4
Tel: 306-664-3600 Fax: 306-244-7037 Saskatoon
Toll-Free: 877-727-5669 (877-SASKNOW) North America
I checked all the SURBL blocklist records against iadb and got no
hits.
http://www.isipp.com/iadb.php
(This is with checking domains against iddb, then taking the IP
addresses resolved by iddb and checking those against iadb.)
http://spamcheck.freeapp.net/iadb-check
Against the entire whitelist (but excluding the .us geographic
parent domains), I got one hit:
> thisistrue.com: 127.0.0.2
> thisistrue.com: 127.0.1.255
> thisistrue.com: 127.3.100.10
> thisistrue.com: 127.0.0.1
Due to the low hit rates iadb may not be useful for us yet
in checking for fps. Perhaps when it has more records, it
will be. Or perhaps there isn't much overlap between our
spammers, our whitelists and iadb, which is also a reasonable
answer.
Jeff C.
In recent days I've seen a lot of pirate software advertised in spam that
uses a sender address of the form
"Firstname1 Lastname1" Firstname2Lastname2@suspectdomain
where suspectdomain is a very recently registered domain (late August-early
September).
Previously software spammers used all kinds of fake sender domains, but none
they had registered themselves and not specifically recently registered
ones. Has anyone else noticed this and has any thoughts about it?
I wonder if spammers are buying lists of recently registered domain names
off registrars in order to poison domain blacklists?
Joe
--
http://www.joewein.de/sw/jwSpamSpy/