Hi everyone
Please forgive me if this question has been answered recently but I have
only joined the list today. My question is
multi.surbl.org no longer resolves to an IP address - is it still the
preferred hostname to use?
The reason I ask is because our mailgateway product uses this as one of
its tests and our support company seem to be getting nowhere finding out
whats wrong or who to ask
I can resolve this name from -
home
work
internetcafe
As I say, please forgive me if this question has been answered before
Many thanks, Adrian
PS I work for a smallish organisation (<500) users, would it be worth my
while rsyncing the DNS zone locally?
>> -----Original Message-----
>> From: Larry Rosenman [mailto:ler@lerctr.org]
>> Sent: Thursday, May 25, 2006 9:53 AM
>> To: 'SURBL Discussion list'
>> Subject: RE: [SURBL-Discuss] Weird TLD/site in Phish
>>
>>
>> Chris Santerre wrote:
>> > I have no idea if this is a legit site hijacked, bad site,
>> or a secret
>> > society of the Illuminati!
>> >
>> > http://www.zorka-opeka.co.yu/-/
>> >
>> > .yu ??????? Yugoslavia?
>> yep.
>>
>> http://www.iana.org/cctld/cctld-whois.htm
>>
>> LER
>
>Thanks, I actually sent this to the wrong list :) But does anyone know how
>to read er... yugoslavian? I don't want to Blacklist without knowing more
>about the site. Could be a free hoster or something.
>
>--Chris
>_______________________________________________
>Discuss mailing list
>Discuss(a)lists.surbl.org
>http://lists.surbl.org/mailman/listinfo/discuss
>
It looks like a once legitimate site, now compromised. No need
to read anything but English - It is a fake PayPal/eBay login page (phishing)
all in English. The ".yu" TLD never did register a Whois server, and while
still active *should* not have much left (even less now that Serbia and
Montenegro have just voted to split).
The hosts DNS places it in a very old /29 net-block (with all
.yu contacts), and the DNS is from loopia.se with TTLs varying from
60 seconds to 1 hour.
Anyway, bogus phishing site - Blacklist them until it is fixed (if
ever).
Paul Shupak
track(a)plectere.com
P.S. At least it isn't another NetSol domain registered to Sava Milosevic;
There have been a lot of those in the past year.
> -----Original Message-----
> From: Larry Rosenman [mailto:ler@lerctr.org]
> Sent: Thursday, May 25, 2006 9:53 AM
> To: 'SURBL Discussion list'
> Subject: RE: [SURBL-Discuss] Weird TLD/site in Phish
>
>
> Chris Santerre wrote:
> > I have no idea if this is a legit site hijacked, bad site,
> or a secret
> > society of the Illuminati!
> >
> > http://www.zorka-opeka.co.yu/-/
> >
> > .yu ??????? Yugoslavia?
> yep.
>
> http://www.iana.org/cctld/cctld-whois.htm
>
> LER
Thanks, I actually sent this to the wrong list :) But does anyone know how
to read er... yugoslavian? I don't want to Blacklist without knowing more
about the site. Could be a free hoster or something.
--Chris
Thanks. One of our guys says it is infact a hacked legit site. Albeit for
bricks :) So Like you said, it might be fine to list until it is taken down.
Hell it may be the only way they realise they got hacked! :)
--Chris
> -----Original Message-----
> From: Jeff Chan [mailto:jeffc@surbl.org]
> Sent: Thursday, May 25, 2006 11:07 AM
> To: Chris Santerre
> Cc: 'SURBL Discussion list'
> Subject: Re: [SURBL-Discuss] Weird TLD/site in Phish
>
>
> On Thursday, May 25, 2006, 7:09:26 AM, Chris Santerre wrote:
> > Thanks, I actually sent this to the wrong list :) But does
> anyone know how
> > to read er... yugoslavian? I don't want to Blacklist
> without knowing more
> > about the site. Could be a free hoster or something.
>
> I usually look at whois or DNS, but in this case there's nothing
> too useful:
>
>
> Domain Name: ZORKA-OPEKA.CO.YU
> Namespace: ICANN Country Code Top Level Domain -
> http://www.icann.org
> TLD Info: See IANA Whois - http://www.iana.org/root-whois/yu.htm
> Registry: Registry information not yet configured
> Registrar: Registry information not yet configured
> Whois Server: (none)
> Name Server[from dns, dns ip]: NS3.LOOPIA.SE 194.9.94.245
> Name Server[from dns, dns ip]: NS4.LOOPIA.SE 194.9.95.245
>
> [DNS Information for ZORKA-OPEKA.CO.YU]
> Trying "ZORKA-OPEKA.CO.YU"
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58580
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2
>
> ;; QUESTION SECTION:
> ;ZORKA-OPEKA.CO.YU. IN ANY
>
> ;; ANSWER SECTION:
> ZORKA-OPEKA.CO.YU. 59 IN NS ns4.loopia.se.
> ZORKA-OPEKA.CO.YU. 59 IN NS ns3.loopia.se.
>
> ;; AUTHORITY SECTION:
> ZORKA-OPEKA.CO.YU. 59 IN NS ns4.loopia.se.
> ZORKA-OPEKA.CO.YU. 59 IN NS ns3.loopia.se.
>
> ;; ADDITIONAL SECTION:
> ns3.loopia.se. 3599 IN A 194.9.94.245
> ns4.loopia.se. 3599 IN A 194.9.95.245
>
> Received 140 bytes from 216.151.192.1#53 in 3 ms
>
>
>
> Non-authoritative answer:
> ZORKA-OPEKA.CO.YU
> origin = ns3.loopia.se
> mail addr = registry.loopia.se
> serial = 1146743921
> refresh = 10800
> retry = 3600
> expire = 25200
> minimum = 86400
>
> Authoritative answers can be found from:
> ZORKA-OPEKA.CO.YU nameserver = ns3.loopia.se.
> ZORKA-OPEKA.CO.YU nameserver = ns4.loopia.se.
> ns3.loopia.se internet address = 194.9.94.245
> ns4.loopia.se internet address = 194.9.95.245
>
>
> Non-authoritative answer:
> Name: ZORKA-OPEKA.CO.YU
> Address: 195.178.52.202
>
>
> Looks like it has about 7 google hits, so it's probably not a
> huge loss if blacklisted, especially if it's un-blacklisted when
> the phishing site goes away.
>
> BTW, while the Soviet Union no longer exists, the .su domain
> still does, though we thought some of the domains on it were
> dubious.
>
> Jeff C.
> --
> Don't harm innocent bystanders.
>
Hi Bill,
I appreciate your quick response. And I'm interested in what others on the mailing list might have to say about this as well.
In answer to your questions:
>If you've assembled a live customer list
>with UBE for a few years, then stop sending UBE, doesn't that mean you get
>the benefits of that UBE even after you stop sending it?
I don't believe so. First, even though we didn't have a 100% closed-loop opt-in list process, most of the email we sent was not UBE. We only emailed names collected from what we believed were legitimate transactions on our partner web sites. The consumer was always presented with a privacy policy and terms of service that told them they would be agreeing to receive future email offers by completing the transaction. So while it wasn't perfect, we were making an effort to be sure the email we sent had the end-user's permission. We ultimately learned that this wasn't sufficient. The fact that we ended up with spam traps and other "bad" addresses in our email lists is proof that our process was flawed. So we decided to exit the email business in December, 2005. Had we continued to email "live customers" after that, then yes I suppose you could say we were still benefiting from past practices. But we didn't do that.
> Secondly, I went back to the mail I've gotten from aptimus
>.net/com for the past few years to look at the "partner" domains (domains
>also linked to in mails that point at aptimus .net/com. A number of them
>continue to send UBE, which makes me wonder if perhaps you've stopped
>using your own domain name in the mails but continue to send UBE (that's
>not an accusation, it literally is a question). Would you be willing to
>help me understand your relationships with the following domains? The
>following are the ones that I've seen in 2006:
>
>Jan 8 03:17 tr1usc .com
>Jan 15 16:22 consumertoday .net
>Jan 15 16:22 aptimus .com
>Jan 15 16:22 alnimglrhyd .cc
>Jan 20 02:45 alnimglrbsh .cc
>Jan 20 02:45 alnclklrbsh .com
>Jan 20 02:45 mediamarketsystem .com
>Jan 21 22:55 collectiblestoday .com
>Jan 27 01:31 removeservice .com
>Feb 4 04:34 thrifthealth .com
>Mar 11 02:29 alnclklrhyd .com
>Mar 11 02:30 eforcemedia .com
>Mar 11 02:32 laih .com
>Mar 12 15:00 emarketmakers .com
>Mar 12 22:44 dentalplans .com
>Mar 12 22:44 intriguelearning .com
>Apr 16 02:09 dnelist .com
>Apr 16 02:09 esideliver .com
Question: are you saying that these domains continue to send UBE that ALSO continue to contain references to Aptimus? If so, that could be bad (and we'd very much like to know about it). Otherwise, of the above listed domains the only one we have a direct relationship with (other than aptimus.com, of course), is consumertoday.net. We own that domain and it was one of the domains we used for email marketing. We stopped using consumertoday.net in December, 2005.
Please let me know if you have any further questions, and I look forward to a (hopefully positive) response on the delisting of our domains.
Regards,
Greg Schuler
Aptimus, Inc.
-----Original Message-----
From: William Stearns [mailto:wstearns@pobox.com]
Sent: Friday, May 19, 2006 1:47 PM
To: Greg Schuler; ml-surbl-discuss
Cc: William Stearns
Subject: Re: Requesting removal from blacklist
Good morning, Greg,
I've CC'd the surbl mailing list with this post because I'd like
to hear the opinions of the other member of the surbl team.
On Thu, 18 May 2006, Greg Schuler wrote:
> Greetings,
>
> As the IT director for Aptimus I have for some time known that our
> domain has been blacklisted. This is because Aptimus was formerly in
> the email marketing business and we did not have a 100% closed-loop
> opt-in process.
During that time I received a relatively steady supply of UBE to a
small number of spamtraps, so I'm hesitant to remove your domain without
some discussion.
> We left the email business last year and for all of 2006 we have sent
> email only to those end users who have "transacted" on our partner web
We appreciate your taking a positive step and contacting us after
that; that's one of the reasons why I'm seriously considering your
request.
> sites. We do not add these email addresses to any mailing lists and we
> never send a user more than one message (e.g. these are confirmation
> messages sent to acknowledge a legitimate web-based transaction such as
> purchasing a product, entering a contest, signing up for a newsletter or
> service or some similar activity). Unfortunately it seems even sending
> a confirmation message is considered "Spam" by some people and we still
> get a few complaints, but never more than a couple per month.
Confirmation messages with no other commercial content are not
considered spam in our project, so you're OK there.
> Based on the above, would it be possible to have aptimus.com and
> aptimus.net removed from your list? If not, could you explain why? If
> there's something else we need to do to get our domains cleaned up I'd
> really like to know.
The last aptimus.net mail I got was from January 15th, so that
tends to support what you said.
I have a few questions. If you've assembled a live customer list
with UBE for a few years, then stop sending UBE, doesn't that mean you get
the benefits of that UBE even after you stop sending it?
Secondly, I went back to the mail I've gotten from aptimus
.net/com for the past few years to look at the "partner" domains (domains
also linked to in mails that point at aptimus .net/com. A number of them
continue to send UBE, which makes me wonder if perhaps you've stopped
using your own domain name in the mails but continue to send UBE (that's
not an accusation, it literally is a question). Would you be willing to
help me understand your relationships with the following domains? The
following are the ones that I've seen in 2006:
Jan 8 03:17 tr1usc .com
Jan 15 16:22 consumertoday .net
Jan 15 16:22 aptimus .com
Jan 15 16:22 alnimglrhyd .cc
Jan 20 02:45 alnimglrbsh .cc
Jan 20 02:45 alnclklrbsh .com
Jan 20 02:45 mediamarketsystem .com
Jan 21 22:55 collectiblestoday .com
Jan 27 01:31 removeservice .com
Feb 4 04:34 thrifthealth .com
Mar 11 02:29 alnclklrhyd .com
Mar 11 02:30 eforcemedia .com
Mar 11 02:32 laih .com
Mar 12 15:00 emarketmakers .com
Mar 12 22:44 dentalplans .com
Mar 12 22:44 intriguelearning .com
Apr 16 02:09 dnelist .com
Apr 16 02:09 esideliver .com
> Thanks and regards,
>
> Greg Schuler
> Director, Technology & Operations
> Aptimus, Inc. (NASDAQ: APTM)
> The Point-of-Action Online
> Advertising Network
>
> 100 Spear Street, Suite 1115
> San Francisco, CA 94105
> Ph: 415-896-2123 x242
> Fax: 208-361-2452
> Mobile: 415-596-6127
> gregs(a)aptimus.com
Cheers,
- Bill
---------------------------------------------------------------------------
"My fellow Americans. I've signed legislation that will outlaw
Russia forever. We begin bombing in five minutes."
- President Reagan, before a scheduled radio broadcast, unaware
that the microphone was already on...
(Courtesy of Brian S. Dellinger <Brian.Dellinger(a)Dartmouth.EDU>)
--------------------------------------------------------------------------
William Stearns (wstearns(a)pobox.com). Mason, Buildkernel, freedups, p0f,
rsync-backup, ssh-keyinstall, dns-check, more at: http://www.stearns.org
--------------------------------------------------------------------------
Good morning, Greg,
I've CC'd the surbl mailing list with this post because I'd like
to hear the opinions of the other member of the surbl team.
On Thu, 18 May 2006, Greg Schuler wrote:
> Greetings,
>
> As the IT director for Aptimus I have for some time known that our
> domain has been blacklisted. This is because Aptimus was formerly in
> the email marketing business and we did not have a 100% closed-loop
> opt-in process.
During that time I received a relatively steady supply of UBE to a
small number of spamtraps, so I'm hesitant to remove your domain without
some discussion.
> We left the email business last year and for all of 2006 we have sent
> email only to those end users who have "transacted" on our partner web
We appreciate your taking a positive step and contacting us after
that; that's one of the reasons why I'm seriously considering your
request.
> sites. We do not add these email addresses to any mailing lists and we
> never send a user more than one message (e.g. these are confirmation
> messages sent to acknowledge a legitimate web-based transaction such as
> purchasing a product, entering a contest, signing up for a newsletter or
> service or some similar activity). Unfortunately it seems even sending
> a confirmation message is considered "Spam" by some people and we still
> get a few complaints, but never more than a couple per month.
Confirmation messages with no other commercial content are not
considered spam in our project, so you're OK there.
> Based on the above, would it be possible to have aptimus.com and
> aptimus.net removed from your list? If not, could you explain why? If
> there's something else we need to do to get our domains cleaned up I'd
> really like to know.
The last aptimus.net mail I got was from January 15th, so that
tends to support what you said.
I have a few questions. If you've assembled a live customer list
with UBE for a few years, then stop sending UBE, doesn't that mean you get
the benefits of that UBE even after you stop sending it?
Secondly, I went back to the mail I've gotten from aptimus
.net/com for the past few years to look at the "partner" domains (domains
also linked to in mails that point at aptimus .net/com. A number of them
continue to send UBE, which makes me wonder if perhaps you've stopped
using your own domain name in the mails but continue to send UBE (that's
not an accusation, it literally is a question). Would you be willing to
help me understand your relationships with the following domains? The
following are the ones that I've seen in 2006:
Jan 8 03:17 tr1usc .com
Jan 15 16:22 consumertoday .net
Jan 15 16:22 aptimus .com
Jan 15 16:22 alnimglrhyd .cc
Jan 20 02:45 alnimglrbsh .cc
Jan 20 02:45 alnclklrbsh .com
Jan 20 02:45 mediamarketsystem .com
Jan 21 22:55 collectiblestoday .com
Jan 27 01:31 removeservice .com
Feb 4 04:34 thrifthealth .com
Mar 11 02:29 alnclklrhyd .com
Mar 11 02:30 eforcemedia .com
Mar 11 02:32 laih .com
Mar 12 15:00 emarketmakers .com
Mar 12 22:44 dentalplans .com
Mar 12 22:44 intriguelearning .com
Apr 16 02:09 dnelist .com
Apr 16 02:09 esideliver .com
> Thanks and regards,
>
> Greg Schuler
> Director, Technology & Operations
> Aptimus, Inc. (NASDAQ: APTM)
> The Point-of-Action Online
> Advertising Network
>
> 100 Spear Street, Suite 1115
> San Francisco, CA 94105
> Ph: 415-896-2123 x242
> Fax: 208-361-2452
> Mobile: 415-596-6127
> gregs(a)aptimus.com
Cheers,
- Bill
---------------------------------------------------------------------------
"My fellow Americans. I've signed legislation that will outlaw
Russia forever. We begin bombing in five minutes."
- President Reagan, before a scheduled radio broadcast, unaware
that the microphone was already on...
(Courtesy of Brian S. Dellinger <Brian.Dellinger(a)Dartmouth.EDU>)
--------------------------------------------------------------------------
William Stearns (wstearns(a)pobox.com). Mason, Buildkernel, freedups, p0f,
rsync-backup, ssh-keyinstall, dns-check, more at: http://www.stearns.org
--------------------------------------------------------------------------
Hello,
Looking at the multi.surbl.org zone yesterday, I noticed approximately 373
subdomains in the list.
Here are a few examples:
www.fcudwedenagov.comwww.freecat.bizwww.hesvlabean.comwww.hterrani.comms7.pptel.netmsn.41m.commwetillf.iscool.netmx.servebbs.netmx2.dynu.netwww.yelvertonstores.co.uk
Looking at http://www.surbl.org/implementation.html item 2, do these
subdomains belong in the list?
"Extract base (registrar) domains from those URIs. This includes removing any
and all leading host names, subdomains, www., randomized subdomains, etc. In
order to determine the base domain it may be necessary to use a table of
country code TLDs (ccTLDs) such as this partially-complete one SURBL uses.
(Note that this file is only rarely updated. Please don't download it
frequently.) For example, any domain found in the two level ccTLD list should
have a three-level domain name extracted (like foo.co.uk) for matching
against a SURBL. Domains not specifically on the two level ccTLD list (such
as foo.com or foo.fr) should be checked at two levels."
I believe SpamAssassin's URIDNSBL reduces the URIs to the base domain (e.g.
example.com, example.co.uk), so if it encountered "www.freecat.biz," for
example, it would lookup freecat.biz, which is not in the list.
Besides URIDNSBL, are there other URI lookup implementations for which it
makes sense to include subdomains?
Thanks!
Brandon
hey guys,
it seems a year back, there was a request to add blog comment spam uri /
hosts to surbl.org. That thread went to no real conclusion, and I was
just wondering if there is any move to have this uri in surbl or
uribl.com ?
- KB
--
Karanbir Singh : http://www.karan.org/ : 2522219@icq