Discuss

discuss@lists.surbl.org

1867 discussions

Weird TLD/site in Phish
by Chris Santerre 25 May '06

25 May '06

I have no idea if this is a legit site hijacked, bad site, or a secret society of the Illuminati! http://www.zorka-opeka.co.yu/-/ .yu ??????? Yugoslavia? Chris Santerre SysAdmin and SARE/URIBL ninja http://www.uribl.com http://www.rulesemporium.com

2 1

RE: Requesting removal from blacklist
by Greg Schuler 20 May '06

20 May '06

Hi Bill, I appreciate your quick response. And I'm interested in what others on the mailing list might have to say about this as well. In answer to your questions: >If you've assembled a live customer list >with UBE for a few years, then stop sending UBE, doesn't that mean you get >the benefits of that UBE even after you stop sending it? I don't believe so. First, even though we didn't have a 100% closed-loop opt-in list process, most of the email we sent was not UBE. We only emailed names collected from what we believed were legitimate transactions on our partner web sites. The consumer was always presented with a privacy policy and terms of service that told them they would be agreeing to receive future email offers by completing the transaction. So while it wasn't perfect, we were making an effort to be sure the email we sent had the end-user's permission. We ultimately learned that this wasn't sufficient. The fact that we ended up with spam traps and other "bad" addresses in our email lists is proof that our process was flawed. So we decided to exit the email business in December, 2005. Had we continued to email "live customers" after that, then yes I suppose you could say we were still benefiting from past practices. But we didn't do that. > Secondly, I went back to the mail I've gotten from aptimus >.net/com for the past few years to look at the "partner" domains (domains >also linked to in mails that point at aptimus .net/com. A number of them >continue to send UBE, which makes me wonder if perhaps you've stopped >using your own domain name in the mails but continue to send UBE (that's >not an accusation, it literally is a question). Would you be willing to >help me understand your relationships with the following domains? The >following are the ones that I've seen in 2006: > >Jan 8 03:17 tr1usc .com >Jan 15 16:22 consumertoday .net >Jan 15 16:22 aptimus .com >Jan 15 16:22 alnimglrhyd .cc >Jan 20 02:45 alnimglrbsh .cc >Jan 20 02:45 alnclklrbsh .com >Jan 20 02:45 mediamarketsystem .com >Jan 21 22:55 collectiblestoday .com >Jan 27 01:31 removeservice .com >Feb 4 04:34 thrifthealth .com >Mar 11 02:29 alnclklrhyd .com >Mar 11 02:30 eforcemedia .com >Mar 11 02:32 laih .com >Mar 12 15:00 emarketmakers .com >Mar 12 22:44 dentalplans .com >Mar 12 22:44 intriguelearning .com >Apr 16 02:09 dnelist .com >Apr 16 02:09 esideliver .com Question: are you saying that these domains continue to send UBE that ALSO continue to contain references to Aptimus? If so, that could be bad (and we'd very much like to know about it). Otherwise, of the above listed domains the only one we have a direct relationship with (other than aptimus.com, of course), is consumertoday.net. We own that domain and it was one of the domains we used for email marketing. We stopped using consumertoday.net in December, 2005. Please let me know if you have any further questions, and I look forward to a (hopefully positive) response on the delisting of our domains. Regards, Greg Schuler Aptimus, Inc. -----Original Message----- From: William Stearns [mailto:wstearns@pobox.com] Sent: Friday, May 19, 2006 1:47 PM To: Greg Schuler; ml-surbl-discuss Cc: William Stearns Subject: Re: Requesting removal from blacklist Good morning, Greg, I've CC'd the surbl mailing list with this post because I'd like to hear the opinions of the other member of the surbl team. On Thu, 18 May 2006, Greg Schuler wrote: > Greetings, > > As the IT director for Aptimus I have for some time known that our > domain has been blacklisted. This is because Aptimus was formerly in > the email marketing business and we did not have a 100% closed-loop > opt-in process. During that time I received a relatively steady supply of UBE to a small number of spamtraps, so I'm hesitant to remove your domain without some discussion. > We left the email business last year and for all of 2006 we have sent > email only to those end users who have "transacted" on our partner web We appreciate your taking a positive step and contacting us after that; that's one of the reasons why I'm seriously considering your request. > sites. We do not add these email addresses to any mailing lists and we > never send a user more than one message (e.g. these are confirmation > messages sent to acknowledge a legitimate web-based transaction such as > purchasing a product, entering a contest, signing up for a newsletter or > service or some similar activity). Unfortunately it seems even sending > a confirmation message is considered "Spam" by some people and we still > get a few complaints, but never more than a couple per month. Confirmation messages with no other commercial content are not considered spam in our project, so you're OK there. > Based on the above, would it be possible to have aptimus.com and > aptimus.net removed from your list? If not, could you explain why? If > there's something else we need to do to get our domains cleaned up I'd > really like to know. The last aptimus.net mail I got was from January 15th, so that tends to support what you said. I have a few questions. If you've assembled a live customer list with UBE for a few years, then stop sending UBE, doesn't that mean you get the benefits of that UBE even after you stop sending it? Secondly, I went back to the mail I've gotten from aptimus .net/com for the past few years to look at the "partner" domains (domains also linked to in mails that point at aptimus .net/com. A number of them continue to send UBE, which makes me wonder if perhaps you've stopped using your own domain name in the mails but continue to send UBE (that's not an accusation, it literally is a question). Would you be willing to help me understand your relationships with the following domains? The following are the ones that I've seen in 2006: Jan 8 03:17 tr1usc .com Jan 15 16:22 consumertoday .net Jan 15 16:22 aptimus .com Jan 15 16:22 alnimglrhyd .cc Jan 20 02:45 alnimglrbsh .cc Jan 20 02:45 alnclklrbsh .com Jan 20 02:45 mediamarketsystem .com Jan 21 22:55 collectiblestoday .com Jan 27 01:31 removeservice .com Feb 4 04:34 thrifthealth .com Mar 11 02:29 alnclklrhyd .com Mar 11 02:30 eforcemedia .com Mar 11 02:32 laih .com Mar 12 15:00 emarketmakers .com Mar 12 22:44 dentalplans .com Mar 12 22:44 intriguelearning .com Apr 16 02:09 dnelist .com Apr 16 02:09 esideliver .com > Thanks and regards, > > Greg Schuler > Director, Technology & Operations > Aptimus, Inc. (NASDAQ: APTM) > The Point-of-Action Online > Advertising Network > > 100 Spear Street, Suite 1115 > San Francisco, CA 94105 > Ph: 415-896-2123 x242 > Fax: 208-361-2452 > Mobile: 415-596-6127 > gregs(a)aptimus.com Cheers, - Bill --------------------------------------------------------------------------- "My fellow Americans. I've signed legislation that will outlaw Russia forever. We begin bombing in five minutes." - President Reagan, before a scheduled radio broadcast, unaware that the microphone was already on... (Courtesy of Brian S. Dellinger <Brian.Dellinger(a)Dartmouth.EDU>) -------------------------------------------------------------------------- William Stearns (wstearns(a)pobox.com). Mason, Buildkernel, freedups, p0f, rsync-backup, ssh-keyinstall, dns-check, more at: http://www.stearns.org --------------------------------------------------------------------------

2 1

Re: Requesting removal from blacklist
by William Stearns 19 May '06

19 May '06

Good morning, Greg, I've CC'd the surbl mailing list with this post because I'd like to hear the opinions of the other member of the surbl team. On Thu, 18 May 2006, Greg Schuler wrote: > Greetings, > > As the IT director for Aptimus I have for some time known that our > domain has been blacklisted. This is because Aptimus was formerly in > the email marketing business and we did not have a 100% closed-loop > opt-in process. During that time I received a relatively steady supply of UBE to a small number of spamtraps, so I'm hesitant to remove your domain without some discussion. > We left the email business last year and for all of 2006 we have sent > email only to those end users who have "transacted" on our partner web We appreciate your taking a positive step and contacting us after that; that's one of the reasons why I'm seriously considering your request. > sites. We do not add these email addresses to any mailing lists and we > never send a user more than one message (e.g. these are confirmation > messages sent to acknowledge a legitimate web-based transaction such as > purchasing a product, entering a contest, signing up for a newsletter or > service or some similar activity). Unfortunately it seems even sending > a confirmation message is considered "Spam" by some people and we still > get a few complaints, but never more than a couple per month. Confirmation messages with no other commercial content are not considered spam in our project, so you're OK there. > Based on the above, would it be possible to have aptimus.com and > aptimus.net removed from your list? If not, could you explain why? If > there's something else we need to do to get our domains cleaned up I'd > really like to know. The last aptimus.net mail I got was from January 15th, so that tends to support what you said. I have a few questions. If you've assembled a live customer list with UBE for a few years, then stop sending UBE, doesn't that mean you get the benefits of that UBE even after you stop sending it? Secondly, I went back to the mail I've gotten from aptimus .net/com for the past few years to look at the "partner" domains (domains also linked to in mails that point at aptimus .net/com. A number of them continue to send UBE, which makes me wonder if perhaps you've stopped using your own domain name in the mails but continue to send UBE (that's not an accusation, it literally is a question). Would you be willing to help me understand your relationships with the following domains? The following are the ones that I've seen in 2006: Jan 8 03:17 tr1usc .com Jan 15 16:22 consumertoday .net Jan 15 16:22 aptimus .com Jan 15 16:22 alnimglrhyd .cc Jan 20 02:45 alnimglrbsh .cc Jan 20 02:45 alnclklrbsh .com Jan 20 02:45 mediamarketsystem .com Jan 21 22:55 collectiblestoday .com Jan 27 01:31 removeservice .com Feb 4 04:34 thrifthealth .com Mar 11 02:29 alnclklrhyd .com Mar 11 02:30 eforcemedia .com Mar 11 02:32 laih .com Mar 12 15:00 emarketmakers .com Mar 12 22:44 dentalplans .com Mar 12 22:44 intriguelearning .com Apr 16 02:09 dnelist .com Apr 16 02:09 esideliver .com > Thanks and regards, > > Greg Schuler > Director, Technology & Operations > Aptimus, Inc. (NASDAQ: APTM) > The Point-of-Action Online > Advertising Network > > 100 Spear Street, Suite 1115 > San Francisco, CA 94105 > Ph: 415-896-2123 x242 > Fax: 208-361-2452 > Mobile: 415-596-6127 > gregs(a)aptimus.com Cheers, - Bill --------------------------------------------------------------------------- "My fellow Americans. I've signed legislation that will outlaw Russia forever. We begin bombing in five minutes." - President Reagan, before a scheduled radio broadcast, unaware that the microphone was already on... (Courtesy of Brian S. Dellinger <Brian.Dellinger(a)Dartmouth.EDU>) -------------------------------------------------------------------------- William Stearns (wstearns(a)pobox.com). Mason, Buildkernel, freedups, p0f, rsync-backup, ssh-keyinstall, dns-check, more at: http://www.stearns.org --------------------------------------------------------------------------

1 0

Subdomains in SURBL
by Brandon Hutchinson 18 May '06

18 May '06

Hello, Looking at the multi.surbl.org zone yesterday, I noticed approximately 373 subdomains in the list. Here are a few examples: www.fcudwedenagov.com www.freecat.biz www.hesvlabean.com www.hterrani.com ms7.pptel.net msn.41m.com mwetillf.iscool.net mx.servebbs.net mx2.dynu.net www.yelvertonstores.co.uk Looking at http://www.surbl.org/implementation.html item 2, do these subdomains belong in the list? "Extract base (registrar) domains from those URIs. This includes removing any and all leading host names, subdomains, www., randomized subdomains, etc. In order to determine the base domain it may be necessary to use a table of country code TLDs (ccTLDs) such as this partially-complete one SURBL uses. (Note that this file is only rarely updated. Please don't download it frequently.) For example, any domain found in the two level ccTLD list should have a three-level domain name extracted (like foo.co.uk) for matching against a SURBL. Domains not specifically on the two level ccTLD list (such as foo.com or foo.fr) should be checked at two levels." I believe SpamAssassin's URIDNSBL reduces the URIs to the base domain (e.g. example.com, example.co.uk), so if it encountered "www.freecat.biz," for example, it would lookup freecat.biz, which is not in the list. Besides URIDNSBL, are there other URI lookup implementations for which it makes sense to include subdomains? Thanks! Brandon

4 9

surbl.org / urilbl.com for blog comment spam tracking
by Karanbir Singh 16 May '06

16 May '06

hey guys, it seems a year back, there was a request to add blog comment spam uri / hosts to surbl.org. That thread went to no real conclusion, and I was just wondering if there is any move to have this uri in surbl or uribl.com ? - KB -- Karanbir Singh : http://www.karan.org/ : 2522219@icq

2 1

Recent SpamAssassin mass check results
by Jeff Chan 12 May '06

12 May '06

FWIW Here are last Saturday's SA mass check results, courtesy of Theo: http://www.surbl.org/news.html MSECS SPAM% HAM% S/O RANK SCORE NAME 0 181939 52229 0.777 0.00 0.00 (all messages) 0.00000 77.6959 22.3041 0.777 0.00 0.00 (all messages as %) 22.377 28.8009 0.0000 1.000 1.00 0.00 URIBL_SC_SURBL 26.604 34.2378 0.0134 1.000 1.00 0.00 URIBL_WS_SURBL 24.854 31.9854 0.0115 1.000 1.00 0.00 URIBL_JP_SURBL 12.423 15.9889 0.0000 1.000 0.98 0.00 URIBL_AB_SURBL 23.278 29.9463 0.0479 0.998 0.96 0.00 URIBL_OB_SURBL 0.236 0.3028 0.0038 0.988 0.67 0.00 URIBL_PH_SURBL 15.377 19.7803 0.0383 0.998 0.95 0.00 URIBL_SBL 29.707 38.1606 0.2585 0.993 0.85 0.00 URIBL_BLACK 0.020 0.0264 0.0000 1.000 0.50 0.00 URIBL_RED 0.515 0.4353 0.7946 0.354 0.45 0.00 URIBL_GREY Of particular relevance are the low false positives of some of the SURBL lists such as SC, AB and PH as shown in the low HAM% numbers. (Note that PH is important to use and score highly in order to detect phishes. It doesn't detect a large percentage of spams, but it likely detects many phishes.) The last three are presumably uribl.com lists. FPs on OB remain too high IMO, but we're continually working to try to improve both the FN and FP rates. Jeff C. -- Don't harm innocent bystanders.

2 1

en34.com
by Karen Wilson 04 May '06

04 May '06

I am getting a ton of porn spam about Russian girls. They come from a first name with no e-mail ID. On my fllter I found man, many e-mails from people at en34.com, which doesn't exist. Know anything? K

2 1

Re: [SURBL-Announce] MEFilter and milter-link add SURBL support
by Chris Sweeney 02 May '06

02 May '06

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Anyone download this? I can't seem to find it listed on the downloads page even after login. Jeff Chan wrote: > Two applications add SURBL support to Sendmail and MailEnable > respectively: > > > Anthony Howe of SnertSoft reports that his milter-link/0.1 for > Sendmail "extracts URLs from the message body (text, HTML, and/or > MIME encoded)" and checks them against SURBLs, or after domain > resolution against RBLs. Written in C, milter-link does on-the-fly > MIME decoding without using temporary files. > > http://www.snertsoft.com/sendmail/milter-link/ > > > Martyn Keen reports that his MEFilter, a bolt-on for the MailEnable > mail server, adds beta SURBL support. Test results are very > favorable. > > http://www.mefilter.com/ > > > Cheers, > > Jeff C. - -- Thanks Chris Check me out! Finally setup a MySpace.com account http://www.osubucks.net csweeney(a)osubucks.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFEUondS9AMNDUYgIcRAkCuAKCOFPTbVrfeNCbgyifUlsBbCQM0KACdHZEF JJWwX7NzjdYaTtidOaB0Hg8= =m413 -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

2 1

Re: [SURBL-Announce] milter-uri.pl is a Perl Sendmail milter
by Todd Vierling 28 Apr '06

28 Apr '06

On 4/28/06, Jeff Chan <jeffc(a)surbl.org> wrote: > Steve Freegard of Fort Systems Ltd. reports that milter-uri.pl is > a basic Sendmail milter written in Perl using Sendmail::PMilter > and SpamAssassin libraries. I happen to be the Sendmail::PMilter author. I suppose this would be a good time for me to go revisit the package and clean up a few things I've meant to do for a couple years. Unexpected attention can be a good motivator. ;) (BTW, if this makes it to the discuss@ list, I'm not on it, so if anyone needs my attention, keep me on Cc:.) -- -- Todd Vierling <tv(a)duh.org> <tv(a)pobox.com> <todd(a)vierling.name>

1 0

Domains not getting listed on SURBL
by Guy Rosen 24 Apr '06

24 Apr '06

Hi, We noticed a whole bunch of domains which are used by spammers affiliated with AdultActionCam that are consistently not getting listed on SURBL, and I thought I'd point it out. Are they maybe doing something special there to prevent getting listed? These are a few examples: hookinghawks dot com Giggaty dot com jerkingcough dot com superflighter dot com largebegs dot com payperblew dot com rufflyruse dot com Slaptick dot com purplefist dot com fallingfallers dot com jarsfilling dot com dinkybars dot com lostloverznow dot com losingthefill dot com leadingloverz dot com Regards, Guy Rosen Lead Analyst, Operations Team Blue Security http://www.bluesecurity.com/

2 1

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

Discuss