Discuss

discuss@lists.surbl.org

1 participants
1867 discussions

uk.geocities-munged-.com
by Kevin A. McGrail 10 Oct '05

10 Oct '05

As a follow-up to the UK geocities issue, I fear that this may be related to spyware or a virus. Over the past few weeks, I've identified a few patterns. For example the email below contains 5 email addresses, 4 of which are quite unique. You will also note they are not indicative of a dictionary attack yet they were all email in one single SPAM. Further, at least one of the people on this list passed away over a year ago. Additionally, what I have been seeing is VERY VERY unique emails getting hammered with SPAM and I believe it must be a virus/spyware that is getting the address books off of machines because the emails are too unique to guess. I don't know what to do with this information other than put out my $0.02 that I think people are targeting address books and I can't prove it :-( Regards, KAM > ----- Original Message ----- > From: "parker hair" <lyric(a)bowiewonderworld.com> > To: "Carson Magruder" <payne(a)summerconsultants.com> > Cc: <nance(a)summerconsultants.com>; <hoffman(a)summerconsultants.com>; > <ward(a)summerconsultants.com>; <mail(a)summerconsultants.com> > Sent: Thursday, October 06, 2005 10:06 AM > Subject: bon In a relaxing ishopping mall, nail down quick alleviators. bus > > > > > > Cutback costs for real remedies. > > > > Fast effects antibiotics to allay your fever. > > It's our value that fulfils efficient shipping. > > Ours affordable because of lessen operating cost. > > > > Let our expert review your meddical profiles at zero charge. > > Thanks for facilitating gratis online consultation. Ben J --CA. > > > > http://uk.geocities-munged-.com/windsnarlgreatb/?owgroclo > >

2 1

New redirector: www.nate.com
by Richard Grabowski 07 Oct '05

07 Oct '05

Dear David, I am an attorney in California. Our firm represent ISPs and have begun to actively pursue SPAMMERS under the California fraud laws and the Federal Can SPAM act. I have been following yours and your colleague's messages on [SURBL-Discuss]. Our primary problem is identifying SPAMMERS in a way that we can start a federal action against them. "Redirect" problems add to our other problems of identifying SPAMMERS. Currently we are trying to Identify defendant's by tracking them to the retail site they represent. We then include the owner of the retail site, the registrar of the domain (in almost every case this is YES NICK LTD), and any technicians we identify along the way. Ignore the arguments you have heard about what can and cannot be brought under the current law - I really think this has been produced by attorneys who are defending SPAMMERS to get ISP's and federal/State prosecutors not to bring actions, or to set up some kind of future defense. I am looking for any help you or your associates might be able to provide. I realize you must be skeptical. Therefore you can check my credentials at the CA State Bar site (look it up on google) by doing an attorney search on my name - Richard Grabowski. I am located in Eureka, CA. In addition to being an attorney I have over 30 years experience as a technician in the IT and Telecommunications industry. I worked for GTE, DMR and BusinessEdge as a senior enterprise architect. I am looking for tools, freeware or paid, that help track domains, email servers, senders, etc. Anything that will help identify the actual source of the SPAM in a quick and efficient manner. I am working with high end technicians that have extensive experience in this area, but I am always looking for more help. We will bring actions against SPAMMERS in foreign countries. We do not actually expect them to respond to a federal complaint, so we will end up with default judgments. These are relatively cheap to pursue. We will then try to make a deal with the legal agencies in the foreign country, a percentage, to try and recover on the judgment. This may eventually make it too expensive for the SPAMMERS to continue, or it may incent the local legal agencies to actually pursue the SPAMMERS, rather than protect them. As I have said we are actively pursuing this tactic now. I am hoping that you and your colleagues will want to help. The enforcement of SPAM laws is currently being left to the FTC and State prosecutors. These agencies have little or no budget to pursue these activities. I unfortunately believe that the laws were set up limiting enforcement primarily to the FTC in order to prevent any real prosecutions. This is a tactic of some politicians to support their contributors without actually having to oppose legislation. In this case it has made enforcement of the SPAM laws very unlikely. The only case I know of is a joint action by the FTC and CA State Atty Gnl.: FTC and People of CA v. Optin Global, Inc. and Vision Media Limited, Corp. You can find the federal filing at: http://www.ftc.gov/os/caselist/0423172/050413comp0423172.pdf We are using this filing as the template for our filings. If you can help I would really like to hear from you. Thanks, Richard Grabowski rgrabows(a)pacbell.net W - 707 441-1487 C - 707 771-9585

2 1

[PLEASE NOTE] Change in location for sa-blacklist downloads
by William Stearns 29 Sep '05

29 Sep '05

Good day, all, (Summary - the sa-blacklist content is moving to new machines. If you're downloading any of the 15 versions of this list, you'll need to change the hostname you use in your download; see "What you need to do" below for instructions.) I had a chat with my ISP last week. They've known for a long time that the bandwidth spike at the top of very hour was my web server, but since they knew the sa-blacklist was hosted there and it was a public service project, they told me not to worry. Fast forward to last week. *smile* When I asked this new contact what amount of bandwidth my hosting contract would normally allow and how much bandwidth I'd actually been using over the last few months, he told me that I should be around 10G/month, but I've been using 1000G/month. Woah. Luckily, he wasn't asking me to pay 100X my current contract. *smile* They really have been great about it (I mean that sincerely), but both they and I know that's an unreasonable drain on their bandwidth and unfair to the other customers. To fix that, I'm transitioning the content to new machines with more available bandwidth. I owe a heartfelt thanks to Raymond, David, Panagiotis, Rob, Wim, Jeff, and Chris for offering to host the content at no cost on much faster lines than mine and offering suggestions on how to make the process more efficient. Their generousity makes it possible for me to continue providing this content. ==== What you need to do ==== I've already set up new hostnames (*) from which the sa-blacklist files can be pulled. If you're getting any sa-blacklist files over http, please change the hostname you use to "www.sa-blacklist.stearns.org". If you are using rsync to pull content, please use "rsync.sa-blacklist.stearns.org". If you're using ftp, please use "ftp.sa-blacklist.stearns.org". In other words, the exact same content should be viewable at http://www.sa-blacklist.stearns.org/sa-blacklist/ ftp://ftp.sa-blacklist.stearns.org/pub/wstearns/sa-blacklist/ rsync://rsync.sa-blacklist.stearns.org/wstearns/sa-blacklist/ (although this last one is commonly used by the rsync application and won't work in a web browser.) There's a real benefit to you in taking the time to make this switchover. My server was getting pegged for multiple minutes at the top of the hour, so you'll find your downloads are much faster. Because of the way the files are distributed, the content on the mirrors should always be as current as the ones on the main server. At some point in the near future, I'll be limiting access to or completely shutting down the old URLs, so it's to your advantage to switch over sooner rather than later. *smile* I'd sincerely appreciate it if you could check any automated download scripts or cron jobs and point them to these new hostnames. Sorry for the inconvenience, but because these URL's are only used for this content, you won't need to make this change again. As one last suggestion, you might want to consider using the ws.surbl.org dns lookup service which performs the same checks as sa-blacklist.current.uri.cf , but _much_ faster and with a _lot_ less memory. More information about this dns-based service is available at http://www.surbl.org/ . Cheers, - Bill * These aliases will transparently pick a random server out of the available machines, spreading out the load. As more mirrors come online you'll be sent to them automatically. --------------------------------------------------------------------------- (Referring to the 32 bit system that feeds out files for kernel.org) "We learned that the Linux load average rolls over at 1024. And we actually found this out empirically." -- Peter Anvin -------------------------------------------------------------------------- William Stearns (wstearns(a)pobox.com). Mason, Buildkernel, freedups, p0f, rsync-backup, ssh-keyinstall, dns-check, more at: http://www.stearns.org --------------------------------------------------------------------------

1 1

sc2.surbl.org and xs.surbl.org
by Peter M. Abraham 26 Sep '05

26 Sep '05

Greetings: sc2.surbl.org and xs.surbl.org are not mentioned on http://www.surbl.org/lists.html What's the criteria for being listed in these two new ones? Are there any changes to implementation and usage of them? Thank you.

4 4

FP: Emigrant Direct
by sare＠menschel.net 25 Sep '05

25 Sep '05

The attached email hit URIBL_OB_SURBL -- it's a normal marketing email from EmigrantDirect.com, for which I signed up at the recipient email address. I've never seen any spam from EmigrantDirect. Please check into this OB entry ... should probably be removed. Bob Menschel This is a forwarded message From: EmigrantDirect(a)emigrant.com <EmigrantDirect(a)emigrant.com> To: Date: Tuesday, September 20, 2005, 5:05:54 PM Subject: Rate increase - EmigrantDirect races to 4.0% APY ===8<==============Original message text=============== Return-path: <return(a)fire2.sumnet.com> Envelope-to: emigrant(a)menschel.net Delivery-date: Tue, 20 Sep 2005 17:13:34 -0700 Received: from pascal.ctyme.com ([69.50.226.20]) by newton.ctyme.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.52) id 1EHsEq-0004hA-9k for emigrant(a)menschel.net; Tue, 20 Sep 2005 17:13:30 -0700 Received: from mail by pascal.ctyme.com with ctyme-spam-scanned (Exim 4.52) id 1EHsEm-00061R-ND for emigrant(a)menschel.net; Tue, 20 Sep 2005 17:13:27 -0700 Received: from broadcast5.sumnet.com ([206.139.137.83] helo=sumnet.com) by pascal.ctyme.com with esmtp (Exim 4.52) id 1EHsEl-0005yz-JW for emigrant(a)menschel.net; Tue, 20 Sep 2005 17:13:23 -0700 Received: (from return@localhost) by sumnet.com (8.11.7p1+Sun/8.11.7) id j8L05s917331; Tue, 20 Sep 2005 20:05:54 -0400 (EDT) Date: Tue, 20 Sep 2005 20:05:54 -0400 (EDT) Message-Id: <200509210005.j8L05s917331(a)sumnet.com> From: EmigrantDirect(a)emigrant.com Subject: Rate increase - EmigrantDirect races to 4.0% APY Bcc: X-Sumid: H0000AE4 X-Mailer: Email Broacaster 1.2 Mime-Version: 1.0 Content-Type: multipart/alternative; boundary="-----00000AE3_0000001A_4330946D_000835SUM.ALT" X-Mail-from: return(a)fire2.sumnet.com X-Spamprobe: neutral ***** 0.3518373 OK X-Spam-Flag: YES X-Spam-Checker-Version: SpamAssassin 3.0.4 (2005-06-05) on pascal.ctyme.com X-Spam-Level: ********** X-Spam-Status: Yes, score=10.4 required=5.0 tests=CT_APPLY,HTML_40_50, HTML_MESSAGE,LINK_PHRASE,MAILTO_LINK,MISSING_HEADERS,NO_FEE, NO_REAL_NAME,URIBL_OB_SURBL autolearn=no version=3.0.4 X-Spam-Report: * 1.0 NO_REAL_NAME From: does not include a real name * 2.0 LINK_PHRASE Phrase within link * 1.0 MISSING_HEADERS Missing To: header * 1.0 NO_FEE BODY: No Fees * 0.1 CT_APPLY BODY: Apply for Something * 0.0 HTML_40_50 BODY: Message is 40% to 50% HTML * 1.0 HTML_MESSAGE BODY: HTML included in message * 1.0 MAILTO_LINK RAW: Includes a URL link to send an email * 3.2 URIBL_OB_SURBL Contains an URL listed in the OB SURBL blocklist * [URIs: emigrant-direct.com] X-Spam-filter-host: pascal.ctyme.com - http://www.junkemailfilter.com X-Spam: [SPAM] - LOW X-Spam: [SPAM] - LOW [INLINE] We are pleased to announce that effective today, Tuesday, September 20, your American Dream Savings Account from EmigrantDirect now yields 4.0% APY, the highest rate in the country with no fees and no minimums, FDIC insured. Responding immediately to the most recent news from the Federal Reserve, EmigrantDirect is pleased to be able to offer this unmatched rate to our loyal customers. You may wish to take this opportunity to put all your available funds to work for you. If you have deposits earning less interest at other institutions, now is a good time to consolidate those savings at EmigrantDirect. Electronic transfers into and out of your account are free and our new 4.0% APY is guaranteed through December 31, 2005 (subject to upward adjustments only). Additionally, we are also pleased to announce the upcoming launch of a no-fee credit card from EmigrantDirect offering the highest cash back rebate in the country on all your purchases - from the first dollar spent on your card to the very last. This revolutionary credit card featuring platinum-level benefits will be offered only to EmigrantDirect customers and be available before yearend. Cash back amounts will be deposited into your American Dream Savings Account automatically not once, but twice a year for added convenience. If you would like to be sent a priority invitation to apply for the card once it becomes available, please send a quick email with your name and email address to [1]emigrantdirect(a)emigrant.com. We hope that you will become a cardholder and discover yet another way that EmigrantDirect serves and rewards its customers with outstanding value. Sincerely, [INLINE] Howard P. Milstein Co-Chairman, President and CEO Emigrant Savings Bank Emigrant Bancorp, Inc. [INLINE] Subject to applicable terms and conditions and account disclosures as set out at EmigrantDirect.com. No minimum balance required. All rights reserved. You are receiving this email in accordance with the terms and conditions of your account with EmigrantDirect. If you do not wish to receive general informational or promotional emails from EmigrantDirect about products and services that might be of interest to you, [2]click here. References 1. mailto:emigrantdirect@emigrant.com 2. mailto:emigrantdirect@emigrant.com?subject=Unsubscribe ===8<===========End of original message text===========

2 1

FP AddictionReport (dot) com
by Mariano Absatz 20 Sep '05

20 Sep '05

Hi, AddictionReport (dot) com is listed in ws & jp, however, I just received a legit mail including a (supposedly pay) advertisement by them. The mail is Randy Cassingham's newslatter "This is True" (http://www.thisistrue.com/), which includes plain text advertisement, and one of these hit badly. The advertisement read like this: ----------==========**********O**********==========---------- HOW CAN ANYONE BE SUCH AN IDIOT? What's the connection between suicide bombers, New Orleans thugs, half the people you read about in This is True, financial abuse, emotional abuse and the need to blame everyone else for one's problems? Doug Thorburn explains destructive behaviors and more, including how to AVOID being caught up in their games. Fascinating books, FREE monthly Addiction Report newsletter: http://www (dot) AddictionReport (dot) com ----------==========**********O**********==========---------- Regards. -- Mariano Absatz - El Baby el (dot) baby (AT) gmail (dot) com el (punto) baby (ARROBA:@) gmail (punto) com

4 5

RE: [SURBL-Discuss] Help with sa-blacklist load
by William Stearns 17 Sep '05

17 Sep '05

Good afternoon, all, (One kind responder said) >> Try to get people to grab the file at different >> times, not all at the same time of the hour. > > Not that Jeff mentions it, I'm now fearful the hourly surge would tax my > server too much at certain moments??? > > Is there any way that these updates could be spread out more? I actually tried to do that from day 1. The instructions on the web site encouraged people to put in a random pause in the cron line before downloading. It's a little hard to tell whether people are doing that or not, as I'm pegging the line starting at the top of the hour for a number of minutes. :-) Cheers, - Bill --------------------------------------------------------------------------- Weinberg's Law: If builders built buildings the way programmers wrote programs, then the first woodpecker that came along would destroy civilization. (Courtesy of David E. Vandewalle, vandewal(a)prairienet.org) -------------------------------------------------------------------------- William Stearns (wstearns(a)pobox.com). Mason, Buildkernel, freedups, p0f, rsync-backup, ssh-keyinstall, dns-check, more at: http://www.stearns.org --------------------------------------------------------------------------

1 0

Help with sa-blacklist load
by William Stearns 16 Sep '05

16 Sep '05

Good day, all, I'm running into a problem with the sa-blacklist content I host at http://www.stearns.org/sa-blacklist/ . The box (*) is hosted at pa.net, a colo facility once employing a good friend. A new guy was going over the bandwidth stats and noticed that that machine hogs the available bandwidth on its ethernet segment for a few minutes after each hour as people download the sa-blacklist. I asked him what kind of bandwidth he'd ideally like that system to use, and how much I'm using at the moment. I should be using around 10G/month. I'm currently using 1TB/month. Oops. I'm not in imminent danger of being kicked off their cable, but both they and I agree that I need to do something differently. I could put another physical box at another ISP with unlimited bandwidth, but I'm already paying around $1500/year to host the site, and am reluctant to double that. Because that box hosts 27 virtual machines, moving it is a project that would need a few months of lead time to arrange, and would be a nightmare in itself. It would be great if someone already has enough bandwidth to host the content on a different cable, but I think people with a terabyte/month to spare may be rare. *smile* If you've got some bandwidth you could share, would you consider doing round-robin with me with the content? 10 sites spreading the load would have 100GB/month, or an average of about 300 kilobits/sec. 20 sites sould be half that each, and so on. I'd need to upload content via rsync over ssh. The actual content is published via web, rsync, and ftp, although I could easily set up www.sa-blacklist.stearns.org for the sites willing to share over http, rsync.sa-blacklist.stearns.org, for the sites willing to share over rsync, and ftp.sa-blacklist.stearns.org. If you can spare some bandwidth, please respond. Let me know what you can spare in average kilobits/sec. That way, if only 10 people respond and one of them can provide 100 kilobits/sec, I'll know not to include that person in the mirror until I can get 30 people. If you can take part, I'd be forever grateful. *sincere smile* Cheers, - Bill * http://www.stearns.org/slartibartfast/uml-coop.current.html --------------------------------------------------------------------------- (Referring to the 32 bit system that feeds out files for kernel.org) "We learned that the Linux load average rolls over at 1024. And we actually found this out empirically." -- Peter Anvin -------------------------------------------------------------------------- William Stearns (wstearns(a)pobox.com). Mason, Buildkernel, freedups, p0f, rsync-backup, ssh-keyinstall, dns-check, more at: http://www.stearns.org --------------------------------------------------------------------------

2 1

cheetahmail / rhsbl.ahbl.org
by wolfgang 31 Aug '05

31 Aug '05

Hi, when experimenting with rhsbl.ahbl.org sender blacklists on MTA level, I noticed: reject_warning: RCPT from mta121.cheetahmail.com[66.165.100.122]: 571 Service unavailable; Sender address [bo-byytbuda6faq70bcxwgsmb73r6zqxc(a)b.apc.chtah.com] blocked using rhsbl.ahbl.org; Domain used in spam. Access is not allowed.; To me, the email seemed to be a valid product hotfix notification from http://www.apc.com to registered recipients. What are your experiences with or views about cheetah.com? They appear to be mass mailers, but also engaged in anti-spam measures / sender verification acitivities, and what are your experiences with rhsbl.ahbl.org? I would like to make up my mind - whether to whitelist cheetah.com mailservers from being blocked on MTA level in order to avoid FPs when using ahbl - whether to use rhsbl.ahbl.org to reject mails at the MTA level. Cheers, wolfgang

4 7

Fw: [off-topic] Free Opera Registration
by Kevin A. McGrail 30 Aug '05

30 Aug '05

Just passing along some interesting news: Opera is celebrating 10 years with a free registration code. It's very simply and very much on the up and up. Go to http://my.opera.com/community/party/reg.dml " SURPRISE!!! Free registration codes - Party favors: Get a free Opera registration code by clicking the "go free" button below. We're giving away registration codes for as long as the party lasts!" Regards, KAM

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

Discuss