>...
>
>On Wednesday, May 18, 2005, 6:44:05 AM, Spam Admin wrote:
>> spam link.
>
>> http://www.kexmt.move.fresh-deals.net/go/g/31/2869/1/?3495564
>
>> Dan Zachary
>
>Hi Dan,
>This is a recently registered domain (a couple weeks ago)
>but it doesn't seem to resolve into spaces that are known
>to be spammy. That may just mean spammers have moved into
>a new network space, etc.
>
>However there are a number of odd things about this domain
>from the registration, to the host's registration, etc.
>And it doesn't seem to resolve currently.
>
>Is anyone else seeing this in spams?
>
>Jeff C.
>--
>Don't harm innocent bystanders.
>
>_______________________________________________
>Discuss mailing list
>Discuss(a)lists.surbl.org
>http://lists.surbl.org/mailman/listinfo/discuss
>
The actual registrant is below - have to do better to hide behind
a "private registration".
% jwhois madplus.com
[Querying whois.internic.net]
[Redirected to whois.enom.com]
[Querying whois.enom.com]
[whois.enom.com]
Registration Service Provided By:
Contact: abuse-ns(a)gmbdream.com
Visit:
Domain name: madplus.com
Administrative Contact:
Paul Davis (abuse-ns(a)gmbdream.com)
+1.6465363193
Fax: +1.-
60 E 42 Street
Suite 449
NewYork, NY 10165
US
Billing Contact:
Paul Davis (abuse-ns(a)gmbdream.com)
+1.6465363193
Fax: +1.-
60 E 42 Street
Suite 449
NewYork, NY 10165
US
Technical Contact:
Paul Davis (abuse-ns(a)gmbdream.com)
+1.6465363193
Fax: +1.-
60 E 42 Street
Suite 449
NewYork, NY 10165
US
Registrant Contact:
Paul Davis (abuse-ns(a)gmbdream.com)
+1.6465363193
Fax: +1.-
60 E 42 Street
Suite 449
NewYork, NY 10165
US
Status: Active
Name Servers:
ns1.madplus.com
ns2.madplus.com
Creation date: 15 Mar 2005 07:56:39
Expiration date: 15 Mar 2006 07:56:39
The data in this whois database is provided to you for information
purposes only, that is, to assist you in obtaining information about or
related to a domain name registration record. We make this information
available "as is," and do not guarantee its accuracy. By submitting a
whois query, you agree that you will use this data only for lawful
purposes and that, under no circumstances will you use this data to: (1)
enable high volume, automated, electronic processes that stress or load
this whois database system providing you this information; or (2) allow,
enable, or otherwise support the transmission of mass unsolicited,
commercial advertising or solicitations via direct mail, electronic
mail, or by telephone. The compilation, repackaging, dissemination or
other use of this data is expressly prohibited without prior written
consent from us. The registrar of record is eNom. We reserve the right
to modify these terms at any time. By submitting this query, you agree
to abide by these terms.
Version 6.3 4/3/2002
Paul Shupak
track(a)plectere.com
>...
>> All DNS provided by:
>>
>> nserver: ns1.dnsm.net 218.7.120.70
>> nserver: ns2.dnsm.net 218.7.120.70
>>
>> And all domains registered to:
>>
>> owner: Roelf Van der Brug
>> email: admin(a)taiwanmedialtd.com
>> address: Singel 2
>> address: Jordaan
>> city: Amsterdam
>> state: --
>> postal-code: 1015JT
>> country: NL
>> phone: +31 84 220 2586
>
>We have seen fake registrations before, and this also fits there.
>Amsterdam is 020, not 084. The PO code fits Amsterdam however.
>
>domain: taiwanmedialtd.com
>status: lock
>owner: Mohammad Khan
>email: admin(a)taiwanmedialtd.com
>address: Kizilelma Caddesi No
>address: Findikzade
>city: Istanbul
>
>Funny, we have seen that also before.
>
>Bye,
>Raymond.
>
The postal code would be correct, if it was on land, but for the
docks (and this is a boat slip), the proper postal code is 1013JT.
Also, there are two variants of the Istanbul address, one has just
"No" at the end, the other is "No. 62" - It is actually a rug shop in the
bazaar. The "really" old registrations used taiwantelco. com as the email
domain and dnst. net for name service. (I have found over a hundred, before
I started using other people's data - from Joe Wein's, Bill Stearns' and a
few other people's collected and published lists I've found a few hundred
more.) My favorites are still the ones which use the address from the
Beverly Hills 90210 TV show (mostly a couple of months ago).
The most recent Turkish address, Pakistani telephone number, and email
they are using is (Note: there is a bazaar at Oguzhan Caddesi No. 1 that fills
the entire block - this address does not exist, but the telephone is a valid
mobile phone registered in Pakistan and the email is functional):
Gulhan Ozgur
Oguzhan Caddesi No:2 Kat: 2
Denizli
TR-20100
TR
+9.2582411726
magicgoodman(a)yahoo.com
Paul Shupak
track(a)plectere.com
>-----Original Message-----
>From: Steven Champeon [mailto:schampeo@hesketh.com]
>Sent: Monday, May 16, 2005 11:32 AM
>To: discuss(a)lists.surbl.org
>Subject: [SURBL-Discuss] yet another joe job
>
>
>
>Please list the following domains:
>
>dnbfbsqs.com SPAMMER
>ghtnsecn.com SPAMMER
>rumbumbale.com SPAMMER
>tnashbsv.com SPAMMER
>turuntale.com SPAMMER
All but one were already in uribl.com. I added the other ;)
Keep up the good fight Steven!
--Chris
Excellent thank you. I wasn't sure if the actual sites they were linking
were involved.
/E.
-----Original Message-----
From: discuss-bounces(a)lists.surbl.org
[mailto:discuss-bounces@lists.surbl.org] On Behalf Of Raymond Dijkxhoorn
Sent: Monday, May 16, 2005 11:25 AM
To: SURBL Discussion list
Subject: RE: [SURBL-Discuss] German spam crap
Hi!
> So I saw the rule, but will any of the links in most of the messages be
> added to SURBL? It's my understanding this is virus related coming
> sometimes from internal hosts infected with a new class of virus that will
> turn the infected PC into a spam host. We do filter internal mail for spam
> also so I thought I would check if the links in these messages will
> eventually make it to SURBL.
No, since the sites themselves didn't do the spam runs, but were just abused
also. And no, that's not SURBL material...
>> http://mailscanner.prolocation.net/german.cf
>>
>> Ruleset to stop the Sober crap that's been going around like crazy
>> currently. The political spams written in German language...
>>
>> Hopefully it will help some people to stop this crap.
So get the ruleset if you wanna filter those.
Bye,
Raymond.
Hi!
It's mentioned on the SA list also, but since we got some questions about
it from other people who didn't read it there:
http://mailscanner.prolocation.net/german.cf
Ruleset to stop the Sober crap that's been going around like crazy
currently. The political spams written in German language...
Hopefully it will help some people to stop this crap.
Bye,
Raymond.
>>
>>
>> >-----Original Message-----
>> >From: Steven Champeon [mailto:schampeo@hesketh.com]
>> >Sent: Monday, May 16, 2005 11:32 AM
>> >To: discuss(a)lists.surbl.org
>> >Subject: [SURBL-Discuss] yet another joe job
>> >
>> >
>> >
>> >Please list the following domains:
>> >
>> >dnbfbsqs.com SPAMMER
>> >ghtnsecn.com SPAMMER
>> >rumbumbale.com SPAMMER
>> >tnashbsv.com SPAMMER
>> >turuntale.com SPAMMER
>>
>> All but one were already in uribl.com. I added the other ;)
>>
>> Keep up the good fight Steven!
>
>Can't really help not ;)
>
>More domains just came in today:
>
>
>Looks like a completely different spammer. :(
>
>All DNS provided by:
>
>nserver: ns1.dnsm.net 218.7.120.70
>nserver: ns2.dnsm.net 218.7.120.70
>
>And all domains registered to:
>
>owner: Roelf Van der Brug
>email: admin(a)taiwanmedialtd.com
>address: Singel 2
>address: Jordaan
>city: Amsterdam
>state: --
>postal-code: 1015JT
>country: NL
>phone: +31 84 220 2586
>admin-c: admin(a)taiwanmedialtd.com#0
>tech-c: admin(a)taiwanmedialtd.com#0
>billing-c: admin(a)taiwanmedialtd.com#0
>nserver: ns1.dnsm.net 218.7.120.70
>nserver: ns2.dnsm.net 218.7.120.70
>created: 2005-04-21 14:11:39 UTC
>modified: 2005-05-09 10:20:38 UTC
>expires: 2006-04-21 10:11:39 UTC
>
>--
>hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2554 w: http://hesketh.com
>join us! http://hesketh.com/about/careers/account_manager.html join us!
>
All taiwantelco/taiwanmedialtd - also uses addresses in Turkey and
telephone numbers in Pakistan. Look at the domain dnst. net for some
historic data. Many new domains are registered on a "Bay Drive" in
Beverly Hills - zipcodes 90210 and 90211 (no such street exists, except
on the TV show, it did) and some in New York and a few other places.
There is some relationship, maybe shared customers. Some of their
sites are hosted on the same machines as the multitrade group machines (see
the spamhaus records on both).
BTW. The 2 Singel address is a boat slip with no tenant (also the proper
postal code for the boat docks is 1013, not 1015). They just switched
registrars after Joker marked almost all of their domains as "invalid address".
See 900mg. com, aekb. com, b7x. com, cpko. com, dgko. com, and about a hundred
more.
Paul Shupak
track(a)plectere.com
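
The pivot used throughout this thread, linking domains through a shared registrant e-mail or name-server address, shown as an added example that is not part of any poster's message. The domains and the 192.0.2.x / 198.51.100.x addresses are constructed placeholders, and `parse_records` and `cluster` are hypothetical helper names.

```python
import re

# Constructed sample in the thread's "key: value" layout. The shared e-mail and
# the dnsm.net name server are the values quoted above; the rest is made up.
SAMPLE = """\
>domain: alpha.example
>email: admin(a)taiwanmedialtd.com
>nserver: ns1.dnsm.net 218.7.120.70
domain: bravo.example
email: admin(a)taiwanmedialtd.com
nserver: ns1.bravo.example 192.0.2.10
domain: charlie.example
email: hostmaster(a)charlie.example
nserver: ns9.charlie.example 192.0.2.10
domain: delta.example
email: hostmaster(a)delta.example
nserver: ns1.delta.example 198.51.100.5
"""

def parse_records(text):
    """Return {domain: {(key, value), ...}} for the e-mail and nserver pivots."""
    records, current = {}, None
    for raw in text.splitlines():
        m = re.match(r"([\w-]+):\s*(\S.*)", raw.lstrip("> \t"))  # drop quote marks
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip().lower()
        if key == "domain":
            current = records.setdefault(value, set())
        elif current is not None and key == "email":
            current.add((key, value.replace("(a)", "@")))  # undo list obfuscation
        elif current is not None and key == "nserver":
            current.add((key, value.split()[-1]))  # IP if given, else host name
    return records

def cluster(records):
    """Link domains that share any pivot, transitively; keep groups of 2+."""
    parent = {d: d for d in records}
    def find(d):
        while parent[d] != d:
            d = parent[d]
        return d
    first_seen = {}
    for domain, pivots in records.items():
        for p in pivots:
            parent[find(domain)] = find(first_seen.setdefault(p, domain))
    groups = {}
    for d in records:
        groups.setdefault(find(d), []).append(d)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)
```

Here `charlie.example` shares no e-mail with `alpha.example` but lands in the same group through `bravo.example`, which is why the linking is done transitively rather than per field.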