On Sat, Sep 18, 2004 at 07:45:45AM +0900, Joe Wein wrote:
I have a customer who keeps tripping catholicexchangeMUNGED.com
Can we get this removed from WS SURBL?
Registered in 2000. The only spams I've seen this in were 419s, which generally use other people's domains, or (rarely) very recently registered domains.
Folks, please do not list domains mentioned in 419s or used as 419 sender domains, unless they are freshly registered (usually ns=yahoo, whois=melbourneit.com, but have seen others).
I agree this shouldn't have been listed in SURBL, but their mail server is either an open relay or they have someone on the inside who's a 419 or lotto scammer, or they run an insecure webmail service (probably the latter):
Return-Path: universal_lottos@catholicexchange.com
Received: from catholicexchange.com (mail.catholicexchange.com [64.66.6.208])
    by serrano.hesketh.net (8.12.11/8.12.8/NO-UCE-NO-UBE-NO-spam) with ESMTP id i54EpauW029407
    for info@salander.com; Fri, 4 Jun 2004 10:51:37 -0400
Received: from catholicexchange.com ([64.66.6.208])
    by catholicexchange.com ; Fri, 04 Jun 2004 06:50:01 -0700
From: universal_lottos@catholicexchange.com
Sender: universal_lottos@catholicexchange.com
Reply-to: universal_lottos@catholicexchange.com
To: universalstakeslottos@yahoo.co.in
Date: Fri, 4 Jun 2004 06:50:01 -0700
Subject: CONGRATULATIONS (WINNING NOTICE)
X-Mailer: CWMail Web to Mail Gateway 2.8c, http://netwinsite.com/top_mail.htm
Message-id: 40c07e09.740.0@catholicexchange.com
X-User-Info: 212.100.67.163
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Status: RO
Content-Length: 2490
Lines: 56
212.100.67.163 is a Nigerian IP, but frankly, their mail server sucks if it can't put proper Received: headers in, showing where the email came from - and they shouldn't be accepting mail from Nigeria, anyway, given the current state of the 419/lotto scams...
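The header gap described above can be checked mechanically. The following is an added example, not part of the original message or of any SURBL tooling: it reports client addresses that appear only in a webmail gateway header and in no Received: line. The sample is a trimmed, constructed copy of the quoted headers, and the `analyze` function and the `X-Originating-IP` entry are assumptions of this sketch.

```python
import re
from email import message_from_string

# Constructed sample: a trimmed copy of the headers quoted in the message above.
SAMPLE = """\
Return-Path: universal_lottos@catholicexchange.com
Received: from catholicexchange.com (mail.catholicexchange.com [64.66.6.208])
\tby serrano.hesketh.net with ESMTP id i54EpauW029407
\tfor info@salander.com; Fri, 4 Jun 2004 10:51:37 -0400
Received: from catholicexchange.com ([64.66.6.208])
\tby catholicexchange.com ; Fri, 04 Jun 2004 06:50:01 -0700
From: universal_lottos@catholicexchange.com
X-Mailer: CWMail Web to Mail Gateway 2.8c, http://netwinsite.com/top_mail.htm
X-User-Info: 212.100.67.163
Subject: CONGRATULATIONS (WINNING NOTICE)

body
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Assumption: non-standard headers in which a web-to-mail gateway may record
# the browser's address. Only X-User-Info appears in the quoted message.
CLIENT_HEADERS = ("X-User-Info", "X-Originating-IP")

def analyze(raw):
    """Compare addresses in Received: hops with gateway-reported client addresses."""
    msg = message_from_string(raw)
    received_ips = []
    for hop in msg.get_all("Received", []):
        received_ips.extend(IPV4.findall(hop))
    client_ips = []
    for name in CLIENT_HEADERS:
        for value in msg.get_all(name, []):
            client_ips.extend(IPV4.findall(value))
    # Client addresses that no Received: line accounts for.
    hidden = [ip for ip in client_ips if ip not in received_ips]
    return {
        "received_ips": sorted(set(received_ips)),
        "client_ips": client_ips,
        "client_missing_from_received": bool(hidden),
        "hidden_client_ips": hidden,
    }

if __name__ == "__main__":
    for key, value in analyze(SAMPLE).items():
        print(f"{key}: {value}")
```
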