... On Tuesday, November 8, 2005, 10:08:46 PM, List User wrote:
A quick extract of the HTML pages shows that the 179 tripod pages seem to only redirect to a total of 8 sites currently - those should get blacklisted. The current set is (not the same as the ones I saw earlier):
Site                                  Registrar   Contact email
http://www.aneigpie.com-MUNG     -    NameBay     caturedin@yahoo.com
http://www.arecurel.com-MUNG     -    NameBay     livoutsid@yahoo.com
http://www.baniclu.com-MUNG      -    NameBay     caturedin@yahoo.com
http://www.cherdon.info-MUNG     -    Directi     tospecie@yahoo.com
http://www.cherit.info-MUNG      -    Directi     tospecie@yahoo.com
http://www.chersky.info-MUNG     -    Directi     tospecie@yahoo.com
http://www.offmantate.com-MUNG   -    YesNIC      greatestemal@yahoo.com
http://www.onlialowus.com-MUNG   -    YesNIC      greatestemal@yahoo.com
All currently have a 5 minute TTL and are at IP 211.233.16.84, which is listed at Spamhaus under SBL31414, a general dirty block at KIDC, though the example domains in the SBL include Kurayev's name servers registered by the ex-Joker (now Nicline) ROKSO domain reseller "Alex Blood"/"Ryan Kelly".
Hi Paul,
Thanks, I've blacklisted those, but TBH it may not help too much since they don't seem to be appearing in spams themselves.
Keep on getting those domains shut down. :-)
Jeff C.
Don't harm innocent bystanders.
Discuss mailing list Discuss@lists.surbl.org http://lists.surbl.org/mailman/listinfo/discuss
I didn't even notice, but the tripod subdomains got their own SBL yesterday - SBL34478 for dafhicksha.tripod.com-MUNG redirecting to arecurel.com-MUNG, but at a different IP, 222.122.72.120 (at KORNET instead of KIDC - same country, different spam haven). Chances are that the IPs 211.233.16.107 and 221.143.42.212 were either earlier sites, or soon to be used sites (there are 4 'A' records for each of the name servers - with 5 minute TTLs it is hard to tell which direction things are moving, to or from, without staying on top of them and checking).
Similar SBLs include SBL34456/SBL34454 for 211.233.16.78 and 211.233.16.107 respectively - though those show the domain conumese.com of SBL34454, which was spam'd directly (i.e. not tripod'd) and a batch of other directly spam'd domains at the same IP 211.233.16.107. There, at least the domain doubelev.com-MUNG was using ASCII and multi-character HTML table formatted spam:
--------------------------------------------------------------------------------
[headers - snipped]
Content-Transfer-Encoding: quoted-printable

Ho overpayi or your Meddi isit our Pharm ress Sho wdy, Quit ng f cations - v aExp p. AmCIXaVALeVI bienALISnaxLIUMvitraAGRA 3.70 1.20 3.30 Want to know more? - http://hardselleex.doubelev.com-MUNG

------=_NextPart_000_004A_01C5E293.A074B480
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
[HTML - snipped]
--------------------------------------------------------------------------------
So there are many parallel drug spams hosted and advertising the same site(s) at once (my copy of the spam is from Sunday early morning). The one above is using the more common three-registrar system: spam domain at Namebay, name server rosettarkin.com-MUNG at RGNames and nearly identical name server indivualre.com-MUNG at YesNIC (the name servers use the same contact data, except the email, at both registrars).
Paul Shupak track@plectere.com