Can I get some research help in deciding which of the following FPs to whitelist?
Date: Sat, 21 Aug 2004 10:06:57 -0400
From: John Lundin lundin@cavtel.net
To: SURBL Discussion list discuss@lists.surbl.org
Subject: [SURBL-Discuss] more possible FPs (2 OB, 4 WS and 2 DS)
Eight possible FPs. These were taken from items reported as non-spam. The "nanas" number is raw matches on the domain from google groups. Use your own judgement...
OB: www.mercenariesthegameMUNGED.com (nanas 0) mentioned in a lucasarts review
OB: www.jmiequityMUNGED.com (nanas 0) mentioned in a Dow Jones newsletter. The original wasn't caught by OB, but it shows up now.
WS: Wireless.VentureReporterMUNGED.net (nanas 9) A stock newsletter. I checked back: it really had been subscribed to.
WS: nmailerMUNGED.com (nanas 36) Design center newsletter. http://ellington.nmailerMUNGED.com/mailman/listinfo/dtgnews
WS: www.imakenewsMUNGED.com (nanas 42) organization newsletter. http://www.imakenewsMUNGED.com/cabf/ (+ cleaned user tracking) imakenews makes me nervous... intrusive html.
WS: ntcrMUNGED.us (nanas 43, some similar) Jupitermedia Web Events. (origin of mailing list -- appearance in unsubscribe disclaimer) (Site won't display for me, insufficiently motivated to find out why it said "Your Web browser must have cookies enabled" regardless.)
(DS hits ignored)
Date: Saturday, August 21, 2004, 12:37:45 PM
Subject: fps
bridgetrack.com (used by nytimes.com)
elabs.com (EASTERN LABORATORIES INC.)
mfcreative.com (ancestry.com/myfamily.com/rootsweb.com, Genealogy ad)
secureserver.net (in message containing godaddy.com)
dnews.com (Moscow-Pullman Daily News)
spinpalace.com (appeared in xe.com currency update mailing list)
Jeff C.
On Sunday, August 22, 2004, 10:18:03 PM, Jeff Chan wrote:
Can I get some research help in deciding which of the following FPs to whitelist?
OK I did some of my own research and whitelisted most of these:
Date: Sat, 21 Aug 2004 10:06:57 -0400
From: John Lundin lundin@cavtel.net
To: SURBL Discussion list discuss@lists.surbl.org
Subject: [SURBL-Discuss] more possible FPs (2 OB, 4 WS and 2 DS)
Eight possible FPs. These were taken from items reported as non-spam. The "nanas" number is raw matches on the domain from google groups. Use your own judgement...
OB: www.mercenariesthegameMUNGED.com (nanas 0) mentioned in a lucasarts review
Apparently a LucasArts game. Lucas are probably not spammers. Whitelisting:
thx.com lucasfilm.com lucasarts.com mercenariesthegame.com
OB: www.jmiequityMUNGED.com (nanas 0) mentioned in a Dow Jones newsletter. The original wasn't caught by OB, but it shows up now.
A stock fund of an investment company whose original domain was registered in 1995. Probably not spammers. Whitelisting:
jmi-inc.com jmiequity.com
WS: Wireless.VentureReporterMUNGED.net (nanas 9) A stock newsletter. I checked back: it really had been subscribed to.
Belongs to Dow Jones. Unlikely to be spammers. Whitelisting:
dowjones.com siliconalleydaily.com venturereporter.net
WS: nmailerMUNGED.com (nanas 36) Design center newsletter. http://ellington.nmailerMUNGED.com/mailman/listinfo/dtgnews
Belongs to graphics design folks with a 1995 domain registration. Whitelisting:
graphic-design.com graphic-design.net nmailer.com
WS: www.imakenewsMUNGED.com (nanas 42) organization newsletter. http://www.imakenewsMUNGED.com/cabf/ (+ cleaned user tracking) imakenews makes me nervous... intrusive html.
Whitelisting; 1999 registration:
imakenews.com
WS: ntcrMUNGED.us (nanas 43, some similar) Jupitermedia Web Events. (origin of mailing list -- appearance in unsubscribe disclaimer) (Site won't display for me, insufficiently motivated to find out why it said "Your Web browser must have cookies enabled" regardless.)
Belongs to netcreations.com. Are they a spamhaus?
DS: surveyhelp.harrispollonlineMUNGED.com (nanas 19) http://www.harrispollonlineMUNGED.com/sweeps.asp (sigh) yes, they subscribed to it.
Legitimate pollsters. Whitelisting:
harrisinteractive.com harrispollonline.com
DS: www.winxpnewsMUNGED.com (nanas 42) http://www.winxpnewsMUNGED.com/issues.cfm Single reference in a tech newsletter...
Looks like a legitimate tech newsletter. Whitelisting:
winxpnews.com
The next domains were in WS:
Date: Saturday, August 21, 2004, 12:37:45 PM
Subject: fps
bridgetrack.com (used by nytimes.com)
Looks like a legitimate web tracking operation. Whitelisting:
planninggroup.com bridgetrack.com
Some of their tracking image URIs may have appeared in spams but it's probably from citi phishers copying them from real messages.
Comments?
elabs.com (EASTERN LABORATORIES INC.)
1995 registration, whitelisting:
elabs.com
mfcreative.com (ancestry.com/myfamily.com/rootsweb.com, Genealogy ad)
Looks legit. Whitelisting:
myfamily.net myfamilyinc.com mfcreative.com
secureserver.net (in message containing godaddy.com)
Used by legitimate registrars like dotster and godaddy. Whitelisting:
secureserver.net securepaynet.net
dnews.com (Moscow-Pullman Daily News)
Small local newspaper in Idaho. Probably not a major spammer. Whitelisting:
dnews.com
spinpalace.com (appeared in xe.com currency update mailing list)
Online casino. Appears in marginally spammy places. Does anyone have any info about them?
It would be nice to distribute some of the work of checking FPs in future.
WS and OB folks may want to remove some of these ones from their respective lists, and/or share their research with us.
Jeff C.
On Mon, 23 Aug 2004, Jeff Chan wrote:
spinpalace.com (appeared in xe.com currency update mailing list)
Online casino. Appears in marginally spammy places. Does anyone have any info about them?
I've got some archived spam that claims to be from "betonodds.com" sent via a compromised PC in Germany that's a full ad for spinpalace.com (sent in May of this year) if anybody is interested in seeing their spam.
Although it does contain the disclaimer:
</font><font color="#FFFFFF">You are receiving this e-mail as you either opted to receive our newsletter, or you entered one of our competitions. Please note that this e-mail has not been sent by our sponsor, casino or partner that is being listed in this e-mail. Should you wish to be removed from our list, please </font></font><font color="#FFFFFF"> <a href="mailto:listcontrol@pcpostal.com?subject=No thanks."><u> <font face="Arial" size="1" color="#FFFFFF">click here
So maybe somebody else is spamming in their behalf. ;)
On Monday, August 23, 2004, 3:42:33 PM, David Funk wrote:
On Mon, 23 Aug 2004, Jeff Chan wrote:
spinpalace.com (appeared in xe.com currency update mailing list)
Online casino. Appears in marginally spammy places. Does anyone have any info about them?
I've got some archived spam that claims to be from "betonodds.com" sent via a compromised PC in Germany that's a full ad for spinpalace.com (sent in May of this year) if anybody is interested in seeing their spam.
Using zombies is the mark of a spammer, but...
Although it does contain the disclaimer:
</font><font color="#FFFFFF">You are receiving this e-mail as you either opted to receive our newsletter, or you entered one of our competitions. Please note that this e-mail has not been sent by our sponsor, casino or partner that is being listed in this e-mail. Should you wish to be removed from our list, please </font></font><font color="#FFFFFF"> <a href="mailto:listcontrol@pcpostal.com?subject=No thanks."><u> <font face="Arial" size="1" color="#FFFFFF">click here
So maybe somebody else is spamming in their behalf. ;)
It could also be someone trying to drive traffic to their personal casino. The parent casino could be relatively innocent.
It's these quasi-spammers who are the most difficult to categorize.
Jeff C.