These are the latest versions of Leo Kuvayev's pill spam which does still come from many XX.geocities domains (recent ones from de and sg). An interesting twist to the newest stuff - the spam domains are at bookmyname and Namebay, but the name servers are at RGNames and YesNIC; Of particular interest is the ones at YesNIC have no name servers, just hosts in the root cache (e.g. filiaprom dot com, uses stomauset dot com and areshooti dot com), and YesNIC's standard procedure for "suspending" a domain is to remove its name servers - so this technique allows the domains to continue to be used long after they have been suspended (look up the various Spamhaus listings for the CP name server set in the domain serverbackup64 dot com - which was "suspended" Sept. 29, but is still getting new SBL listing mentions - e.g. SBL34264). A similar trick is used for the RGNames domains, where he buys a domain package including DNS from them, but never allows the RGNames' servers (i.e. pf[12].rgpack.com) to receive or serve and data for the domains. The most common case seems to be the spamvertised domain at bookmyname or Namebay with two name servers, one each at RGNames and YesNIC, with identical contact data, except for different email addresses (i.e. same name for the registrant and contacts, partial address at YesNIC and full address at RGNames).
The actual spam is the identical vertical pill stuff (not currently using HTML tables) and the various ED drug spams.
So, Jeff, can the tripod.com domain just be treated as if it were a two-level TLD for SURBL? Another pair are ianampolkcho tripod.com and armonmafinneywilco tripod.com (Yes, they have been reported).
BTW. He's also using the CNET redirector again (clearly CNET's policy of blacklisting instead of whitelisting doesn't work).
Paul Shupak track@plectere.com
On Tuesday, November 8, 2005, 5:12:52 AM, List User wrote:
So, Jeff, can the tripod.com domain just be treated as if it
were a two-level TLD for SURBL? Another pair are ianampolkcho tripod.com and armonmafinneywilco tripod.com (Yes, they have been reported).
For those keeping score, the systems are not currently set up to work that way, both on the data side and probably also on the application side. I'm not sure how smart we are to let the spammers know this. :-(
BTW. He's also using the CNET redirector again (clearly CNET's
policy of blacklisting instead of whitelisting doesn't work).
Perhaps you mean whitelisting instead of blacklisting?
Jeff C. -- Don't harm innocent bystanders.