OK, you asked for it ;)
Some of this info will give you a 'feel' for how the hosts operate.
Theo got us a list of 112 new false positives from across all SURBLs. He showed me the source messages which are almost all subscribed newsletters and mailing list messages, so they seem quite hammy.
Given the type of source messages and some spot checking, I'm inclined to whitelist them all, but I'd like to ask for some help checking them first. Can anyone help check these?
123inkjets.com
Oh, these guys are on my personal poop list!
http://groups.google.com/groups?q=123inkjets.com+abuse&hl=en&lr=&... =G&scoring=d
Domain List matching cluster of russ-effrig
1and1.com
http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&scoring=d&... se&btnG=Search
Domain List matching contacts_email of hostmaster@1and1.com
Gotomypc.com sells a remote access product.
Yale.edu is the domain for Yale University.
http://spews.org/html/S2611.html
Domain List matching spews of S2611
I would love a copy of all the reported FPs. Perhaps they should be moved to the IC list?
--Chris
On Tuesday, September 7, 2004, 8:50:50 AM, Chris Santerre wrote:
OK, you asked for it ;)
Some of this info will give you a 'feel' for how the hosts operate.
Theo got us a list of 112 new false positives from across all SURBLs. He showed me the source messages which are almost all subscribed newsletters and mailing list messages, so they seem quite hammy.
Given the type of source messages and some spot checking, I'm inclined to whitelist them all, but I'd like to ask for some help checking them first. Can anyone help check these?
123inkjets.com
Oh, these guys are on my personal poop list!
http://groups.google.com/groups?q=123inkjets.com+abuse&hl=en&lr=&... =G&scoring=d
Domain List matching cluster of russ-effrig
* 1: 007inkjets.com * 2: 00inkjets.com * 3: 111inkjets.com * 4: 123cartridges.com * 5: 123inkjets.com
[...]
That's interesting, but I think it misses the point:
A. The question is not what domains has anyone ever seen in a spam.
B. The question is what domains has anyone ever seen in a ham.
If domains get mentioned in legitimate messages, we don't want to block them, right? That's the definition of a false positive. (That of course is assuming that people are smart enough to not process spam meta-discussion with anti-spam tools.)
A. In other words, we're not trying to catch every domain that's ever been mentioned in a spam.
B. We're trying to catch domains that are ***only*** mentioned in spams.
Anything else potentially causes false positives.
As I mentioned earlier this is a different paradigm than many people are used to. It may require some shifting of attitudes when dealing with these. I hope people are able to do that.
Jeff C.
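An added illustration of the paradigm Jeff describes (my own example code, not anything from this list or from SURBL's tooling): count in how many ham and spam messages each URI domain appears, list only the domains never seen in ham, and flag already-listed domains that do show up in ham as whitelist candidates. The message corpus is constructed, and the two-level TLD table is a tiny stand-in for the real one.

```python
import re
from collections import Counter

# Constructed sample corpus, labelled the way a human reviewer would.
SPAM = [
    "Cheap ink! http://www.123inkjets.com/sale and http://proinkjets.com/promo",
    "Order today at http://proinkjets.com/buy?id=7 or http://pills.example/x",
    "Last chance: http://pills.example/refill",
]
HAM = [
    "This week's newsletter: cartridge review at http://www.123inkjets.com/reviews",
    "Library hours at http://www.yale.edu/library and hosting at https://1and1.com/",
]

URL_RE = re.compile(r"https?://([^\s/?#]+)", re.IGNORECASE)
# TLDs under which the registered domain is three labels deep (constructed subset).
TWO_LEVEL_TLDS = {"co.uk", "com.au", "ca.us"}


def registered_domain(host):
    """Reduce a host name to the domain the registrant actually controls."""
    host = host.lower().split(":")[0].rstrip(".")
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_TLDS:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def extract_domains(text):
    return {registered_domain(h) for h in URL_RE.findall(text)}


def domain_message_counts(messages):
    """Number of messages (not occurrences) each domain appears in."""
    counts = Counter()
    for body in messages:
        counts.update(extract_domains(body))
    return counts


def spam_only_domains(spam_counts, ham_counts):
    """Candidates for listing: seen in spam and never in ham."""
    return {d for d in spam_counts if ham_counts[d] == 0}


def false_positive_candidates(listed, ham_counts):
    """Listed domains that appear in ham, i.e. whitelist candidates."""
    return {d for d in listed if ham_counts[d] > 0}
```

Running it with the constructed corpus keeps proinkjets.com and pills.example, while 123inkjets.com drops out because a subscribed newsletter mentions it, exactly the situation in Theo's false-positive list.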
Chris Santerre wrote:
Domain List matching contacts_email of hostmaster@1and1.com
* 1: 1-asian-sex.com * 2: 1and1.com
...
* 48: uptimesoftware.com * 49: wonderfulldeals.com
I think you're missing the point, Chris. The domain 1and1.com is unlikely to be listed in spam, let alone *only* listed in spam. Furthermore, of the domains you list I had a hard time finding one that was both active and SURBL-listed.
Schlund+Partner AG (the company behind the domain) is one of the largest web hosters in Germany and incidentally hosts my site too.
Given the size of their business they may well host some spammy sites from time to time (along with some 40,000 non-spam sites in their German data centre alone), but they are not a blackhat. Their abuse department is one of the more responsive in the business. When they get evidence more than once, they do take action.
A definite whitelist case.
Joe
On Tuesday, September 7, 2004, 5:40:47 PM, Joe Wein wrote:
Chris Santerre wrote:
Domain List matching contacts_email of hostmaster@1and1.com
* 1: 1-asian-sex.com * 2: 1and1.com
...
* 48: uptimesoftware.com * 49: wonderfulldeals.com
I think you're missing the point, Chris. The domain 1and1.com is unlikely to be listed in spam, let alone *only* listed in spam. Furthermore, of the domains you list I had a hard time finding one that was both active and SURBL-listed.
I hope Chris was showing us some other domains with similar registration information. That said, *registrar* information isn't too useful except in the case of mostly blackhat registrars.
Schlund+Partner AG (the company behind the domain) is one of the largest web hosters in Germany and incidentally hosts my site too.
Given the size of their business they may well host some spammy sites from time to time (along with some 40,000 non-spam sites in their German data centre alone), but they are not a blackhat. Their abuse department is one of the more responsive in the business. When they get evidence more than once, they do take action.
A definite whitelist case.
Schlund+Partner AG is probably not a blackhat registrar then, so listing all of their domains probably isn't too useful, even the spammy ones. If this is a large hosting provider with many legitimate customers, then we can't assume that any domain they host is spammy. Otherwise we would need to assume Joe's domain is spammy.... On the other hand Joe's domain probably doesn't appear in spams too often (unless it gets joe jobbed, no pun intended), so we probably would not even see his registration information very often.
Far more useful is the registrant information, i.e. who is registering them, though of course that can be and often is forged by the bad guys. On the other hand as people who track spam domain registration data know, there are many repeated or similar fake registrant names, addresses, etc. in the registrant data. Those probably are useful to note since they can be used to more quickly identify new domains as likely spammy. For example see the "Aruba" domains or the "Eugene Oregon USA" domains. When I see one of those familiar (fake?) addresses in a registration, I can be pretty sure they belong to the same old (lazy) spammer. Other spammers randomize their registrations.
A useful thing about listing domains and not IP addresses (or name servers or registrars) is that we can list just the specific bad guy domains and not the registrar, IP blocks, nameservers, etc. It's an approach that focusses more directly on the actual abuse. It also means that if they change ISPs, registrars, servers, etc. we still have their domains listed. :-)
Jeff C.
On Tuesday, September 7, 2004, 6:16:36 PM, Jeff Chan wrote:
On Tuesday, September 7, 2004, 5:40:47 PM, Joe Wein wrote:
Chris Santerre wrote:
Domain List matching contacts_email of hostmaster@1and1.com
* 1: 1-asian-sex.com * 2: 1and1.com
...
* 48: uptimesoftware.com * 49: wonderfulldeals.com
I think you're missing the point, Chris. The domain 1and1.com is unlikely to be listed in spam, let alone *only* listed in spam. Furthermore, of the domains you list I had a hard time finding one that was both active and SURBL-listed.
I hope Chris was showing us some other domains with similar registration information. That said, *registrar* information isn't too useful except in the case of mostly blackhat registrars.
I should add, this kind of data is only useful in proving a blackhat registrar if we also know how many other domains they have registered.
If a registrar has 100 spam domains but 100,000 legitimate ones they're probably not a blackhat registrar. If another registrar has 100 spam domains but 20 legitimate ones, they're likely a blackhat. Domains belonging to the second registrar could be "scored" as more likely spammy by some yet to be written (or revealed) software. However that only works if you can see the other 100,000 and the 20, which normally you can't.
In other words not enough information may be visible to draw reliable conclusions about the badness of a given registrar. On the other hand some general information about the number of domains some large registrar holds is available at registration statistics sites like:
http://www.whois.sc/internet-statistics/registrar-stats-2003.html
Jeff C.
Jeff Chan wrote:
I should add, this kind of data is only useful in proving a blackhat registrar if we also know how many other domains they have registered.
...
On the other hand some general information about the number of domains some large registrar holds is available at registration statistics sites like:
http://www.whois.sc/internet-statistics/registrar-stats-2003.html
According to that stat Schlund.de (1and1.com) is #8 worldwide with over a million live domains and almost a quarter of a million registered last year.
Joe