Here is a list of URLs that I compiled from spams. I queried sc.surbl.org using them but didn't find them listed. Some of the domains are the randomly generated ones and might have become invalid as of now. However, some of them are still working. I didn't know where to report this list to, so I am posting it to this list and Jeff.
Rakesh wrote:
Here is a list of URLs that I compiled from spams. I queried sc.surbl.org using them but didn't find them listed. Some of the domains are the randomly generated ones and might have become invalid as of now. However, some of them are still working. I didn't know where to report this list to, so I am posting it to this list and Jeff.
Rakesh,
Are you using http://www.rulesemporium.com/cgi-bin/uribl.cgi for your queries?
Although some of these URIs may not be in sc.surbl.org, some (haven't checked them all) seem to be listed in other surbl zones.
h2h
Alex
Alex Broens wrote:
Rakesh wrote:
Here is a list of URLs that I compiled from spams. I queried sc.surbl.org using them but didn't find them listed. Some of the domains are the randomly generated ones and might have become invalid as of now. However, some of them are still working. I didn't know where to report this list to, so I am posting it to this list and Jeff.
Rakesh,
Are you using http://www.rulesemporium.com/cgi-bin/uribl.cgi for your queries?
Although some of these URIs may not be in sc.surbl.org, some (haven't checked them all) seem to be listed in other surbl zones.
h2h
Alex
No, sorry, I didn't use that. I'll use it from next time before I report. Many thanks
On Thursday, March 10, 2005, 3:30:42 AM, Rakesh Rakesh wrote:
No, sorry, I didn't use that. I'll use it from next time before I report.
Or, if it's more convenient, do a name resolution against multi.surbl.org instead of sc.surbl.org. If you're just trying to see if a record is listed, an A record result will indicate that (regardless of the specific numeric answer), and NXDOMAIN will indicate that it's not listed.
The multi results can be decoded further according to:
http://www.surbl.org/lists.html#multi
Cheers,
Jeff C. -- "If it appears in hams, then don't list it."
Jeff Chan wrote:
On Thursday, March 10, 2005, 3:30:42 AM, Rakesh Rakesh wrote:
No, sorry, I didn't use that. I'll use it from next time before I report.
Or, if it's more convenient, do a name resolution against multi.surbl.org instead of sc.surbl.org. If you're just trying to see if a record is listed, an A record result will indicate that (regardless of the specific numeric answer), and NXDOMAIN will indicate that it's not listed.
The multi results can be decoded further according to:
http://www.surbl.org/lists.html#multi
Cheers,
Jeff C.
This sounds better and a simple shell script will make the job easier. I'll do this :-). Thanks for the pointer.
On Thursday, March 10, 2005, 4:38:58 AM, Rakesh Rakesh wrote:
Jeff Chan wrote:
If you're just trying to see if a record is listed, an A record result will indicate that (regardless of the specific numeric answer), and NXDOMAIN will indicate that it's not listed.
This sounds better and a simple shell script will make the job easier. I'll do this :-). Thanks for the pointer.
BTW, if you come up with a list of truly spammy domains that are not listed, we may be able to take those in and use them. But we'd need to be sure that they're 100% spam most of the time (i.e. never appearing in legitimate messages by ordinary users).
Jeff C. -- "If it appears in hams, then don't list it."
Jeff Chan wrote:
BTW, if you come up with a list of truly spammy domains that are not listed, we may be able to take those in and use them. But we'd need to be sure that they're 100% spam most of the time (i.e. never appearing in legitimate messages by ordinary users).
Jeff C.
OK, here is a list of 447 domains that I have compiled from the 1500 mails that hit my spamtrap id, were detected as spam and confirmed by humans to be spam. Actually I had got 587 domains and tried to resolve them against multi.surbl.org, and these 447 were not listed. I wrote a simple shell script to "dig domain.multi.surbl.org" and trapped only those that gave NX domain. I ran this script on 10 March 2005 at 7:30 IST (that's +530 GMT), so I don't know whether the list has been updated after that.
Please do the needful with them.
On Thursday, March 10, 2005, 9:47:23 PM, Rakesh Rakesh wrote:
OK, here is a list of 447 domains that I have compiled from the 1500 mails that hit my spamtrap id, were detected as spam and confirmed by humans to be spam. Actually I had got 587 domains and tried to resolve them against multi.surbl.org, and these 447 were not listed.
Thanks for these. Note that SURBLs try to reduce URIs down to base domains (as they would be registered), so:
afoc2091185zj.fightrxbillz.com -> fightrxbillz.com
military.com.appetizinggood.com -> appetizinggood.com
Doing that, sorting, etc. reduces the 447 to 284. Of those 284, 186 are already listed in multi.surbl.org, and 4 are whitelisted, which leaves 94:
aadbfbe.org acpvgcrh.com aizozwayb.com amdwdthjcy.net arysqg.com asgzxhhvld.com auyfcw.au bkwrcegzc.dk bnekw.net [...]
However of those 94, 92 appear to not resolve any NS records which means they're either not registered, had their registrations expire, revoked, etc. So they're not too useful for spammers. They could appear in spams, but any web sites referenced by them would not resolve. The remaining 2 are:
kuhat.com netmechanic.com
Both of which may have legitimate uses or owners, so they probably should not be listed. Neither domain has any common RBL or SBL listings. netmechanic has 21 NANAS but they look incidental. kuhat has no NANAS. (Can anyone here read Suomi? If so can you check out the kuhat.com site?)
So it appears that if you're using multi.surbl.org in your spam filters then it should be catching almost all of the ones you reported which are actually usable by spammers. Are they getting through? Are you hopefully using multi instead of sc alone?
Hope this helps,
Jeff C. -- "If it appears in hams, then don't list it."
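Added example (not part of the original thread and not SURBL's own tooling): the check discussed above as a shell script that reduces each URI to a base domain, de-duplicates, and then treats an A record from multi.surbl.org as "listed" and an empty answer as "unlisted". The function names and the `LOOKUP` variable are hypothetical; the last-two-labels rule is a simplifying assumption, and the script assumes SURBL answers fall in 127.0.0.0/8 so that any other address or a failed query is reported as an error instead of a result.

```shell
#!/bin/sh
# Added example: find spamtrap domains not listed in multi.surbl.org.

# Reduce a URI or hostname to its last two labels, lower-cased.
# Assumption: naive rule; registries such as co.uk need a two-level-TLD list.
base_domain() {
    printf '%s\n' "$1" |
        sed -e 's|^[a-zA-Z]*://||' -e 's|[/:?].*$||' -e 's|\.$||' |
        tr 'A-Z' 'a-z' |
        awk -F. 'NF >= 2 { print $(NF-1) "." $NF }'
}

# Default lookup: print A records for a name. dig prints nothing and exits 0
# on NXDOMAIN, and exits non-zero when no server could be reached.
dig_lookup() {
    dig +short +time=2 +tries=1 A "$1"
}

# LOOKUP names the resolver function; replace it with a stub to run offline.
LOOKUP=${LOOKUP:-dig_lookup}

# Print listed, unlisted or error for one base domain.
# A timeout is "error", never "unlisted", so outages do not produce
# false "not in SURBL" reports.
surbl_status() {
    answer=$("$LOOKUP" "$1.multi.surbl.org" 2>/dev/null) || { echo error; return 0; }
    case "$answer" in
        127.*) echo listed ;;    # any 127.x answer counts, whatever the value
        '')    echo unlisted ;;  # NXDOMAIN
        *)     echo error ;;     # unexpected data, e.g. NXDOMAIN rewriting
    esac
}

# Read URIs or hostnames on stdin, one per line; print unlisted base domains.
unlisted_domains() {
    while IFS= read -r uri; do
        base_domain "$uri"
    done | sort -u | while IFS= read -r dom; do
        if [ "$(surbl_status "$dom")" = unlisted ]; then
            echo "$dom"
        fi
    done
}
```

Run it as `unlisted_domains < uris.txt` after sourcing the file; de-duplicating before querying keeps the number of DNS lookups proportional to the number of base domains, not the number of spam URIs.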
On Thursday, March 10, 2005, 11:34:32 PM, Jeff Chan wrote:
However of those 94, 92 appear to not resolve any NS records which means they're either not registered, had their registrations expire, revoked, etc. So they're not too useful for spammers. They could appear in spams, but any web sites referenced by them would not resolve.
I should add that if a domain doesn't resolve it can still appear in spams, for example due to error or the spammer not noticing that the domain had been cancelled, etc. However most spammers keep pretty careful track of which domains are currently active. It doesn't benefit them too much to advertise a domain which doesn't work, so that tends not to happen too often.
It's also possible that these 92 did work before and perhaps appeared in some older spams. Spam is fairly dynamic so it can be useful to work with fresher examples. There appears to be a recency effect where new domains appear in spams and older ones are abandoned.
Jeff C. -- "If it appears in hams, then don't list it."
Jeff Chan wrote:
| However of those 94, 92 appear to not resolve any NS records which
| means they're either not registered, had their registrations
| expire, revoked, etc.
So I take it you are not listing non-existent domains?
( makes sense )
I wonder if there'd be much mileage in a SpamAssassin feature to award points for any URLs that don't resolve?
-- Chris Edwards, Glasgow University Computing Service
On Friday, March 11, 2005, 4:33:45 AM, Chris Edwards wrote:
Jeff Chan wrote:
| However of those 94, 92 appear to not resolve any NS records which
| means they're either not registered, had their registrations
| expire, revoked, etc.
So I take it you are not listing non-existent domains?
( makes sense )
If non-resolvable domains appeared in spams, we could list them, but it tends not to happen. Domains that don't resolve can't drive traffic to a spam site so they tend not to be useful for spammers.
I wonder if there'd be much mileage in a SpamAssassin feature to award points for any URLs that don't resolve?
In principle it's something that could be done, but the timeouts encountered trying to resolve non-existent domains could make it impractical.
Loading spams full of URIs probably dilutes the spammer's message, especially if many of them were clickable or visible, so they seem to not do it very often. They want people to go to their sites, not some other sites. If the URIs are not clickable then they aren't too useful for spammers, and a rule could be made to look for messages containing many unclickable ones where checking that would not require actual resolution.
Jeff C. -- "If it appears in hams, then don't list it."
On Fri, 11 Mar 2005, Jeff Chan wrote:
| On Friday, March 11, 2005, 4:33:45 AM, Chris Edwards wrote:
| > Jeff Chan wrote:
|
| > I wonder if there'd be much mileage in a SpamAssassin feature to award
| > points for any URLs that don't resolve?
|
| In principle it's something that could be done, but the timeouts
| encountered trying to resolve non-existent domains could make it
| impractical.
Ah yes.
Then again, if, in theory, one was to only query the relevant gtld server for the registered toplevel NS records, the answer (positive or negative) should be quick.
| Loading spams full of URIs probably dilutes the spammer's
| message, especially if many of them were clickable
OK - interesting - understood.
-- Chris Edwards, Glasgow University Computing Service
On Friday, March 11, 2005, 7:32:18 AM, Chris Edwards wrote:
On Fri, 11 Mar 2005, Jeff Chan wrote:
| On Friday, March 11, 2005, 4:33:45 AM, Chris Edwards wrote:
| >> Jeff Chan wrote:
|
| >> I wonder if there'd be much mileage in a SpamAssassin feature to award
| >> points for any URLs that don't resolve?
|
| In principle it's something that could be done, but the timeouts
| encountered trying to resolve non-existent domains could make it
| impractical.
Ah yes.
Then again, if, in theory, one was to only query the relevant gtld server for the registered toplevel NS records, the answer (positive or negative) should be quick.
Point taken, but we also don't want to DDoS the root name servers if spammers decide to load up their spams with fake domains. Since there is so much spam, dealing with it needs to be kept pretty efficient.
Jeff C. -- "If it appears in hams, then don't list it."
Rakesh wrote:
Jeff Chan wrote:
BTW, if you come up with a list of truly spammy domains that are not listed, we may be able to take those in and use them. But we'd need to be sure that they're 100% spam most of the time (i.e. never appearing in legitimate messages by ordinary users).
Jeff C.
OK, here is a list of 447 domains that I have compiled from the 1500 mails that hit my spamtrap id, were detected as spam and confirmed by
I am extremely sorry. I included all the subdomains in my earlier tests and later I realised that I need to look at only domains and not subdomains. Please ignore my earlier post. The number of not-listed domains in multi has now reduced to 105 from 447.
On Thursday, March 10, 2005, 11:35:00 PM, Rakesh wrote:
Rakesh wrote:
Jeff Chan wrote:
BTW, if you come up with a list of truly spammy domains that are not listed, we may be able to take those in and use them. But we'd need to be sure that they're 100% spam most of the time (i.e. never appearing in legitimate messages by ordinary users).
OK, here is a list of 447 domains that I have compiled from the 1500 mails that hit my spamtrap id, were detected as spam and confirmed by
I am extremely sorry. I included all the subdomains in my earlier tests and later I realised that I need to look at only domains and not subdomains. Please ignore my earlier post. The number of not-listed domains in multi has now reduced to 105 from 447.
There's no need to apologize. It's always good to share notes and try to catch more spams, find new areas, etc. It's usually helpful to have more people checking things.
Jeff C. -- "If it appears in hams, then don't list it."
On Thursday, March 10, 2005, 1:10:32 AM, Rakesh Rakesh wrote:
Here is a list of URLs that I compiled from spams. I queried sc.surbl.org using them but didn't find them listed. Some of the domains are the randomly generated ones and might have become invalid as of now. However, some of them are still working. I didn't know where to report this list to, so I am posting it to this list and Jeff.
Hi Rakesh, Thanks for the report, but all 15 of these domains are already in SURBLs:
aye3054biz.us on lists [ws][ob][jp]
crucify8156pi11.us on lists [ws][ob][jp]
decatur9854rx.us on lists [ws][ob][jp]
defenses8093biz.us on lists [ob][jp]
get-internet-software.com on lists [ws][ob][jp]
history-cleaner-software.com on lists [ws][ob]
mypillsvalues.com on lists [ws][ob][jp]
ncatalpa2m.biz on lists [ws]
passionvin.biz on lists [ws]
pinghetang.com on lists [ws][ob][jp]
popupblocker-software.com on lists [ws][ob]
sanguozhi10.com on lists [ws][ob]
spyware-killer-software.com on lists [ws][ob]
surfer-support.com on lists [ws][ob]
tempole.com on lists [ws][ob]
SC is only one of the lists. Folks using SURBLs should probably be using sc, jp, etc. The best way to do that is to use multi.surbl.org which has all the lists combined in this way.
Jeff C. -- "If it appears in hams, then don't list it."