On Wed, 18 May 2005, Jeff Chan wrote:
On Wednesday, May 18, 2005, 6:44:05 AM, Spam Admin wrote:
spam link.
http://www.kexmt.move.fresh-deals.net/go/g/31/2869/1/?3495564
Dan Zachary
Hi Dan, This is a recently registered domain (a couple weeks ago) but it doesn't seem to resolve into spaces that are known to be spammy. That may just mean spammers have moved into a new network space, etc.
However there are a number of odd things about this domain from the registration, to the host's registration, etc. And it doesn't seem to resolve currently.
Is anyone else seeing this in spams?
Jeff C.
Jeff, I've been getting spam containing that URL and other 'sisters' (such as "dealstoday.net").
They have major spam-sign hallmarks:
The payload is a few lines of HTML that reference images with the ad "message" and then massive amounts of "Bayes poison" hidden by HTML comments or CSS tricks (style="visibility:hidden"), bogus HTML (large amounts of text after the closing </HTML> tag), as well as being sent to stale local addresses.
Examples available upon request. ;)
-- Dave Funk University of Iowa <dbfunk (at) engineering.uiowa.edu> College of Engineering 319/335-5751 FAX: 319/384-0549 1256 Seamans Center Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527 #include <std_disclaimer.h> Better is not better, 'standard' is better. B{ _______________________________________________ Discuss mailing list Discuss@lists.surbl.org http://lists.surbl.org/mailman/listinfo/discuss
Jeff,
Now you have your answer about how "spammy" GMB is. (This is them also - check the name servers, and rDNS - also, look around the net-block for other nearby GMB sites). Also, another partial hidden "private" registration (i.e. dealstoday.net).
Paul Shupak track@plectere.com
On Fri, 20 May 2005, List Mail User wrote:
Jeff,
Now you have your answer about how "spammy" GMB is. (This is them also - check the name servers, and rDNS - also, look around the net-block for other nearby GMB sites). Also, another partial hidden "private" registration (i.e. dealstoday.net).
Paul Shupak track@plectere.com
A few more to add to that list: maxtad.com newdealplus.com inetworkplus.com mediaplusdata.com deal-plus.net
Most all seen coming from 206.131.233.0/24 within the past 2 weeks.
On Friday, May 20, 2005, 7:51:15 PM, David Funk wrote:
On Fri, 20 May 2005, List Mail User wrote:
Jeff, Now you have your answer about how "spammy" GMB is. (This isthem also - check the name servers, and rDNS - also, look around the net-block for other nearby GMB sites). Also, another partial hidden "private" registration (i.e. dealstoday.net).
Paul Shupak track@plectere.com
A few more to add to that list: maxtad.com newdealplus.com inetworkplus.com mediaplusdata.com deal-plus.net
Most all seen coming from 206.131.233.0/24 within the past 2 weeks.
Thanks; I see you've already listed those on WS.
Jeff C. -- Don't harm innocent bystanders.
-
David B Funk -
Jeff Chan -
List Mail User