Found the link below in a Ziff Davis "Baseline Magazine" renewal notification e-mail, and it was tagged by OB:
omessage.MUNGEcom
The URI was used in an unsubscribe link.
Bill
----- Original Message -----
From: "Bill Landry" billl@pointshare.com
To: discuss@lists.surbl.org
Sent: Monday, August 30, 2004 8:22 AM
Subject: [SURBL-Discuss] FP on OB list
Found the link below in a Ziff Davis "Baseline Magazine" renewal notification e-mail, and it was tagged by OB:
omessage.MUNGEcom
The URI was used in an unsubscribe link.
Weird...
http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&q=omessage.co...
Why would Ziff-Davis add such a link unless it's a faked msg?
I doubt OB's spamtraps subscribe to ZD's Baseline Mag all on their own...
---------------------------------------------------
http://omessage.com:
Forbidden
You don't have permission to access / on this server.
Apache/1.3.29 Server at omessage.com Port 8081
---------------------------------------------------
Smells like fishing for valid addresses.....
Alex
----- Original Message -----
Found the link below in a Ziff Davis "Baseline Magazine" renewal notification e-mail, and it was tagged by OB:
omessage.MUNGEcom
The URI was used in an unsubscribe link.
Weird...
http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&q=omessage.co...
Why would Ziff-Davis add such a link unless it's a faked msg?
I doubt OB's spamtraps subscribe to ZD's Baseline Mag all on their own...
What are you talking about? Who said anything about OB's spamtraps subscribing to anything?
This is a legitimate renewal notification. The renewals are being handled by a company called Omeda Communications (www.omeda.com), a media fulfillment service, for Ziff-Davis. In this case, omedia.com and omessage.MUNGEcom are owned by the same entity, and when you click on the "Renew now" button, you come to a page that is fully pre-populated with the customer's original subscription information.
I do my research before reporting FPs to this list. Please do your research before posting a challenge. As always, if anyone wants to see the actual message, let me know and I will forward it to you off-list.
Bill
----- Original Message -----
From: "Jeff Chan" jeffc@surbl.org
On Sunday, August 29, 2004, 11:22:54 PM, Bill Landry wrote:
Found the link below in a Ziff Davis "Baseline Magazine" renewal notification e-mail, and it was tagged by OB:
omessage.MUNGEcom
The URI was used in an unsubscribe link.
Bill
Post at least the link.
Jeff, I will not post the link to this list because if someone executes it, the customer will be unsubscribed. I am sending you the message off-list for your review. At what point does one establish enough credibility that people on this list stop calling into question their ability to differentiate between spam and ham?
Bill
On Monday, August 30, 2004, 12:42:38 AM, Bill Landry wrote:
----- Original Message -----
From: "Jeff Chan" jeffc@surbl.org
On Sunday, August 29, 2004, 11:22:54 PM, Bill Landry wrote:
Found the link below in a Ziff Davis "Baseline Magazine" renewal notification e-mail, and it was tagged by OB:
omessage.MUNGEcom
The URI was used in an unsubscribe link.
Bill
Post at least the link.
Jeff, I will not post the link to this list because if someone executes it, the customer will be unsubscribed. I am sending you the message off-list for your review. At what point does one establish enough credibility that people on this list stop calling into question their ability to differentiate between spam and ham?
Yes, you don't need to post the entire link, just the relevant parts of it, specifically the fully qualified domain name of the URI. I got it from your off-list message as:
http://bsl.omessage-MUNGED.com/unsubscribe/u.html?%5Bdeleted]
Which resolves to:
Name: bsl.omessage.com
Address: 204.180.130.204
That block is a Sprint /24:
Omeda Communications FON-34343818247975 (NET-204-180-130-0-1)
204.180.130.0 - 204.180.130.255
Some of Omeda's NANAS sightings were sent from addresses in this same block, some from others:
209.228.32.60
loadmaster.omessage.com (65.216.70.15)
(blaster2.omessage.com [204.180.130.222])
blaster2.omessage.com ::ffff:204.180.130.222
loadmaster.omessage.com ([65.216.73.33])
(blaster2.omessage.com[204.180.130.222])
loadmaster.omessage.com ([65.216.70.15])
(blaster1.omessage.com [204.180.130.221])
None of those IP addresses is listed in SBL or XBL. If they were a true spamhaus I would assume they would have been caught by now. And if they were a hard core spammer they'd probably use zombies to send their mail, and not mail servers on blocks registered to them, with reverse DNS entries set up resolving to their domain, etc.
Therefore I am whitelisting:
omeda.com
omessage.com
And asking Outblaze to consider doing likewise.
Why should anyone be required to give any proof?
Sometimes the topic of whitelisting is controversial, so it's good to share research so we can understand the reasons for whitelisting. For example if you had already done this research and shared it, then less time would be wasted on duplicated efforts.
Jeff C.
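The checks Jeff walks through above (take only the FQDN out of the URI, resolve it, look the address up in IP-based lists such as SBL/XBL, and never fetch the unsubscribe link itself) as an added Python example; this is not code from the thread or from SURBL, the zone names are assumptions, and the resolver is injected so it runs offline against constructed answers:

```python
"""Passive evidence for a suspected SURBL false positive (added example).
Take the FQDN out of the URI, resolve it, and query IP-based DNSBLs for the
address. The URI itself is never fetched: requesting it would unsubscribe
the customer. Zone names are assumptions; the resolver is injected so the
example runs offline against constructed data.
"""
import ipaddress
from typing import Callable, Dict, List, Optional
from urllib.parse import urlsplit

# name -> A record as text, or None when the name does not exist
Resolver = Callable[[str], Optional[str]]

IP_ZONES: List[str] = ["sbl.spamhaus.org", "xbl.spamhaus.org"]  # assumed zones

def host_from_uri(uri: str) -> str:
    """Return only the FQDN; path and query carry the per-customer token."""
    host = urlsplit(uri).hostname
    if not host:
        raise ValueError("URI has no host part")
    return host.lower().rstrip(".")

def dnsbl_name(ip: str, zone: str) -> str:
    """IP-based DNSBL query name: octets in reverse order, then the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def gather_evidence(uri: str, resolve: Resolver,
                    zones: List[str] = IP_ZONES) -> Dict[str, object]:
    """Resolve the link's host and query each zone; any answer is a listing."""
    host = host_from_uri(uri)
    addr = resolve(host)
    listings: Dict[str, Optional[str]] = {}
    if addr is not None:
        for zone in zones:
            listings[zone] = resolve(dnsbl_name(addr, zone))
    return {"host": host, "address": addr, "listings": listings,
            "listed": any(v is not None for v in listings.values())}

# Constructed offline answers mirroring the thread: host resolves, no SBL/XBL hit.
_STUB_ANSWERS = {"bsl.omessage.com": "204.180.130.204"}

def stub_resolve(name: str) -> Optional[str]:
    return _STUB_ANSWERS.get(name)

if __name__ == "__main__":
    print(gather_evidence("http://bsl.omessage.com/unsubscribe/u.html?token", stub_resolve))
```

Swap `stub_resolve` for a real lookup (for example one built on `socket.gethostbyname`) to run it against live DNS; the registration-date and whois checks Jeff mentions are left to the reader.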
----- Original Message -----
From: "Jeff Chan" jeffc@surbl.org
Yes, you don't need to post the entire link, just the relevant parts of it, specifically the fully qualified domain name of the URI. I got it from your off-list message as:
http://bsl.omessage-MUNGED.com/unsubscribe/u.html?%5Bdeleted]
Which resolves to:
Name: bsl.omessage.com
Address: 204.180.130.204
That block is a Sprint /24:
Omeda Communications FON-34343818247975 (NET-204-180-130-0-1)
204.180.130.0 - 204.180.130.255
Some of Omeda's NANAS sightings were sent from addresses in this same block, some from others:
209.228.32.60
loadmaster.omessage.com (65.216.70.15)
(blaster2.omessage.com [204.180.130.222])
blaster2.omessage.com ::ffff:204.180.130.222
loadmaster.omessage.com ([65.216.73.33])
(blaster2.omessage.com[204.180.130.222])
loadmaster.omessage.com ([65.216.70.15])
(blaster1.omessage.com [204.180.130.221])
None of those IP addresses is listed in SBL or XBL. If they were a true spamhaus I would assume they would have been caught by now. And if they were a hard core spammer they'd probably use zombies to send their mail, and not mail servers on blocks registered to them, with reverse DNS entries set up resolving to their domain, etc.
Therefore I am whitelisting:
omeda.com
omessage.com
And asking Outblaze to consider doing likewise.
Why should anyone be required to give any proof?
Sometimes the topic of whitelisting is controversial, so it's good to share research so we can understand the reasons for whitelisting. For example if you had already done this research and shared it, then less time would be wasted on duplicated efforts.
If you want specific data to prove a false positive, then put together a template and post it on the SURBL web site for all to follow.
Bill
On Monday, August 30, 2004, 1:24:27 AM, Bill Landry wrote:
From: "Jeff Chan" jeffc@surbl.org
Why should anyone be required to give any proof?
Sometimes the topic of whitelisting is controversial, so it's good to share research so we can understand the reasons for whitelisting. For example if you had already done this research and shared it, then less time would be wasted on duplicated efforts.
If you want specific data to prove a false positive, then put together a template and post it on the SURBL web site for all to follow.
That's a good suggestion, but I don't think there are any standard tests for legitimacy. If there were, then we could probably automate them and save a lot of trouble. Every case can be different, so it's more open-ended what one might provide as proof. The borderline spammers are even more difficult to prove or disprove.
But there needs to be some kind of proof provided that we can look at and decide if it's reasonable.
There still needs to be some human judgement and the types of proof can be different.
One obvious thing is to look at domain registration dates. In this case omessage.com was a 2003 registration so that doesn't help much. However the apparent parent domain omeda.com was registered in 1996, which tells us at least a little about the organization.
Another problem is that if you lay down purely objective tests of legitimacy, some spammer can probably engineer their domain to meet those requirements then claim their domain should be whitelisted. We would want to watch out for things like that and retain the ability to exercise some final human judgement.
Jeff C.
for your review. At what point does one establish enough credibility that people on this list stop calling into question their ability to differentiate between spam and ham?
Good question Bill, be interesting to see what everyone thinks.
I'm all for having some sort of formalised process or procedure, otherwise every time someone posts to the list they will get 40 questions.
IMHO if a customer has subscribed to a mailing / advertising list, it's legit. Opt-out rubbish that just turns up in your mailbox is the bad stuff.
However it can be hard to tell what is borderline spam. Having people assume you are stupid and haven't researched a FP just makes others less willing to question FPs.
At present I couldn't be bothered wasting my time to report FPs because of precisely this.
Regards,
Joseph
On Monday, August 30, 2004, 2:15:42 AM, Joseph Burford wrote:
However it can be hard to tell what is borderline spam. Having people assume you are stupid and haven't researched a FP just makes others less willing to question FPs.
At present I couldn't be bothered wasting my time to report FPs because of precisely this.
We want FPs, but we need proof. It's only fair to ask for some proof otherwise how does everyone else know what the reasons are, unless they're psychic or something?
Jeff C.
----- Original Message -----
From: "Jeff Chan" jeffc@surbl.org
To: "SURBL Discussion list" discuss@lists.surbl.org
Sent: Monday, August 30, 2004 11:50 AM
Subject: Re: [SURBL-Discuss] FP on OB list
On Monday, August 30, 2004, 2:15:42 AM, Joseph Burford wrote:
However it can be hard to tell what is borderline spam. Having people assume you are stupid and haven't researched a FP just makes others less willing to question FPs.
At present I couldn't be bothered wasting my time to report FPs because of precisely this.
We want FPs, but we need proof. It's only fair to ask for some proof otherwise how does everyone else know what the reasons are, unless they're psychic or something?
I herewith promise to keep my trap shut and if I don't agree with someone's FP whitelisting request, won't question it & will add to my local zone and everyone is happy.
Apologize for the noise
Alex
On Monday, August 30, 2004, 3:00:20 AM, Alex Broens wrote:
From: "Jeff Chan" jeffc@surbl.org
We want FPs, but we need proof. It's only fair to ask for some proof otherwise how does everyone else know what the reasons are, unless they're psychic or something?
I herewith promise to keep my trap shut and if I don't agree with someone's FP whitelisting request, won't question it & will add to my local zone and everyone is happy.
I don't mind debate. Sometimes it's good to disagree. All I'm saying is please give reasons.
Is that unreasonable?
Jeff C.
Another good reason to ask for proof up front is that we've seen at least one example where a spammer came on this forum and lied about the source and nature of the spam in order to try to get off the list. (Of course, this obviously wouldn't apply to Bill.) ...remember that classic case where, supposedly, a security hole in a company's server was exploited by hackers who were sending out spam that, for some strange reason, advertised this same company's products and services? ...you know, the one that Chris caught :)
Also, Bill, try not to take these challenges so personally. I think that some on this list question things sometimes more out of a concern to get it right and to be extra sure... not because we question any particular person's judgment. It seems like if you would include just two or three more of your top reasons for believing that the mail in question is a FP, you'd find the process to be smoother and quicker.
Rob McEwen
----- Original Message -----
From: "Rob McEwen" webmaster@powerviewsystems.com
Also, Bill, try not to take these challenges so personally. I think that some on this list question things sometimes more out of a concern to get it right and to be extra sure... not because we question any particular person's judgment. It seems like if you would include just two or three more of your top reasons for believing that the mail in question is a FP, you'd find the process to be smoother and quicker.
Agreed. I will start providing whatever test results I used to determine the FP nature of the domain with my initial post. I would also ask that people not post knee-jerk responses and only post a challenge if they have solid proof to the contrary.
Bill