-----Original Message-----
From: Jeff Chan [mailto:jeffc@surbl.org]
Sent: Friday, October 15, 2004 10:49 AM
To: Chris Santerre
Cc: 'Jeff Chan'; 'SURBL Discussion list'; Joe Wein; Ryan Thompson (E-mail)
Subject: Re: [SURBL-Discuss] FP?: ultimatebizsource.biz
On Friday, October 15, 2004, 7:50:06 AM, Chris Santerre wrote:
From: Jeff Chan [mailto:jeffc@surbl.org]
By evidence I was referring to spams. If you have one, post it and how it got to you or at least a description of how it got to you.
Sorry I can't. It's the evil gaffe back from 7/04 again. Where none of the submissions were being archived.
How do you feel about removing the 7/04 list from WS? Or is there a subset of those we could remove?
2285 domains in that file. I don't feel good about it at all. Especially because the domain we are talking about seems so iffy. I'm not one to remove all of these just because I don't have the archived reports. If they are proved to be FPs then hell yeah I will remove those FPs. But to remove over 2k of them just for 2 reported FPs in that file???
--Chris
On Friday, October 15, 2004, 7:55:54 AM, Chris Santerre wrote:
From: Jeff Chan [mailto:jeffc@surbl.org] On Friday, October 15, 2004, 7:50:06 AM, Chris Santerre wrote:
Sorry I can't. It's the evil gaffe back from 7/04 again. Where none of the submissions were being archived.
How do you feel about removing the 7/04 list from WS? Or is there a subset of those we could remove?
2285 domains in that file. I don't feel good about it at all. Especially because the domain we are talking about seems so iffy. I'm not one to remove all of these just because I don't have the archived reports. If they are proved to be FPs then hell yeah I will remove those FPs. But to remove over 2k of them just for 2 reported FPs in that file???
--Chris
OK fair enough. There may be more than 2 FPs though. Here are the DMOZ hits:
/home/gorilla/black-gorilla-7_04.txt in nouse-white-jeffc-dmoz
123go-shopping.com 24ktgoldcasino.com 3322.org abitz.com audiogalaxy.com bottomlinecom.net casinovendors.com chemicalhouse.com denversharedservices.com dimoskopisi.com dotphoto.com electroionic.com.ar etowns.net evite.com goldrush.com hotusa.org instoremag.com jlindustrial.com kinghost.com medica.de mwconsult.ru mypiece.com pcdi.com quevendo.com.ar response-o-matic.com spectralft.com telepolis.com tom.com vistaprint.com webwizguide.info wx-e.com zip.net
Number of matches: 32
Do we see any FPs in those?
Jeff C. -- "If it appears in hams, then don't list it."
Jeff Chan wrote:
On Friday, October 15, 2004, 7:55:54 AM, Chris Santerre wrote:
From: Jeff Chan [mailto:jeffc@surbl.org] On Friday, October 15, 2004, 7:50:06 AM, Chris Santerre wrote:
Sorry I can't. It's the evil gaffe back from 7/04 again. Where none of the submissions were being archived.
How do you feel about removing the 7/04 list from WS? Or is there a subset of those we could remove?
2285 domains in that file. I don't feel good about it at all. Especially because the domain we are talking about seems so iffy. I'm not one to remove all of these just because I don't have the archived reports. If they are proved to be FPs then hell yeah I will remove those FPs. But to remove over 2k of them just for 2 reported FPs in that file???
--Chris
OK fair enough. There may be more than 2 FPs though. Here are the DMOZ hits:
/home/gorilla/black-gorilla-7_04.txt in nouse-white-jeffc-dmoz
Number of matches: 32
Do we see any FPs in those?
medica.de = large German Medical Exhibition in Duesseldorf. Definitely not a spamhaus.
on Fri, Oct 15, 2004 at 05:24:27PM +0200, Alex Broens wrote:
Do we see any FPs in those?
medica.de = large German Medical Exhibition in Duesseldorf. Definitely not a spamhaus.
If I might recommend a strategy for cleaning up FPs in mass submissions?
There's a well-known ratware package that forges the HELO and sender domain from among a huge list of ccTLDs. e.g.:
Received: from cibo.be (DWM-21-63.go.retevision.es [81.60.63.21])
	by serrano.hesketh.net (8.12.11/8.12.8) with SMTP id i55DcmW1015907
	for <snip>; Sat, 5 Jun 2004 09:39:12 -0400
Message-ID: ed6201c44b8d$4e62a4a2$9181555a@cibo.be
From: "Ian Monroe" monroezh@cilme.it
cibo.be, cilme.it are innocent victims, but it's likely that if you see a bare ccTLD domain in the HELO and a ccTLD in the From: header, and the message has a Message-ID header of the HELO domain, and it was sent via a likely spam zombie, it's spam. (YMMV)
So, I'd quarantine/remove all ccTLD domains from mass submissions until such time as they can be checked manually. It was a large source of FPs here when I started using my domain blacklist (built from many sources, unfortunately including HELOs from this ratware package before I knew what it was).
on Fri, Oct 15, 2004 at 11:45:57AM -0400, Steven Champeon wrote:
on Fri, Oct 15, 2004 at 05:24:27PM +0200, Alex Broens wrote:
Do we see any FPs in those?
medica.de = large German Medical Exhibition in Duesseldorf. Definitely not a spamhaus.
If I might recommend a strategy for cleaning up FPs in mass submissions?
There's a well-known ratware package that forges the HELO and sender domain from among a huge list of ccTLDs. e.g.:
Received: from cibo.be (DWM-21-63.go.retevision.es [81.60.63.21])
	by serrano.hesketh.net (8.12.11/8.12.8) with SMTP id i55DcmW1015907
	for <snip>; Sat, 5 Jun 2004 09:39:12 -0400
Message-ID: ed6201c44b8d$4e62a4a2$9181555a@cibo.be
From: "Ian Monroe" monroezh@cilme.it
cibo.be, cilme.it are innocent victims, but it's likely that if you see a bare ccTLD domain in the HELO and a ccTLD in the From: header, and the message has a Message-ID header of the HELO domain, and it was sent via a likely spam zombie, it's spam. (YMMV)
It's also worth mentioning that the sender address is related to the name given in the quoted portion of the From: header, a la:
"Ian Monroe" monroezh@cilme.it
 First Last   lastzz
There's a set of ~60 of these rules, which is now part of SpamAssassin:
http://spamassassin.apache.org/full/3.0.x/dist/rules/20_ratware.cf
They use the simpler set; I've since defined more:
# check for ccTLDs in both mail_from and HELO
KEL_FirstMLastZZccTLDs regex -aMATCH -f (at|au|be|ca|ch|de|dk|es|gr|hu|it|jp|kr|lv|md|mx|nl|no|nu|pt|ro|ru|ua|uk|us|za)$

# last_
# e.g. "First M. Last" last_zz@example.com
# e.g. "First Last" last_zz@example.com
KEL_FirstMLastZZ01 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z]\2_[a-z]{2}@

# last
# e.g. "First M. Last" lastzz@example.com
# e.g. "First Last" lastzz@example.com
KEL_FirstMLastZZ02 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z]\2[a-z]{2}@

# flast_
# e.g. "First M. Last" flast_zz@example.com
# e.g. "First Last" flast_zz@example.com
KEL_FirstMLastZZ03 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z][a-z]\2_[a-z]{2}@

# flast
# e.g. "First M. Last" flastzz@example.com
# e.g. "First Last" flastzz@example.com
KEL_FirstMLastZZ04 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z][a-z]\2[a-z]{2}@

# f.last_
# e.g. "First M. Last" f.last_zz@example.com
# e.g. "First Last" f.last_zz@example.com
KEL_FirstMLastZZ05 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z].[a-z]\2_[a-z]{2}@

# f.last
# e.g. "First M. Last" f.lastzz@example.com
# e.g. "First Last" f.lastzz@example.com
KEL_FirstMLastZZ06 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z].[a-z]\2[a-z]{2}@

# f.mlast_
# e.g. "First M. Last" f.mlast_zz@example.com
KEL_FirstMLastZZ07 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z].[a-z][a-z]\2_[a-z]{2}@

# f.mlast
# e.g. "First M. Last" f.mlastzz@example.com
KEL_FirstMLastZZ08 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z].[a-z][a-z]\2[a-z]{2}@

# f.m.last_
# e.g. "First M. Last" f.m.last_zz@example.com
KEL_FirstMLastZZ09 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z].[a-z].[a-z]\2_[a-z]{2}@

# f.m.last
# e.g. "First M. Last" f.m.lastzz@example.com
KEL_FirstMLastZZ10 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z].[a-z].[a-z]\2[a-z]{2}@

# f.m_last_
# e.g. "First M. Last" f.m_last_zz@example.com
KEL_FirstMLastZZ11 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z].[a-z]_[a-z]\2_[a-z]{2}@

# f.m_last
# e.g. "First M. Last" f.m_lastzz@example.com
KEL_FirstMLastZZ12 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z].[a-z]_[a-z]\2[a-z]{2}@

# f_last_
# e.g. "First M. Last" f_last_zz@example.com
# e.g. "First Last" f_last_zz@example.com
KEL_FirstMLastZZ13 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z]_[a-z]\2_[a-z]{2}@

# f_last
# e.g. "First M. Last" f_lastzz@example.com
# e.g. "First Last" f_lastzz@example.com
KEL_FirstMLastZZ14 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z]_[a-z]\2[a-z]{2}@

# f_mlast_
# e.g. "First M. Last" f_mlast_zz@example.com
KEL_FirstMLastZZ15 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z]_[a-z][a-z]\2_[a-z]{2}@

# f_mlast
# e.g. "First M. Last" f_mlastzz@example.com
KEL_FirstMLastZZ16 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z]_[a-z][a-z]\2[a-z]{2}@

# f_m.last_
# e.g. "First M. Last" f_m.last_zz@example.com
KEL_FirstMLastZZ17 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z]_[a-z].[a-z]\2_[a-z]{2}@

# f_m.last
# e.g. "First M. Last" f_m.lastzz@example.com
KEL_FirstMLastZZ18 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z]_[a-z].[a-z]\2[a-z]{2}@

# f_m_last_
# e.g. "First M. Last" f_m_last_zz@example.com
KEL_FirstMLastZZ19 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z]_[a-z]_[a-z]\2_[a-z]{2}@

# f_m_last
# e.g. "First M. Last" f_m_lastzz@example.com
KEL_FirstMLastZZ20 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z]_[a-z]_[a-z]\2[a-z]{2}@

# firstlast_
# e.g. "First M. Last" firstlast_zz@example.com
# e.g. "First Last" firstlast_zz@example.com
KEL_FirstMLastZZ21 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z]\1[a-z]\2_[a-z]{2}@

# firstlast
# e.g. "First M. Last" firstlastzz@example.com
# e.g. "First Last" firstlastzz@example.com
KEL_FirstMLastZZ22 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z]\1[a-z]\2[a-z]{2}@

# first.last_
# e.g. "First M. Last" first.last_zz@example.com
# e.g. "First Last" first.last_zz@example.com
KEL_FirstMLastZZ23 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z]\1.[a-z]\2_[a-z]{2}@

# first.last
# e.g. "First M. Last" first.lastzz@example.com
# e.g. "First Last" first.lastzz@example.com
KEL_FirstMLastZZ24 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z]\1.[a-z]\2[a-z]{2}@

# first.mlast_
# e.g. "First M. Last" first.mlast_zz@example.com
KEL_FirstMLastZZ25 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z]\1.[a-z][a-z]\2_[a-z]{2}@

# first.mlast
# e.g. "First M. Last" first.mlastzz@example.com
KEL_FirstMLastZZ26 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z]\1.[a-z][a-z]\2[a-z]{2}@

# first.m.last_
# e.g. "First M. Last" first.m.last_zz@example.com
KEL_FirstMLastZZ27 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z]\1.[a-z].[a-z]\2_[a-z]{2}@

# first.m.last
# e.g. "First M. Last" first.m.lastzz@example.com
KEL_FirstMLastZZ28 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z]\1.[a-z].[a-z]\2[a-z]{2}@

# first.m_last_
# e.g. "First M. Last" first.m_last_zz@example.com
KEL_FirstMLastZZ29 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z]\1.[a-z]_[a-z]\2_[a-z]{2}@

# first.m_last
# e.g. "First M. Last" first.m_lastzz@example.com
KEL_FirstMLastZZ30 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z]\1.[a-z]_[a-z]\2[a-z]{2}@

# first_last_
# e.g. "First M. Last" first_last_zz@example.com
# e.g. "First Last" first_last_zz@example.com
KEL_FirstMLastZZ31 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z]\1_[a-z]\2_[a-z]{2}@

# first_last
# e.g. "First M. Last" first_lastzz@example.com
# e.g. "First Last" first_lastzz@example.com
KEL_FirstMLastZZ32 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z]\1_[a-z]\2[a-z]{2}@

# first_mlast_
# e.g. "First M. Last" first_mlast_zz@example.com
KEL_FirstMLastZZ33 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z]\1_[a-z][a-z]\2_[a-z]{2}@

# first_mlast
# e.g. "First M. Last" first_mlastzz@example.com
KEL_FirstMLastZZ34 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z]\1_[a-z][a-z]\2[a-z]{2}@

# first_m.last_
# e.g. "First M. Last" first_m.last_zz@example.com
KEL_FirstMLastZZ35 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z]\1_[a-z].[a-z]\2_[a-z]{2}@

# first_m.last
# e.g. "First M. Last" first_m.lastzz@example.com
KEL_FirstMLastZZ36 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z]\1_[a-z].[a-z]\2[a-z]{2}@

# first_m_last_
# e.g. "First M. Last" first_m_last_zz@example.com
KEL_FirstMLastZZ37 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z]\1_[a-z]_[a-z]\2_[a-z]{2}@

# first_m_last
# e.g. "First M. Last" first_m_lastzz@example.com
KEL_FirstMLastZZ38 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z]\1_[a-z]_[a-z]\2[a-z]{2}@

# firstmlast_
# e.g. "First M. Last" firstmlast_zz@example.com
KEL_FirstMLastZZ39 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z]\1[a-z][a-z]\2_[a-z]{2}@

# firstmlast
# e.g. "First M. Last" firstmlastzz@example.com
KEL_FirstMLastZZ40 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z]\1[a-z][a-z]\2[a-z]{2}@

# firstm.last_
# e.g. "First M. Last" firstm.last_zz@example.com
KEL_FirstMLastZZ41 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z]\1[a-z].[a-z]\2_[a-z]{2}@

# firstm.last
# e.g. "First M. Last" firstm.lastzz@example.com
KEL_FirstMLastZZ42 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z]\1[a-z].[a-z]\2[a-z]{2}@

# firstm_last_
# e.g. "First M. Last" firstm_last_zz@example.com
KEL_FirstMLastZZ43 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z]\1[a-z]_[a-z]\2_[a-z]{2}@

# firstm_last
# e.g. "First M. Last" firstm_lastzz@example.com
KEL_FirstMLastZZ44 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z]\1[a-z]_[a-z]\2[a-z]{2}@

# fmlast_
# e.g. "First M. Last" fmlast_zz@example.com
KEL_FirstMLastZZ45 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z][a-z][a-z]\2_[a-z]{2}@

# fmlast
# e.g. "First M. Last" fmlastzz@example.com
KEL_FirstMLastZZ46 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z][a-z][a-z]\2[a-z]{2}@

# fm.last_
# e.g. "First M. Last" fm.last_zz@example.com
KEL_FirstMLastZZ47 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z][a-z].[a-z]\2_[a-z]{2}@

# fm.last
# e.g. "First M. Last" fm.lastzz@example.com
KEL_FirstMLastZZ48 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z][a-z].[a-z]\2[a-z]{2}@

# fm_last_
# e.g. "First M. Last" fm_last_zz@example.com
KEL_FirstMLastZZ49 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z][a-z]_[a-z]\2_[a-z]{2}@

# fm_last
# e.g. "First M. Last" fm_lastzz@example.com
KEL_FirstMLastZZ50 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z][a-z]_[a-z]\2[a-z]{2}@

# mlast_
# e.g. "First M. Last" mlast_zz@example.com
KEL_FirstMLastZZ51 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z][a-z]\2_[a-z]{2}@

# mlast
# e.g. "First M. Last" mlastzz@example.com
KEL_FirstMLastZZ52 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z][a-z]\2[a-z]{2}@

# m.last_
# e.g. "First M. Last" m.last_zz@example.com
KEL_FirstMLastZZ53 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z].[a-z]\2_[a-z]{2}@

# m.last
# e.g. "First M. Last" m.lastzz@example.com
KEL_FirstMLastZZ54 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z].[a-z]\2[a-z]{2}@

# m_last_
# e.g. "First M. Last" m_last_zz@example.com
KEL_FirstMLastZZ55 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z]_[a-z]\2_[a-z]{2}@

# m_last
# e.g. "First M. Last" m_lastzz@example.com
KEL_FirstMLastZZ56 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z]_[a-z]\2[a-z]{2}@
These are sendmail 'maps', hence the stilted syntax.
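The same heuristic (bare ccTLD in HELO and From:, Message-ID in the HELO domain, a FirstMLastZZ-style local part) written as a defender-side check in Python; this is an added example, not Steven's sendmail maps or anything from the list's own tooling. The header sample is the one quoted above with angle brackets restored, the "legit" sample and all function names are constructed for illustration, and the "likely spam zombie" judgement is taken as an input because it comes from a DNSBL or similar source, not from the headers themselves.

```python
import email
import re

# ccTLDs taken from the KEL_FirstMLastZZccTLDs map quoted above
CCTLDS = {"at", "au", "be", "ca", "ch", "de", "dk", "es", "gr", "hu", "it", "jp", "kr",
          "lv", "md", "mx", "nl", "no", "nu", "pt", "ro", "ru", "ua", "uk", "us", "za"}

HELO_RE = re.compile(r"^from\s+(\S+)\s*\(")                                   # HELO name in Received:
NAME_RE = re.compile(r"^([A-Z][a-z]+)\s+(?:[A-Z]\.?\s+)?([A-Z][a-z-]+)$")   # "First [M.] Last"
FROM_RE = re.compile(r'^\s*"?(?P<name>[^"<@]+?)"?\s*<?(?P<local>[^<>@\s"]+)@(?P<domain>[^<>\s"]+)>?\s*$')

# The Received/Message-ID/From sample quoted in the thread (angle brackets restored).
SAMPLE = """\
Received: from cibo.be (DWM-21-63.go.retevision.es [81.60.63.21])
    by serrano.hesketh.net (8.12.11/8.12.8) with SMTP id i55DcmW1015907
    for <snip>; Sat, 5 Jun 2004 09:39:12 -0400
Message-ID: <ed6201c44b8d$4e62a4a2$9181555a@cibo.be>
From: "Ian Monroe" <monroezh@cilme.it>
"""

# Constructed legitimate message for comparison (not from the thread).
LEGIT = """\
Received: from mail.example.com (mail.example.com [192.0.2.10])
    by mx.example.net with ESMTP id abc123; Sat, 5 Jun 2004 09:40:00 -0400
Message-ID: <20040605134000.GA1234@mail.example.com>
From: "Jane Doe" <jane@example.com>
"""

def bare_cctld(domain):
    """True for a bare second-level name under a ccTLD, e.g. cibo.be."""
    labels = domain.lower().rstrip(".").split(".")
    return len(labels) == 2 and labels[1] in CCTLDS

def localpart_re(first, last):
    """One regex generalising the 56 KEL_FirstMLastZZ maps: optional first name
    or initial, optional middle initial, '.' or '_' separators, the last name,
    an optional '_', then exactly two trailing letters (the 'zz')."""
    f, l = first.lower(), last.lower()
    return re.compile(rf"^(?:{re.escape(f)}|{f[0]})?[._]?[a-z]?[._]?{re.escape(l)}_?[a-z]{{2}}$")

def ratware_signals(raw_headers, suspect_host=False):
    """Names of the ratware signals present in the headers. suspect_host is the
    caller's 'likely spam zombie' verdict (DNSBL hit etc.), not derived here."""
    msg = email.message_from_string(raw_headers)
    signals = []
    m = HELO_RE.match(msg.get("Received", ""))
    helo = m.group(1).lower() if m else ""
    if helo and bare_cctld(helo):
        signals.append("helo_bare_cctld")
    fm = FROM_RE.match(msg.get("From", ""))
    if fm and bare_cctld(fm["domain"]):
        signals.append("from_cctld")
    nm = NAME_RE.match(fm["name"].strip()) if fm else None
    if nm and localpart_re(nm.group(1), nm.group(2)).match(fm["local"].lower()):
        signals.append("firstmlastzz_localpart")
    mid = msg.get("Message-ID", "").strip().rstrip(">")
    if helo and "@" in mid and mid.rsplit("@", 1)[1].lower() == helo:
        signals.append("msgid_domain_is_helo")
    if suspect_host:
        signals.append("suspect_host")
    return signals

def looks_like_ratware(raw_headers, suspect_host=False):
    """All three header signals plus either the local-part pattern or the zombie
    verdict. A single signal on its own is only a tag-level hint (YMMV)."""
    s = set(ratware_signals(raw_headers, suspect_host))
    core = {"helo_bare_cctld", "from_cctld", "msgid_domain_is_helo"}
    return core <= s and bool(s & {"firstmlastzz_localpart", "suspect_host"})

def domains_to_quarantine(raw_headers, suspect_host=False):
    """HELO and sender domains of a ratware message: forged victims (cibo.be and
    cilme.it in the sample) that must be kept out of a domain blacklist."""
    if not looks_like_ratware(raw_headers, suspect_host):
        return []
    msg = email.message_from_string(raw_headers)
    helo = HELO_RE.match(msg.get("Received", "")).group(1).lower()
    sender = FROM_RE.match(msg.get("From", ""))["domain"].lower()
    return sorted({helo, sender})

if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE), ("legit", LEGIT)):
        print(label, ratware_signals(raw), domains_to_quarantine(raw))
```

Running a candidate submission file through domains_to_quarantine before it reaches a blacklist is the "quarantine ccTLD domains from mass submissions" step in code form.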
On Friday, October 15, 2004, 8:24:27 AM, Alex Broens wrote:
/home/gorilla/black-gorilla-7_04.txt in nouse-white-jeffc-dmoz
medica.de = large German Medical Exhibition in Duesseldorf. Definitely not a spamhaus.
Thanks. Agreed, not a spam gang. Legitimate medical show. No SBL. No NANAS. Domain at least 4 years old.
Whitelisting.
Can't imagine how these could get onto any list, other than a joe job or open subscription?
Jeff C. -- "If it appears in hams, then don't list it."
on Fri, Oct 15, 2004 at 06:42:21PM -0700, Jeff Chan wrote:
On Friday, October 15, 2004, 8:24:27 AM, Alex Broens wrote:
/home/gorilla/black-gorilla-7_04.txt in nouse-white-jeffc-dmoz
medica.de = large German Medical Exhibition in Duesseldorf. Definitely not a spamhaus.
Thanks. Agreed, not a spam gang. Legitimate medical show. No SBL. No NANAS. Domain at least 4 years old.
Whitelisting.
Can't imagine how these could get onto any list, other than a joe job or open subscription?
Please see my post WRT the "firstmlastzz" spammer. I know back in the day before I started distinguishing between blocking and tagging I'd throw the domains of any spam sender I saw into the blacklist. The list I sent Chris a few months ago was like that - full of ccTLD domains harvested from spam senders and HELOs - but I've since cleaned it up and started to distinguish between the badhelos and spammer domains.
On Saturday, October 16, 2004, 7:49:16 AM, Steven Champeon wrote:
on Fri, Oct 15, 2004 at 06:42:21PM -0700, Jeff Chan wrote:
On Friday, October 15, 2004, 8:24:27 AM, Alex Broens wrote:
/home/gorilla/black-gorilla-7_04.txt in nouse-white-jeffc-dmoz
medica.de = large German Medical Exhibition in Duesseldorf. Definitely not a spamhaus.
Can't imagine how these could get onto any list, other than a joe job or open subscription?
Please see my post WRT the "firstmlastzz" spammer. I know back in the day before I started distinguishing between blocking and tagging I'd throw the domains of any spam sender I saw into the blacklist. The list I sent Chris a few months ago was like that - full of ccTLD domains harvested from spam senders and HELOs - but I've since cleaned it up and started to distinguish between the badhelos and spammer domains.
Can you do a diff from an earlier version and get us a list to remove from the current data? It could help a lot. :-)
Jeff C. -- "If it appears in hams, then don't list it."
on Sat, Oct 16, 2004 at 08:09:52AM -0700, Jeff Chan wrote:
On Saturday, October 16, 2004, 7:49:16 AM, Steven Champeon wrote:
on Fri, Oct 15, 2004 at 06:42:21PM -0700, Jeff Chan wrote:
On Friday, October 15, 2004, 8:24:27 AM, Alex Broens wrote:
/home/gorilla/black-gorilla-7_04.txt in nouse-white-jeffc-dmoz
medica.de = large German Medical Exhibition in Duesseldorf. Definitely not a spamhaus.
Can't imagine how these could get onto any list, other than a joe job or open subscription?
Please see my post WRT the "firstmlastzz" spammer. I know back in the day before I started distinguishing between blocking and tagging I'd throw the domains of any spam sender I saw into the blacklist. The list I sent Chris a few months ago was like that - full of ccTLD domains harvested from spam senders and HELOs - but I've since cleaned it up and started to distinguish between the badhelos and spammer domains.
Can you do a diff from an earlier version and get us a list to remove from the current data? It could help a lot. :-)
I've already sent this to Chris IIRC, but here's my 'badhelos' file - you should be able to use it as a FP test; most of the legit domains in it were passed as part of the firstmlastzz spamware's HELO or sender.
http://enemieslist.com/downloads/badhelos
On Saturday, October 16, 2004, 8:21:57 AM, Steven Champeon wrote:
on Sat, Oct 16, 2004 at 08:09:52AM -0700, Jeff Chan wrote:
On Saturday, October 16, 2004, 7:49:16 AM, Steven Champeon wrote:
on Fri, Oct 15, 2004 at 06:42:21PM -0700, Jeff Chan wrote:
On Friday, October 15, 2004, 8:24:27 AM, Alex Broens wrote:
/home/gorilla/black-gorilla-7_04.txt in nouse-white-jeffc-dmoz
medica.de = large German Medical Exhibition in Duesseldorf. Definitely not a spamhaus.
Can't imagine how these could get onto any list, other than a joe job or open subscription?
Please see my post WRT the "firstmlastzz" spammer. I know back in the day before I started distinguishing between blocking and tagging I'd throw the domains of any spam sender I saw into the blacklist. The list I sent Chris a few months ago was like that - full of ccTLD domains harvested from spam senders and HELOs - but I've since cleaned it up and started to distinguish between the badhelos and spammer domains.
Can you do a diff from an earlier version and get us a list to remove from the current data? It could help a lot. :-)
I've already sent this to Chris IIRC, but here's my 'badhelos' file - you should be able to use it as a FP test; most of the legit domains in it were passed as part of the firstmlastzz spamware's HELO or sender.
Thanks. Should we ask Chris to try to remove these from his 7/04 data?
Jeff C. -- "If it appears in hams, then don't list it."
On Saturday, October 16, 2004, 8:27:36 AM, Jeff Chan wrote:
On Saturday, October 16, 2004, 8:21:57 AM, Steven Champeon wrote:
on Sat, Oct 16, 2004 at 08:09:52AM -0700, Jeff Chan wrote:
On Saturday, October 16, 2004, 7:49:16 AM, Steven Champeon wrote:
on Fri, Oct 15, 2004 at 06:42:21PM -0700, Jeff Chan wrote:
On Friday, October 15, 2004, 8:24:27 AM, Alex Broens wrote:
/home/gorilla/black-gorilla-7_04.txt in nouse-white-jeffc-dmoz
medica.de = large German Medical Exhibition in Duesseldorf. Definitely not a spamhaus.
Can't imagine how these could get onto any list, other than a joe job or open subscription?
Please see my post WRT the "firstmlastzz" spammer. I know back in the day before I started distinguishing between blocking and tagging I'd throw the domains of any spam sender I saw into the blacklist. The list I sent Chris a few months ago was like that - full of ccTLD domains harvested from spam senders and HELOs - but I've since cleaned it up and started to distinguish between the badhelos and spammer domains.
Can you do a diff from an earlier version and get us a list to remove from the current data? It could help a lot. :-)
I've already sent this to Chris IIRC, but here's my 'badhelos' file - you should be able to use it as a FP test; most of the legit domains in it were passed as part of the firstmlastzz spamware's HELO or sender.
Thanks. Should we ask Chris to try to remove these from his 7/04 data?
Looks like he's taken them out:
$ join badhelos /home/gorilla/black-gorilla-7_04.txt
$ join badhelos /home/gorilla/black-gorilla-8_04.txt
hotvsnot.com BYE
hotvsnot.com BYE
rate-em.com BYE
However some of them appear in the prolocation and old Bill Stearns data:
/home/prolocation/black-prolocation-master in badhelos
/home/wstearns/black-wstearns-sa-blacklist.200406281446.domains in badhelos
Number of matches: 49
Raymond and Bill, is it possible you got some of these from Chris earlier? If so is it possible for you to remove this "bad hello" list as a source?
Jeff C. -- "If it appears in hams, then don't list it."
Hi!
However some of them appear in the prolocation and old Bill Stearns data:
/home/prolocation/black-prolocation-master in badhelos
blackpencils.com BYE dfhu876.com BYE emailgaul.com BYE ev24.net BYE happpymail.com BYE hideakifan.com BYE
Raymond and Bill, is it possible you got some of these from Chris earlier? If so is it possible for you to remove this "bad hello" list as a source?
No, the data we got is only from our own source, there are some reported via the SURBL+ webform, but we have the evidence files of those separate.
We didn't use any other list to get this going.
A bad HELO btw, will be killed, most likely, by our mailers, since we do some strict checking there.
# Forged hostname - HELOs as one of my own IPs
deny message = Forged IP detected in HELO: $sender_helo_name
     hosts = !+relay_from_hosts
     log_message = Forged IP detected in HELO: $sender_helo_name
     condition = ${if \
                   eq{$sender_helo_name}{$interface_address}{yes}{no}}
We really get a LOAD of hits on a stupid ACL like that.
Bye, Raymond.