I have a customer who keeps tripping catholicexchangeMUNGED.com
Can we get this removed from WS SURBL?
Frederic Tarasevicius
Internet Information Services, Inc.
http://www.i-is.com/
810-794-4400
mailto:info@i-is.com

Whois Results for catholicexchange.com

Registrant:
Catholic Exchange (CATHOLICEXCHANGE3-DOM)
   162 S. Rancho Santa Fe Rd. Suite E
   Encinitas, CA 92024
   US

   Domain Name: CATHOLICEXCHANGE.COM

   Administrative Contact, Technical Contact:
      Miller, Kathryn (KMY149) kmiller@catholicexchange.com
      P.O. Box 231820
      ENCINITAS, CA 92023
      US
      760-942-4234 fax: 760-942-3038

   Record expires on 28-Apr-2005.
   Record created on 28-Apr-2000.
   Database last updated on 17-Sep-2004 18:25:57 EDT.

   Domain servers in listed order:

   NS1.SBSI-NET.COM 64.66.6.3
   NS2.SBSI-NET.COM 216.70.252.142

On Friday, September 17, 2004, 3:23:47 PM, Fred Fred wrote:
> Whois Results for catholicexchange.com
>
> Registrant:
> Catholic Exchange (CATHOLICEXCHANGE3-DOM)
>    162 S. Rancho Santa Fe Rd. Suite E
>    Encinitas, CA 92024
>    US
>
>    Domain Name: CATHOLICEXCHANGE.COM
>
>    Administrative Contact, Technical Contact:
>       Miller, Kathryn (KMY149) kmiller@catholicexchange.com
>       P.O. Box 231820
>       ENCINITAS, CA 92023
>       US
>       760-942-4234 fax: 760-942-3038
>
>    Record expires on 28-Apr-2005.
>    Record created on 28-Apr-2000.
>    Database last updated on 17-Sep-2004 18:25:57 EDT.
>
>    Domain servers in listed order:
>
>    NS1.SBSI-NET.COM 64.66.6.3
>    NS2.SBSI-NET.COM 216.70.252.142

FWIW, the 16 NANAS reports on this domain seem to be Joe Jobs or something similar. They used this domain as a return address in the message body of scams.
This domain appears to be a legitimate organization so I'm whitelisting them and asking the WS people to check and remove it from the source data.
Jeff C.
> I have a customer who keeps tripping catholicexchangeMUNGED.com
> Can we get this removed from WS SURBL?
Registered in 2000. The only spams I've seen this in were 419s, which generally use other people's domains, or (rarely) very recently registered domains.
Folks, please do not list domains mentioned in 419s or used as 419 sender domains, unless they are freshly registered (usually ns=yahoo, whois=melbourneit.com, but have seen others).
Joe
on Sat, Sep 18, 2004 at 07:45:45AM +0900, Joe Wein wrote:
> > I have a customer who keeps tripping catholicexchangeMUNGED.com
> > Can we get this removed from WS SURBL?
> Registered in 2000. The only spams I've seen this in were 419s, which generally use other people's domains, or (rarely) very recently registered domains.
> Folks, please do not list domains mentioned in 419s or used as 419 sender domains, unless they are freshly registered (usually ns=yahoo, whois=melbourneit.com, but have seen others).
I agree this shouldn't have been listed in SURBL, but their mail server is either an open relay or they have someone on the inside who's a 419 or lotto scammer, or they run an insecure webmail service (probably the latter):

Return-Path: universal_lottos@catholicexchange.com
Received: from catholicexchange.com (mail.catholicexchange.com [64.66.6.208])
    by serrano.hesketh.net (8.12.11/8.12.8/NO-UCE-NO-UBE-NO-spam) with ESMTP id i54EpauW029407
    for info@salander.com; Fri, 4 Jun 2004 10:51:37 -0400
Received: from catholicexchange.com ([64.66.6.208]) by catholicexchange.com ;
    Fri, 04 Jun 2004 06:50:01 -0700
From: universal_lottos@catholicexchange.com
Sender: universal_lottos@catholicexchange.com
Reply-to: universal_lottos@catholicexchange.com
To: universalstakeslottos@yahoo.co.in
Date: Fri, 4 Jun 2004 06:50:01 -0700
Subject: CONGRATULATIONS (WINNING NOTICE)
X-Mailer: CWMail Web to Mail Gateway 2.8c, http://netwinsite.com/top_mail.htm
Message-id: 40c07e09.740.0@catholicexchange.com
X-User-Info: 212.100.67.163
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Status: RO
Content-Length: 2490
Lines: 56

212.100.67.163 is a Nigerian IP, but frankly, their mail server sucks if it can't put proper Received: headers in, showing where the email came from - and they shouldn't be accepting mail from Nigeria, anyway, given the current state of the 419/lotto scams...
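
The header reading in the message above, as an added example that is not part of the original thread: it parses those headers and reports any webmail client address (`X-User-Info` here) that no `Received:` line accounts for. The function names, the `X-Mailer` pattern and the extra `X-Originating-IP` header name are assumptions added for illustration.

```python
import ipaddress
import re
from email import message_from_string

# Headers abridged from the message quoted above, one per line (body omitted).
SAMPLE = "\n".join([
    "Received: from catholicexchange.com (mail.catholicexchange.com [64.66.6.208])"
    " by serrano.hesketh.net (8.12.11/8.12.8/NO-UCE-NO-UBE-NO-spam) with ESMTP"
    " id i54EpauW029407; Fri, 4 Jun 2004 10:51:37 -0400",
    "Received: from catholicexchange.com ([64.66.6.208]) by catholicexchange.com ;"
    " Fri, 04 Jun 2004 06:50:01 -0700",
    "X-Mailer: CWMail Web to Mail Gateway 2.8c, http://netwinsite.com/top_mail.htm",
    "X-User-Info: 212.100.67.163",
    "", "",
])

IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
# Assumed heuristic: X-Mailer strings that name a web-to-mail front end.
GATEWAY = re.compile(r"web(mail|\s+to\s+mail)", re.I)
# Headers in which a webmail front end records the browser's address.
# X-User-Info is the one on this page; X-Originating-IP is another common one.
CLIENT_HEADERS = ("X-User-Info", "X-Originating-IP")


def header_ips(msg, names):
    """Valid IPv4 addresses found in every occurrence of the named headers."""
    found = set()
    for name in names:
        for value in msg.get_all(name, []):
            for candidate in IPV4.findall(value):
                try:
                    found.add(str(ipaddress.IPv4Address(candidate)))
                except ValueError:
                    continue  # looks like an address but is out of range
    return found


def webmail_origin(raw_headers):
    """Compare the relay chain with the client address the gateway recorded."""
    msg = message_from_string(raw_headers)
    relay_ips = header_ips(msg, ("Received",))
    client_ips = header_ips(msg, CLIENT_HEADERS)
    return {
        "via_web_gateway": bool(GATEWAY.search(msg.get("X-Mailer", ""))),
        "relay_ips": relay_ips,
        "client_ips": client_ips,
        # Submitting addresses that no Received: line accounts for.
        "untraced_clients": client_ips - relay_ips,
    }
```

On the sample, `webmail_origin(SAMPLE)["untraced_clients"]` contains only 212.100.67.163: the sole record of the submitting host is the gateway's own `X-User-Info` header.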
On Friday, September 17, 2004, 3:45:45 PM, Joe Wein wrote:
> > I have a customer who keeps tripping catholicexchangeMUNGED.com
> > Can we get this removed from WS SURBL?
> Registered in 2000. The only spams I've seen this in were 419s, which generally use other people's domains, or (rarely) very recently registered domains.
> Folks, please do not list domains mentioned in 419s or used as 419 sender domains, unless they are freshly registered (usually ns=yahoo, whois=melbourneit.com, but have seen others).
> Joe
I agree. They look like 419 Joe Jobs.
Usually the entire message body of 419s should be ignored for SURBL purposes. 419s are usually only interesting for the sender information, which SURBLs don't do.
Jeff C.