Reposting, for those not following the original thread.
I found the following FPs in WS in a large recent ham corpus. I suggest whitelisting all of these.
buckeye-express.com -- Used in a personal email address, looks legit; 7 examples
nm.ru -- Used in a personal email address, looks legit
advanstar.com -- Legit uses; found in a well-known dental newsletter; also personal email address of one of the editors; 3 messages
00fun.com -- Confirmed, more than one user on our system sent or received eCards from them
northstarconferences.com -- Legit conference host site subscribed to by two users; 9 messages in this corpus
mardox.com -- Search engine; registered 1875 days ago, and *looks* like the user did actually submit their site to them.
postsnet.com -- Registered exactly one year ago, 51 NANAS, blank home page, ehh... but I have 4 different legit newsletters with links to them.
webspawner.com -- Created in 1996; free host/email
npdor.com -- Surveys; been around since 1999. 103 NANAS, but they've been advertised by some reputable "word of the day" mailers (dictionary.com) Maybe a good candidate for UC. :-) 2 examples
imninc.com -- Domain is 507 days old; they do newsletters. At least one of them is legit. :-)
worldhealth.net -- It's 3468 days old today (1995). One of our users attended a conference of theirs, and signed up for a newsletter.
hoteldiscounts.com -- 2459 days old (1997), found in actual room booking confirmations for Comfort Inn.
- Ryan
Hi Ryan,
postsnet.com -- Registered exactly one year ago, 51 NANAS, blank home page, ehh... but I have 4 different legit newsletters with links to them.
webspawner.com -- Created in 1996; free host/email
npdor.com -- Surveys; been around since 1999. 103 NANAS, but they've been advertised by some reputable "word of the day" mailers (dictionary.com) Maybe a good candidate for UC. :-) 2 examples
imninc.com -- Domain is 507 days old; they do newsletters. At least one of them is legit. :-)
worldhealth.net -- It's 3468 days old today (1995). One of our users attended a conference of theirs, and signed up for a newsletter.
hoteldiscounts.com -- 2459 days old (1997), found in actual room booking confirmations for Comfort Inn.
Some are also found in Joe's list, Joe can you have a look what triggered them? Postsnet is a little tricky, they seem a little 'grey' ... the rest I could not find many references to.
Thanks! Raymond.
Raymond Dijkxhoorn wrote to SURBL Discussion list:
Hi Ryan,
postsnet.com -- Registered exactly one year ago, 51 NANAS, blank home page, ehh... but I have 4 different legit newsletters with links to them.
Some are also found in Joe's list, Joe can you have a look what triggered them? Postsnet is a little tricky, they seem a little 'grey' ...
;-) Yeah. Definitely. But, they have legit uses, so they're not fit for WS.
- Ryan
Hi!
postsnet.com -- Registered exactly one year ago, 51 NANAS, blank home page, ehh... but I have 4 different legit newsletters with links to them.
Some are also found in Joe's list, Joe can you have a look what triggered them? Postsnet is a little tricky, they seem a little 'grey' ...
;-) Yeah. Definitely. But, they have legit uses, so they're not fit for WS.
Hmm yeah, I guess so ;)
Oh well, I have whitelisted it on my end, so if Bill gets the stuff going for WS again it will be gone there also.
Bye, Raymond.
Raymond wrote:
Some are also found in Joe's list, Joe can you have a look what triggered them? Postsnet is a little tricky, they seem a little 'grey' ... the rest I could not find many references to.
Three of those appear on my list:
1) mardox.com
They spammed me on August 13, 2004 using a bulk mailer program. The email said that a URL in one of my sites had been submitted for their search engines, but that the IP of the submitting machine was unavailable: "Unknown IP. User had used an automated software for url submission". That explanation didn't make any sense to me and smelled very fishy.
According to Google, similar messages went to lots of other people, see
http://nlug.org/mail/nlugsc/nlugsc__2004_06/0013.html
http://lists.cwrl.utexas.edu:81/read/messages?id=2906
http://juul-punt.com/index.php?itemid=4906
for instance. Looks more like they created their own submissions by harvesting addresses off websites and then spamming the site owners.
If they do have legitimate uses however, I guess I'll just locally block the sender address (request@global-submit.com) and whitelist the domain.
2) postsnet.com
Received spam on May 12, 2004 from mail server mta9br.postsnet.com. The domain was only 8 months old. There are 39 NANAS sightings. In it went...
3) worldhealth.net
On April 14 I received a bulk-mailed email from one of these guys, inviting me to a conference. He obviously had used an address harvester, because the subject of the site he contacted me about is only marginally related to what their group is about. I ignored the mail.
On April 27, 2004 I started receiving a newsletter from them that I'd never subscribed to.
A Google search for the domain name and "spam" finds another page quoting from a newsletter by these guys that includes this passage:
"To be removed from this list just follow the instructions at the end of this newsletter. All addresses are double opt in. If you did not sign up for this newsletter, perhaps someone did in your name, we apologize. THIS IS NOT SPAM!"
Interesting, if this is "double opt in", how can someone else subscribe in your name? As to "THIS IS NOT SPAM!", we know what that usually means...
Anyway, inquiries in June as to why I ended up on their recipient list went unanswered and so I decided to list them.
Maybe this is another grey case. They've been around since 1995 and claim to have thousands of members. I'll remove the domain and locally block the sender address.
Joe
on Sun, Sep 05, 2004 at 11:34:55AM -0600, Ryan Thompson wrote:
Reposting, for those not following the original thread.
I found the following FPs in WS in a large recent ham corpus. I suggest whitelisting all of these.
buckeye-express.com -- Used in a personal email address, looks legit; 7 examples
It's a cablevision branch ISP in Ohio.
nm.ru -- Used in a personal email address, looks legit
Newmail.ru - same thing.
advanstar.com -- Legit uses; found in a well-known dental newsletter; also personal email address of one of the editors; 3 messages
ISP in Minnesota.
postsnet.com -- Registered exactly one year ago, 51 NANAS, blank home page, ehh... but I have 4 different legit newsletters with links to them.
Yeah, but they're really very dirty. Lots of unconfirmed mail coming from there in my experience. Anyway - not relevant for surbl, but I've had some real issues with these guys.
On Tuesday, September 7, 2004, 3:55:48 PM, Steven Champeon wrote:
on Sun, Sep 05, 2004 at 11:34:55AM -0600, Ryan Thompson wrote:
Reposting, for those not following the original thread.
I found the following FPs in WS in a large recent ham corpus. I suggest whitelisting all of these.
buckeye-express.com -- Used in a personal email address, looks legit; 7 examples
It's a cablevision branch ISP in Ohio.
nm.ru -- Used in a personal email address, looks legit
Newmail.ru - same thing.
advanstar.com -- Legit uses; found in a well-known dental newsletter; also personal email address of one of the editors; 3 messages
ISP in Minnesota.
postsnet.com -- Registered exactly one year ago, 51 NANAS, blank home page, ehh... but I have 4 different legit newsletters with links to them.
Yeah, but they're really very dirty. Lots of unconfirmed mail coming from there in my experience. Anyway - not relevant for surbl, but I've had some real issues with these guys.
Thanks for your feedback Steve. I've whitelisted newmail.ru.
Jeff C.