{Spam?} Re: [SURBL-Discuss] Possible fps

Joe Wein joewein at pobox.com
Fri Aug 13 01:06:10 CEST 2004


> Here is a list of 130 domains that come from messages
> that have been manually marked as "not spam" at a large
> but deliberately unnamed mail provider.   We may want
> to consider whitelisting these.

Hi Jeff,

the following are on my blacklist:

anyxhost.com
geileheissemaus.com
golady.com
goldnow.st
grmushkinsexxx.com
lenovo2008.com
magicpages.biz
megacockcravers.com
mellamed.com
messagizer.de
mtnonline.com
mypharmanex.com
onlywantsex.net
pdgexchanger.com
pdginventory.com
recyclemycell.com
totallyamateurs.com
trickortranny.com
vetomail.com
webmasterlose.de
xuevsdes.net
ysmtrucker.com


I manually rechecked every one of them in detail. Here are the results:


anyxhost.com:
Not sure about this one. Spamvertized URL
<http://www.top-10-search-engine-ranking.anyxhost.MUNGEcom> in spam received
on May 9, 2004. This spamvertized subdomain is still active today.
anyxhost.com was only 3 weeks old at the time of the spam.

geileheissemaus.com:
German porn site; URL <http://geileheissemaus.MUNGEcom/?ref=AX965759486>
received in spam on July 30, 2004. Originating IP=217.173.157.165, which is
the IP of geileheissemaus.com. This definitely is spam.

golady.com:
URL <http://rds.yahoo.com/*-http://www.yahoo.com.golady.MUNGEcom/rd/b.html>
received in pill spam ("If you are forking out loads for your pills these
people can help") on Feb 29, 2004.

goldnow.st
URL <http://www.goldnow.MUNGEst>  advertized in spam on March 23, 2004,
offering anonymous credit cards; spam listed various phone numbers of the
company that also appear on their website. This would have to be a Joe job
for them to be innocent, but a .st domain is anything but confidence
inspiring.

grmushkinsexxx.com
Porn site; URL http://www.grmushkinsexxx.MUNGEcom/index.html  advertised in
spam with explicit pictures on July 27, 2004.

lenovo2008.com
Spamvertised URL
<http://www.51mymail.MUNGEcom/projects/tracker.jsp?o=1151&u=39242396&s=1&e=
2&d=1&r=http://www.lenovo2008.MUNGEcom/edm/1.html> which opens
<http://www.lenovo2008.MUNGEcom/edm/1.html> in Chinese language spam
received on July 29, 2004.

magicpages.biz
Google spamming service site; Spamvertized URL
<http://www.magicpages.MUNGEbiz/>  in spam received on July 26, 2004.

megacockcravers.com:
Porn site; Spamvertized URL
<http://www.megacockcravers.MUNGEcom/main.htm?id=9142120>  in spam received
on May 12, 2004.

mellamed.com
419 scam from barukh at mellamed.com received on August 8, 2004. The website is
not functional (i.e. incomplete Apache setup). mellamed.com was
registered only four days earlier and is hosted by a company in -out of all
places- Lagos, Nigeria that has hosted at least two other 419 scam sites
before.

messagizer.de
Spam from host "news.messagizer.de" received here on February 25, 2004 at an
unused address harvested off my website. A google news groups search for
"messagizer.de *abuse*" finds many threads.

mtnonline.com:
Spamvertised URL: <www.mtnonline.MUNGEcom> in spam from Nigeria
(adekunleadekoya at sirltech.com) selling ringing tones for mobile phones,
received on July 15, 2004.

mypharmanex.com:
Spamvertized URL <http://gaylemarie.mypharmanex.MUNGEcom/>  in spam received
on May 15, 2004. Gayle Marie may only be a spamming affiliate. However, her
subdomain still works three months later. Maybe nobody reported her spam?

onlywantsex.net
Porn site, Curacao, Netherlands Antilles; Spamvertized URL
<http://OnlyWantSex.MUNGEnet/enter.asp?src=786> received in spam on May 4,
2004.

pdgexchanger.com:
Sender domain of spam received on August 6, 2004. Domain registered with
Joker.com five days earlier, on August 1, 2004.
http://www.pdgexchanger.MUNGEcom/ gives only a blank webpage. The URL
advertised was <Http://pde.spedis.MUNGEinfo/wpfrnd/>. The MID domain was
<pdgproclaimer.com>.

The Name server is PDGBLURB.COM which was also only registered on August 1.
This name server was used by spams using the following domains on these
dates:
    pdgexchanger.com;2004-08-06
    pdgbroadcast.com;2004-08-09
    pdginventory.com;2004-08-09
    pdgcampaigner.com;2004-08-11

pdginventory.com:
Sender domain of spam received on August 9, 2004. Domain registered with
Joker.com five days earlier, on August 1, 2004.
http://www.pdginventory.MUNGEcom/ gives only a blank webpage. The URL
advertised was Http://cmhr.spedis.MUNGEinfo/wpfrnd/. The MID domain was
<pdgpitch.com>. The Name server is PDGBLURB.COM again.

recyclemycell.com:
Spam received on July 26, 2004 from "Recycle My Cell.com"
<advertise at recyclemycell.MUNGEcom>.

totallyamateurs.com:
Spamvertized URL <http://www.totallyamateurs.MUNGEcom/ft=pimp1946> in
"SEXUALLY-EXPLICIT:"  spam received on May 26, 2004.

trickortranny.com:
Japanese porn video site; Spamvertized URL
<http://www.trickortranny.MUNGEcom/1261379920> in spam received on January
19, 2004.

vetomail.com:
A challenge & response spam filter. A link to this site was included in an
adult site spam received on February 15, 2004. Hmmm... A spam filter
recommended by spammers?

That alone wouldn't have done it, but at the time the name server for
vetomail.com appears to have been blacklisted by spamhaus (it no longer is)
and I had seen some pages accusing vetomail of spamming or other unethical
behaviour.

webmasterlose.de
Spamvertized URL
<http://www.webmasterlose.de/paid-ad-mail.php?id=8&user=1698> in spam (From:
"Webmasterlose (Paidmail)" <Info at webmasterlose.MUNGEde>) received February
12, 2004.

xuevsdes.net:
Spamvertised URL <http://www.xuevsdes.MUNGEnet/s50.htm?NqchCxweJvhRgvjfIuJ>
in Cyrillic code page porn spam received on July 28, 2004. The links in that
spam no longer work.

ysmtrucker.com:
See pdgexchanger.com / pdginventory.com. This seems to be the same spammer.
ysmtrucker.com was the sender domain in a spam received on August 3, 2004.
The domain of its name server, ysmbroadcaster.com, was registered with
Joker.com on August 1, same as PDGBLURB.COM. Spamvertized URL:
<www.gqh.kredis.MUNGEinfo/wpfrnd/?zhc>, domain registered by the same person
as spedis.info...


Bottom line:

The following domains may be innocent. I'll remove them here.

vetomail.com
anyxhost.com
webmasterlose.de
mypharmanex.com

But the following should stay on there:

geileheissemaus.com
golady.com
goldnow.st
grmushkinsexxx.com
lenovo2008.com
magicpages.biz
megacockcravers.com
mellamed.com
messagizer.de
mtnonline.com
mypharmanex.com
onlywantsex.net
pdgexchanger.com
pdginventory.com
recyclemycell.com
totallyamateurs.com
trickortranny.com
xuevsdes.net
ysmtrucker.com

Joe
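
Added example, not part of Joe's message and not SURBL's own code: two of the URLs above carry the advertised domain behind another host (the rds.yahoo.com link for golady.com, the 51mymail.com tracker for lenovo2008.com), so a lookup that checks only the outer host misses them. The sketch compares that weak check with one that tests every host in the URL; the MUNGE stripping, the last-two-labels rule and the small BLACKLIST set are assumptions for illustration.

```python
import re
from urllib.parse import unquote

# Constructed inputs: three URLs quoted in the message above, still munged,
# with the wrapped tracker URL rejoined onto one logical line.
GOLADY = "http://rds.yahoo.com/*-http://www.yahoo.com.golady.MUNGEcom/rd/b.html"
LENOVO = ("http://www.51mymail.MUNGEcom/projects/tracker.jsp?o=1151&u=39242396"
          "&s=1&e=2&d=1&r=http://www.lenovo2008.MUNGEcom/edm/1.html")
MTN = "<www.mtnonline.MUNGEcom>"

# Assumed local list, taken from the "should stay" domains in the message.
BLACKLIST = {"golady.com", "lenovo2008.com", "mtnonline.com"}

HOST_AFTER_SCHEME = re.compile(r"https?://([a-z0-9.-]+)", re.I)

def registered_domain(host):
    """Last two labels. Assumption: holds for .com/.net/.de/.st/.biz/.info,
    not for suffixes like co.uk, which need a public-suffix list."""
    labels = [label for label in host.lower().split(".") if label]
    return ".".join(labels[-2:])

def domains_in(url):
    """Every registered domain in the URL, outer host first, nested ones after."""
    url = unquote(url.replace("MUNGE", "")).strip("<> ")
    hosts = HOST_AFTER_SCHEME.findall(url)
    if not hosts:  # schemeless form such as www.example.com/path
        hosts = [re.split(r"[/?#]", url, maxsplit=1)[0]]
    found = []
    for host in hosts:
        domain = registered_domain(host)
        if domain and domain not in found:
            found.append(domain)
    return found

def first_host_hit(url):
    """Weak check: looks only at the outer host, so a redirector hides the target."""
    return [d for d in domains_in(url)[:1] if d in BLACKLIST]

def all_hosts_hit(url):
    """Corrected check: tests every host found anywhere in the URL."""
    return [d for d in domains_in(url) if d in BLACKLIST]

if __name__ == "__main__":
    for sample in (GOLADY, LENOVO, MTN):
        print(domains_in(sample), first_host_hit(sample), all_hosts_hit(sample))
```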


