[SURBL-Discuss] Possible large whitelist from DMOZ data

Joe Wein joewein at pobox.com
Thu Oct 7 10:14:48 CEST 2004


Jeff wrote:
> A couple points:
>
> 1.  We haven't whitelisted any of these yet.
>
> 2.  We need to bias against listing.  I don't dispute that some
> of these do send some spams.  The question remains, as ever,
> whether any have legitimate (non-spam) uses.  Those that do
> probably should not be listed.
>
> 3.  It is possible that some true spammers got into DMOZ, but
> most probably aren't.

Here's an update on the state of my checking:


[SP] = spammer
[UC] = spammy, but not for SURBL
[FP] = false positive
[TBD] = to be determined


1800patches.com [SP]
 - created in 1999
 - 210 NANAS sightings
 - Spamhaus SBL15666
 - listed in [WS]
 - received in spamfeed on 2004-09-21

adultlounge.com [FP?]
 - created in 1997
 - no NANAS listings
 - NS blacklisted, SBL10966
 - advertised in mail received in spamfeed on 2004-10-07 (nopostal address,
sent from adtmarket.com domain)

adultloveline.com: [FP?]
 - created in 2002
 - 11 NANAS listings, most from 2002 and 2003
 - listed on [WS]
 - spam sent to a spamtrap, advertising someone's entry on the site
 - sent via http://list.freemailpass.com

allofem.com [FP]
 - created 2000
 - NS blacklisted (conpuppy.com)
 - listed on [WS]
 - found in spamfeed on 2004-09-28 but may have been valid subscription by
recipient

ancientacu.com [FP?]
 - created in 2002
 - no NANAS listings
 - NS listed in open relay database
 - spam received on 2004-05-14 at German mailbox, from China, fake Hotmail
sender
 - also spammed some mailing lists
 - may have legitimate uses

bet-at-home.com [FP?]
 - sportsbetting site, created 1999
 - 58 NANAS listings, most recent 2003-12
 - mail received 2004-07-05, probably afiliate spam

christineyoung.com [FP?]
 - domain created 2001
 - no NANAS reports
 - NS blacklisted SBL17961
 - mail sent by sex4nothing.net to friend's mailbox on 2004-08-07 who
forwarded it
 - mail claimed subscription but used many anti-filter techniques
 - domain mentioned only as URL within URL

coid.biz [FP]
 - Indonesian portal and webmail site, created 2003
 - no NANAS
 - NS not blacklisted
 - listed by [WS]
 - abused as fake sender in pill spam on 2004-04-04

coins-and-banknotes.com [FP?]
 - Norwegian coin site, spam sent to a Norwegian mailbox,
recipient has no interest in coins whatsoever

diademtravel.com [SP]
 - see smyrnagroup.net

digienjoy.com [FP, block locally?]
 - Taiwanese video conferencing product, created in 2002
 - 2 NANAS postings
 - mail received on 2004-09-16, very similar to the NANAS spamtrap posting
 - looks like a legitimate company that sometimes spams

ebonyexclusive.com [TBD]
 - adult site, created 2001
 - no NANAS sightings
 - NS blacklisted SBL18947
 - listed on [WS]
 - advertised in mail from spamfeed on 2004-09-23 sent by adtmarket.com
 - no postal address in mail, but image with feedback code

evidence-eliminator.com [SP]
 - created 1999, spamming since at least 2000
 - 340 NANAS sightings
 - NS and MX blacklisted SBL10095
 - spam received 2003-05-28

fantasy-mail.com [TBD]
 - adult site, created in 1999
 - 228 NANAS sightings
 - NS and site blacklisted
 - banner ad in mail in spam feed on 2004-08-30
 - the fantasy-mail.com list itself seems confirmed opt-in.

fattyfarm.com [TBD]

flashcash.com [TBD]

greenguyandjim.com: [FP, removed]
 - appeared as sender domain for a refinance spam for finalsavings.com
 - went unnoticed because it's hosted by national.net (spammy porn-hoster),
   therefore NS are listed on Spamhaus, and only 4 months old

incomebuddy.com [TBD]

jackpot.com: [TBD]

kaplancollege.edu: [UC]
 - 31 NANAS sightings
 - SBL17199
 - persistent spams over extended period
 - no response to attempts to contact

knorad.com [TBD]

lasseters.com.au [TBD]

lovercash.com [TBD]

manevent.de: [FP]
 - sex contact mail to spamtrap included link to manevent.de (sex party
site)
 - no NANAS, no SBL, site seems to have legitimate uses

medchoicelabs.com [TBD]

moneytrend.at [TBD]

movieerotica.com [TBD]

mymailgenie.com [TBD]

online-dictionary.biz [TBD]

pcbugdoctor.com [TBD]

pibcash.com [TBD]

platinumbucks.com: [SP]
 - Spamhaus SBL7867 [marketingx.com/platinumbucks.com]
 - 123 NANAS sightings
 - listed on SORBS
- spam on 2004-03-10 advertising whitepussyblackcocks.com
used image hosted at pb
- domain created 1999 but hosted by national.net
- claim "zero-tolerance for spamming" by afiliates

pornindustryjobs.com: [SP]
 - 23 NANAS
 - the domains appears to have been suspended for spamming on or before
2004-09-12 and is not currently active.

realage.com [TBD]

realtimevideos.com [TBD]

robotreply.com [TBD]

silvercash.com [TBD]

smyrnagroup.net: [SP]
 - notorious spammer from Turkey (travel agency)
 - persistent usenet and email spams in .de/.ch
 - can be blocked by email address, as they only use a few sender email
addresses.

thebingoaffiliates.com [TBD]

tiptopjob.com [SP]
- job search site created in 2000
- received bulkmail from marketing at tiptopjob.com, 2004-05-12
- many samba.org, debian.org, kde.org mailinglists got same spam in May/June
- blacklisted on WS
- google finds tons of directory-type hits, but little else (search engine
spamming?)
- NS has SBL for another domain
- no NANAS listings
- outgoing mailserver not blacklisted anywhere

tomsnewbiebooster.com [TBD]

tripod.com.ar [FP, removed]
 - Oops!

tvujdum.cz [UC]:
- sent spam on 2004-02-16 advertizing "deinwohnen.de"
- same spam received by many German users
- no response when contacted
- probably no hardcore spammer

umtscom.org [SP]
- WAP Advertising Ltd.
- registered in 2000
- spam sent 2004-02-18 to addr probably harvested off web

vicp.net [TBD]

virtuagirl2.com [TBD]

visaforyou.com [TBD]

vistaprint.com: [SP]
 - 130 NANAS sightings
 - Spamhaus SBL14856

webspace4free.biz [TBD]

webway.at [FP, add to local blacklist]
 - coin collector magazine
 - unsolicited subsription of an unused mail account on 2004-09-24
 - appears to have legitimate use

wujidomartialarts.com [SP]
 - created 2003
 - no NANAS
 - NS not blacklisted
 - listed on [WS]
 - spam sent directly to Raymond's personal address (from=info at wujido.com)
from a SWBell DSL account, advertising this domain

xboxchips.com [SP]
 - created in 2003
 - 2 NANAS sightings (direct to MX from a DSL account in Cyprus)
 - spam received on 2004-02-21, same spam run as NANAS, same source
 - domain no longer live

yesmoke.ch: [UC, but blacklisting locally]
 - Mail order tobacco store, advertised in spam sent to a dormant personal
mailbox on 2004-05-26.
 - they have an MLM afiliate program, it probably was afiliate spam

Joe



More information about the Discuss mailing list