[SURBL-Discuss] Took top percentiles of DMOZ and wikipedia domains, some results

Jeff Chan jeffc at surbl.org
Sat Oct 16 12:57:36 CEST 2004


On Wednesday, October 13, 2004, 9:00:29 PM, Jeff Chan wrote:
> On Monday, October 11, 2004, 4:59:24 PM, Jeff Chan wrote:

>> See the first message in this thread for a little more
>> information about some of these:

>>   http://lists.surbl.org/pipermail/discuss/2004-October/003169.html

Thanks to Ryan and others for identifying most of the free hosting
sites in the full list.  We whitelisted those free sites earlier.


>> We still need help identifying the other potential FPs from the
>> percentiled top DMOZ and wikipedia list:

>>   http://spamcheck.freeapp.net/whitelists/percentile-wikipedia-dmoz-blocklist.txt
I went ahead and checked the remainder:

>> arena.ne.jp

1997 domain, web hosting site belonging to Japan's national telco
NTT, no SBL, 72 NANAS - mostly sender addresses and a few abuse
reporting addresses.  36 DMOZ hits.   Probably should not be
listed.

>> away.com

1995 domain, no SBL, 7 NANAS - all apparently joe job or
"whitening" or "chaff" type false inclusions in spam.  away.com
appears to be a legitimate travel site with no actual abuse.
Probably should not be listed.

>> centralhome.com

1998 domain, no SBL, no NANAS.  May be a legitimate site: "Dance,
Exercise, Sports and Fitness Videos, DVD, Books & Accessories".
Probably should not be listed.

>> cheapass.com

1997 domain, no SBL, no NANAS, sells board games.  Looks
legitimate.  Probably should not be listed.

>> kit.net

1997 domain, no SBL, 2000+ NANAS - user abuse of this hosting
site.  Redirects to kitnet.globo.com.  Clearly this domain is
abused.  The only question is whether it has enough legitimate
use to whitelist.

Hosting IP belongs to Embratel, and is listed in only SPEWS as a
/24, which I don't consider particularly meaningful.  IP is not
listed in any other RBLs that openrbl.org knows about.  Possibly
ok to whitelist, though as others have noted, it does get abused
a lot.  4 DMOZ hits.

>> kki.net.pl

1997 domain, no SBL, 248 NANAS - almost all in forged headers,
appears to be a legitimate Polish ISP with mail and web hosting.
Personal web sites probably subject to some abuse, but the NANAS
hits were almost all forged mentions in mail headers.  Appears
to have legitimate uses.  15 DMOZ hits.

>> ledger-enquirer.com

1997 domain, no SBL, 1 NANAS in spam headers as forged recipient,
which is usually meaningless.  This is the web site of a local
Georgia newspaper owned by large newspaper chain Knight Ridder.
Almost certainly not a spam gang.

>> nana.co.il

2000 or earlier domain, no SBL, 754 NANAS - mostly forged
headers, major Internet portal in Israel, appears to have
legitimate uses.  40 DMOZ hits.

>> online-dictionary.biz

March 2004 domain registration, no SBL, no NANAS, mentioned
as an online reference in Wikipedia as "free multi-lingual online
dictionary between English and seven modern languages".  Probably
has legitimate uses despite the bizarre choice of TLD.

>> p5.org.uk

2001 domain belonging to portland.co.uk like 8bit.co.uk and some
other free hosts we recently whitelisted, no SBL, 17 NANAS,
appears to have some legitimate uses and some minor abuse.
2 DMOZ.

>> quuxuum.org

1996 domain, no SBL, 23 NANAS, all referring to "evan's" Bill
Gates' net worth page, probably a Joe Job or chaff in contest
scams.  (Or some kind of sick, envy-driven justification in
the scammers' puny brains for trying to scam people.)  This
site looks like a personal web server with some legitimate
personal hobbyist uses.  Does not seem to be a major spam
destination or spammer, at least based on visible sites and
NANAS mentions.  6 DMOZ.

>> republika.pl

1999 domain, no SBL, 12 NANAS, but 2526 DMOZ mentions, so it
probably has far more legitimate uses than spam uses.  Appears
to be a Polish hosting provider.  Probably should not be listed.

>> s5.com

1996 domain, no SBL, 116 NANAS, free hosting site belongs to
freeservers.com.  Already whitelisted along with others belonging
to them.

>> spaceports.com

1997 domain, no SBL, 22 NANAS from 1999 through 2003.  None in
2004.  Hosting provider with reasonable looking abuse policies.
The reports seem short-lived and few, indicating that they may be
stopping abusers.  229 DMOZ hits.  Probably should be whitelisted.

>> t35.com

1999 domain, no SBL, 59 NANAS, 44 DMOZ.  Hosting provider.  Seems
to have reasonable abuse policies including specifically prohibiting
spam mentions.

>> telepolis.com

1996 domain, no SBL, 33 NANAS, 262 DMOZ.  Wanadoo Spain ISP.
Minor spam from personal web or picture hosting.  Spam-mentioned
sites seem shut down, so probably has a functional abuse desk.
Has some minor abuse, but probably should not be listed.

>> transnationale.org

1999 domain, no SBL, 250 NANAS, 3 DMOZ, French web site
apparently tracking social policies of international companies.
The NANAS hits are almost entirely mentions in 419-type spams,
probably due to socio-political articles, but that does not make
the domain spammers.  Oddly it's the same article URI mentioned
in every spam I checked, and that URI no longer serves a page.
Perhaps the site owners got tired of the abuse and took it down.
Again, this does not make the site spammers, more like victims
of the mention.  Probably should not be listed.

>> up.co.il

1998 or earlier domain, no SBL, 23 NANAS - mix of senders and
hosts but relatively few, 48 DMOZ, Israel web hosting company.
Some minor abuse, but probably should not be listed.   Spam-
mentioned sites seem shut down.

>> xiloo.com

2000 domain, in SBL, 345 NANAS, 8 DMOZ.  Appears to be a China
ISP or portal.  Can't determine much more than that.  Also owns
xilu.com.  Source on WS is:

  /home/dbfunk/black-dbfunk-2:xiloo.com

Dave, got any data on them?

>> zip.net

1998 domain, not in SBL, 230 NANAS looking like abusive users.

Already whitelisted per Joe Wein's report:

"zip.net (http://zipmail.uol.com.br/) is a webmailer by UOL in
Brazil."

>> zonai.com

1999 domain, no SBL, 88 NANAS, 2 DMOZ.  Looks like Puerto Rico
web portal.  Appears to have legitimate uses.  NANAS hits all
appear to be 419-scam reply mentions and mail headers.  Probably
should not be listed.


So out of the above all should probably be whitelisted, except
xiloo.com and kit.net for which I can't determine enough.  Can
any Chinese readers check out xiloo.com?

Does anyone have any comments on any of these?

Jeff C.
--
"If it appears in hams, then don't list it."


