[SURBL-Discuss] Re: Need help checking FP list from Theo

Alden Levy alden at engineno9inc.com
Tue Sep 7 19:01:56 CEST 2004


>Date: Tue, 7 Sep 2004 11:50:50 -0400
>From: Chris Santerre <csanterre at merchantsoverseas.com>
>Subject: RE: [SURBL-Discuss] Re: Need help checking FP list from Theo
>To: "'SURBL Discussion list'" <discuss at lists.surbl.org>
>Message-ID: <620A4FF9B83DD511B69900062939D037AC015E at internal.merchantsoverseas.com>


>OK, you asked for it ;)

>Some of this info will give you a 'feel' for how the hosts operate.

>>>Theo got us a list of 112 new false positives from across all
>>>SURBLs.  He showed me the source messages which are almost
>>>all subscribed newsletters and mailing list messages, so they
>>>seem quite hammy.
>>
>>>Given the type of source messages and some spot checking, I'm
>>>inclined to whitelist them all, but I'd like to ask for some help
>>>checking them first.  Can anyone help check these?
>>
>>123inkjets.com
>
>Oh, these guys are on my personal poop list!
>
>http://groups.google.com/groups?q=123inkjets.com+abuse&hl=en&lr=&ie=UTF-8&sa=G&scoring=d
>
>Domain List matching cluster of russ-effrig
>
>    * 1: 007inkjets.com
<snip>
>    * 24: zbeta.com
>
>    * @SPAM/spamsource: 553 SPEWS [1] zaconta, see
>http://spews.org/ask.cgi?S1467;
>      SPEWS [1] tonerbuys, see http://spews.org/ask.cgi?S1506;
>      207.178.170/24: 553 SPAM,PINK 207.178.128.0/17 iswest.net AS5033
>dedicated spam network - S1467,S2747,S2705,S2657,S786,S1467,SBL9192 2003-07
>    * SPEWS/spews.org: 553 SPEWS2 [1] zaconta, see
>http://spews.org/ask.cgi?S1467;
>      SPEWS2 [1] tonerbuys, see http://spews.org/ask.cgi?S1506;
>      207.178.170/24: 553 SPEWS2 [2] zaconta, see
>http://spews.org/ask.cgi?S1467
>
>>1and1.com
>http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&scoring=d&q=1and1.com+abuse&btnG=Search
>
>Domain List matching contacts_email of hostmaster at 1and1.com
>
>    * 1: 1-asian-sex.com
>    * 2: 1and1.com
<snip>
>    * 49: wonderfulldeals.com
>>
>>Gotomypc.com sells a remote access product
>>Yale.edu is the domain for Yale University
>
>http://spews.org/html/S2611.html
>
>Domain List matching spews of S2611
>
>    * 1: ca.us
<snip>
>    * 12: worldatamail.com
> Results: Positive=5, Negative=25 (2004-09-07 15:44:25 UTC)
>
>    * @ISP/blackholes.us: 66.151/16: 553 ISP INTERNAP -
>http://hatcheck.org/google?internap; http://hatcheck.org/sbl?internap
>[Blockparade]
>    * @SPAM/spamsource: 66.151.158/24: 553 SPEWS [1] expertcity/gotomypc,
>see http://spews.org/ask.cgi?S2611;
>      66.151/16: 553 SPAM,PINK,BLOCK 66.150/16 66.151/16 66.151
>66.151.44.151 joe4257769 at mailgeorgebush.net INTERNAP 2003-04
>    * DRBL/drbl.all: 66.151/16: 553 DRBL weight: 0.6;
>      vote.drbl.vimas.kiev.ua at ns.vimas.kiev.ua/0.6
>    * SPEWS/spews.org: 66.151.158/24: 553 SPEWS2 [1] expertcity/gotomypc,
>see http://spews.org/ask.cgi?S2611
>    * FIVETEN/internap.com.spam-support: added 2002-07-07;
>      spam support - hosting sendoutmail.com and jdrmedia.com; added
>2003-07-22;
>      spam support - hosting e-i1.com spamming from NET-63-251-54-64-1;
>added 2003-07-02;
>      spam support - hosting http://www.adaniexports.com on 63.251.163.110;
>added 2004-03-08;
>      spam support - see
>http://www.spamhaus.org/SBL/sbl.lasso?query=SBL14734; added 2004-07-31;
>      spam support - see
>http://www.spamhaus.org/SBL/sbl.lasso?query=SBL10031; added 2004-07-31;
>      spam support - transit for AS30038 whose entire 69.63.160.0/20 is on
>the SBL;
>      added 2003-01-15;
>      spam support - see
>http://www.spamhaus.org/sbl/listings.lasso?isp=internap.com;
>      added 2003-05-20;
>      spam support - hosting http://www.pr0debtc0nsu1tants.com on
>64.74.96.230, was on 63.251.163.110, was on verio;
>      added 2002-01-22; on sprint.net; added 2002-10-07; spam support -
>hosting netflip.com;
>      added 2003-02-04; spam support - transit for AS18633; added
>2003-04-13;
>      spam support - transit for wholesalebandwidth; added 2002-12-07;
>      spam support - dns service for columbiahouse.com; added 2002-09-17;
>      spam support - see http://spews.org/html/S373.html; added 2002-09-10;
>      spam support - hosting randbad.com on 209.191.175.226; added
>2002-07-22;
>      spam support - hosting internetseer.com and roving.com

>I would love a copy of all the reported FPs. Perhaps they should be moved to
>the IC list?

>--Chris

Chris,
I agree that these (with the exception of yale.edu) should be moved to the
IC list.  Unfortunately, since these companies DO have SOME (ONE?)
legitimate function, we can't blacklist them here. Of course, I wouldn't
object if they were!

--Alden




