[SURBL-Discuss] Re: Need help checking FP list from Theo

Jeff Chan jeffc at surbl.org
Wed Sep 8 03:16:36 CEST 2004

On Tuesday, September 7, 2004, 5:40:47 PM, Joe Wein wrote:
> Chris Santerre wrote:
>> Domain List matching contacts_email of hostmaster at 1and1.com
>>     * 1: 1-asian-sex.com
>>     * 2: 1and1.com
> ...
>>     * 48: uptimesoftware.com
>>     * 49: wonderfulldeals.com

> I think you're missing the point, Chris. The domain 1and1.com is unlikely to
> be listed in spam, let alone *only* listed in spam. Furthermore, of the
> domains you list I had a hard time finding one that was both active and
> SURBL-listed.

I hope Chris was showing us some other domains with similar
registration information.  That said, *registrar* information
isn't too useful except in the case of mostly blackhat registrars.

> Schlund+Partner AG (the company behind the domain) is one of the largest web
> hosters in Germany and incidentally hosts my site too.
> Given the size of their business they may well host some spammy sites from
> time to time (along with some 40,000 non-spam sites in their German data
> centre alone), but they are not a blackhat. Their abuse department is one of
> the more responsive in the business. When they get evidence more than once,
> they do take action.
> A definite whitelist case.

Schlund+Partner AG is probably not a blackhat registrar then,
so listing all of their domains probably isn't too useful, even
the spammy ones.  If this is a large hosting provider with many
legitimate customers, then we can't assume that any domain they
host is spammy.  Otherwise we would need to assume Joe's domain
is spammy....  On the other hand Joe's domain probably doesn't
appear in spams too often (unless it gets joe jobbed, no pun
intended), so we probably would not even see his registration
information very often.

Far more useful is the registrant information, i.e. who is
registering them, though of course that can be and often
is forged by the bad guys.  On the other hand as people who
track spam domain registration data know, there are many
repeated or similar fake registrant names, addresses, etc.
in the registrant data.  Those probably are useful to
note since they can be used to more quickly identify new
domains as likely spammy.  For example see the "Aruba"
domains or the "Eugene Oregon USA" domains.  When I see
one of those familiar (fake?) addresses in a registration,
I can be pretty sure they belong to the same old (lazy)
spammer.  Other spammers randomize their registrations.

A useful thing about listing domains and not IP addresses
(or name servers or registrars) is that we can list just
the specific bad guy domains and not the registrar,  IP
blocks, nameservers, etc.  It's an approach that focusses
more directly on the actual abuse.  It also means that if
they change ISPs, registrars, servers, etc. we still have
their domains listed.  :-)

Jeff C.
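
The contrast drawn in the message above between registrar-level and registrant-level data, as an added example that is not part of the original post: it normalizes a WHOIS field into a fingerprint and checks how often that fingerprint appears on already-listed domains, so a new domain is queued for manual review only when the match is a strong signal. All records, field names, thresholds and function names are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample data, not real WHOIS records:
# (domain, registrant address, registrar/hoster contact, already listed?)
KNOWN = [
    ("cheap-meds-a.example", "J. Smith, 12 Oak St, Eugene, Oregon, USA",
     "hostmaster@bighoster.example", True),
    ("cheap-meds-b.example", "j smith 12 oak st. eugene oregon usa",
     "admin@reg-one.example", True),
    ("cheap-meds-c.example", "J Smith,  12 Oak St,  Eugene Oregon USA",
     "admin@reg-two.example", True),
    ("bakery.example", "A. Baker, 5 Mill Rd, Karlsruhe, DE",
     "hostmaster@bighoster.example", False),
    ("choir.example", "C. Singer, 9 Dom Pl, Koeln, DE",
     "hostmaster@bighoster.example", False),
    ("hobby-site.example", "H. Owner, 1 Example Way, Yokohama, JP",
     "hostmaster@bighoster.example", False),
]
FIELDS = {"registrant": 1, "registrar_contact": 2}  # hypothetical field names


def fingerprint(value):
    """Fold case, punctuation and spacing so lazily reused entries match."""
    return re.sub(r"[^a-z0-9]+", " ", value.lower()).strip()


def field_stats(records, field, min_domains=2):
    """Map fingerprint -> (listed count, total count) for repeated values."""
    groups = defaultdict(list)
    for rec in records:
        groups[fingerprint(rec[FIELDS[field]])].append(rec[3])
    return {fp: (sum(flags), len(flags))
            for fp, flags in groups.items() if len(flags) >= min_domains}


def needs_review(value, records, field, min_ratio=0.9):
    """True if this value was seen almost only on already-listed domains."""
    listed, total = field_stats(records, field).get(fingerprint(value), (0, 0))
    return total > 0 and listed / total >= min_ratio


if __name__ == "__main__":
    # The reused registrant address is a strong signal even though the
    # registrar contact changed; the large hoster's contact is not.
    print(needs_review("J SMITH, 12 Oak St., Eugene, Oregon USA", KNOWN, "registrant"))
    print(needs_review("hostmaster@bighoster.example", KNOWN, "registrar_contact"))
```

A match only queues the domain for a human check; randomized registrations produce no repeated fingerprint and are not caught by this approach.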
