[SPAM-TAG] Re: [SURBL-Discuss] A list of spammers urls

Jeff Chan jeffc at surbl.org
Fri Mar 11 08:34:32 CET 2005


On Thursday, March 10, 2005, 9:47:23 PM, Rakesh Rakesh wrote:
> ok, here is a list of 447 domains, that I have compiled from the 1500
> mails that hit my spamtrap id, were detected as spam and confirmed by
> humans to be spam. Actually I had got 587 domains and tried to resolve
> them against multi.surbl.org. And these 447 were not listed.

Thanks for these.  Note that SURBLs try to reduce URIs down to
base domains (as they would be registered), so:

  afoc2091185zj.fightrxbillz.com  -> fightrxbillz.com
  military.com.appetizinggood.com -> appetizinggood.com

Doing that, sorting, etc. reduces the 447 to 284.  Of those
284, 186 are already listed in multi.surbl.org, and 4 are
whitelisted, which leaves 94:

aadbfbe.org
acpvgcrh.com
aizozwayb.com
amdwdthjcy.net
arysqg.com
asgzxhhvld.com
auyfcw.au
bkwrcegzc.dk
bnekw.net
[...]

However of those 94, 92 appear to not resolve any NS records which
means they're either not registered, had their registrations
expire, revoked, etc.  So they're not too useful for spammers.
They could appear in spams, but any web sites referenced by them
would not resolve.  The remaining 2 are:

kuhat.com
netmechanic.com

Both of which may have legitimate uses or owners, so they
probably should not be listed.  Neither domain has any common
RBL or SBL listings.  netmechaic has 21 NANAS but they look
incidental.  kuhat has no NANAS.  (Can anyone here read Suomi?
If so can you check out the kuhat.com site?)

> domain:       kuhat.com
> status:       lock
> organization: Uintiseura Kuhat
> owner:        Teppo Lehtinen
> email:        teppo.lehtinen at kuhat.com
> address:      Klaavuntie 10 M 111
> city:         Helsinki
> postal-code:  00910
> country:      FI
> admin-c:      teppo.lehtinen at kuhat.com#0
> tech-c:       hostmaster at nebula.fi#0
> billing-c:    hostmaster at nebula.fi#0
> reseller-1:   -------------------------------------------------
> reseller-2:   Nebula Oy - Web-hotellipalvelut, konesalipalvelut
> reseller-3:   ja internet-yhteydet. http://www.nebula.fi/
> reseller-4:   -------------------------------------------------
> nserver:      dns1.nebula.fi
> nserver:      dns2.nebula.fi
> registrar:    JORE-1
> created:      2002-11-13 17:01:51 UTC JORE-1
> modified:     2004-09-29 06:40:07 UTC JORE-1
> expires:      2005-11-13 11:01:35 UTC
> source:       joker.com


> Keynote Systems (NXHIWSSUVD)
>    777 Mariners Island Blvd
>    San Mateo, CA 94404
>    US
> 
>    Domain Name: NETMECHANIC.COM
> 
>    Administrative Contact:
>       Keynote Systems  (22205655O)              NICADMIN at KEYNOTE.COM
>       777 Mariners Island Blvd
>       San Mateo, CA 94404
>       US
>       650-403-2400 fax: 999 999 9999
> 
>    Record expires on 13-Oct-2010.
>    Record created on 15-Mar-2004.
>    Database last updated on 11-Mar-2005 02:21:44 EST.
> 
>    Domain servers in listed order:
> 
>    NS01.KEYNOTE.COM             65.198.48.128
>    NS02.KEYNOTE.COM             65.198.48.160
>    NS03.KEYNOTE.COM             65.198.48.161
>    NS04.KEYNOTE.COM             63.94.64.66

So it appears that if you're using multi.surbl.org in your
spam filters then it should be catching almost all of the ones
you reported which are actually usable by spammers.  Are they
getting through?  Are you hopefully using multi instead of sc
alone? 

Hope this helps,

Jeff C.
--
"If it appears in hams, then don't list it."



More information about the Discuss mailing list