[SURBL-Discuss] Re: uk DOT geocities DOT com
Frank Ellermann
nobody at xyzzy.claranet.de
Sat Oct 8 18:10:35 CEST 2005
Jeff Chan wrote:

>> it's a black hat.
> No it's not.

IBTD.

> Yahoo is currently trying to properly organize their handling
> of hosting abuse.

It's no general Yahoo! problem, it's only uk. geocities .com

>> <news://news.spamcop.net/43456728.12D5@xyzzy.claranet.de>
> What does the article say please?

| Date: Thu, 06 Oct 2005 20:04:24 +0200
| From: Frank Ellermann <nobody at xyzzy.claranet.de>
[...]
| Newsgroups: spamcop.routing
| CC: network-abuse at cc.yahoo-inc.com
| Subject: O/R: 66.218.64.0 - 66.218.95.255:network-abuse at cc.yahoo-inc.com
[...]
| Hi, for the infamous uk.geocities.com series of spam runs
| SpamCop tries:
| : Using abuse net on network-abuse at cc.yahoo-inc.com
| : abuse net cc.yahoo-inc.com = postmaster at cc.yahoo-inc.com
| : Using best contacts postmaster at cc.yahoo-inc.com
| : postmaster at cc.yahoo-inc.com bounces (7 sent : 7 bounces)
| But ARIN apparently says that SC should use:
| : "whois 66.218.77.68 at whois.arin.net"
| [...]
| : Found AbuseEmail in whois network-abuse at cc.yahoo-inc.com
| : 66.218.64.0 - 66.218.95.255:network-abuse at cc.yahoo-inc.com
| I recommend to block all mails containing any URL with FQDN
| uk.geocities.com in local URIBLs.
| http://www.spamcop.net/sc?id=z812431135z90373e8638a8645cf7c1de6de25ebb36z
| As always SpamCop needed at least five "reloads" to find the
| relevant IP for uk.geocities.com spam, and after that effort
| it should use some working abuse@ address at Yahoo!
| Bye, Frank
The SC problems with numerous uk. geocities .com spams have been a
known issue for some months, it just deteriorated. The spam
is _apparently_ (don't take my word for it, check it) designed
to bypass SURBL, the page contains some harmless plain text
plus an "encrypted" JavaScript - I didn't try to unescape() it:
So there's a small chance that it's a Joe Job or some kind of
DOS attack. OTOH I hope that I'd hear about it if it's "only"
a Joe Job, after all I got this stuff for months.
BTW, why does...
http://spamcheck.freeapp.net/whitelist-hits.new.log.sort
...not list the (probably) hundreds of hits for this FQDN ?
Bye, Frank
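
The message above recommends blocking on the FQDN uk.geocities.com in a local URIBL. The following sketch is an added example, not part of the original post or of any SURBL or SpamCop code: it shows exact-FQDN matching next to a domain-level lookup that would skip the parent domain. The whitelist contents, the two-label domain reduction and the sample body are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Hostnames blocked locally, matched as exact FQDNs (the FQDN is from the post).
LOCAL_FQDN_BLOCK = {"uk.geocities.com"}
# Constructed stand-in for a domain-level whitelist that skips the parent domain.
DOMAIN_WHITELIST = {"geocities.com"}

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def hosts_in(body):
    """Return the normalized hostname of every http(s) URL in a message body."""
    hosts = []
    for url in URL_RE.findall(body):
        try:
            host = urlsplit(url).hostname  # strips userinfo/port, lowercases
        except ValueError:  # e.g. malformed bracketed host
            continue
        if host:
            hosts.append(host.rstrip("."))  # "host." and "host" are the same name
    return hosts


def registered_domain(host):
    """Naive last-two-labels reduction (assumption: no public-suffix list)."""
    return ".".join(host.split(".")[-2:])


def classify(body):
    """Map each hostname in the body to the decision a filter would take."""
    verdicts = {}
    for host in hosts_in(body):
        if host in LOCAL_FQDN_BLOCK:
            verdicts[host] = "block-local-fqdn"
        elif registered_domain(host) in DOMAIN_WHITELIST:
            verdicts[host] = "skip-whitelisted-domain"
        else:
            verdicts[host] = "query-domain-list"
    return verdicts


# Constructed sample body, not taken from any real message.
SAMPLE = """Cheap stuff: http://uk.geocities.com/constructed_user/ and
<http://user@UK.GEOCITIES.COM.:80/x> plus http://www.geocities.com/page
see also http://example.net/info"""

if __name__ == "__main__":
    for host, verdict in classify(SAMPLE).items():
        print(f"{host:22} {verdict}")
```

The local FQDN check runs before the whitelist, so uk.geocities.com is blocked while www.geocities.com still passes as a whitelisted domain.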