[SURBL-Discuss] Re: uk DOT geocities DOT com

Frank Ellermann nobody at xyzzy.claranet.de
Sat Oct 8 18:10:35 CEST 2005


Jeff Chan wrote:

>> it's a black hat.
> No it's not.

IBTD.

> Yahoo is currently trying to properly organize their handling
> of hosting abuse.

It's no general Yahoo! problem, it's only  uk. geocities .com

>> <news://news.spamcop.net/43456728.12D5@xyzzy.claranet.de>
> What does the article say please?

| Date: Thu, 06 Oct 2005 20:04:24 +0200
| From: Frank Ellermann <nobody at xyzzy.claranet.de>
[...]
| Newsgroups: spamcop.routing
| CC: network-abuse at cc.yahoo-inc.com
| Subject: O/R: 66.218.64.0 - 66.218.95.255:network-abuse at cc.yahoo-inc.com
[...]

| Hi, for the infamous uk.geocities.com series of spam runs
| SpamCop tries:

| : Using abuse net on network-abuse at cc.yahoo-inc.com
| : abuse net cc.yahoo-inc.com = postmaster at cc.yahoo-inc.com
| : Using best contacts postmaster at cc.yahoo-inc.com
| : postmaster at cc.yahoo-inc.com bounces (7 sent : 7 bounces)

| But ARIN apparently says that SC should use:

| : "whois 66.218.77.68 at whois.arin.net"
| [...]
| : Found AbuseEmail in whois network-abuse at cc.yahoo-inc.com
| : 66.218.64.0 - 66.218.95.255:network-abuse at cc.yahoo-inc.com

| I recommend blocking all mails containing any URL with FQDN
| uk.geocities.com in local URIBLs.

| http://www.spamcop.net/sc?id=z812431135z90373e8638a8645cf7c1de6de25ebb36z

| As always SpamCop needed at least five "reloads" to find the
| relevant IP for uk.geocities.com spam, and after that effort
| it should use some working abuse@ address at Yahoo!

|                            Bye, Frank

The SC problems with numerous  uk. geocities .com  spams have been a
known issue for some months; it just deteriorated.  The spam
is _apparently_ (don't take my word for it, check it) designed
to bypass SURBL, the page contains some harmless plain text
plus an "encrypted" JavaScript - I didn't try to unescape() it:

So there's a small chance that it's a Joe Job or some kind of
DOS attack.  OTOH I hope that I'd hear about it if it's "only"
a Joe Job, after all I got this stuff for months.

BTW, why does...

http://spamcheck.freeapp.net/whitelist-hits.new.log.sort

...not list the (probably) hundreds of hits for this FQDN ?

                           Bye, Frank
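
The local-URIBL recommendation in the quoted report, sketched as an added example that is not part of the original post: hosts are matched by full name, so uk.geocities.com is hit while other geocities.com hosts are not. The function names, the list handling and the sample message are constructed assumptions.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit

# Local URIBL keyed on full host names, not registered domains.
# Only uk.geocities.com comes from the post; the list form is an assumption.
LOCAL_URIBL = {"uk.geocities.com"}
URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)

def normalize_host(url):
    """Return the lower-cased host of url without a trailing dot, or None."""
    try:
        host = urlsplit(url).hostname  # drops userinfo and port, lower-cases
    except ValueError:
        return None
    return host.rstrip(".") if host else None

def listed(host, uribl=LOCAL_URIBL):
    """True if host equals a listed FQDN or is a subdomain of one."""
    return any(host == entry or host.endswith("." + entry) for entry in uribl)

def uribl_hits(raw_message):
    """Return the sorted listed hosts found in the text parts of a mail."""
    msg = message_from_string(raw_message)
    hits = set()
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        # decode=True undoes quoted-printable/base64 before URLs are searched
        payload = part.get_payload(decode=True) or b""
        text = payload.decode(part.get_content_charset() or "utf-8", "replace")
        for url in URL_RE.findall(text):
            host = normalize_host(url)
            if host and listed(host):
                hits.add(host)
    return sorted(hits)

# Constructed sample: mixed case, trailing dot, quoted-printable soft break.
SAMPLE = (
    "From: sender@example.net\n"
    "Subject: constructed test message\n"
    "Content-Type: text/plain; charset=us-ascii\n"
    "Content-Transfer-Encoding: quoted-printable\n"
    "\n"
    "visit http://UK.Geocities=\n"
    ".COM./constructed_page and http://www.geocities.com/other\n"
)

if __name__ == "__main__":
    print(uribl_hits(SAMPLE))
```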