.pw / Palau URL domains in spam

2013-04-26 Thread Axb

@home I'm not expecting mail with Palau URIs


if (version >= 3.004000)
blacklist_uri_host pw
endif


Re: .pw / Palau URL domains in spam

2013-04-26 Thread Axb

On 04/26/2013 05:56 PM, Axb wrote:

> @home I'm not expecting mail with Palau URIs
>
> if (version >= 3.004000)
> blacklist_uri_host pw
> endif


Maybe old news:

Directi to relaunch .pw as an open TLD

http://domainincite.com/10705-directi-to-relaunch-pw-as-an-open-tld


Directi involved? nuff said.


Re: .pw / Palau URL domains in spam

2013-04-29 Thread Jason Haar
I agree. We've seen a huge increase in ".pw" email - 100% spam

I see one antispam vendor is telling its customers to just block
anything containing .pw references - I'm rapidly warming to the idea...


http://www.fortantispam.com/top-level-pw-domain-source-of-spam-outbreak/

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1



Re: .pw / Palau URL domains in spam

2013-04-29 Thread John Levine
In article <517f122c.3050...@trimble.com> you write:
>I agree. We've seen a huge increase in ".pw" email - 100% spam
>
>I see one antispam vendor is telling its customers to just block
>anything containing .pw references - I'm rapidly warming to the idea...

You can report them to ab...@registry.pw, who will tell you to contact
the registrar (uh, no, not my problem) and sometimes grudgingly shut
down the offending domain.

I agree that there's little reason to expect that anyone would miss
any .pw mail unless you live in a certain part of the South Pacific.

R's,
John


Re: .pw / Palau URL domains in spam

2013-05-01 Thread doneshlaher
Hello All,

I am Donesh Laher and I work as a Cyber Security Analyst in the Abuse Team
at .PW Registry.

We are aware of the recent spam outbreak from the .PW domain names and have
already started taking actions against the abusive domain names that have
been reported to us.

We request you all to report us with the domain names which are involved in
any abusive activities, along with an appropriate evidence for the same.

We have a dedicated abuse desk which operates 24/7. 

Kindly report all the complaints at abuse.al...@registry.pw and CC to
abuse.al...@directi.com.

Upon receiving the domain name, we will take stringent actions against them.

Regards

Donesh Laher
Cyber Security Analyst
.PW Registry



--
View this message in context: 
http://spamassassin.1065346.n5.nabble.com/pw-Palau-URL-domains-in-spam-tp104383p104485.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.


Re: .pw / Palau URL domains in spam

2013-05-01 Thread Axb

On 05/01/2013 01:24 PM, doneshlaher wrote:

> Hello All,
>
> I am Donesh Laher and I work as a Cyber Security Analyst in the Abuse Team
> at .PW Registry.
>
> We are aware of the recent spam outbreak from the .PW domain names and have
> already started taking actions against the abusive domain names that have
> been reported to us.
> We request you all to report us with the domain names which are involved in
> any abusive activities, along with an appropriate evidence for the same.


Where do we send the invoices for the time spent on reporting?

For $5.-/domain you've just burnt your "product" for good.





Re: .pw / Palau URL domains in spam

2013-05-01 Thread Axb

On 05/01/2013 01:24 PM, doneshlaher wrote:

> Hello All,
>
> I am Donesh Laher and I work as a Cyber Security Analyst in the Abuse Team
> at .PW Registry.
>
> We are aware of the recent spam outbreak from the .PW domain names and have
> already started taking actions against the abusive domain names that have
> been reported to us.
>
> We request you all to report us with the domain names which are involved in
> any abusive activities, along with an appropriate evidence for the same.
>
> We have a dedicated abuse desk which operates 24/7.
>
> Kindly report all the complaints at abuse.al...@registry.pw and CC to
> abuse.al...@directi.com.
>
> Upon receiving the domain name, we will take stringent actions against them.


whois  freshtimesfor.pw
This TLD has no whois server.

WTF?  can't afford a WHOIS server?

isn't this against ICANN rules?

http://www.icann.org/en/about/aoc-review/whois



Re: .pw / Palau URL domains in spam

2013-05-01 Thread Kevin A. McGrail

On 5/1/2013 8:17 AM, Axb wrote:

> On 05/01/2013 01:24 PM, doneshlaher wrote:
>
>> Hello All,
>>
>> I am Donesh Laher and I work as a Cyber Security Analyst in the Abuse Team
>> at .PW Registry.
>>
>> We are aware of the recent spam outbreak from the .PW domain names and have
>> already started taking actions against the abusive domain names that have
>> been reported to us.
>>
>> We request you all to report us with the domain names which are involved in
>> any abusive activities, along with an appropriate evidence for the same.
>>
>> We have a dedicated abuse desk which operates 24/7.
>>
>> Kindly report all the complaints at abuse.al...@registry.pw and CC to
>> abuse.al...@directi.com.
>>
>> Upon receiving the domain name, we will take stringent actions against them.
>
> whois  freshtimesfor.pw
> This TLD has no whois server.
>
> WTF?  can't afford a WHOIS server?
>
> isn't this against ICANN rules?
>
> http://www.icann.org/en/about/aoc-review/whois


I don't show the issue:

whois  freshtimesfor.pw
[Querying whois.nic.pw]
[whois.nic.pw]
This whois service is provided by CentralNic Ltd and only contains
information pertaining to Internet domain names we have registered for
our customers. By using this service you are agreeing (1) not to use any
information presented here for any purpose other than determining
ownership of domain names, (2) not to store or reproduce this data in
any way, (3) not to use any high-volume, automated, electronic processes
to obtain data from this service. Abuse of this service is monitored and
actions in contravention of these terms will result in being permanently
blacklisted. All data is (c) CentralNic Ltd https://www.centralnic.com/

Domain ID:CNIC-DO1131478
Domain Name:FRESHTIMESFOR.PW
Created On:30-Apr-2013 02:54:23 UTC
Last Updated On:30-Apr-2013 02:59:44 UTC
Expiration Date:30-Apr-2014 23:59:59 UTC
Status:TRANSFER PROHIBITED
Status:ADD PERIOD
Registrant ID:RYKZFYNBNL0TWL4I
Registrant Name:Protected WhoisGuard
Registrant Organization:WhoisGuard
Registrant Street1:11400 W. Olympic Blvd. Suite 200
Registrant City:Los Angeles
Registrant State/Province:CA
Registrant Postal Code:90064
Registrant Country:US
Registrant Phone:+1.6613102107
Registrant FAX:+1.6613102107
Registrant Email:764ff70f57a249e2a7c364b887bbba63.prot...@whoisguard.com
Admin ID:2P4A2LO5XAXUNVMF
Admin Name:Protected WhoisGuard
Admin Organization:WhoisGuard
Admin Street1:11400 W. Olympic Blvd. Suite 200
Admin City:Los Angeles
Admin State/Province:CA
Admin Postal Code:90064
Admin Country:US
Admin Phone:+1.6613102107
Admin FAX:+1.6613102107
Admin Email:764ff70f57a249e2a7c364b887bbba63.prot...@whoisguard.com
Tech ID:BHCT114WVOPPNKWA
Tech Name:Protected WhoisGuard
Tech Organization:WhoisGuard
Tech Street1:11400 W. Olympic Blvd. Suite 200
Tech City:Los Angeles
Tech State/Province:CA
Tech Postal Code:90064
Tech Country:US
Tech Phone:+1.6613102107
Tech FAX:+1.6613102107
Tech Email:764ff70f57a249e2a7c364b887bbba63.prot...@whoisguard.com
Billing ID:YENNA0PQM1JBAG5M
Billing Name:Protected WhoisGuard
Billing Organization:WhoisGuard
Billing Street1:11400 W. Olympic Blvd. Suite 200
Billing City:Los Angeles
Billing State/Province:CA
Billing Postal Code:90064
Billing Country:US
Billing Phone:+1.6613102107
Billing FAX:+1.6613102107
Billing Email:764ff70f57a249e2a7c364b887bbba63.prot...@whoisguard.com
Sponsoring Registrar ID:H1772673
Sponsoring Registrar IANA ID:1068
Sponsoring Registrar Organization:Namecheap
Sponsoring Registrar Street1:11400 W Olympic Blvd.
Sponsoring Registrar Street2:Suite 200
Sponsoring Registrar City:Los Angeles
Sponsoring Registrar State/Province:CA
Sponsoring Registrar Postal Code:90064
Sponsoring Registrar Country:US
Sponsoring Registrar Phone:0123456789
Sponsoring Registrar FAX:0123 456 789
Sponsoring Registrar Website:http://www.namecheap.com
Name Server:DNS1.REGISTRAR-SERVERS.COM
Name Server:DNS2.REGISTRAR-SERVERS.COM
Name Server:DNS3.REGISTRAR-SERVERS.COM
Name Server:DNS4.REGISTRAR-SERVERS.COM
Name Server:DNS5.REGISTRAR-SERVERS.COM
DNSSEC:Unsigned

regards,
KAM


Re: .pw / Palau URL domains in spam

2013-05-01 Thread Kevin A. McGrail

On 5/1/2013 7:41 AM, Axb wrote:

> On 05/01/2013 01:24 PM, doneshlaher wrote:
>
>> Hello All,
>>
>> I am Donesh Laher and I work as a Cyber Security Analyst in the Abuse Team
>> at .PW Registry.
>>
>> We are aware of the recent spam outbreak from the .PW domain names and have
>> already started taking actions against the abusive domain names that have
>> been reported to us.
>> We request you all to report us with the domain names which are involved in
>> any abusive activities, along with an appropriate evidence for the same.
>
> Where do we send the invoices for the time spent on reporting?
>
> For $5.-/domain you've just burnt your "product" for good.


I recommend not blaming them for having a low priced product that 
spammers are abusing.  Seems to me a bit like blaming the victim.


To me, it sounds like they are trying to get a handle on the outbreak 
and better than many other registrars out there.


However, Donesh, I would like to hear more about what you will be doing 
to have senior people try and stop the abusers.  Is anyone looking for 
accounts that are abusing the system to shut down, stolen credit card 
patterns, 24-hour holds on domains going active, etc.?


I've got spam showing these .pw domains for example:

DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=default; 
d=visiondealz.pw;
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=default; 
d=besthotdealz.pw;
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=default; 
d=azontick.pw;
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=default; 
d=simplyhotdealz.pw;
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=default; 
d=impactincredible.pw;

DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=default; d=mynews.pw;
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=default; 
d=allmedia.pw;
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=default; 
d=simplymedia.pw;
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=default; 
d=amonsved.pw;

DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=default; d=aweeck.pw;
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=default; 
d=specialzbay.pw;
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=default; 
d=tophotdealz.pw;
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=default; 
d=neathotdealz.pw;


I'd like some assurance my time is worth it to report these domains 
because so far I haven't seen any collateral damage / False Positives to 
blocking the entire .pw TLD.


Regards,
KAM




Re: .pw / Palau URL domains in spam

2013-05-01 Thread Axb

On 05/01/2013 03:02 PM, Kevin A. McGrail wrote:

> On 5/1/2013 8:17 AM, Axb wrote:
>
>> On 05/01/2013 01:24 PM, doneshlaher wrote:
>>
>>> Hello All,
>>>
>>> I am Donesh Laher and I work as a Cyber Security Analyst in the Abuse Team
>>> at .PW Registry.
>>>
>>> We are aware of the recent spam outbreak from the .PW domain names and have
>>> already started taking actions against the abusive domain names that have
>>> been reported to us.
>>>
>>> We request you all to report us with the domain names which are involved in
>>> any abusive activities, along with an appropriate evidence for the same.
>>>
>>> We have a dedicated abuse desk which operates 24/7.
>>>
>>> Kindly report all the complaints at abuse.al...@registry.pw and CC to
>>> abuse.al...@directi.com.
>>>
>>> Upon receiving the domain name, we will take stringent actions against them.
>>
>> whois  freshtimesfor.pw
>> This TLD has no whois server.
>>
>> WTF?  can't afford a WHOIS server?
>>
>> isn't this against ICANN rules?
>>
>> http://www.icann.org/en/about/aoc-review/whois
>
> I don't show the issue:
>
> whois  freshtimesfor.pw
> [Querying whois.nic.pw]
> [whois.nic.pw]


ACK:

bug in WHOIS version
___
whois --version
Version 5.0.20.

Report bugs to .
__

jwhois version 4.0  handles ok.




Re: .pw / Palau URL domains in spam

2013-05-01 Thread Axb

On 05/01/2013 03:11 PM, Kevin A. McGrail wrote:

> I recommend not blaming them for having a low priced product that
> spammers are abusing.  Seems to me a bit like blaming the victim.
>
> To me, it sounds like they are trying to get a handle on the outbreak
> and better than many other registrars out there.

This is not about a registrar - Directi is playing registry. They set 
the policy (or lack of).

It gets abused because of low price, allowing cloaked WHOIS, etc.
The few legit they may have are most probably the brand 
collectors/typosquatters.
I truly hope the press does what abuse hasn't taken care of yet: make 
.pw worthless.

> I'd like some assurance my time is worth it to report these domains
> because so far I haven't seen any collateral damage / False Positives to
> blocking the entire .pw TLD.


http://pastebin.com/75nTHMXt

and growing...

at $0.50/domain Directi would owe me 881.-
fun!


Re: .pw / Palau URL domains in spam

2013-05-01 Thread doneshlaher
Hello Axb,

The whois information can be fetched from multiple public whois websites.
Below are the whois websites from where whois can be fetched.

www.registry.pw/whois
www.drwhois.com
www.who.is
www.port43.com

and many more. However, if any particular whois website is not fetching the
whois information, then we request you to contact the admin or the webmaster
of that particular website.

Regards
Donesh Laher
Cyber Security Analyst
.PW Registry





Re: .pw / Palau URL domains in spam

2013-05-01 Thread doneshlaher
Dear Kevin A. McGrail,

Thank you very much for reporting the domain names. We have suspended all
the reported 13 domain names.

Regards
Donesh Laher
Cyber Security Analyst
.PW Registry






Re: .pw / Palau URL domains in spam

2013-05-01 Thread doneshlaher
Hello Axb,

Thank you for providing with the domain names. We will be suspending all
these reported domain names. 

However, in the mean time may I know what kind of spams have been received?
Also, can you please forward us the email headers of a few of the reported
domain names.

This would help us to analyse the headers and understand whether the
account is compromised or not.

Regards

Donesh Laher
Cyber Security Analyst
.PW Registry





Re: .pw / Palau URL domains in spam

2013-05-01 Thread Axb

On 05/01/2013 04:06 PM, doneshlaher wrote:

> Hello Axb,
>
> Thank you for providing with the domain names. We will be suspending all
> these reported domain names.
>
> However, in the mean time may I know what kind of spams have been received
> ??

snowshoe / pillz / you name it

> also can you please forward us the email headers of few of the reported
> domain names.

this won't happen. I have zero plans of disclosing any of my users' data.

> This would help us to analyse the headers and understand, whether the
> account is compromised or not.

check your own mail traffic - you must get enough spam to figure this out 
yourselves.
Fixing AFTER abuse doesn't scale - preventing it is what you should have 
prepared for in the first place?

meanwhile the list grows as does Directi's revenue.







Re: .pw / Palau URL domains in spam

2013-05-01 Thread Kevin A. McGrail

On 5/1/2013 9:58 AM, doneshlaher wrote:

> Dear Kevin A. McGrail,
>
> Thank you very much for reporting the domain names. We have suspended all
> the reported 13 domain names.

And that's good to hear and I applaud you for reaching out to the 
mailing list about this issue.  And as a consumer, I like cheap prices 
and I blame the hackers/spammers for the issue.  But protecting your 
systems against abuse is important to this issue.


So if the issue is simply going to be reactive based on reports, there 
is little benefit to this process for me at least since I have no FPs 
just blocking the TLD.  However, if the reactive process is also going 
to lead to proactive changes, I support it.


So to repeat my question: I would like to hear more about what you will 
be doing to have senior people try and stop the abusers.  Is anyone 
looking for accounts that are abusing the system to shut down, stolen 
credit card patterns, 24-hour holds on domains going active, etc.?


Regards,
KAM


RE: .pw / Palau URL domains in spam

2013-05-01 Thread hospice admin
I don't care what some folks are saying about .pw, compared to Nominet they 
totally rock.
When was the last time anyone saw Nominet suspend a .UK spammer?
Judy

> Date: Wed, 1 May 2013 06:58:41 -0700
> From: dones...@directi.com
> To: users@spamassassin.apache.org
> Subject: Re: .pw / Palau URL domains in spam
> 
> Dear Kevin A. McGrail,
> 
> Thank you very much for reporting the domain names. We have suspended all
> the reported 13 domain names.
> 
> Regards
> Donesh Laher
> Cyber Security Analyst
> .PW Registry
  

Re: .pw / Palau URL domains in spam

2013-05-01 Thread Axb

On 05/01/2013 04:28 PM, hospice admin wrote:

> I don't care what some folks are saying about .pw, compared to Nominet they 
> totally rock.
> When was the last time anyone saw Nominet suspend a .UK spammer?
> Judy


You miss the point.

Nominet is a registrar
Directi is acting as THE .pw registry
Registrars selling .pw domains and we all know where the crud goes to 
get theirs.
They are the top entity - and lowering all barriers they've opened a can 
of worms.

But this is becoming off topic

my EOT






Re: .pw / Palau URL domains in spam

2013-05-01 Thread John Levine
>Nominet is a registrar

No, Nominet is THE .co.uk registry

R's,
John

>Directi is acting as THE .pw registry



Re: .pw / Palau URL domains in spam

2013-05-01 Thread John Levine
> Kindly report all the complaints at abuse.al...@registry.pw and CC to
> abuse.al...@directi.com.

Hmmn.  Is there some reason you don't take abuse reports at 
ab...@registry.pw and at cont...@registry.pw, which is the only address on 
the web site?

Remember, everyone who sends you an abuse report rather than just blocking 
.PW out of exasperation is doing you a favor.  The easier you make it, the 
better off you'll be.

I hope you're not still telling people to figure out who the registrar is 
and contact them, which was impressively lame.

Regards,
John Levine, jo...@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. http://jl.ly


Re: .pw / Palau URL domains in spam

2013-05-01 Thread Axb

On 05/01/2013 05:25 PM, John Levine wrote:

>> Nominet is a registrar
>
> No, Nominet is THE .co.uk registry
>
> R's,
> John



thanks for the correction.

Still - fixing after abuse is putting us back 10 years.




RE: .pw / Palau URL domains in spam

2013-05-01 Thread hospice admin


> Date: Wed, 1 May 2013 16:34:48 +0200
> From: axb.li...@gmail.com
> To: users@spamassassin.apache.org
> Subject: Re: .pw / Palau URL domains in spam
> 
> On 05/01/2013 04:28 PM, hospice admin wrote:
> > I don't care what some folks are saying about .pw, compared to Nominet they 
> > totally rock.
> > When was the last time anyone saw Nominet suspend a .UK spammer?
> > Judy
> 
> You miss the point.
> 
> Nominet is a registrar
> Directi is acting as THE .pw registry
> Registrars selling .pw domains and we all know where the crud goes to 
> get theirs.
> They are the top entity - and lowering all barriers they've opened a can 
> of worms.
> But this is becoming off topic
> 
> my EOT
> 
> 
> 
> 

Have I missed the point? I don't think so, and I appreciate this is off 
topic(ish), but ...
The point is, a great deal of the stuff we have to deal with comes from 
commercial organisations that spam for a living. These guys can't operate 
without access to a ready source of domains.
If Nominet wanted to stop a huge lump of spam originating from .UK, they 
could. All they need to do is link every commercial registration to a UK 
company number or similar form of ID, then react when someone complains. After 
that, three strikes (pick a number) and you're out of business.
It won't stop it all, sure, but it will stop some, and not just 'after the 
fact', ...
Right ... off to take a chill pill :)
J.
  

Re: .pw / Palau URL domains in spam

2013-05-01 Thread Axb

On 05/01/2013 03:15 PM, Axb wrote:

> On 05/01/2013 03:02 PM, Kevin A. McGrail wrote:
>
>> On 5/1/2013 8:17 AM, Axb wrote:
>>
>>> On 05/01/2013 01:24 PM, doneshlaher wrote:
>>>
>>>> Hello All,
>>>>
>>>> I am Donesh Laher and I work as a Cyber Security Analyst in the Abuse Team
>>>> at .PW Registry.
>>>>
>>>> We are aware of the recent spam outbreak from the .PW domain names and have
>>>> already started taking actions against the abusive domain names that have
>>>> been reported to us.
>>>>
>>>> We request you all to report us with the domain names which are involved in
>>>> any abusive activities, along with an appropriate evidence for the same.
>>>>
>>>> We have a dedicated abuse desk which operates 24/7.
>>>>
>>>> Kindly report all the complaints at abuse.al...@registry.pw and CC to
>>>> abuse.al...@directi.com.
>>>>
>>>> Upon receiving the domain name, we will take stringent actions against them.
>>>
>>> whois  freshtimesfor.pw
>>> This TLD has no whois server.
>>>
>>> WTF?  can't afford a WHOIS server?
>>>
>>> isn't this against ICANN rules?
>>>
>>> http://www.icann.org/en/about/aoc-review/whois
>>
>> I don't show the issue:
>>
>> whois  freshtimesfor.pw
>> [Querying whois.nic.pw]
>> [whois.nic.pw]
>
> ACK:
>
> bug in WHOIS version
> ___
> whois --version
> Version 5.0.20.
>
> Report bugs to .
> __
>
> jwhois version 4.0  handles ok.


Following up on this, just in case someone else gets no .pw whois data.
This may affect Ubuntu/Debian flavours using Marco D'Itri's whois binaries.

Source files :

tld_serv_list

replace:
.pw # http://www.pwregistry.pw/

with
.pw whois.nic.pw

recompile /install

tested this with latest source

http://ftp.debian.org/debian/pool/main/w/whois/whois_5.0.24.tar.xz

CC: Marco, please correct me if there's a better way to do this.

Axb








Re: .pw / Palau URL domains in spam

2013-05-04 Thread Dave Funk

On Wed, 1 May 2013, doneshlaher wrote:


> Hello Axb,
>
> Thank you for providing with the domain names. We will be suspending all
> these reported domain names.
>
> However, in the mean time may I know what kind of spams have been received?
> Also, can you please forward us the email headers of a few of the reported
> domain names.
>
> This would help us to analyse the headers and understand whether the
> account is compromised or not.
>
> Regards
>
> Donesh Laher
> Cyber Security Analyst
> .PW Registry


Donesh,
How many dozen spams a day would you like to receive?
Should I send them to your personal address or is there some
other reporting address I should use?

We are not a large site (only a few thousand users) but in the past few
weeks have been receiving hundreds of spams a day advertising ".pw" domains.
Here's a partial list of some of the past 3 days worth:
(this list would be much larger except that I've been black-listing the
IP addresses of their hosting providers as fast as I can identify them)


--
Dave Funk  University of Iowa
College of Engineering
319/335-5751   FAX: 319/384-0549   1256 Seamans Center
Sys_admin/Postmaster/cell_admin    Iowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{


Re: .pw / Palau URL domains in spam

2013-05-05 Thread doneshlaher
Hello Axb,

All the domain names provided in the pastebin link have been suspended. We
request you to report as many domain names as possible, which are involved
in spamming or any other abusive activities and I assure you that we will
take them down within 24 - 48 hours.

Regards

Donesh Laher
Cyber Security Analyst
.PW Registry





Re: .pw / Palau URL domains in spam

2013-05-05 Thread doneshlaher
Hello Dave Funk,

Thank you for providing us with the list of domain names. We are acting on
them and they will be taken down within 24/48 hours.

We request you to report the domain names at abuse.al...@registry.pw and
also cc the same mail to abuse.al...@directi.com.

Regards

Donesh Laher
Cyber Security Analyst
.PW Registry





Re: .pw / Palau URL domains in spam

2013-05-05 Thread Dave Funk

Donesh,

Thanks for your prompt response.
Do you just want the domain names or do you also want copies of the spam?

Dave

On Sun, 5 May 2013, doneshlaher wrote:


> Hello Dave Funk,
>
> Thank you for providing us with the list of domain names. We are acting on
> them and they will be taken down within 24/48 hours.
>
> We request you to report the domain names at abuse.al...@registry.pw and
> also cc the same mail to abuse.al...@directi.com.
>
> Regards
>
> Donesh Laher
> Cyber Security Analyst
> .PW Registry


--
Dave Funk  University of Iowa
College of Engineering
319/335-5751   FAX: 319/384-0549   1256 Seamans Center
Sys_admin/Postmaster/cell_admin    Iowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{


Re: .pw / Palau URL domains in spam

2013-05-05 Thread doneshlaher
Hey Dave,

It would be great if you provide us with the email headers also, as it would
act as evidence for us and for the registrar too.

Thanks

Regards

Donesh Laher 
Cyber Security Analyst 
.PW Registry





Re: .pw / Palau URL domains in spam

2013-05-05 Thread Axb

On 05/05/2013 06:55 PM, doneshlaher wrote:

> Hello Axb,
>
> All the domain names provided in the pastebin link have been suspended.


In the case of "suspended" domains you mention, what should whois look like?

Please post an example.





Re: .pw / Palau URL domains in spam

2013-05-05 Thread doneshlaher
Hello Axb,

The domain will be on ServerHold. A status of ServerHold will be displayed
in whois. 

Regards

Donesh Laher
Cyber Security Analyst
.PW Registry 
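
Added example (not from the thread or the registry): one way to check whether reported domains show the hold status described above, using whois text in the Key:Value layout quoted earlier in the thread. The sample records, the function names and the exact "SERVER HOLD" wording are assumptions; a response with no record, like the one the outdated whois client printed, is reported separately instead of being counted as suspended.

```python
import re

# Keys look like "Domain Name" or "Registrant State/Province"; this filter
# skips banner text that merely contains a colon (for example inside a URL).
KEY_RE = re.compile(r"^[A-Za-z][A-Za-z0-9 /]*$")

# Constructed whois responses in the "Key:Value" layout quoted in the thread.
# The hold wording is an assumption; the thread only says "ServerHold".
SAMPLES = {
    "active-sample.pw": (
        "[Querying whois.nic.pw]\n"
        "Domain Name:ACTIVE-SAMPLE.PW\n"
        "Status:TRANSFER PROHIBITED\n"
        "Status:ADD PERIOD\n"
    ),
    "held-sample.pw": (
        "Domain Name:HELD-SAMPLE.PW\n"
        "Status:TRANSFER PROHIBITED\n"
        "Status:SERVER HOLD\n"
    ),
    # What the outdated client in the thread printed: no record at all.
    "unknown-sample.pw": "This TLD has no whois server.\n",
}


def parse_whois(text):
    """Parse 'Key:Value' lines; keys such as Status repeat, so values are lists."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and KEY_RE.match(key.strip()):
            record.setdefault(key.strip().lower(), []).append(value.strip())
    return record


def statuses(record):
    """Status values normalised so 'SERVER HOLD', 'serverHold' and 'ServerHold' compare equal."""
    return {re.sub(r"[\s_-]+", "", s).lower() for s in record.get("status", [])}


def takedown_report(whois_by_domain):
    """Sort reported domains into held / still_active / no_data."""
    report = {"held": [], "still_active": [], "no_data": []}
    for domain in sorted(whois_by_domain):
        record = parse_whois(whois_by_domain[domain])
        if "domain name" not in record:
            bucket = "no_data"  # no record returned: not evidence of suspension
        elif "serverhold" in statuses(record):
            bucket = "held"
        else:
            bucket = "still_active"
        report[bucket].append(domain)
    return report


if __name__ == "__main__":
    for bucket, domains in takedown_report(SAMPLES).items():
        print(bucket, domains)
```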





Re: .pw / Palau URL domains in spam

2013-05-05 Thread Benny Pedersen

doneshlaher skrev den 2013-05-05 18:58:

> We request you to report the domain names at abuse.al...@registry.pw and
> also cc the same mail to abuse.al...@directi.com.

why does ab...@any-sender-domain.pw not work?

--
senders that put my email into body content will deliver it to my own 
trashcan, so if you like to get reply, dont do it


Re: .pw / Palau URL domains in spam

2013-05-05 Thread doneshlaher
Hello Benny,

Can you please provide the email address by adding spaces to it, as I
can only see [hidden email], in place of the actual email.

Thanks 

Regards

Donesh Laher
Cyber Security Analyst
.PW Registry 





Re: .pw / Palau URL domains in spam

2013-05-05 Thread John Hardin

On Sun, 5 May 2013, Benny Pedersen wrote:


> doneshlaher skrev den 2013-05-05 18:58:
>
>> We request you to report the domain names at abuse.al...@registry.pw and
>> also cc the same mail to abuse.al...@directi.com.
>
> why does ab...@any-sender-domain.pw not work ?

Because that's the responsibility of the domain owner, not the registrar.

--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Mine eyes have seen the horror of the voting of the horde;
  They've looted the fromagerie where guv'ment cheese is stored;
  If war's not won before the break they grow so quickly bored;
  Their vote counts as much as yours.  -- Tam
---
 3 days until the 68th anniversary of VE day


Re: .pw / Palau URL domains in spam

2013-05-05 Thread Benny Pedersen

doneshlaher skrev den 2013-05-05 22:23:

> Can you please provide the email address by adding spaces to it, as I
> can only see [hidden email], in place of the actual email.

Nabble problems are not my problem

Authentication-Results: duggi.junc.org/BB74625C041; dmarc=none 
header.from=directi.com


do i need to trust this domain ?

--
senders that put my email into body content will deliver it to my own 
trashcan, so if you like to get reply, dont do it


Re: .pw / Palau URL domains in spam

2013-05-05 Thread Benny Pedersen

John Hardin skrev den 2013-05-05 22:44:

>>> We request you to report the domain names at abuse.al...@registry.pw and
>>> also cc the same mail to abuse.al...@directi.com.
>> why does ab...@any-sender-domain.pw not work ?
> Because that's the responsibility of the domain owner, not the registrar.


abuse-alert on any domain is not rfc compliant

--
senders that put my email into body content will deliver it to my own 
trashcan, so if you like to get reply, dont do it


Re: .pw / Palau URL domains in spam

2013-05-05 Thread John Hardin

On Sun, 5 May 2013, Benny Pedersen wrote:


> John Hardin skrev den 2013-05-05 22:44:
>
>>>> We request you to report the domain names at abuse.al...@registry.pw and
>>>> also cc the same mail to abuse.al...@directi.com.
>>> why does ab...@any-sender-domain.pw not work ?
>> Because that's the responsibility of the domain owner, not the registrar.
>
> abuse-alert on any domain is not rfc compliant


Agreed.

--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  ...to announce there must be no criticism of the President or to
  stand by the President right or wrong is not only unpatriotic and
  servile, but is morally treasonous to the American public.
  -- Theodore Roosevelt, 1918
---
 3 days until the 68th anniversary of VE day


Re: .pw / Palau URL domains in spam

2013-05-06 Thread Neil Schwartzman


On May 5, 2013, at 7:04 PM, John Hardin  wrote:

> On Sun, 5 May 2013, Benny Pedersen wrote:
> 
>> John Hardin skrev den 2013-05-05 22:44:
>> 
>> abuse-alert on any domain is not rfc compliant
> 
> Agreed.

Disagreed. So long as abuse@ is working, the domain is compliant with RFCs. 
There is nothing wrong with having an alternate address, particularly since 
abuse@ tends to garner a ton of spam.




Neil Schwartzman
Executive Director
CAUCE - the Coalition Against Unsolicited Commercial Email
Mob: (415) 361-0069
Skype: spamfighter666
SkypeIn: (303) 800-6345
Web: http://cauce.org
Twitter: @cauce

RE: .pw / Palau URL domains in spam

2013-05-06 Thread Chris Santerre
10 days and still being abused badly. Recommending for everyone to just
refuse any .pw 
 
for those wanting an SA rule, here:
 
header PW_IS_BAD_TLD From =~ /\.pw\b/
describe PW_IS_BAD_TLD PW TLD ABUSE
score PW_IS_BAD_TLD 3
 
Change score to whatever you want.  Enjoy. 
 

--Chris




Re: .pw / Palau URL domains in spam

2013-05-06 Thread John Hardin

On Mon, 6 May 2013, Neil Schwartzman wrote:

> On May 5, 2013, at 7:04 PM, John Hardin wrote:
>
> > On Sun, 5 May 2013, Benny Pedersen wrote:
> >
> > > John Hardin skrev den 2013-05-05 22:44:
> > >
> > > abuse-alert on any domain is not rfc compliant
> >
> > Agreed.
>
> Disagreed. So long as abuse@ is working, the domain is compliant with RFCs.


Sorry, I was assuming that abuse-alert@ was being offered *instead of* 
rather than in addition to abuse@


If there is a working abuse@ address that *isn't being ignored*, they're 
compliant.


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Trusting in anti-gun laws to keep you from being shot is like
  refusing to wear your seatbelt because you trust traffic laws to
  keep you from being in a car accident.  -- Erin Palette
---
 2 days until the 68th anniversary of VE day


Re: .pw / Palau URL domains in spam

2013-05-06 Thread Neil Schwartzman
heh, i don't think 'don't ignore' is part of the RFC, but yeah.

On May 6, 2013, at 9:08 AM, John Hardin  wrote:

> If there is a working abuse@ address that *isn't being ignored*, they're 
> compliant.



Re: .pw / Palau URL domains in spam

2013-05-06 Thread Matus UHLAR - fantomas

> On May 6, 2013, at 9:08 AM, John Hardin wrote:
>> If there is a working abuse@ address that *isn't being ignored*, they're
>> compliant.

On 06.05.13 09:55, Neil Schwartzman wrote:
> heh, i don't think 'don't ignore' is part of the RFC, but yeah.


well, if it clearly is not working, it's not compliant. if it's visibly
ignored, trashed, dropped, it violates the RFC
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
WinError #98652: Operation completed successfully.


Re: .pw / Palau URL domains in spam

2013-05-06 Thread Neil Schwartzman


On May 6, 2013, at 10:39 AM, Matus UHLAR - fantomas  wrote:

>> On May 6, 2013, at 9:08 AM, John Hardin  wrote:
>>> If there is a working abuse@ address that *isn't being ignored*, they're
>>> compliant.
> 
> On 06.05.13 09:55, Neil Schwartzman wrote:
>> heh, i don't think 'don't ignore' is part of the RFC, but yeah.
> 
> well, if it clearly is not working, it's not compliant. if it's visibly
> ignored, trashed, dropped, it violates the RFC


At risk of being pedantic, but this is, after all an RFC discussion, where do 
you see that in 2142? So long as someone receives a report, there is no 
specification against ignoring it, visibly or not.

http://www.ietf.org/rfc/rfc2142.txt

   The purpose of this memo is to aggregate and specify the basic set of
   mailbox names which organizations need to support.  Most
   organizations do not need to support the full set of mailbox names
   defined here, since not every organization will implement the all of
   the associated services.  However, if a given service is offerred, (sic)
   then the associated mailbox name(es) must be supported, resulting in
   delivery to a recipient appropriate for the referenced service or
   role.



Re: .pw / Palau URL domains in spam

2013-05-06 Thread Tom Hendrikx
On 06-05-13 19:55, Neil Schwartzman wrote:
> 
> 
> On May 6, 2013, at 10:39 AM, Matus UHLAR - fantomas wrote:
> 
>>> On May 6, 2013, at 9:08 AM, John Hardin wrote:
>>>> If there is a working abuse@ address that *isn't being ignored*, they're
>>>> compliant.
>>
>> On 06.05.13 09:55, Neil Schwartzman wrote:
>>> heh, i don't think 'don't ignore' is part of the RFC, but yeah.
>>
>> well, if it clearly is not working, it's not compliant. if it's visibly
>> ignored, trashed, dropped, it violates the RFC
> 
> 
> At risk of being pedantic, but this is, after all an RFC discussion,
> where do you see that in 2142? So long as someone receives a report,
> there is no specification against ignoring it, visibly or not.
> 
> http://www.ietf.org/rfc/rfc2142.txt
> 
>The purpose of this memo is to aggregate and specify the basic set of
>mailbox names which organizations need to support.  Most
>organizations do not need to support the full set of mailbox names
>defined here, since not every organization will implement the all of
>the associated services.  However, if a given service is offerred, (sic)
>then the associated mailbox name(es) must be supported, resulting in
>delivery to a recipient appropriate for the referenced service or
>role.

Chiming in here, the 'abstract' of the same RFC clearly states:

   This specification enumerates and describes Internet mail addresses
   (mailbox name @ host reference) to be used when contacting personnel
   at an organization.

To me, that sounds as if you should be able to reach an actual human
being ('personnel') by sending to the specified addresses. Ignoring
messages that get sent there which are valid within the context for the
addressee seems a clear violation. I.e. ignoring marketing mails sent to
abuse@ would be ok, but  ignoring abuse complaints isn't.

--
Tom


Re: .pw / Palau URL domains in spam

2013-05-06 Thread doneshlaher
Hello,

We have an email address ab...@registry.pw in place. The mails sent on this
email address will be processed within 24-48 hours, which is our SLA.

However, if an email is sent on abuse.al...@registry.pw and
abuse.al...@directi.com, it reaches to us directly on our mailboxes and it
will be taken up on priority. The SLA is 4 Hours max.

Hence, to expedite the process, I had given you people abuse.al...@registry.pw
and abuse.al...@directi.com email addresses.

Secondly, we are the Registry and not the Registrar. However, to curb this
spam outbreak, we have started taking down the domain names as soon as
they are reported. These registrations have been done from a single
registrar, and that will be handled soon.

Thanks

Regards
Donesh Laher
Cyber Security Analyst
.PW Registry



--
View this message in context: 
http://spamassassin.1065346.n5.nabble.com/pw-Palau-URL-domains-in-spam-tp104383p104567.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.


Re: .pw / Palau URL domains in spam

2013-05-06 Thread Joe Acquisto-j4
And how, exactly, is a sender to determine someone read an email one has sent?

Seems to me, the best one can do is be satisfied with no DSN.

joe a.

.

Chiming in here, the 'abstract' of the same RFC clearly states:

   This specification enumerates and describes Internet mail addresses
   (mailbox name @ host reference) to be used when contacting personnel
   at an organization.

To me, that sounds as if you should be able to reach an actual human
being ('personnel') by sending to the specified addresses. Ignoring
messages that get sent there which are valid within the context for the
addressee seems a clear violation. I.e. ignoring marketing mails sent to
abuse@ would be ok, but  ignoring abuse complaints isn't.

--
Tom




Re: .pw / Palau URL domains in spam

2013-05-06 Thread Matus UHLAR - fantomas

On 06.05.13 16:16, Joe Acquisto-j4 wrote:
> And how, exactly, is a sender to determine someone read an email one has sent?
>
> Seems to me, the best one can do is be satisfied with no DSN.


That's why I wrote "if it's visibly ignored, trashed, dropped" (according to
old explanation of D.J.Balling in rfc-ignorant conference).

We can't confirm compliancy, but in some clear situations we can confirm
uncompliancy.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Due to unexpected conditions Windows 2000 will be released
in first quarter of year 1901


RE: .pw / Palau URL domains in spam

2013-05-06 Thread Benny Pedersen

Chris Santerre skrev den 2013-05-06 17:27:

> 10 days and still being abused badly. Recommending for everyone to
> just refuse any .pw

time for spamhaus ? :=)

> for those wanting an SA rule, here:
>
> header PW_IS_BAD_TLD From =~ /\.pw\b/
> describe PW_IS_BAD_TLD PW TLD ABUSE
> score PW_IS_BAD_TLD 3

here i would like to use -3

> Change score to whatever you want. Enjoy.

thats the point of opensource imho :)

hopefully the good pw domains start using opendkim, and then let the 
world repute it from there


--
senders that put my email into body content will deliver it to my own 
trashcan, so if you like to get reply, dont do it


Re: .pw / Palau URL domains in spam

2013-05-06 Thread Benny Pedersen

Neil Schwartzman skrev den 2013-05-06 14:58:

> Disagreed. So long as abuse@ is working, the domain is compliant with
> RFCs. There is nothing wrong with having an alternate address,
> particularly since abuse@ tends to garner a ton of spam.

problem is to know what email to "spam" abuse reports to, no ?

also why i suggested to ab...@example-from-spamassassin-maillist.pw 
then just another domain, if that complains are then not handled then 
its time to block sender domain in mta stage


--
senders that put my email into body content will deliver it to my own 
trashcan, so if you like to get reply, dont do it


Re: .pw / Palau URL domains in spam

2013-05-06 Thread Benny Pedersen

John Hardin skrev den 2013-05-06 18:08:

> Sorry, I was assuming that abuse-alert@ was being offered *instead
> of* rather than in addition to abuse@

no need to sorry, there is a lot of admins that assume the same, only 
rule is to start with abuse@

> If there is a working abuse@ address that *isn't being ignored*,
> they're compliant.

yes, admins dont need to guess what email to send to in the first place

--
senders that put my email into body content will deliver it to my own 
trashcan, so if you like to get reply, dont do it


Re: .pw / Palau URL domains in spam

2013-05-06 Thread Benny Pedersen

Joe Acquisto-j4 skrev den 2013-05-06 22:16:
> And how, exactly, is a sender to determine someone read an email one 
> has sent?

there was something last year that was called rfc-ignorant.org :)

if one of their listed domains wanted to be unlisted they must reply to 
a link sent to ab...@listed.example.org :)

> Seems to me, the best one can do is be satisfied with no DSN.

i still miss this rfc-ignorant.org domain back in full service

http://www.rfc-ignorant.de/

--
senders that put my email into body content will deliver it to my own 
trashcan, so if you like to get reply, dont do it


Re: .pw / Palau URL domains in spam

2013-05-07 Thread Joe Acquisto-j4
>>> On 5/7/2013 at 2:01 AM, Benny Pedersen  wrote:
> Joe Acquisto-j4 skrev den 2013-05-06 22:16:
>> And how, exactly, is a sender to determine someone read an email one 
>> has sent?
> 
> there was something last year that was called rfc-ignorant.org :)
> 
> if one of their listed domains wanted to be unlisted they must reply to 
> a link sent to ab...@listed.example.org :)
> 
>> Seems to me, the best one can do is be satisfied with no DSN.
> 
> i still miss this rfc-ignorant.org domain back in full service
> 
> http://www.rfc-ignorant.de/ 
> 

Sorry, still don't get it.   Seems to still rely on a "guess" on the part of 
the sender.

How can you tell, as a sender of abuse reports, that the recipient reads an 
email?

Or has any intention of acting upon it?

What is to stop the recipient from simply accepting and trashing, or just 
dropping the reports they receive?

"bad guys" just won't care, or actively subvert.

Seems this horse, even if persuaded to get up, will not pull a wagon very far.

joe a.






Re: .pw / Palau URL domains in spam

2013-05-07 Thread Karsten Bräckelmann
On Sun, 2013-05-05 at 22:49 +0200, Benny Pedersen wrote:
> John Hardin skrev den 2013-05-05 22:44:

> > > > We request you to report the domain names at abuse.alert @registry.pw 
> > > > and
> > > > also cc the same mail to abuse.alert @directi.com.
> > > 
> > > why does abuse @any-sender-domain.pw not work ?
> > 
> > Because that's the responsibility of the domain owner, not the registrar.

Indeed. Though it seems, participants in the following sub-thread forgot
what this is about.

The working assumption is reporting (sender) domains as spamming.

Reporting abuse of a domain specifically registered with the clear
intention to spam, to the very domain's abuse@ address, is pointless.
It's like letting the spammers know you've read it...


> abuse-alert on any domain is not rfc compliant

The whole point of this is providing an address to report abuse to
someone who cares and can stop further abuse.

FWIW, there is no relevant RFC, and the provided addresses are *not* at
"any domain".


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}



Re: .pw / Palau URL domains in spam

2013-05-07 Thread Steve Prior

On 5/7/2013 1:44 AM, Benny Pedersen wrote:
> Chris Santerre skrev den 2013-05-06 17:27:
>> 10 days and still being abused badly. Recommending for everyone to
>> just refuse any .pw
>
> time for spamhaus ? :=)
>
>> for those wanting an SA rule, here:
>>
>> header PW_IS_BAD_TLD From =~ /\.pw\b/
>> describe PW_IS_BAD_TLD PW TLD ABUSE
>> score PW_IS_BAD_TLD 3
>
> here i would like to use -3
>
>> Change score to whatever you want. Enjoy.
>
> thats the point of opensource imho :)
>
> hopefully the good pw domains start using opendkim, and then let the world
> repute it from there



I blocked everything from TLD pw at the Postfix level so the email gets rejected 
without ever hitting spamassassin.


I created /etc/postfix/sender_access with the contents:
pw  REJECT

ran postmap sender_access

and then added
check_sender_access hash:/etc/postfix/sender_access
to smtpd_recipient_restrictions

Problem went away completely, sorry Palau.

Steve


RE: .pw / Palau URL domains in spam

2013-05-08 Thread Chris Santerre
Hypothetically if one were running a reputation system and didn't want to
block all of a TLD like .pw, one could:

Locally cache whois info
create a local rbl
check against a sending domain on the whois info based on both the registrar
and the creation date

Created On:08-May-2013 05:24:04 UTC
Name Server:DNS1.REGISTRAR-SERVERS.COM

Anything created in the last 3 days and by that registrar could be blocked
locally. 

Hypothetically :) 

--Chris
(My top posts smell like strawberries)

> -Original Message-
> From: Steve Prior [mailto:spr...@geekster.com]
> Sent: 2013-05-07 23:02
> To: users@spamassassin.apache.org
> Subject: Re: .pw / Palau URL domains in spam
> 
*snip*

> 
> I blocked everything from TLD pw at the Postfix level so the 
> email gets rejected 
> without ever hitting spamassassin.
*snip*

> Problem went away completely, sorry Palau.
> 
> Steve
> 


Re: .pw / Palau URL domains in spam

2013-05-08 Thread Bowie Bailey

On 5/7/2013 7:03 PM, Karsten Bräckelmann wrote:
> On Sun, 2013-05-05 at 22:49 +0200, Benny Pedersen wrote:
>> John Hardin skrev den 2013-05-05 22:44:
>>>>> We request you to report the domain names at abuse.alert @registry.pw and
>>>>> also cc the same mail to abuse.alert @directi.com.
>>>> why does abuse @any-sender-domain.pw not work ?
>>> Because that's the responsibility of the domain owner, not the registrar.
>
> Indeed. Though it seems, participants in the following sub-thread forgot
> what this is about.
>
> The working assumption is reporting (sender) domains as spamming.
>
> Reporting abuse of a domain specifically registered with the clear
> intention to spam, to the very domain's abuse@ address, is pointless.
> It's like letting the spammers know you've read it...


And, for what it's worth, they are responding to spam reports.  I have 
been reporting all of the .pw domains I see in spams to the addresses 
they provided and they have been taking down the domains.


--
Bowie


Re: .pw / Palau URL domains in spam

2013-05-08 Thread Michael Orlitzky
(replying randomly in the thread)

We've been getting complaints about these, so while I don't like to
target a TLD indiscriminately, I think I'd like to add a few points to
mail from *.pw for a couple of months until things clear up.

What's the correct way to do this? A regexp on the from/return-path
headers? Or is something built-in?



RE: .pw / Palau URL domains in spam

2013-05-08 Thread Chris Santerre
I posted this yesterday

for those wanting an SA rule, here:
 
header PW_IS_BAD_TLD From =~ /\.pw\b/
describe PW_IS_BAD_TLD PW TLD ABUSE
score PW_IS_BAD_TLD 3
 
Change score to whatever you want.  Enjoy. 

--Chris


> -Original Message-
> From: Michael Orlitzky [mailto:mich...@orlitzky.com]
> Sent: 2013-05-08 11:24
> To: users@spamassassin.apache.org
> Subject: Re: .pw / Palau URL domains in spam
> 
> 
> (replying randomly in the thread)
> 
> We've been getting complaints about these, so while I don't like to
> target a TLD indiscriminately, I think I'd like to add a few points to
> mail from *.pw for a couple of months until things clear up.
> 
> What's the correct way to do this? A regexp on the from/return-path
> headers? Or is something built-in?
> 


Re: .pw / Palau URL domains in spam

2013-05-08 Thread Richard Doyle
Hypotheticians might want to look at jwhois, which  is a caching whois
client. Cache expiration time is configurable ...

On 05/08/2013 06:45 AM, Chris Santerre wrote:
> RE: .pw / Palau URL domains in spam
>
> Hypothetically if one were running a reputation system and didn't want
> to block all of a TLD like .pw, one could:
>
> Locally cache whois info
> create a local rbl
> check against a sending domain on the whois info based on both the
> registrar and the creation date
>
> Created On:08-May-2013 05:24:04 UTC
> Name Server:DNS1.REGISTRAR-SERVERS.COM
>
> Anything created in the last 3 days and by that registrar could be
> blocked locally.
>
> Hypothetically :)
>
> --Chris
> (My top posts smell like strawberries)
>
> > -Original Message-
> > From: Steve Prior [mailto:spr...@geekster.com]
> > Sent: 2013-05-07 23:02
> > To: users@spamassassin.apache.org
> > Subject: Re: .pw / Palau URL domains in spam
> >
> *snip*
>
> >
> > I blocked everything from TLD pw at the Postfix level so the
> > email gets rejected
> > without ever hitting spamassassin.
> *snip*
>
> > Problem went away completely, sorry Palau.
> >
> > Steve
> >
>
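An added example, not code from any poster in this thread: one way to carry out the hypothetical check described above, blocking a sending domain only when its cached whois record shows both a creation date inside the 3-day window and a name server like the one quoted. The cache class, the fetch callable, the 12-hour TTL and the sample records are assumptions made for the illustration; only the two whois field formats and the 3-day window come from the post.

```python
# Added example: age-and-name-server check over cached whois text.
# Sample records and domain names below are constructed, not real lookups.
import re
from datetime import datetime, timedelta, timezone

MONTHS = {m: i for i, m in enumerate(
    "jan feb mar apr may jun jul aug sep oct nov dec".split(), start=1)}
CREATED_RE = re.compile(
    r"^(\d{1,2})-([A-Za-z]{3})-(\d{4}) (\d{2}):(\d{2}):(\d{2}) UTC$")
WATCHED_NS_SUFFIX = "registrar-servers.com"  # name server quoted in the post
MAX_AGE = timedelta(days=3)                  # "created in the last 3 days"


def parse_whois(text):
    """Split 'Key:Value' lines into {lowercased key: [values]}."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields.setdefault(key.strip().lower(), []).append(value.strip())
    return fields


def created_on(fields):
    """Creation time as an aware datetime, or None when missing or malformed."""
    for raw in fields.get("created on", []):
        m = CREATED_RE.match(raw)
        if m and m.group(2).lower() in MONTHS:
            d, mon, y, hh, mm, ss = m.groups()
            try:
                return datetime(int(y), MONTHS[mon.lower()], int(d),
                                int(hh), int(mm), int(ss), tzinfo=timezone.utc)
            except ValueError:
                return None
    return None


def verdict(fields, now):
    """Return (block, reason) for one parsed record; fails open on bad data."""
    created = created_on(fields)
    if created is None:
        return False, "no usable creation date"
    age = now - created
    if age < timedelta(0) or age > MAX_AGE:
        return False, "outside the 3-day window"
    servers = [ns.lower().rstrip(".") for ns in fields.get("name server", [])]
    if any(ns == WATCHED_NS_SUFFIX or ns.endswith("." + WATCHED_NS_SUFFIX)
           for ns in servers):
        return True, "new domain on watched name servers"
    return False, "new domain, other name servers"


class WhoisCache:
    """Keeps raw whois text per domain so each is fetched once per TTL."""

    def __init__(self, fetch, ttl=timedelta(hours=12)):
        self.fetch, self.ttl, self.store = fetch, ttl, {}

    def lookup(self, domain, now):
        domain = domain.lower().rstrip(".")
        hit = self.store.get(domain)
        if hit is None or now - hit[0] > self.ttl:
            hit = (now, self.fetch(domain))
            self.store[domain] = hit
        return parse_whois(hit[1])


# Constructed whois answers standing in for a real whois client.
SAMPLE_WHOIS = {
    "fresh-sender.pw": "Created On:08-May-2013 05:24:04 UTC\n"
                       "Name Server:DNS1.REGISTRAR-SERVERS.COM\n",
    "older-sender.pw": "Created On:02-Apr-2013 10:00:00 UTC\n"
                       "Name Server:DNS1.REGISTRAR-SERVERS.COM\n",
    "other-ns.pw": "Created On:08-May-2013 05:24:04 UTC\n"
                   "Name Server:NS1.EXAMPLE.NET\n",
    "no-date.pw": "Name Server:DNS1.REGISTRAR-SERVERS.COM\n",
}
FETCH_LOG = []  # records every call that would have gone to the network


def sample_fetch(domain):
    FETCH_LOG.append(domain)
    return SAMPLE_WHOIS.get(domain, "")


def check(cache, domain, now):
    return verdict(cache.lookup(domain, now), now)
```

A record with no parseable creation date is not blocked, so a whois outage degrades to "no verdict" rather than to rejecting mail.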



Re: .pw / Palau URL domains in spam

2013-05-08 Thread Benny Pedersen

Steve Prior skrev den 2013-05-08 05:02:


> Problem went away completely, sorry Palau.


postmap -q localpw.org hash:/path/to/map

it should not reject that one :)

bind9 rpz zone will be better solution, *.pw.rpz.localhost cname .

and then follow it with bind9 guide on setup the rpz in bind

its not very memory hungry either :)

--
senders that put my email into body content will deliver it to my own 
trashcan, so if you like to get reply, dont do it


Re: .pw / Palau URL domains in spam

2013-05-08 Thread Benny Pedersen

Karsten Bräckelmann skrev den 2013-05-08 01:03:

> Reporting abuse of a domain specifically registered with the clear
> intention to spam, to the very domain's abuse@ address, is pointless.
> It's like letting the spammers know you've read it...

that is correct if pw domains using their own mailserver, and abuse@ 
does not is aliases to mailserver admin for the server networking, then 
it would be telling spamming domain its monitored for spamming, it will 
still be good to see if spamming stops after complaining

rfc-ignorant was right, send a "spam" mail to abuse@ and there with a 
link to unlist in rfci, if that link was not read and handled continue 
to list at rfci

but this is maybe long time dropped ? :=)

>> abuse-alert on any domain is not rfc compliant
>
> The whole point of this is providing an address to report abuse to
> someone who cares and can stop further abuse.

you assume that abuse@ goes to the spammers ?

> FWIW, there is no relevant RFC, and the provided addresses are *not* at
> "any domain".

+1 then it will be blocked

--
senders that put my email into body content will deliver it to my own 
trashcan, so if you like to get reply, dont do it


Re: .pw / Palau URL domains in spam

2013-05-08 Thread Benny Pedersen

Michael Orlitzky skrev den 2013-05-08 17:24:

> (replying randomly in the thread)
>
> We've been getting complaints about these, so while I don't like to
> target a TLD indiscriminately, I think I'd like to add a few points to
> mail from *.pw for a couple of months until things clear up.
>
> What's the correct way to do this? A regexp on the from/return-path
> headers? Or is something built-in?


add *.pw to freemail_domains in local.cf

or to blacklist_from *.pw or maybe also to blacklist_to *.pw

hope its not needed to do same with urls

--
senders that put my email into body content will deliver it to my own 
trashcan, so if you like to get reply, dont do it


Re: .pw / Palau URL domains in spam

2013-05-09 Thread Jason Haar
On 09/05/13 17:38, Benny Pedersen wrote:
>
> hope its not needed to do same with urls
>

We've received spam with non-.pw headers but .pw urls. I'm blocking (ie
scoring high) anything with .pw/ urls at the moment - it's so bad :-(

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
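An added example, not part of any post in this thread and not SpamAssassin code: it runs the From-header regex posted earlier and a rightmost-label TLD check over constructed messages, including the case reported above of a non-.pw sender with a .pw URL in the body. The URL pattern, function names and sample messages are assumptions made for the illustration.

```python
# Added example: the thread's From regex next to a host-label TLD check,
# run over constructed messages.
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

THREAD_RULE = re.compile(r"\.pw\b")                  # regex from the posted rule
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)   # simplified URL finder


def host_in_tld(host, tld="pw"):
    """True when the rightmost DNS label of host equals tld."""
    labels = host.lower().rstrip(".").split(".")
    return len(labels) >= 2 and labels[-1] == tld


def from_domain(msg):
    """Domain of the From address; the display name is ignored."""
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2]


def uri_hosts(msg):
    """Hosts of http(s) URLs in a single-part text body."""
    hosts = []
    for url in URL_RE.findall(msg.get_payload()):
        try:
            host = urlsplit(url).hostname
        except ValueError:      # malformed URL, e.g. a broken IPv6 literal
            continue
        if host:
            hosts.append(host)
    return hosts


def classify(raw):
    """Report which of the three checks fire on one raw message."""
    msg = message_from_string(raw)
    return {
        "thread_rule": bool(THREAD_RULE.search(msg.get("From", ""))),
        "from_tld": host_in_tld(from_domain(msg)),
        "uri_tld": any(host_in_tld(h) for h in uri_hosts(msg)),
    }


# Constructed messages. any-sender-domain.pw and localpw.org are the
# placeholder names used in the thread; the rest are made up.
SAMPLES = {
    "pw_sender": "From: offers@any-sender-domain.pw\n\n"
                 "http://any-sender-domain.pw/a\n",
    "pw_url_only": 'From: "News" <news@example.com>\n\n'
                   "See http://click.any-sender-domain.pw/x\n",
    "pw_mid_label": "From: bob@mail.pw.example.com\n\nNo links here.\n",
    "pw_display_name": 'From: "backup.pw report" <ops@example.org>\n\n'
                       "No links here.\n",
    "localpw": "From: alice@localpw.org\n\nhttp://localpw.org/\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:16} {classify(raw)}")
```

The regex fires on `.pw` anywhere in the header, so a middle label or a display name triggers it, while a From-only rule misses the URL-only message; in SpamAssassin the `:addr` header modifier limits a header rule to the address itself.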



Re: .pw / Palau URL domains in spam

2013-05-09 Thread Benny Pedersen

Jason Haar skrev den 2013-05-09 09:43:

> On 09/05/13 17:38, Benny Pedersen wrote:
>> hope its not needed to do same with urls
>
> We've received spam with non-.pw headers but .pw urls. I'm blocking (ie
> scoring high) anything with .pw/ urls at the moment - it's so bad :-(

sorry i did not see this before now, subject says url, but i have just 
focus on sender addresses, well i would then make sense to meta sender 
and url to be from same domain to not be scored badly, spammers is so 
geek :)

urls scanning imho includes sender domain match, it is imho a bug that 
is better to not resolve


--
senders that put my email into body content will deliver it to my own 
trashcan, so if you like to get reply, dont do it


Re: .pw / Palau URL domains in spam

2013-05-25 Thread Ben Johnson


On 5/7/2013 11:02 PM, Steve Prior wrote:
> On 5/7/2013 1:44 AM, Benny Pedersen wrote:
>> Chris Santerre skrev den 2013-05-06 17:27:
>>> 10 days and still being abused badly. Recommending for everyone to
>>> just refuse any .pw
>>
>> time for spamhaus ? :=)
>>
>>> for those wanting an SA rule, here:
>>>
>>> header PW_IS_BAD_TLD From =~ /\.pw\b/
>>> describe PW_IS_BAD_TLD PW TLD ABUSE
>>> score PW_IS_BAD_TLD 3
>>
>> here i would like to use -3
>>
>>> Change score to whatever you want. Enjoy.
>>
>> thats the point of opensource imho :)
>>
>> hopefully the good pw domains start using opendkim, and then let the
>> world
>> repute it from there
>>
> 
> I blocked everything from TLD pw at the Postfix level so the email gets
> rejected without ever hitting spamassassin.
> 
> I created /etc/postfix/sender_access with the contents:
> pw  REJECT
> 
> ran postmap sender_access
> 
> and then added
> check_sender_access hash:/etc/postfix/sender_access
> to smtpd_recipient_restrictions
> 
> Problem went away completely, sorry Palau.
> 
> Steve
> 

Steve, just wanted to thank you for providing an elegant solution to
this problem. It seems far more preferable to block this nonsense right
at the MTA level (for now). Your instructions worked for me and I now
see the following in my mail log for any .pw sender:

postfix/smtpd[10660]: NOQUEUE: reject: RCPT from
unknown[173.213.124.203]: 554 5.7.1 : Sender
address rejected: Access denied

Much appreciated!

-Ben


Re: .pw / Palau URL domains in spam

2013-05-25 Thread hamann . w
>> 
>> 
>> On 5/7/2013 11:02 PM, Steve Prior wrote:
>> > On 5/7/2013 1:44 AM, Benny Pedersen wrote:
>> >> Chris Santerre skrev den 2013-05-06 17:27:
>> >>> 10 days and still being abused badly. Recommending for everyone to
>> >>> just refuse any .pw
>> >>
>> >> time for spamhaus ? :=)
>> >>
>> >>> for those wanting an SA rule, here:
>> >>>
>> >>> header PW_IS_BAD_TLD From =~ /\.pw\b/
>> >>> describe PW_IS_BAD_TLD PW TLD ABUSE
>> >>> score PW_IS_BAD_TLD 3
>> >>
>> >> here i would like to use -3
>> >>
>> >>> Change score to whatever you want. Enjoy.
>> >>
>> >> thats the point of opensource imho :)
>> >>
>> >> hopefully the good pw domains start using opendkim, and then let the
>> >> world
>> >> repute it from there
>> >>
>> > 
>> > I blocked everything from TLD pw at the Postfix level so the email gets
>> > rejected without ever hitting spamassassin.
>> > 
>> > I created /etc/postfix/sender_access with the contents:
>> > pw  REJECT
>> > 
>> > ran postmap sender_access
>> > 
>> > and then added
>> > check_sender_access hash:/etc/postfix/sender_access
>> > to smtpd_recipient_restrictions
>> > 
>> > Problem went away completely, sorry Palau.
>> > 
>> > Steve
>> > 
>> 
>> Steve, just wanted to thank you for providing an elegant solution to
>> this problem. It seems far more preferable to block this nonsense right
>> at the MTA level (for now). Your instructions worked for me and I now
>> see the following in my mail log for any .pw sender:
>> 
>> postfix/smtpd[10660]: NOQUEUE: reject: RCPT from
>> unknown[173.213.124.203]: 554 5.7.1 : Sender
>> address rejected: Access denied
>> 
>> Much appreciated!
>> 
>> -Ben

Hi,

well, I do not know anybody at Palau and so have no real need to exchange
mails, but I feel that this attitude seems somewhat drastic.
Some companies might do the same for bigger countries, also on the reasoning
that they (the companies operating the server) do not expect their users to
communicate with these places.
I know for sure that, a few years back, roadrunner decided to block former
state telecom in germany - which served an estimated 25% or so of private
email addresses here at that time.

Regards
Wolfgang Hamann




Re: .pw / Palau URL domains in spam

2013-05-26 Thread John Levine
>well, I do not know anybody at Palau and so have no real need to exchange 
>mails, but I
>feel that this attitude seems somewhat drastic.

The .PW domain isn't really a country domain.  It's being sold as a
fake generic domain by Directi, an Indian registrar who has never been
able to manage abuse by their registrants.

Palau itself is a tiny US protectorate of 20,000 people whose few real
web sites are in other domains.  You can safely block all traffic
mentioning .PW with close to zero chance of losing anything real.

See my blog at http://jl.ly for a few more comments on the topic.



Re: .pw / Palau URL domains in spam

2013-06-14 Thread doneshlaher
Hello All,

Firstly, I would like to thank you all for helping us fight against this
massive spam outbreak. Let me give you a quick feedback about this issue and
our mitigation policies to curb the spam outbreak.

Ever since the spam outbreak on .pw, we as the Registry have spent the past
month and a half by undertaking a massive cleanup initiative. We have not
waited for the Registrars to investigate and respond to complaints; rather
we have ourselves taken down domain names which have proven to be abusive.

Our abuse desk has been kept busy with large volumes of complaints against
.pw domains, each being responded within the time frame of 24 hours (and in
most cases within a matter of few hours). The team has successfully traced
the source of these spammy domains to customers under a single Registrar
account. This means that more than pricing, this attack manifests itself as
an activity carried out by an organized group of spammers targeting one
particular Registrar portfolio. To curb this abuse, we have considered to
respond and taken down reported domain names belonging to this Registrar.

In order to control this incident, we have tightened the noose around other
Registrars as well, thus implying the repercussions of our AUP violation
(which we have been very particular about).

We have also been eliminating abusive domain names proactively at the
registration phase by using pattern matching and anomaly based methods. This
approach has proven to be very effective and has successfully eliminated
20-30% of domain names which are likely to be used for illicit activities.

In addition to responding to complaints from individual internet users, the
.pw Registry has been working closely with anti-abuse entities such as
Symantec, Spamhaus and SURBL. We have also tied up with NameSentry to beef
up our abuse monitoring process. Being a Registry, we have access to very
limited information as compared to a Registrar. Yet we have managed to weed
out and terminate abusive domain names more proactively, compared to other
Registries out there.

Last but not the least, we would like to thank each and everyone who have
criticized, appreciated or raised concerns in our effort to curb the abuse.
In order to assist us with our efforts, we request you to update us with
your complaints at ab...@registry.pw.

Regards

Donesh Laher
Cyber Security Analyst
.PW Registry



--
View this message in context: 
http://spamassassin.1065346.n5.nabble.com/pw-Palau-URL-domains-in-spam-tp104383p105244.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.