Re: My only problem with URIBL_BLACK

2006-05-10 Thread qqqq
| On a side note, to anyone watching this seemingly incredible long
| discussion about one FP:
|
| This is typically what URIBL members do. We take every FP and delist
| request seriously. We do deep research on each one. Much deeper than
| anything you have seen here in this thread. It's not the first time
| someone has told us about an FP that has turned out to be false.
| Won't be the last.
|
| We've had spammers request delistings, which of course sets our magic
| elves into a fiery rage or research. This only backfires on the
| spammers, and not only doesn't get his spam domain delisted, but gets
| a lot more of them found in research listed.
|
| A lot of people on other spam lists have said how "Soul Grinding"
| running an RBL is. Well we can now attest to that fact. Threads like
| this happen in private very often. Lots of work. One can often do
| hours of research to add 100+ domains, only to find another member
| has already done it! Bastards! :)
|
| All of this would not be possible without some very incredible
| people. I can't thank the members of URIBL enough. The people who
| support us with mirrors. The anonymous non-members who email us
| privately with lots of helpful info. Hosts for the bandwidth. Jeff
| Chan and W.Stearns, for that very first conference call. The SA devs
| for putting up with us, ok, me. And of course... the magic elves.
| Thanks to all.
|
| (Might as well add, all of the above also goes for the incredible
| work of the SARE team!)
|
| --Chris


Chris,

I brought the issue up as I had a few messages of what my customers believed
were FP's.  I only posted 2 examples but there are many.  In my case, I have
1 out of 1000's who will want the mailing. I think what I got out of this
whole discussion was that I need to implement per user whitelisting. I will
be working on that this weekend.

I support URIBL 100%.  In fact, if you check, you will see that I am a mirror
and have made donations for the cause in the past ;-)





RE: My only problem with URIBL_BLACK

2006-05-10 Thread Chris Santerre





On a side note, to anyone watching this seemingly incredible long discussion about one FP:

This is typically what URIBL members do. We take every FP and delist request seriously. We do deep research on each one. Much deeper than anything you have seen here in this thread. It's not the first time someone has told us about an FP that has turned out to be false. Won't be the last.

We've had spammers request delistings, which of course sets our magic elves into a fiery rage or research. This only backfires on the spammers, and not only doesn't get his spam domain delisted, but gets a lot more of them found in research listed.

A lot of people on other spam lists have said how "Soul Grinding" running an RBL is. Well we can now attest to that fact. Threads like this happen in private very often. Lots of work. One can often do hours of research to add 100+ domains, only to find another member has already done it! Bastards! :)

All of this would not be possible without some very incredible people. I can't thank the members of URIBL enough. The people who support us with mirrors. The anonymous non-members who email us privately with lots of helpful info. Hosts for the bandwidth. Jeff Chan and W.Stearns, for that very first conference call. The SA devs for putting up with us, ok, me. And of course... the magic elves. Thanks to all.

(Might as well add, all of the above also goes for the incredible work of the SARE team!)

--Chris
(Holy crap! Did I just post a serious message to the list? WTF is wrong with me?)


(Double holy crap! I said something nice about Jeff again! He won't believe it!)





Re: My only problem with URIBL_BLACK

2006-05-10 Thread Matt Kettler
jdow wrote:
> From: "Matt Kettler" <[EMAIL PROTECTED]>
>> Let's look at their IPs they are hosting their domain from:
>> $ host uhmcargo*MUNGED*.com

> 
> Fascinating - even the whois registration seems to have MPD, er Multiple
> Personality Disorder. This is what I got in part:
> ===8<---
> Registrant:
> Amber Furlong [EMAIL PROTECTED] +1.6785283829
> Private person
> 20222 shadowood parkway
> Atlanta,GA,UNITED STATES 30339
> 
> 
> Domain Name:uhmcargo.net-M

Yeah, I screwed up and used .com instead of .net. When I query the .net I get the
same results as you.


Re: My only problem with URIBL_BLACK

2006-05-09 Thread jdow

From: "Matt Kettler" <[EMAIL PROTECTED]>

Chris Santerre wrote:




-Original Message-
From:  [mailto:[EMAIL PROTECTED]
Sent: Tuesday, May 09, 2006 3:12 PM
To: Chris Santerre; 'Matt Kettler'
Cc: users@spamassassin.apache.org
Subject: Re: My only problem with URIBL_BLACK


Here's one that just got
captured.  The mailing was from
Monster.com and the customer is livid :-(

X-Spam-Report:
 *  0.0 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
 *  1.1 URIBL_SBL Contains an URL listed in the SBL blocklist
 *  [URIs: uhmcargo_MUNGED.net]
 *  3.0 URIBL_BLACK Contains an URL listed in the URIBL blacklist
 *  [URIs: uhmcargo_MUNGED.net]
 *  3.4 URIBL_JP_SURBL Contains an URL listed in the JP SURBL
blocklist
 *  [URIs: uhmcargo_MUNGED.net]

I had to _MUNGED the domain because the mailing hit 13.5 and bounced

The threshold is 5.5


Here is from my original stats post:
 1  URIBL_BLACK      163397   7.09   29.11   78.05   0.50
 5  URIBL_JP_SURBL   118251   5.13   21.07   56.48   0.09

What are your thoughts guys?  Lower the score for URI_BLACK and JP?


Its not an FP.

http://groups.google.com/group/misc.writing.screenplays.moderated/browse_frm/thread/e7fca5612bbf5aa3/fc75be5ae3052cbb?lnk=st&q=uhmcargo.net&rnum=1&hl=en#fc75be5ae3052cbb
<http://groups.google.com/group/misc.writing.screenplays.moderated/browse_frm/thread/e7fca5612bbf5aa3/fc75be5ae3052cbb?lnk=st&q=uhmcargo.net&rnum=1&hl=en#fc75be5ae3052cbb>



I do tend to agree, this site appears to be a scam.

, feel free to pass all of this on to your user.


I find the domain's registration info rather interesting:
-
Registrant / Admin Contact :
ORGANISATION
 IBC int Laer (IIL2-BMN-ORG)

RR #3 Box 1122

17059 Mifflintown
UNITED STATES

  Contact
 Jo FOLTZ
 phone  : +56 7432674623
 fax:
 e-mail : [EMAIL PROTECTED]



Created on 05/06/2006 01:08:40


Hmm.. they're from the United States, yet their phone number is in Chile
(dialing code +56)???

They left out the state, and put things in the wrong order, but 17059 is the zip
code for Mifflintown, PA.

Fixing the address:
IBC int Laer
RR #3 Box 1122
Mifflintown, PA 17059
UNITED STATES


Also, the company name contains "int laer", which appears to be Belgian
language. A web search for this phrase turns up 2 pages in a language I don't
understand hosted out of .be.

So we have a company registered with a Rural-Route address in Pennsylvania, with
a Chilean phone number, a Belgian name, and a yahoo email address... And the
record was created 3 days ago.. Hmmm...


Let's look at their IPs they are hosting their domain from:
---
$ host uhmcargo*MUNGED*.com
uhmcargo*MUNGED*.com has address 82.155.56.150
uhmcargo*MUNGED*.com has address 83.99.128.137
uhmcargo*MUNGED*.com has address 83.213.63.213

$ host 82.155.56.150
150.56.155.82.in-addr.arpa domain name pointer bl6-56-150.dsl.telepac.pt.
$ host 83.99.128.137
137.128.99.83.in-addr.arpa domain name pointer balticom-128-137.balticom.lv.
$ host 83.213.63.213
213.63.213.83.in-addr.arpa domain name pointer eu83-213-63-213.clientes.euskaltel.es



Hmm, so they are hosting their website at a lot of different places. A DSL node
in Portugal, Another site in Latvia, and yet one more in Spain?

So this is a company located in Rural PA, with a phone number in Chile, a yahoo
email address, a Belgian name, and web hosting spread across Portugal, Spain and
Latvia...

Looks like your irate customer was saved from receiving a blatant scam.

I wonder what kind of "start up" fees you need to pay to accept this job


Fascinating - even the whois registration seems to have MPD, er Multiple
Personality Disorder. This is what I got in part:
===8<---
Registrant:
Amber Furlong [EMAIL PROTECTED] +1.6785283829
Private person
20222 shadowood parkway
Atlanta,GA,UNITED STATES 30339


Domain Name:uhmcargo.net-M
Record last updated at 2006-05-05 18:11:50
Record created on 2006/5/5
Record expired on 2007/5/5


Domain servers in listed order:
ns1.narrowtok.net-M   ns2.narrowtok.net-M

Administrator:
20222 shadowood parkway
Atlanta
GA,
UNITED STATES
30339
===8<---

It might have been hijacked recently. But then, for a brandy spanky new
registration that seems unlikely
{^_^} 



Re: My only problem with URIBL_BLACK

2006-05-09 Thread jdow

From: "Chris Santerre" <[EMAIL PROTECTED]>

-Original Message-
From:  [mailto:[EMAIL PROTECTED]

Here's one that just got
captured.  The mailing was from

Monster.com and the customer is livid :-(

X-Spam-Report:
 *  0.0 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
 *  1.1 URIBL_SBL Contains an URL listed in the SBL blocklist
 *  [URIs: uhmcargo_MUNGED.net]
 *  3.0 URIBL_BLACK Contains an URL listed in the URIBL blacklist
 *  [URIs: uhmcargo_MUNGED.net]
 *  3.4 URIBL_JP_SURBL Contains an URL listed in the JP SURBL 
blocklist

 *  [URIs: uhmcargo_MUNGED.net]

I had to _MUNGED the domain because the mailing hit 13.5 and bounced

The threshold is 5.5


Here is from my original stats post:
 1  URIBL_BLACK      163397   7.09   29.11   78.05   0.50
 5  URIBL_JP_SURBL   118251   5.13   21.07   56.48   0.09


What are your thoughts guys?  Lower the score for URI_BLACK and JP?


Its not an FP.

http://groups.google.com/group/misc.writing.screenplays.moderated/browse_frm/thread/e7fca5612bbf5aa3/fc75be5ae3052cbb?lnk=st&q=uhmcargo.net&rnum=1&hl=en#fc75be5ae3052cbb


And the registrant is a single person with, it appears, one single
network address. For the 6th largest shipper that is a pathetic
web presence.

{^_-}


RE: My only problem with URIBL_BLACK

2006-05-09 Thread Dallas L. Engelken
> -Original Message-
> From: List Mail User [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, May 09, 2006 6:36 PM
> To: Dallas L. Engelken; users@spamassassin.apache.org
> Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: RE: My only problem with URIBL_BLACK
> 
> >...
> >> What are your thoughts guys?  Lower the score for URI_BLACK and JP?
> >> 
> >
> >seriously?  the domains is 3 days old and is unreachable, and uses 
> >outfitter.net NS's which appear to have an identity crisis.
> >
> >April 25th,
> >ns1.outfiter.net  206.173.156.105
> >ns2.outfiter.net  24.98.13.40
> > 
> >April 27th,
> >ns1.outfiter.net  24.182.165.233
> >ns2.outfiter.net  67.64.112.94
> > 
> >May 4th,
> >ns1.outfiter.net  24.247.114.91
> >ns2.outfiter.net  68.36.53.205
> >
> >May 8th,
> >ns1.outfiter.net  24.168.96.193
> >ns2.outfiter.net  24.247.114.91
> > 
> >Right Now,
> >ns1.outfitter.net  66.199.187.181
> >ns2.outfitter.net  66.199.187.181
> >
> >...
> >
> >dallas
> 
>   Are you just giving a sample?  How about the some more 
> of the IP jumps in the past nine days:
> 

Just enough to show we have sufficient evidence to autolist without
human review :)

I see a couple of their bogus sites are still online.  I'm sure there
are more.

 euro-rental .net
 l-f-union .com




RE: My only problem with URIBL_BLACK

2006-05-09 Thread List Mail User
>...
>> What are your thoughts guys?  Lower the score for URI_BLACK and JP?
>> 
>
>seriously?  the domains is 3 days old and is unreachable, and uses
>outfitter.net NS's which appear to have an identity crisis.
>
>April 25th, 
>ns1.outfiter.net  206.173.156.105  
>ns2.outfiter.net  24.98.13.40
>   
>April 27th, 
>ns1.outfiter.net  24.182.165.233
>ns2.outfiter.net  67.64.112.94
>   
>May 4th,
>ns1.outfiter.net  24.247.114.91
>ns2.outfiter.net  68.36.53.205
>
>May 8th,
>ns1.outfiter.net  24.168.96.193
>ns2.outfiter.net  24.247.114.91
>   
>Right Now,
>ns1.outfitter.net  66.199.187.181
>ns2.outfitter.net  66.199.187.181
>
>...
>
>dallas

Are you just giving a sample?  How about some more of the IP
jumps in the past nine days:

ns1.outfiter.net
2006-May-04 21:05:5324.168.96.193
2006-May-01 21:05:1368.36.53.205
2006-May-01 15:05:5524.24.83.45
2006-Apr-30 22:04:8024.182.165.233
2006-Apr-30 14:04:419   71.241.106.238

Hosted on cable modem and DSL zombies, registered using the
reseller Regtime.net/webnames.ru at OnlineNIC, using a real address
but the name of an unregistered/unlicensed corporation in Missouri
with a telephone number in Montana.  (No Barnwell Inc. exists, but
a "BARNWELL & HAYS, INC." is an inactive business, shutdown in 2000).

Or the rest of a current snapshot (all zombies)

% dig outfiter.net @68.36.53.205
...
;; ANSWER SECTION:
outfiter.net.   300 IN  A   65.75.90.172
outfiter.net.   300 IN  A   194.208.180.242
outfiter.net.   300 IN  A   24.182.165.233

;; AUTHORITY SECTION:
outfiter.net.   300 IN  NS  ns1.outfiter.net.
outfiter.net.   300 IN  NS  ns2.outfiter.net.

;; ADDITIONAL SECTION:
ns1.outfiter.net.   300 IN  A   68.36.53.205
ns2.outfiter.net.   300 IN  A   68.111.102.17
...

Plus the original domain, uhmcargo-M.net, has already been
suspended (though if you force it to be resolved, you can see it is
also up and hosted on zombies).

% whois uhmcargo-M.net | fgrep Status
   Status: REGISTRAR-HOLD
   EPP Status: clientHold
   EPP Status: clientDeleteProhibited
   EPP Status: clientUpdateProhibited
   EPP Status: clientTransferProhibited

% dig uhmcargo-M.net @67.167.254.42
...
;; ANSWER SECTION:
uhmcargo-M.net. 300 IN  A   212.183.251.114
uhmcargo-M.net. 300 IN  A   66.31.52.46
uhmcargo-M.net. 300 IN  A   172.201.36.111
uhmcargo-M.net. 300 IN  A   24.205.215.159
...

Tell the recipient that this message either did not come from
monster.com, or (quite unlikely) someone has turned black-hat.

Paul Shupak
[EMAIL PROTECTED]
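
The name-server churn and scattered A records described in the messages above can be measured rather than eyeballed. The following is an added example, not part of the original posts and not URIBL's listing logic: it parses the dated NS listing and one dig ANSWER section quoted in the thread and reports rotating-host indicators. The thresholds and all function names are assumptions made for the illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Name-server snapshots transcribed from the dated listing quoted in the thread.
NS_SNAPSHOTS = """\
April 25th,
ns1.outfiter.net  206.173.156.105
ns2.outfiter.net  24.98.13.40
April 27th,
ns1.outfiter.net  24.182.165.233
ns2.outfiter.net  67.64.112.94
May 4th,
ns1.outfiter.net  24.247.114.91
ns2.outfiter.net  68.36.53.205
May 8th,
ns1.outfiter.net  24.168.96.193
ns2.outfiter.net  24.247.114.91
"""

# ANSWER section transcribed from the dig output in the message above.
DIG_ANSWER = """\
uhmcargo-M.net. 300 IN  A   212.183.251.114
uhmcargo-M.net. 300 IN  A   66.31.52.46
uhmcargo-M.net. 300 IN  A   172.201.36.111
uhmcargo-M.net. 300 IN  A   24.205.215.159
"""

# Assumed thresholds (not from the thread); tune them against known-good domains.
MAX_TTL = 600        # seconds; short TTLs let the records rotate quickly
MIN_NETWORKS = 3     # distinct /16 networks behind one name
MIN_NS_CHANGES = 2   # address changes per name server across the snapshots

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
HOST_IP = re.compile(rf"^(\S+)[ \t]+({IPV4})$")
DIG_A = re.compile(rf"^\S+[ \t]+(\d+)[ \t]+IN[ \t]+A[ \t]+({IPV4})[ \t]*$", re.M)

def parse_ns_snapshots(text):
    """Return [(label, {ns_name: ip})] in the order the snapshots were listed."""
    snapshots = []
    for line in filter(None, map(str.strip, text.splitlines())):
        m = HOST_IP.match(line)
        if m is None:
            snapshots.append((line.rstrip(","), {}))  # a date label opens a snapshot
        elif not snapshots:
            raise ValueError("address line before any snapshot label")
        else:
            snapshots[-1][1][m.group(1).lower()] = m.group(2)
    return snapshots

def ns_churn(snapshots):
    """Per name server: address changes between snapshots and distinct addresses."""
    last, changes, seen = {}, defaultdict(int), defaultdict(set)
    for _label, records in snapshots:
        for name, ip in records.items():
            if name in last and last[name] != ip:
                changes[name] += 1
            last[name] = ip
            seen[name].add(ip)
    return {n: {"changes": changes[n], "distinct_ips": len(seen[n])} for n in seen}

def shared_pool(snapshots):
    """Addresses that served more than one name-server name over time."""
    users = defaultdict(set)
    for _label, records in snapshots:
        for name, ip in records.items():
            users[ip].add(name)
    return sorted(ip for ip, names in users.items() if len(names) > 1)

def parse_dig_answer(text):
    """Return [(ttl, ip)] for every A record line of a dig ANSWER section."""
    return [(int(ttl), ip) for ttl, ip in DIG_A.findall(text)]

def a_record_spread(records):
    """Record count, lowest TTL and number of distinct /16 networks."""
    nets = {ipaddress.ip_network(f"{ip}/16", strict=False) for _ttl, ip in records}
    return {"count": len(records), "distinct_16s": len(nets),
            "min_ttl": min((ttl for ttl, _ip in records), default=None)}

def flux_indicators(ns_text, dig_text):
    """Collect the reasons a domain looks like it is served from rotating hosts."""
    snapshots = parse_ns_snapshots(ns_text)
    reasons = []
    for name, stats in sorted(ns_churn(snapshots).items()):
        if stats["changes"] >= MIN_NS_CHANGES:
            reasons.append(f"{name} changed address {stats['changes']} times")
    for ip in shared_pool(snapshots):
        reasons.append(f"{ip} served more than one name-server name")
    spread = a_record_spread(parse_dig_answer(dig_text))
    if (spread["count"] and spread["min_ttl"] <= MAX_TTL
            and spread["distinct_16s"] >= MIN_NETWORKS):
        reasons.append(f"{spread['count']} A records in {spread['distinct_16s']} "
                       f"/16 networks, TTL {spread['min_ttl']}s")
    return reasons

if __name__ == "__main__":
    for reason in flux_indicators(NS_SNAPSHOTS, DIG_ANSWER):
        print(reason)
```

A domain with one stable name server and a long-TTL A record produces no indicators, which is the baseline to compare a suspected listing against.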


Re: My only problem with URIBL_BLACK

2006-05-09 Thread Matt Kettler
Dallas L. Engelken wrote:

>>
>> http://www.joewein.net/fraud/fraud-job-2006-04.htm
>>
>>
> 
> i posted that, and reposted it due to list reject, about 30 min ago.
> did it not come through?


It depends upon how you define "came through"...

Posted to the list - [OK]
Delivered from list to my server - [OK]
Delivered from my server to my mailbox - [OK]
Marked as read in my mail client - [OK]
Actually entered my long-term memory - [FAILED]






RE: My only problem with URIBL_BLACK

2006-05-09 Thread Dallas L. Engelken
> -Original Message-
> From: Matt Kettler [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, May 09, 2006 15:29
> To: Dallas L. Engelken
> Cc: users@spamassassin.apache.org
> Subject: Re: My only problem with URIBL_BLACK
> 
> Dallas L. Engelken wrote:
> > resend again because SA is bouncing them..
> > 
> >> -Original Message-
> >> From: Matt Kettler [mailto:[EMAIL PROTECTED]
> >> Sent: Tuesday, May 09, 2006 14:51
> >> To: Chris Santerre
> >> Cc: 'qqqq'; users@spamassassin.apache.org
> >> Subject: Re: My only problem with URIBL_BLACK
> >>
> >> Chris Santerre wrote:
> >>>
> >>
> >> Let's look at their IPs they are hosting their domain from:
> >> ---
> >> $ host uhmcargo*MUNGED*.com
> >> uhmcargo*MUNGED*.com has address 82.155.56.150
> >> uhmcargo*MUNGED*.com has address 83.99.128.137
> >> uhmcargo*MUNGED*.com has address 83.213.63.213
> >>
> > 
> > FWIW, you just did all the work on the .com, and his email states  
> > .net
> > ;)  appears .com is also bogus, and probably related.  webhost also 
> > appears to agree.
> 
> 
> You're right..
> 
> 
> Using the .net:
> Administrator:
>  name: Amber Furlong
>  mail: [EMAIL PROTECTED] tel: +1.6785283829
>  org: Private person
> 
> address: 20222 shadowood parkway
>  city: Atlanta
> ,province: GA
> ,country: UNITED STATES
>  postcode: 30339
> 
> Phone number, and address are consistent (678 is in Georgia)
> 
> However, if you do a search on "20222 shadowood parkway" 
> Atlanta you'll find that this address is a known-offender of 
> money-transfer scams:
> 
> http://www.joewein.net/fraud/fraud-job-2006-04.htm
> 
> 

i posted that, and reposted it due to list reject, about 30 min ago.
did it not come through?





Re: My only problem with URIBL_BLACK

2006-05-09 Thread Matt Kettler
Dallas L. Engelken wrote:
> resend again because SA is bouncing them..
> 
>> -Original Message-
>> From: Matt Kettler [mailto:[EMAIL PROTECTED] 
>> Sent: Tuesday, May 09, 2006 14:51
>> To: Chris Santerre
>> Cc: ''; users@spamassassin.apache.org
>> Subject: Re: My only problem with URIBL_BLACK
>>
>> Chris Santerre wrote:
>>>
>>
>> Let's look at their IPs they are hosting their domain from:
>> ---
>> $ host uhmcargo*MUNGED*.com
>> uhmcargo*MUNGED*.com has address 82.155.56.150 
>> uhmcargo*MUNGED*.com has address 83.99.128.137 
>> uhmcargo*MUNGED*.com has address 83.213.63.213
>>
> 
> FWIW, you just did all the work on the .com, and his email states  .net
> ;)  appears .com is also bogus, and probably related.  webhost also
> appears to agree.


You're right..


Using the .net:
Administrator:
 name: Amber Furlong
 mail: [EMAIL PROTECTED] tel: +1.6785283829
 org: Private person

address: 20222 shadowood parkway
 city: Atlanta
,province: GA
,country: UNITED STATES
 postcode: 30339

Phone number, and address are consistent (678 is in Georgia)

However, if you do a search on "20222 shadowood parkway" Atlanta you'll find
that this address is a known-offender of money-transfer scams:

http://www.joewein.net/fraud/fraud-job-2006-04.htm



Re: My only problem with URIBL_BLACK

2006-05-09 Thread Michael Monnerie
On Tuesday, 9 May 2006 17:37  wrote:
> Easier said than done when you have a paying customer who wants this
> specific mailing.

He should just filter back those mails from the SPAM folder. You do send 
all SPAM to him anyway, just marked, don't you? So he has it.

Best regards, zmi
-- 
// Michael Monnerie, Ing.BSc-  http://it-management.at
// Tel: 0660/4156531  .network.your.ideas.
// PGP Key:   "lynx -source http://zmi.at/zmi3.asc | gpg --import"
// Fingerprint: 44A3 C1EC B71E C71A B4C2  9AA6 C818 847C 55CB A4EE
// Keyserver: www.keyserver.net Key-ID: 0x55CBA4EE




RE: My only problem with URIBL_BLACK

2006-05-09 Thread Dallas L. Engelken
resend again because SA is bouncing them..

> -Original Message-
> From: Matt Kettler [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, May 09, 2006 14:51
> To: Chris Santerre
> Cc: ''; users@spamassassin.apache.org
> Subject: Re: My only problem with URIBL_BLACK
> 
> Chris Santerre wrote:
> > 
> > 
> 
> 
> Let's look at their IPs they are hosting their domain from:
> ---
> $ host uhmcargo*MUNGED*.com
> uhmcargo*MUNGED*.com has address 82.155.56.150 
> uhmcargo*MUNGED*.com has address 83.99.128.137 
> uhmcargo*MUNGED*.com has address 83.213.63.213
> 

FWIW, you just did all the work on the .com, and his email states  .net
;)  appears .com is also bogus, and probably related.  webhost also
appears to agree.

"This account has been suspended. Either the domain has been overused,
or the reseller ran out of resources."

anyways, just thought you should know.
d



RE: My only problem with URIBL_BLACK

2006-05-09 Thread Dallas L. Engelken
ERRR... SA is rejecting this.

this is getting better...   notice the whois registration address "20222
shadowood parkway" matches those found here..
http://www.joewein.net/fraud/fraud-job-2006-04.htm  (thanks joe)

anyone looking for a job from these places is in for a surprise..  see,
now you can go to your client and tell them you saved them money and
maybe their identity!  ;)


looks like it's going through another change right now.

# host -tNS uhmcargo_MUNGED.net
Host uhmcargo_MUNGED.net not found: 3(NXDOMAIN)

whois now lists the following ns.
 ns1.narrowtok.net   ns2.narrowtok.net

# host -tNS uhmcargo_MUNGED.net ns1.narrowtok.net
Using domain server:
Name: ns1.narrowtok.net
Address: 67.167.254.42#53
Aliases:

uhmcargo_MUNGED.net name server ns1.narrowtok.net.
uhmcargo_MUNGED.net name server ns2.narrowtok.net.


# host -tA uhmcargo_MUNGED.net ns1.narrowtok.net
Using domain server:
Name: ns1.narrowtok.net
Address: 67.167.254.42#53
Aliases:

uhmcargo_MUNGED.net has address 85.53.1.76
uhmcargo_MUNGED.net has address 213.37.6.147
uhmcargo_MUNGED.net has address 172.201.36.111
uhmcargo_MUNGED.net has address 24.205.215.159



 

> -Original Message-
> From:  [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, May 09, 2006 14:42
> To: Dallas L. Engelken; users@spamassassin.apache.org
> Subject: Re: My only problem with URIBL_BLACK
> 
> Chris and Dallas,
> 
> Thank you for pointing this out.  I will convey this back to 
> the customer.
> 
> 
> 
> 
> 
> - Original Message -
> From: "Dallas L. Engelken" <[EMAIL PROTECTED]>
> To: 
> Sent: Tuesday, May 09, 2006 1:20 PM
> Subject: RE: My only problem with URIBL_BLACK
> 
> 
> | > -Original Message-
> | > From:  [mailto:[EMAIL PROTECTED] 
> | > Sent: Tuesday, May 09, 2006 14:12
> | > To: Chris Santerre; 'Matt Kettler'
> | > Cc: users@spamassassin.apache.org
> | > Subject: Re: My only problem with URIBL_BLACK
> | > 
> | > Here's one that just got 
> | > captured.  The mailing was from Monster.com and the customer 
> | > is livid :-(
> | > 
> | > X-Spam-Report:
> | >  *  0.0 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
> | >  *  1.1 URIBL_SBL Contains an URL listed in the SBL blocklist
> | >  *  [URIs: uhmcargo_MUNGED.net]
> | >  *  3.0 URIBL_BLACK Contains an URL listed in the URIBL blacklist
> | >  *  [URIs: uhmcargo_MUNGED.net]
> | >  *  3.4 URIBL_JP_SURBL Contains an URL listed in the JP SURBL 
> | > blocklist
> | >  *  [URIs: uhmcargo_MUNGED.net]
> | > 
> | > I had to _MUNGED the domain because the mailing hit 13.5 and bounced
> | > 
> | > The threshold is 5.5
> | > 
> | > 
> | > Here is from my original stats post:
> | >  1  URIBL_BLACK      163397   7.09   29.11   78.05   0.50
> | >  5  URIBL_JP_SURBL   118251   5.13   21.07   56.48   0.09
> | > 
> | > What are your thoughts guys?  Lower the score for URI_BLACK and JP?
> | > 
> | 
> | seriously?  the domains is 3 days old and is unreachable, and uses
> | outfitter.net NS's which appear to have an identity crisis.
> | 
> | April 25th, 
> | ns1.outfiter.net  206.173.156.105  
> | ns2.outfiter.net  24.98.13.40
> | 
> | April 27th, 
> | ns1.outfiter.net  24.182.165.233
> | ns2.outfiter.net  67.64.112.94
> | 
> | May 4th,
> | ns1.outfiter.net  24.247.114.91
> | ns2.outfiter.net  68.36.53.205
> | 
> | May 8th,
> | ns1.outfiter.net  24.168.96.193
> | ns2.outfiter.net  24.247.114.91
> | 
> | Right Now,
> | ns1.outfitter.net  66.199.187.181
> | ns2.outfitter.net  66.199.187.181
> | 
> | 
> | 
> | 
> | 
> | 
> | 
> | dallas
> |  
> | 
> | 
> 


Re: My only problem with URIBL_BLACK

2006-05-09 Thread qqqq
Thanks!

I need to investigate these further before writing them off as a FP.



- Original Message - 
From: "Matt Kettler" <[EMAIL PROTECTED]>
To: "Chris Santerre" <[EMAIL PROTECTED]>
Cc: "''" <[EMAIL PROTECTED]>; 
Sent: Tuesday, May 09, 2006 1:51 PM
Subject: Re: My only problem with URIBL_BLACK


| Chris Santerre wrote:
| >
| >
| >> -Original Message-
| >> From:  [mailto:[EMAIL PROTECTED]
| >> Sent: Tuesday, May 09, 2006 3:12 PM
| >> To: Chris Santerre; 'Matt Kettler'
| >> Cc: users@spamassassin.apache.org
| >> Subject: Re: My only problem with URIBL_BLACK
| >>
| >>
| >> Here's one that just got
| >> captured.  The mailing was from
| >> Monster.com and the customer is livid :-(
| >>
| >> X-Spam-Report:
| >>  *  0.0 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
| >>  *  1.1 URIBL_SBL Contains an URL listed in the SBL blocklist
| >>  *  [URIs: uhmcargo_MUNGED.net]
| >>  *  3.0 URIBL_BLACK Contains an URL listed in the URIBL blacklist
| >>  *  [URIs: uhmcargo_MUNGED.net]
| >>  *  3.4 URIBL_JP_SURBL Contains an URL listed in the JP SURBL
| >> blocklist
| >>  *  [URIs: uhmcargo_MUNGED.net]
| >>
| >> I had to _MUNGED the domain because the mailing hit 13.5 and bounced
| >>
| >> The threshold is 5.5
| >>
| >>
| >> Here is from my original stats post:
| >>  1  URIBL_BLACK      163397   7.09   29.11   78.05   0.50
| >>  5  URIBL_JP_SURBL   118251   5.13   21.07   56.48   0.09
| >>
| >> What are your thoughts guys?  Lower the score for URI_BLACK and JP?
| >
| > Its not an FP.
| >
| >
| > http://groups.google.com/group/misc.writing.screenplays.moderated/browse_frm/thread/e7fca5612bbf5aa3/fc75be5ae3052cbb?lnk=st&q=uhmcargo.net&rnum=1&hl=en#fc75be5ae3052cbb
| > <http://groups.google.com/group/misc.writing.screenplays.moderated/browse_frm/thread/e7fca5612bbf5aa3/fc75be5ae3052cbb?lnk=st&q=uhmcargo.net&rnum=1&hl=en#fc75be5ae3052cbb>
| >
|
| I do tend to agree, this site appears to be a scam.
|
| , feel free to pass all of this on to your user.
|
|
| I find the domain's registration info rather interesting:
| -
| Registrant / Admin Contact :
| ORGANISATION
|   IBC int Laer (IIL2-BMN-ORG)
|
|  RR #3 Box 1122
|
|  17059 Mifflintown
|  UNITED STATES
|
|Contact
|   Jo FOLTZ
|   phone  : +56 7432674623
|   fax:
|   e-mail : [EMAIL PROTECTED]
|
| 
|
| Created on 05/06/2006 01:08:40
| 
|
| Hmm.. they're from the United States, yet their phone number is in Chile
| (dialing code +56)???
|
| They left out the state, and put things in the wrong order, but 17059 is the zip
| code for Mifflintown, PA.
|
| Fixing the address:
|  IBC int Laer
|  RR #3 Box 1122
|  Mifflintown, PA 17059
|  UNITED STATES
|
|
| Also, the company name contains "int laer", which appears to be Belgian
| language. A web search for this phrase turns up 2 pages in a language I don't
| understand hosted out of .be.
|
| So we have a company registered with a Rural-Route address in Pennsylvania, with
| a Chilean phone number, a Belgian name, and a yahoo email address... And the
| record was created 3 days ago.. Hmmm...
|
|
| Let's look at their IPs they are hosting their domain from:
| ---
| $ host uhmcargo*MUNGED*.com
| uhmcargo*MUNGED*.com has address 82.155.56.150
| uhmcargo*MUNGED*.com has address 83.99.128.137
| uhmcargo*MUNGED*.com has address 83.213.63.213
|
| $ host 82.155.56.150
| 150.56.155.82.in-addr.arpa domain name pointer bl6-56-150.dsl.telepac.pt.
| $ host 83.99.128.137
| 137.128.99.83.in-addr.arpa domain name pointer balticom-128-137.balticom.lv.
| $ host 83.213.63.213
| 213.63.213.83.in-addr.arpa domain name pointer eu83-213-63-213.clientes.euskaltel.es
| 
|
|
| Hmm, so they are hosting their website at a lot of different places. A DSL node
| in Portugal, Another site in Latvia, and yet one more in Spain?
|
| So this is a company located in Rural PA, with a phone number in Chile, a yahoo
| email address, a Belgian name, and web hosting spread across Portugal, Spain and
| Latvia...
|
| Looks like your irate customer was saved from receiving a blatant scam.
|
| I wonder what kind of "start up" fees you need to pay to accept this job
|
|
|
|



Re: My only problem with URIBL_BLACK

2006-05-09 Thread Matt Kettler
Chris Santerre wrote:
> 
> 
>> -Original Message-
>> From:  [mailto:[EMAIL PROTECTED]
>> Sent: Tuesday, May 09, 2006 3:12 PM
>> To: Chris Santerre; 'Matt Kettler'
>> Cc: users@spamassassin.apache.org
>> Subject: Re: My only problem with URIBL_BLACK
>>
>>
>> Here's one that just got
>> captured.  The mailing was from
>> Monster.com and the customer is livid :-(
>>
>> X-Spam-Report:
>>  *  0.0 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
>>  *  1.1 URIBL_SBL Contains an URL listed in the SBL blocklist
>>  *  [URIs: uhmcargo_MUNGED.net]
>>  *  3.0 URIBL_BLACK Contains an URL listed in the URIBL blacklist
>>  *  [URIs: uhmcargo_MUNGED.net]
>>  *  3.4 URIBL_JP_SURBL Contains an URL listed in the JP SURBL
>> blocklist
>>  *  [URIs: uhmcargo_MUNGED.net]
>>
>> I had to _MUNGED the domain because the mailing hit 13.5 and bounced
>>
>> The threshold is 5.5
>>
>>
>> Here is from my original stats post:
>>  1  URIBL_BLACK      163397   7.09   29.11   78.05   0.50
>>  5  URIBL_JP_SURBL   118251   5.13   21.07   56.48   0.09
>>
>> What are your thoughts guys?  Lower the score for URI_BLACK and JP?
> 
> Its not an FP.
> 
> http://groups.google.com/group/misc.writing.screenplays.moderated/browse_frm/thread/e7fca5612bbf5aa3/fc75be5ae3052cbb?lnk=st&q=uhmcargo.net&rnum=1&hl=en#fc75be5ae3052cbb
> <http://groups.google.com/group/misc.writing.screenplays.moderated/browse_frm/thread/e7fca5612bbf5aa3/fc75be5ae3052cbb?lnk=st&q=uhmcargo.net&rnum=1&hl=en#fc75be5ae3052cbb>
> 

I do tend to agree, this site appears to be a scam.

, feel free to pass all of this on to your user.


I find the domain's registration info rather interesting:
-
Registrant / Admin Contact :
ORGANISATION
  IBC int Laer (IIL2-BMN-ORG)

 RR #3 Box 1122

 17059 Mifflintown
 UNITED STATES

   Contact
  Jo FOLTZ
  phone  : +56 7432674623
  fax:
  e-mail : [EMAIL PROTECTED]



Created on 05/06/2006 01:08:40


Hmm.. they're from the United States, yet their phone number is in Chile
(dialing code +56)???

They left out the state, and put things in the wrong order, but 17059 is the zip
code for Mifflintown, PA.

Fixing the address:
 IBC int Laer
 RR #3 Box 1122
 Mifflintown, PA 17059
 UNITED STATES


Also, the company name contains "int laer", which appears to be Belgian
language. A web search for this phrase turns up 2 pages in a language I don't
understand hosted out of .be.

So we have a company registered with a Rural-Route address in Pennsylvania, with
a Chilean phone number, a Belgian name, and a yahoo email address... And the
record was created 3 days ago.. Hmmm...


Let's look at their IPs they are hosting their domain from:
---
$ host uhmcargo*MUNGED*.com
uhmcargo*MUNGED*.com has address 82.155.56.150
uhmcargo*MUNGED*.com has address 83.99.128.137
uhmcargo*MUNGED*.com has address 83.213.63.213

$ host 82.155.56.150
150.56.155.82.in-addr.arpa domain name pointer bl6-56-150.dsl.telepac.pt.
$ host 83.99.128.137
137.128.99.83.in-addr.arpa domain name pointer balticom-128-137.balticom.lv.
$ host 83.213.63.213
213.63.213.83.in-addr.arpa domain name pointer eu83-213-63-213.clientes.euskaltel.es



Hmm, so they are hosting their website at a lot of different places. A DSL node
in Portugal, Another site in Latvia, and yet one more in Spain?

So this is a company located in Rural PA, with a phone number in Chile, a yahoo
email address, a Belgian name, and web hosting spread across Portugal, Spain and
Latvia...

Looks like your irate customer was saved from receiving a blatant scam.

I wonder what kind of "start up" fees you need to pay to accept this job
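
The registration checks walked through in the message above (address country against phone dialing code, missing state, record age) can be applied mechanically to a whois record. The following is an added example, not part of the original post: the dialing-code table is a constructed two-entry lookup, the seven-day age cut-off and the MM/DD/YYYY reading of the creation date are assumptions, and the function names are hypothetical.

```python
import re
from datetime import date, datetime

# Registration record as quoted in the message above; the e-mail address is
# shown the way the list archive munged it.
WHOIS_RECORD = """\
Registrant / Admin Contact :
ORGANISATION
  IBC int Laer (IIL2-BMN-ORG)

 RR #3 Box 1122

 17059 Mifflintown
 UNITED STATES

   Contact
  Jo FOLTZ
  phone  : +56 7432674623
  fax:
  e-mail : [EMAIL PROTECTED]

Created on 05/06/2006 01:08:40
"""

# Constructed lookup covering only the two dialing codes this thread mentions.
DIALING_CODES = {"1": "UNITED STATES", "56": "CHILE"}
MAX_AGE_DAYS = 7  # assumed cut-off for a freshly registered domain


def parse_registration(text):
    """Extract the address country, phone dialing code and creation date."""
    lines = [ln.strip().upper() for ln in text.splitlines() if ln.strip()]
    country = next((ln for ln in lines if ln in DIALING_CODES.values()), None)
    phone = re.search(r"phone\s*:\s*\+(\d{1,3})[ .]", text, re.I)
    created = re.search(r"Created on (\d{2}/\d{2}/\d{4})", text)
    return {
        "country": country,
        "dial_code": phone.group(1) if phone else None,
        # Read as MM/DD/YYYY, which is how the post counts "3 days ago".
        "created": (datetime.strptime(created.group(1), "%m/%d/%Y").date()
                    if created else None),
        # Narrow check: a two-letter state directly before a five-digit ZIP.
        "has_state": bool(re.search(r"\b[A-Z]{2},?[ \t]+\d{5}\b", text)),
    }


def registration_findings(text, seen_on):
    """List the inconsistencies in a record as of the date the mail was seen."""
    rec = parse_registration(text)
    findings = []
    phone_country = DIALING_CODES.get(rec["dial_code"])
    if rec["country"] and phone_country and phone_country != rec["country"]:
        findings.append(f"address in {rec['country']} but phone dialing code "
                        f"+{rec['dial_code']} ({phone_country})")
    if rec["country"] == "UNITED STATES" and not rec["has_state"]:
        findings.append("US postal address has no state before the ZIP code")
    if rec["created"] is not None:
        age = (seen_on - rec["created"]).days
        if 0 <= age <= MAX_AGE_DAYS:
            findings.append(f"domain registered {age} day(s) before the mail was seen")
    return findings


if __name__ == "__main__":
    # 2006-05-09 is the "Sent" date of the messages in this thread.
    for finding in registration_findings(WHOIS_RECORD, date(2006, 5, 9)):
        print(finding)
```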





Re: My only problem with URIBL_BLACK

2006-05-09 Thread qqqq
Chris and Dallas,

Thank you for pointing this out.  I will convey this back to the customer.





- Original Message - 
From: "Dallas L. Engelken" <[EMAIL PROTECTED]>
To: 
Sent: Tuesday, May 09, 2006 1:20 PM
Subject: RE: My only problem with URIBL_BLACK


| > -Original Message-
| > From:  [mailto:[EMAIL PROTECTED] 
| > Sent: Tuesday, May 09, 2006 14:12
| > To: Chris Santerre; 'Matt Kettler'
| > Cc: users@spamassassin.apache.org
| > Subject: Re: My only problem with URIBL_BLACK
| > 
| > Here's one that just got 
| > captured.  The mailing was from Monster.com and the customer 
| > is livid :-(
| > 
| > X-Spam-Report:
| >  *  0.0 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
| >  *  1.1 URIBL_SBL Contains an URL listed in the SBL blocklist
| >  *  [URIs: uhmcargo_MUNGED.net]
| >  *  3.0 URIBL_BLACK Contains an URL listed in the URIBL blacklist
| >  *  [URIs: uhmcargo_MUNGED.net]
| >  *  3.4 URIBL_JP_SURBL Contains an URL listed in the JP SURBL 
| > blocklist
| >  *  [URIs: uhmcargo_MUNGED.net]
| > 
| > I had to _MUNGED the domain because the mailing hit 13.5 and bounced
| > 
| > The threshold is 5.5
| > 
| > 
| > Here is from my original stats post:
| >  1  URIBL_BLACK      163397   7.09   29.11   78.05   0.50
| >  5  URIBL_JP_SURBL   118251   5.13   21.07   56.48   0.09
| > 
| > What are your thoughts guys?  Lower the score for URI_BLACK and JP?
| > 
| 
| seriously?  the domain is 3 days old and is unreachable, and uses
| outfitter.net NS's which appear to have an identity crisis.
| 
| April 25th, 
| ns1.outfiter.net  206.173.156.105  
| ns2.outfiter.net  24.98.13.40
| 
| April 27th, 
| ns1.outfiter.net  24.182.165.233
| ns2.outfiter.net  67.64.112.94
| 
| May 4th,
| ns1.outfiter.net  24.247.114.91
| ns2.outfiter.net  68.36.53.205
| 
| May 8th,
| ns1.outfiter.net  24.168.96.193
| ns2.outfiter.net  24.247.114.91
| 
| Right Now,
| ns1.outfitter.net  66.199.187.181
| ns2.outfitter.net  66.199.187.181
| 
| 
| 
| 
| 
| 
| 
| dallas
|  
| 
| 


RE: My only problem with URIBL_BLACK

2006-05-09 Thread Dallas L. Engelken
> -Original Message-
> From:  [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, May 09, 2006 14:12
> To: Chris Santerre; 'Matt Kettler'
> Cc: users@spamassassin.apache.org
> Subject: Re: My only problem with URIBL_BLACK
> 
> Here's one that just got 
> captured.  The mailing was from Monster.com and the customer 
> is livid :-(
> 
> X-Spam-Report:
>  *  0.0 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
>  *  1.1 URIBL_SBL Contains an URL listed in the SBL blocklist
>  *  [URIs: uhmcargo_MUNGED.net]
>  *  3.0 URIBL_BLACK Contains an URL listed in the URIBL blacklist
>  *  [URIs: uhmcargo_MUNGED.net]
>  *  3.4 URIBL_JP_SURBL Contains an URL listed in the JP SURBL 
> blocklist
>  *  [URIs: uhmcargo_MUNGED.net]
> 
> I had to _MUNGED the domain because the mailing hit 13.5 and bounced
> 
> The threshold is 5.5
> 
> 
> Here is from my original stats post:
>  1    URIBL_BLACK      163397    7.09   29.11   78.05    0.50
>  5    URIBL_JP_SURBL   118251    5.13   21.07   56.48    0.09
> 
> What are your thoughts guys?  Lower the score for URI_BLACK and JP?
> 

seriously?  the domain is 3 days old and is unreachable, and uses
outfitter.net NS's which appear to have an identity crisis.

April 25th, 
ns1.outfiter.net  206.173.156.105  
ns2.outfiter.net  24.98.13.40

April 27th, 
ns1.outfiter.net  24.182.165.233
ns2.outfiter.net  67.64.112.94

May 4th,
ns1.outfiter.net  24.247.114.91
ns2.outfiter.net  68.36.53.205

May 8th,
ns1.outfiter.net  24.168.96.193
ns2.outfiter.net  24.247.114.91

Right Now,
ns1.outfitter.net  66.199.187.181
ns2.outfitter.net  66.199.187.181







dallas
 


RE: My only problem with URIBL_BLACK

2006-05-09 Thread Chris Santerre
> -Original Message-
> From:  [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, May 09, 2006 3:12 PM
> To: Chris Santerre; 'Matt Kettler'
> Cc: users@spamassassin.apache.org
> Subject: Re: My only problem with URIBL_BLACK
> 
> 
> Here's one that just got 
> captured.  The mailing was from
> Monster.com and the customer is livid :-(
> 
> X-Spam-Report:
>  *  0.0 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
>  *  1.1 URIBL_SBL Contains an URL listed in the SBL blocklist
>  *  [URIs: uhmcargo_MUNGED.net]
>  *  3.0 URIBL_BLACK Contains an URL listed in the URIBL blacklist
>  *  [URIs: uhmcargo_MUNGED.net]
>  *  3.4 URIBL_JP_SURBL Contains an URL listed in the JP SURBL 
> blocklist
>  *  [URIs: uhmcargo_MUNGED.net]
> 
> I had to _MUNGED the domain because the mailing hit 13.5 and bounced
> 
> The threshold is 5.5
> 
> 
> Here is from my original stats post:
>  1    URIBL_BLACK      163397    7.09   29.11   78.05    0.50
>  5    URIBL_JP_SURBL   118251    5.13   21.07   56.48    0.09
> 
> What are your thoughts guys?  Lower the score for URI_BLACK and JP?


It's not an FP.


http://groups.google.com/group/misc.writing.screenplays.moderated/browse_frm/thread/e7fca5612bbf5aa3/fc75be5ae3052cbb?lnk=st&q=uhmcargo.net&rnum=1&hl=en#fc75be5ae3052cbb

--Chris 





Re: My only problem with URIBL_BLACK

2006-05-09 Thread qqqq
Here's one that just got captured.  The mailing was from Monster.com and the
customer is livid :-(

X-Spam-Report:
 *  0.0 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
 *  1.1 URIBL_SBL Contains an URL listed in the SBL blocklist
 *  [URIs: uhmcargo_MUNGED.net]
 *  3.0 URIBL_BLACK Contains an URL listed in the URIBL blacklist
 *  [URIs: uhmcargo_MUNGED.net]
 *  3.4 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist
 *  [URIs: uhmcargo_MUNGED.net]

I had to _MUNGED the domain because the mailing hit 13.5 and bounced

The threshold is 5.5


Here is from my original stats post:
 1    URIBL_BLACK      163397    7.09   29.11   78.05    0.50
 5    URIBL_JP_SURBL   118251    5.13   21.07   56.48    0.09

What are your thoughts guys?  Lower the score for URI_BLACK and JP?





RE: My only problem with URIBL_BLACK

2006-05-09 Thread Chris Santerre
> -Original Message-
> From: Matt Kettler [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, May 09, 2006 2:12 PM
> To: Chris Santerre
> Cc: users@spamassassin.apache.org
> Subject: Re: My only problem with URIBL_BLACK
> 
> 
> Chris Santerre wrote:
> > 
> >>
> >> I've scored GREY at 0.1 as an informational rule. Its S/O is
> >> so poor it is more
> >> qualified to be a nonspam rule. ( 0.354 in the nightly
> >> mass-check Theo posted)
> > 
> > That's actually perfect. Exactly what it was designed to be :)
> > 
> > Had it been around .8xx I would have been worried. I don't 
> expect that
> > to ever be over .55 at most.
> > 
> 
> Then why is the suggested score on uribl.com 0.25 for this list?
> 
> http://www.uribl.com/usage.shtml
> 
> If you're expecting the S/O to be that low it should be very 
> near or below 0.
> 
> (I'm going to revise my own config to 0.001 for this one)


Cause if there are other rules that fire, then this might just be a SPAM that is using a greyhats URL. So adding that slight little bit to score, may be just the nudge it needed to get pushed over the score limit. 

But if it is a ham, and no other larger spam scores hit, then its score of .25 is insignificant. 


I think of these rules as herbs and spices. Adds just a bit of flavor, but doesn't take away from the flavor of the key ingredient. Spam or Ham :) 

--Chris 





RE: My only problem with URIBL_BLACK

2006-05-09 Thread Chris Santerre
> -Original Message-
> From: Matt Kettler [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, May 09, 2006 1:32 PM
> To: Chris Santerre
> Cc: users@spamassassin.apache.org
> Subject: Re: My only problem with URIBL_BLACK
> 
> 
> Chris Santerre wrote:
> >>
> >> Easier said than done when you have a paying customer who
> >> wants this specific mailing.
> > 
> > Voluntary Human Shields. They should find another provider, as the needs
> > of the many outweigh the needs of the few.
> > 
> 
> Are you referring to 's customers, or anyone who's using 
> URIBL_BLACK?


Just his customer. :) 


I'm not that crazy!


--Chris 





Re: My only problem with URIBL_BLACK

2006-05-09 Thread Matt Kettler
Chris Santerre wrote:
> 
>>
>> I've scored GREY at 0.1 as an informational rule. Its S/O is
>> so poor it is more
>> qualified to be a nonspam rule. ( 0.354 in the nightly
>> mass-check Theo posted)
> 
> That's actually perfect. Exactly what it was designed to be :)
> 
> Had it been around .8xx I would have been worried. I don't expect that
> to ever be over .55 at most.
> 

Then why is the suggested score on uribl.com 0.25 for this list?

http://www.uribl.com/usage.shtml

If you're expecting the S/O to be that low it should be very near or below 0.

(I'm going to revise my own config to 0.001 for this one)



Re: My only problem with URIBL_BLACK

2006-05-09 Thread Matt Kettler
Chris Santerre wrote:

>> Are you referring to 's customers, or anyone who's using
>> URIBL_BLACK?
> 
> Just his customer. :)
> 
> I'm not that crazy!

Are you sure? :)

Oh, wait.. I forgot.. the first rule of the crazy sysadmins club is...




Re: My only problem with URIBL_BLACK

2006-05-09 Thread Matt Kettler
Chris Santerre wrote:
>>
>> Easier said than done when you have a paying customer who
>> wants this specific mailing.
> 
> Voluntary Human Shields. They should find another provider, as the needs
> of the many outweigh the needs of the few.
> 

Are you referring to 's customers, or anyone who's using URIBL_BLACK?

I personally have this problem too. The more severe issue is that once in a rare
while some of the stuff that cross-hits URIBL_BLACK is actually business mail
from a distributor who's referencing pdf's of sales flyers that are hosted on
grey server.

Removing the duplicates, I've submitted 11 delist or "demote to grey" requests
to URIBL via the web-form so far this year. Two were business related (I used
non-business samples in my submissions). There's also at least one that was
submitted via email report only.

Admittedly they all get handled well, but that's an awful lot, particularly
considering these are just the FP's *I* happened to notice.

In the same timeframe I've found no domains that needed adding. (my last add was
 09/2005)





RE: My only problem with URIBL_BLACK

2006-05-09 Thread Chris Santerre
> 
> I've scored GREY at 0.1 as an informational rule. Its S/O is 
> so poor it is more
> qualified to be a nonspam rule. ( 0.354 in the nightly 
> mass-check Theo posted)


That's actually perfect. Exactly what it was designed to be :) 


Had it been around .8xx I would have been worried. I don't expect that to ever be over .55 at most. 


--Chris 





Re: My only problem with URIBL_BLACK

2006-05-09 Thread Matt Kettler
 wrote:
> | >
> | > Easier said than done when you have a paying customer who wants this 
> specific mailing.
> | >
> | Have you tried lowering the score of the spamassassin rules that are
> | getting hit?
> |
> | Jay
> 
> 
> I'll look at a couple of the examples and see what else is firing.  I may 
> have to tune URI_BLACK
> down a tad.  I'll let you know.


For reference, here's my running config:

urirhssub   URIBL_BLACK  multi.uribl.com.  A   2
body        URIBL_BLACK  eval:check_uridnsbl('URIBL_BLACK')
describe    URIBL_BLACK  Contains an URL listed in the URIBL blacklist
tflags      URIBL_BLACK  net
score       URIBL_BLACK  1.5

urirhssub   URIBL_GREY  multi.uribl.com.  A   4
body        URIBL_GREY  eval:check_uridnsbl('URIBL_GREY')
describe    URIBL_GREY  Contains an URL listed in the URIBL greylist
tflags      URIBL_GREY  net
score       URIBL_GREY  0.1


#adjustment to SURBL lists to control FPs with double-hits
meta URIBL_BLACK_OVERLAP (URIBL_BLACK && (URIBL_AB_SURBL || URIBL_JP_SURBL || URIBL_OB_SURBL || URIBL_WS_SURBL || URIBL_SC_SURBL))
score URIBL_BLACK_OVERLAP -1.0




Reasons:

I've scored URIBL_BLACK at 1.5 due to it having the worst S/O of any URIBL other
than PH and GREY. (0.993 in the mass-check Theo posted)

I've scored GREY at 0.1 as an informational rule. Its S/O is so poor it is more
qualified to be a nonspam rule. ( 0.354 in the nightly mass-check Theo posted)

I've added the overlap deduction because the scores of all the other URIBL's
hosted by surbl.org are already balanced and tuned for accuracy without
URIBL_BLACK. Adding more rules offsets that balance, and this tries to 
compensate.

The net effect of my configuration causes URIBL_BLACK to score 1.5 when it fires
alone, but drops it back to 0.5 when other SURBL lists fire.
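
The arithmetic in the post above (1.5 when URIBL_BLACK fires alone, a net 0.5 when a SURBL list also fires), worked through as an added Python example; it is not code from the post or from SpamAssassin. It evaluates only the boolean subset of meta syntax, and the stock scores are the ones printed in the X-Spam-Report quoted in this thread.

```python
import re

# Scores as shown in the X-Spam-Report quoted in this thread.
STOCK = """
score MIME_HTML_ONLY 0.0
score URIBL_SBL      1.1
score URIBL_BLACK    3.0
score URIBL_JP_SURBL 3.4
"""
# Matt's overrides from the post above; a later score line wins.
TUNED = STOCK + """
score URIBL_BLACK 1.5
meta  URIBL_BLACK_OVERLAP (URIBL_BLACK && (URIBL_AB_SURBL || URIBL_JP_SURBL || URIBL_OB_SURBL || URIBL_WS_SURBL || URIBL_SC_SURBL))
score URIBL_BLACK_OVERLAP -1.0
"""

def parse(config):
    """Collect score and meta lines from a config fragment."""
    scores, metas = {}, {}
    for line in config.splitlines():
        kind, name, rest = (line.split(None, 2) + ["", "", ""])[:3]
        if kind == "score":
            scores[name] = float(rest)
        elif kind == "meta":
            metas[name] = rest
    return scores, metas

def meta_fires(expr, hits):
    """Evaluate the boolean subset of meta syntax: names, !, &&, ||, ()."""
    tokens = re.findall(r"&&|\|\||[()!]|\w+", expr) + [None]
    def atom():
        tok = tokens.pop(0)
        if tok == "!":
            return not atom()
        if tok != "(":
            return tok in hits
        val = chain("||")
        tokens.pop(0)  # consume the closing ")"
        return val
    def chain(op):
        # "||" binds loosest, so each of its operands is an "&&" chain.
        operand = (lambda: chain("&&")) if op == "||" else atom
        vals = [operand()]
        while tokens[0] == op:
            tokens.pop(0)
            vals.append(operand())
        return any(vals) if op == "||" else all(vals)
    return chain("||")

def total(config, hits):
    """Sum the scores of the hits plus any meta rules they trigger."""
    scores, metas = parse(config)
    fired = set(hits) | {n for n, e in metas.items() if meta_fires(e, hits)}
    return round(sum(scores.get(n, 1.0) for n in fired), 2)  # 1.0: unscored default
```

On the four hits listed in the quoted report, the stock scores total 7.5 and the tuned configuration totals 5.0, against the 5.5 threshold mentioned in the thread.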


RE: My only problem with URIBL_BLACK

2006-05-09 Thread Dallas L. Engelken
> -Original Message-
> From:  [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, May 09, 2006 11:44
> To: Jay Lee
> Cc: users@spamassassin.apache.org
> Subject: Re: My only problem with URIBL_BLACK
> 
> | >
> | > Easier said than done when you have a paying customer who 
> wants this specific mailing.
> | >
> | Have you tried lowering the score of the spamassassin rules 
> that are 
> | getting hit?
> |
> | Jay
> 
> 
> I'll look at a couple of the examples and see what else is 
> firing.  I may have to tune URI_BLACK down a tad.  I'll let you know.
> 

if you could, please submit these.  they may be good candidates for
moving to grey if nothing else.
d


Re: My only problem with URIBL_BLACK

2006-05-09 Thread qqqq
| >
| > Easier said than done when you have a paying customer who wants this 
specific mailing.
| >
| Have you tried lowering the score of the spamassassin rules that are
| getting hit?
|
| Jay


I'll look at a couple of the examples and see what else is firing.  I may have 
to tune URI_BLACK
down a tad.  I'll let you know.





RE: My only problem with URIBL_BLACK

2006-05-09 Thread Chris Santerre
> | But.
> | 
> | There are some spammers who run "subscribe to" mailing lists.
> | 
> | I got spam at home the other day from ediets.co.uk, for example.
> | 
> | I call this stuff "subscription spam" and would block most 
> of it anyway.
> | 
> | Cheers,
> | 
> | Phil
> 
> Easier said than done when you have a paying customer who 
> wants this specific mailing.


Voluntary Human Shields. They should find another provider, as the needs of the many outweigh the needs of the few. 


--Chris 





Re: My only problem with URIBL_BLACK

2006-05-09 Thread Jay Lee

 wrote:

| But.
| 
| There are some spammers who run "subscribe to" mailing lists.
| 
| I got spam at home the other day from ediets.co.uk, for example.
| 
| I call this stuff "subscription spam" and would block most of it anyway.
| 
| Cheers,
| 
| Phil


Easier said than done when you have a paying customer who wants this specific 
mailing.
  
Have you tried lowering the score of the spamassassin rules that are 
getting hit?


Jay


Re: My only problem with URIBL_BLACK

2006-05-09 Thread qqqq
| But.
| 
| There are some spammers who run "subscribe to" mailing lists.
| 
| I got spam at home the other day from ediets.co.uk, for example.
| 
| I call this stuff "subscription spam" and would block most of it anyway.
| 
| Cheers,
| 
| Phil

Easier said than done when you have a paying customer who wants this specific 
mailing.


RE: My only problem with URIBL_BLACK

2006-05-09 Thread Randal, Phil
But.

There are some spammers who run "subscribe to" mailing lists.

I got spam at home the other day from ediets.co.uk, for example.

I call this stuff "subscription spam" and would block most of it anyway.

Cheers,

Phil


Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK  

> -Original Message-
> From:  [mailto:[EMAIL PROTECTED] 
> Sent: 08 May 2006 22:38
> To: [EMAIL PROTECTED]; users@spamassassin.apache.org
> Subject: My only problem with URIBL_BLACK
> 
> I probably get a FP about once a week as somebody will opt in 
> a mailing list and a listed URL is in
> the mailing.
> 
> When I get these complaints, I exempt the mailing list from 
> the procmail rules so that the mailing
> list doesn't get scanned by SA.
> 
> Just my 2 cents.
> 
> 
> 
> 
> | > This isn't to say that URIBL_BLACK isn't useful, or that you
> | > guys aren't doing a good job. However, this is good evidence
> | > you guys are doing great, but you do still have some areas
> | > that could use improvement.
> | >
> |
> | thanks, i think. ;)
> |
> | our fp ratio for ham has always been hanging at that level.  i think
> | that's a good sign.  it means the data in our zones that are causing
> | those ham hits have not changed, and no one has notified us that they
> | need removal.  doesn't worry me a bit.
> |
> | we welcome your delist requests if you actually find a FP (that we can
> | agree on) on black.uribl.com.  :)
> |
> | d
> |
> |
>