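# SB-BLOCKOOL.RC
#
# Recipes to check for spam from otherwise legitimate companies
# that spam, spamming ESPs and ISPs with severe spam problems
# or spam tolerant practices.
#
# Layout of every listing below (as visible in this file):
#   - the recipe is gated on the OPTOUT or MAINSLEAZE setting not
#     matching NONE;
#   - it names three data files (TESTDOMAINS, TESTCIDR, TESTPATTERNS),
#     records TESTLAST / TESTUPDATED as YYYYMMDD and sets TESTTYPE to
#     ALL or HEADER;
#   - TESTSCORE is taken from BLOCKLEVEL or SPAMLEVEL depending on
#     whether the setting matches BLOCK or SPAM;
#   - the matching itself is delegated to functions/identify-spammer.rc,
#     which is not part of this file.
#
# NOTE(review): apart from the Conru listing, TESTSCORE is assigned only
# when the setting matches BLOCK or SPAM. With any other non-NONE value
# it keeps whatever an earlier recipe left in it -- confirm the set of
# values OPTOUT / MAINSLEAZE may take.
#
# NOTE(review): every TESTUPDATED value here is from 2004-2005. Address
# ranges and domains change hands, so lists this old should be re-checked
# before they drive BLOCK-level scoring; otherwise mail from whoever holds
# those ranges now may be mis-scored.
#

# AQuantive
#
# Last reported spam: 7/16/05
# Data files last updated: 3/10/05
#
# Other Relevant Info:
#
# SBL: http://www.spamhaus.org/sbl/sbl.lasso?query=SBL20705
#
# 3/10/05:
# Hosts web bugs and tracking systems for spammers.
# Unfortunately, also used by MSN Hotmail and other legitimate
# businesses, but should *NOT* be.
#
# Status: Active Spammer
#

# When FROMDOMAIN is exactly hotmail.com, preset LT2 to "no" and run
# check-cidr.rc against the Hotmail address list.
# NOTE(review): presumably check-cidr.rc changes LT2 when the sending IP
# is inside that list, so that mail really sent by Hotmail skips the
# AQuantive test below -- confirm against check-cidr.rc.
:0
* FROMDOMAIN ?? ^hotmail\.com$
{
  LOCALIPREGEXP=${FIRSTEXIPREGEXP}
  LT2=no
  TESTCIDR=${SBDIR}/info/hotmail-ips.cidr
  INCLUDERC=${SBDIR}/functions/check-cidr.rc
}

# NOTE(review): LT2 is assigned in this file only inside the Hotmail
# branch above. For every other sender this condition depends on the
# value LT2 carries in from earlier rc files -- confirm it is initialised
# there, or the AQuantive test never runs for non-Hotmail mail.
:0
* LT2 ?? no
* ! OPTOUT ?? NONE
{
  TESTNAME='AQuantive'
  TESTDOMAINS=${SBDIR}/optout/aquantive-domains.txt
  TESTCIDR=${SBDIR}/optout/aquantive-ips.cidr
  TESTPATTERNS=${SBDIR}/optout/aquantive-patterns.rc
  TESTLAST=20050716
  TESTUPDATED=20050310
  TESTTYPE=ALL

  :0
  * OPTOUT ?? BLOCK
  { TESTSCORE=${BLOCKLEVEL} }

  :0
  * OPTOUT ?? SPAM
  { TESTSCORE=${SPAMLEVEL} }

  INCLUDERC=${SBDIR}/functions/identify-spammer.rc
}

# Bill Keller Ministries
#
# Last reported spam: 11/03/05
# Data files last updated: 8/27/05
#
# Other Relevant Info:
#
# 8/27/05:
# Religious spammer who either scrapes web sites or
# accepts completely unconfirmed subscriptions for
# role accounts, the like. Has been spamming webmaster,
# autoresponders, info@, etc.
#
:0
* ! MAINSLEAZE ?? NONE
{
  TESTNAME='Bill Keller Ministries'
  TESTDOMAINS=${SBDIR}/mainsleaze/billkeller-domains.txt
  TESTCIDR=${SBDIR}/mainsleaze/billkeller-ips.cidr
  TESTPATTERNS=${SBDIR}/mainsleaze/billkeller-patterns.rc
  TESTLAST=20051103
  TESTUPDATED=20050827
  TESTTYPE=ALL

  :0
  * MAINSLEAZE ?? BLOCK
  { TESTSCORE=${BLOCKLEVEL} }

  :0
  * MAINSLEAZE ?? SPAM
  { TESTSCORE=${SPAMLEVEL} }

  INCLUDERC=${SBDIR}/functions/identify-spammer.rc
}

# Commission Junction
#
# Last reported spam: 8/25/05
# Data files last updated: 8/25/05
#
# Other Relevant Info:
#
# 6/19/05:
# Reactivated -- hosting domains at qksrv.net that are
# being advertised via spam.
#
# Status: Active Spammer
#
:0
* ! OPTOUT ?? NONE
{
  TESTNAME='Commission Junction'
  TESTDOMAINS=${SBDIR}/optout/commissionjunction-domains.txt
  TESTCIDR=${SBDIR}/optout/commissionjunction-ips.cidr
  TESTPATTERNS=${SBDIR}/optout/commissionjunction-patterns.rc
  TESTLAST=20050825
  TESTUPDATED=20050825
  TESTTYPE=ALL

  :0
  * OPTOUT ?? BLOCK
  { TESTSCORE=${BLOCKLEVEL} }

  :0
  * OPTOUT ?? SPAM
  { TESTSCORE=${SPAMLEVEL} }

  INCLUDERC=${SBDIR}/functions/identify-spammer.rc
}

# Conru, Andrew ("Friendfinder")
#
# Last reported spam: 11/07/05
# Data files last updated: 11/07/05
#
# Other Relevant Info:
#
# 2/20/03:
# New burst of spam to mailing lists and Usenet. :/
#
# 1/13/05:
# Evidence that Andrew Conru has quit spamming and
# deliberately turned to legitimate marketing methods.
# Cool! :) I hope this turns out to be true.
#
# 3/10/05:
# Chinese language FriendFinder spam sent to role
# addresses. :/
#
# 6/19/05:
# Chinese spam still being sent to role addresses
# and spamtraps.
#
# Status: Active Spammer
#
:0
* ! MAINSLEAZE ?? NONE
{
  TESTNAME='Andrew Conru'
  TESTDOMAINS=${SBDIR}/mainsleaze/friendfinder-domains.txt
  TESTCIDR=${SBDIR}/mainsleaze/friendfinder-ips.cidr
  TESTPATTERNS=${SBDIR}/mainsleaze/friendfinder-patterns.rc
  # Default score. This is the only listing in the file that presets
  # TESTSCORE before the BLOCK / SPAM checks below.
  TESTSCORE=${SPAMLEVEL}
  TESTLAST=20051107
  TESTUPDATED=20051107
  TESTTYPE=ALL

  :0
  * MAINSLEAZE ?? BLOCK
  { TESTSCORE=${BLOCKLEVEL} }

  :0
  * MAINSLEAZE ?? SPAM
  { TESTSCORE=${SPAMLEVEL} }

  INCLUDERC=${SBDIR}/functions/identify-spammer.rc
}

# Dartmail (Doubleclick/Flowgo)
#
# Last reported spam: 3/03/05
# Data files last updated: 7/15/05
#
# Other Relevant Info:
#
# 6/12/00:
# Spammers-for-hire for mainsleaze companies, most recently Barnes & Noble
#
# 10/05/02:
# Still spamming for B&N, and now for AOL as well.
# Media Synergy apparently has hooked up with Doubleclick
# and dartmail.net, they're all one spamhaus now. :(
#
# 11/07/02:
# Spamming for a presumably New York-based bookstore for an event
# with Rudolph Guiliani.
#
# 12/06/02:
# Spamming for a week or so for chapters.ca, aka chapters.indigo.ca.
#
# 12/11/03:
# Continuing to spam for Barnes & Noble, WebMD, and others.
#
# 7/15/05:
# Apparently mistaken for another spammer, flogo.com, but definitely
# still spamming in their own right.
#
# Status: Active Spammers
#
:0
* ! OPTOUT ?? NONE
{
  TESTNAME='Dartmail'
  TESTDOMAINS=${SBDIR}/optout/doubleclick-domains.txt
  TESTCIDR=${SBDIR}/optout/doubleclick-ips.cidr
  TESTPATTERNS=${SBDIR}/optout/doubleclick-patterns.rc
  TESTLAST=20050303
  TESTUPDATED=20050715
  TESTTYPE=HEADER

  :0
  * OPTOUT ?? BLOCK
  { TESTSCORE=${BLOCKLEVEL} }

  :0
  * OPTOUT ?? SPAM
  { TESTSCORE=${SPAMLEVEL} }

  INCLUDERC=${SBDIR}/functions/identify-spammer.rc
}

# E-Dialog
#
# Last reported spam: 11/01/05
# Data files last updated: 8/18/05
#
# Other Relevant Info:
#
# 11/13/02:
# Spammer for hire for Hasbro. :/
#
# 12/11/03:
# Spamming "Daily Health News" from "Bottom Line Secrets", etc.
#
# 6/30/04:
# New IP block, cannot determine exact extent since it's within the
# old Exodus/currently Savvis netblocks and Savvis has taken down
# the old rwhois.exodus.net IP DNS server. :/ Looks like Savvis
# is becoming spam-friendly. A pity.
#
# 6/22/05:
# Spammed for Microsoft overnight. :(
#
# Status: Active Spammer
#
:0
* ! OPTOUT ?? NONE
{
  TESTNAME='E-Dialog'
  TESTDOMAINS=${SBDIR}/optout/edialog-domains.txt
  TESTCIDR=${SBDIR}/optout/edialog-ips.cidr
  TESTPATTERNS=${SBDIR}/optout/edialog-patterns.rc
  TESTLAST=20051101
  TESTUPDATED=20050818
  TESTTYPE=ALL

  :0
  * OPTOUT ?? BLOCK
  { TESTSCORE=${BLOCKLEVEL} }

  :0
  * OPTOUT ?? SPAM
  { TESTSCORE=${SPAMLEVEL} }

  INCLUDERC=${SBDIR}/functions/identify-spammer.rc
}

# getactive.com
#
# Last reported spam: 11/03/05
# Data files last updated: 5/06/05
#
# Other Relevant Info:
#
# 11/08/01 -- offering marketing services to non-profits. Another
# UnityMail spammer. :/
#
# 8/17/02 -- moved to Inflow netspace. Figures. :/
#
# 10/07/03 -- Still spamming.
#
# 3/03/05 -- *Still* spamming.
#
# Status: Active Spammer
#
:0
* ! OPTOUT ?? NONE
{
  TESTNAME='GetActive'
  TESTDOMAINS=${SBDIR}/optout/getactive-domains.txt
  TESTCIDR=${SBDIR}/optout/getactive-ips.cidr
  TESTPATTERNS=${SBDIR}/optout/getactive-patterns.rc
  TESTLAST=20051103
  TESTUPDATED=20050506
  TESTTYPE=HEADER

  :0
  * OPTOUT ?? BLOCK
  { TESTSCORE=${BLOCKLEVEL} }

  :0
  * OPTOUT ?? SPAM
  { TESTSCORE=${SPAMLEVEL} }

  INCLUDERC=${SBDIR}/functions/identify-spammer.rc
}

# Gevalia
#
# Last reported spam: 1/18/06
# Data files last updated: 11/06/05
#
# Other Relevant Info:
#
# 8/16/03:
# Swedish coffee company that has been hiring spam-for-hire
# outfits to spam on their behalf for years. It's time the
# spamming nitwits got complaints themselves about their
# despicable behavior.
#
# 7/29/04:
# Hired Scott Richter to spam on their behalf.
#
# 8/22/04:
# Hired Josh Baer to spam on their behalf.
#
# 5/11/05:
# Now hiring Eddie Marin to spam on their behalf. They
# appear to be going the rounds of the big spammers....
#
:0
* ! MAINSLEAZE ?? NONE
{
  TESTNAME='Gevalia'
  TESTDOMAINS=${SBDIR}/mainsleaze/gevalia-domains.txt
  TESTCIDR=${SBDIR}/mainsleaze/gevalia-ips.cidr
  TESTPATTERNS=${SBDIR}/mainsleaze/gevalia-patterns.rc
  # NOTE(review): the header above gives 1/18/06 as the last reported
  # spam, but TESTLAST still says 20051106 -- confirm which is current.
  TESTLAST=20051106
  TESTUPDATED=20051106
  TESTTYPE=ALL

  :0
  * MAINSLEAZE ?? BLOCK
  { TESTSCORE=${BLOCKLEVEL} }

  :0
  * MAINSLEAZE ?? SPAM
  { TESTSCORE=${SPAMLEVEL} }

  INCLUDERC=${SBDIR}/functions/identify-spammer.rc
}

# Messagereach.com
#
# Last reported spam: 8/25/05
# Data files last updated: 8/25/05
#
# Other Relevant Info:
#
# 3/17/00 -- another "direct marketing" bulk email opt-out spamhaus.
# 11/08/01 -- spamming for Looksmart, and found xpedite.com. :)
#
# Status: Active Spammers
#
:0
* ! OPTOUT ?? NONE
{
  TESTNAME='MessageReach'
  TESTDOMAINS=${SBDIR}/optout/messagereach-domains.txt
  TESTCIDR=${SBDIR}/optout/messagereach-ips.cidr
  TESTPATTERNS=${SBDIR}/optout/messagereach-patterns.rc
  TESTLAST=20050825
  TESTUPDATED=20050825
  TESTTYPE=HEADER

  :0
  * OPTOUT ?? BLOCK
  { TESTSCORE=${BLOCKLEVEL} }

  :0
  * OPTOUT ?? SPAM
  { TESTSCORE=${SPAMLEVEL} }

  INCLUDERC=${SBDIR}/functions/identify-spammer.rc
}

# Microsoft bCentral
#
# Last reported spam: 8/05/05
# Data files last updated: 2/12/04
#
# Other Relevant Info:
# 10/26/00 -- Microsoft appears to be spamming a list of former LinkExchange users. :(
# One report indicated that the recipient of their spam has never used Windows and
# his company is Unix-only. Stupid marketer somewhere in Microsoft's organization,
# probably, since other parts of MS are death on spam. Filter written to catch
# only this stuff.
#
# 6/25/02 -- Unfortunately, bcentral.com has turned into a spam support services
# outfit supporting small businesses, many with no clue what is acceptable on
# the Internet. :/ There are occasional legitimate users, but not enough to
# justify treating this as a legitimate service.
#
# 2/09/04:
# Still spamming, still getting reports of spam that violates even the
# nearly nonexistent standards of CAN*SPAM.
#
# 6/30/04:
# Still spamming. :/ Among the spam is a list by a Sufi Islamic organization that
# claims to be affiliated with the Naqshbandi Sufis, don't know whether that's true
# or not. They spammed administration addresses for soc.religion.isam, but then
# started spamming stealth spamtraps of mine as well. bCentral simply doesn't
# care what its users do.
#
# Status: *DIRTY* OOL provider
#
:0
* ! OPTOUT ?? NONE
{
  TESTNAME='bCentral'
  TESTDOMAINS=${SBDIR}/optout/bcentral-domains.txt
  TESTCIDR=${SBDIR}/optout/bcentral-ips.cidr
  TESTPATTERNS=${SBDIR}/optout/bcentral-patterns.rc
  TESTLAST=20050805
  TESTUPDATED=20040212
  TESTTYPE=HEADER

  :0
  * OPTOUT ?? BLOCK
  { TESTSCORE=${BLOCKLEVEL} }

  :0
  * OPTOUT ?? SPAM
  { TESTSCORE=${SPAMLEVEL} }

  INCLUDERC=${SBDIR}/functions/identify-spammer.rc
}

# National Council of Churches
#
# Last reported spam: 7/22/05
# Data files last updated: 7/22/05
#
# Other Relevant Info:
#
# 7/22/05:
# Have repeatedly spammed multiple addresses at various
# domains I own/manage, including the long-defunct email
# address for a former parish priest. :/ None of these
# emails was requested; none of the people receiving
# them asked to get them.
#
# About a year ago, the second time I saw a bunch of spam
# from the NCC, I phoned up their headquarters and had a
# long talk with two different people about how they were
# mismanaging their mailing lists, and that they were
# bringing themselves into disrepute because of it. They
# didn't listen. Apparently they think that, if the cause
# is good, it's okay to spam.
#
# But it isn't. And since they are clearly determined NOT
# to learn from their previous mistakes, they've now got
# a listing in the SpamBouncer.
#
# Status: Active Spammer
#
:0
* ! MAINSLEAZE ?? NONE
{
  TESTNAME='NCCUSA'
  TESTDOMAINS=${SBDIR}/mainsleaze/nccusa-domains.txt
  TESTCIDR=${SBDIR}/mainsleaze/nccusa-ips.cidr
  TESTPATTERNS=${SBDIR}/mainsleaze/nccusa-patterns.rc
  TESTLAST=20050722
  TESTUPDATED=20050722
  TESTTYPE=ALL

  :0
  * MAINSLEAZE ?? BLOCK
  { TESTSCORE=${BLOCKLEVEL} }

  :0
  * MAINSLEAZE ?? SPAM
  { TESTSCORE=${SPAMLEVEL} }

  INCLUDERC=${SBDIR}/functions/identify-spammer.rc
}

# Real Networks (real.com/realaudio.com/real-net.net)
#
# Last reported spam: 3/02/05
# Data files last updated: 2/04/04
#
# Other Relevant Info:
# Yet another "legitimate" company which sends lots of unsolicited
# and unwanted email, usually to people who download their
# "RealAudio" player.
#
# 1/23/04:
# Just spammed nonexistent address at SpamBouncer.org. :/
# *REAL* intelligent, although it probably is an address
# an annoyed user entered when "registering" RealPlayer.
# However, what do you bet it gets spammed for years?
#
#
# 2/05/04:
# Just spammed another, different nonexistent address, this
# one at spambouncer.net. :/ I've got to wonder if some
# antispammer is trying to get Real into trouble, but the
# pattern of the spammed name looks exactly like disposable
# email addresses at SpamGourmet do. Perhaps others have
# adopted that same addressing convention for disposable
# addresses.... Real spams, no doubt about that, but would
# they spam made-up addresses on purpose?
#
# 2/19/04:
# And now spammed at yet another, different nonexistent address,
# this time at spambouncer.com. :/
#
# Status: They exist, and they're still spamming, but not via
# their own IPs. They also host a significant chunk of
# legitimate business. It is causing too many FPs to
# list them for the amount of spam caught.
#
# NOTE(review): the status above says this listing causes too many
# false positives to keep, yet the recipe is still active here --
# confirm whether it was meant to be disabled.
:0
* ! MAINSLEAZE ?? NONE
{
  TESTNAME='Real Networks'
  TESTDOMAINS=${SBDIR}/mainsleaze/real-domains.txt
  TESTCIDR=${SBDIR}/mainsleaze/real-ips.cidr
  TESTPATTERNS=${SBDIR}/mainsleaze/real-patterns.rc
  TESTLAST=20050302
  TESTUPDATED=20040204
  TESTTYPE=ALL

  :0
  * MAINSLEAZE ?? BLOCK
  { TESTSCORE=${BLOCKLEVEL} }

  :0
  * MAINSLEAZE ?? SPAM
  { TESTSCORE=${SPAMLEVEL} }

  INCLUDERC=${SBDIR}/functions/identify-spammer.rc
}

# Republican National Committee
#
# Last reported spam: 10/15/05
# Data files last updated: 10/15/05
#
# Other Relevant Info:
# It appears that the Republican National Committee is spamming. :(
# Despite the exemptions Congress is proposing to make in its
# anti-spam legislation, spam is spam regardless of the intent
# or subject matter.
# Status: Unknown
#
:0
* ! MAINSLEAZE ?? NONE
{
  TESTNAME='RNC'
  TESTDOMAINS=${SBDIR}/mainsleaze/rnc-domains.txt
  TESTCIDR=${SBDIR}/mainsleaze/rnc-ips.cidr
  TESTPATTERNS=${SBDIR}/mainsleaze/rnc-patterns.rc
  TESTLAST=20051015
  TESTUPDATED=20051015
  # Was TESTTYPE=HEADERS; every other header-only listing in this file
  # uses HEADER, so the spelling is aligned with them.
  TESTTYPE=HEADER

  :0
  * MAINSLEAZE ?? BLOCK
  { TESTSCORE=${BLOCKLEVEL} }

  :0
  * MAINSLEAZE ?? SPAM
  { TESTSCORE=${SPAMLEVEL} }

  INCLUDERC=${SBDIR}/functions/identify-spammer.rc
}

# University of Phoenix
#
# Last reported spam: 10/30/05
# Data files last updated: 10/30/05
#
# Other Relevant Info:
#
# 10/30/05:
# Long-time haven spammers who have hired multiple ROKSO-listed
# spammers to spam on their behalf, and who lie through their
# teeth when you phone them and ask why. :/ It's a pity, because
# as an educational institution this one is interesting and
# definitely legitimate. But spamming isn't okay no matter who
# does it.
#
# Status: Unknown
#
:0
* ! MAINSLEAZE ?? NONE
{
  TESTNAME='University of Phoenix'
  TESTDOMAINS=${SBDIR}/mainsleaze/uop-domains.txt
  TESTCIDR=${SBDIR}/mainsleaze/uop-ips.cidr
  TESTPATTERNS=${SBDIR}/mainsleaze/uop-patterns.rc
  TESTLAST=20051030
  TESTUPDATED=20051030
  TESTTYPE=ALL

  :0
  * MAINSLEAZE ?? BLOCK
  { TESTSCORE=${BLOCKLEVEL} }

  :0
  * MAINSLEAZE ?? SPAM
  { TESTSCORE=${SPAMLEVEL} }

  INCLUDERC=${SBDIR}/functions/identify-spammer.rc
}

# Verisign
#
# Last reported spam: 1/01/05
# Data files last updated: 8/21/05
#
# Other Relevant Info:
#
# 7/13/99:
# Network Solutions has started a new "mailing list" to which it has
# apparently subscribed the listed technical contacts in its huge
# database without asking them, requiring them to unsubscribe
# themselves. This is opt-out bulk email, which is spam, plain
# and simple. I am therefore including the Network Solutions
# spamming machine here. I am not blacklisting the whole domain
# because that could pose a problem for people with domains
# registered through this monopoly. :( The *ssholes are
# taking advantage of their monopoly to force a situation on
# their customers which most of the customers would reject totally
# if asked.
#
# 9/24/99: A few days ago NSI spammed every email address they had,
# administrative and billing contacts as well as technical
# contacts, through a third-party company as well, apparently to
# avoid spam blocks. :( These are slimeballs. I've blocked them
# entirely -- I'd suggest you inform them that they are to
# communicate with you about your domain via postal mail only.
#
# 6/10/00: Contacted me via phone a few weeks ago to "follow up on my
# recent request to opt-out of the .COM directory with a domain". That
# request/demand was sent last fall. A few weeks later, got spammed by
# them asking me to update my "incomplete" registration information for
# that specific domain. These jerks simply DO NOT GET IT.
#
# 6/20/00: Yet another spam from these unbelievable slimeballs....
#
# 11/01/01: Now they're spamming on behalf of Verisign, a company
# they own, via yet another spamhaus....
#
# 4/30/02: They hired a small spamhaus to spam on their behalf, apparently
# got tired of fielding their own complaints. :/
#
# 9/06/02: New domain, nsi-direct.com, being used to spam now. They are
# spamming people about domains that are not due to expire til next
# year, urging them to sign on for a three-year contract. Desperate,
# perhaps, because ICANN is threatening to deregister them?
#
# 10/01/03: SiteFinder. And more spam on its behalf.
#
# 6/30/04: Bunches of spam coming up with domains hosted by Network Solutions
# itself, within its own name space. :/
#
# 8/02/04: Enough people depend on Network Solutions that I can't simply
# throw away their email, although they deserve it. Moved to
# OOL, under protest.
#
# 8/19/05: Ugly history, but little recent evidence of spamming.
# Massive update of files to separate Verisign and Network Solutions
# listings, since companies are now separate.
#
# Status: Active Spammer
#
:0
* ! MAINSLEAZE ?? NONE
{
  TESTNAME='Verisign'
  TESTDOMAINS=${SBDIR}/mainsleaze/verisign-domains.txt
  # The next two paths were ${SBDIR}/mainsleaze/${SBDIR}/grey/verisign-*,
  # which expands SBDIR twice and cannot name a real file, so the CIDR
  # and pattern tests had no data to match against. They now sit next to
  # TESTDOMAINS, like every other listing in this file.
  # NOTE(review): if the Verisign data still lives under grey/, point
  # both paths there instead.
  TESTCIDR=${SBDIR}/mainsleaze/verisign-ips.cidr
  TESTPATTERNS=${SBDIR}/mainsleaze/verisign-patterns.rc
  TESTLAST=20050101
  TESTUPDATED=20050821
  TESTTYPE=ALL

  :0
  * MAINSLEAZE ?? BLOCK
  { TESTSCORE=${BLOCKLEVEL} }

  :0
  * MAINSLEAZE ?? SPAM
  { TESTSCORE=${SPAMLEVEL} }

  INCLUDERC=${SBDIR}/functions/identify-spammer.rc
}

# Vertical Response
#
# Last reported spam: 8/11/05
# Data files last updated: 8/11/05
#
# Other Relevant Info:
#
# Status: Active Spammer
#
:0
* ! OPTOUT ?? NONE
{
  TESTNAME='Vertical Response'
  TESTDOMAINS=${SBDIR}/optout/vresp-domains.txt
  TESTCIDR=${SBDIR}/optout/vresp-ips.cidr
  TESTPATTERNS=${SBDIR}/optout/vresp-patterns.rc
  TESTLAST=20050811
  TESTUPDATED=20050811
  TESTTYPE=HEADER

  :0
  * OPTOUT ?? BLOCK
  { TESTSCORE=${BLOCKLEVEL} }

  :0
  * OPTOUT ?? SPAM
  { TESTSCORE=${SPAMLEVEL} }

  INCLUDERC=${SBDIR}/functions/identify-spammer.rc
}

# WalMart
#
# Last reported spam: 10/28/05
# Data files last updated: 10/30/05
#
# Other Relevant Info:
#
# 10/30/05:
# Unfortunately Walmart doesn't even pretend that their
# email is opt-in, from what I've been able to find out.
# That kind of attitude by a 2-ton gorilla like Walmart
# is frightening.
#
:0
* ! MAINSLEAZE ?? NONE
{
  TESTNAME='Wal-Mart'
  TESTDOMAINS=${SBDIR}/mainsleaze/walmart-domains.txt
  TESTCIDR=${SBDIR}/mainsleaze/walmart-ips.cidr
  TESTPATTERNS=${SBDIR}/mainsleaze/walmart-patterns.rc
  TESTLAST=20051028
  TESTUPDATED=20051030
  TESTTYPE=ALL

  :0
  * MAINSLEAZE ?? BLOCK
  { TESTSCORE=${BLOCKLEVEL} }

  :0
  * MAINSLEAZE ?? SPAM
  { TESTSCORE=${SPAMLEVEL} }

  INCLUDERC=${SBDIR}/functions/identify-spammer.rc
}

# What Counts, Inc.
#
# Last reported spam: 6/15/05
# Data files last updated: 7/06/04
#
# Other Relevant Info:
#
# 8/02/2004:
# Bulk email sending provider that focuses on political and activist
# concerns. Over the years, I've gotten onto a *bunch* of their
# lists without in any way requesting to be added. :/ I assumed
# they were a spamhaus, but after a false positive report found out
# that they're not spammers, just an ESP with some customers that
# aren't careful about who they put on their email lists.
#
# Status: Active Spammer
#
# NOTE(review): the 8/02/2004 entry says this is an ESP rather than a
# spammer, while the status line still reads "Active Spammer" -- confirm
# which one the listing should reflect.
:0
* ! OPTOUT ?? NONE
{
  TESTNAME='What Counts'
  TESTDOMAINS=${SBDIR}/optout/whatcounts-domains.txt
  TESTCIDR=${SBDIR}/optout/whatcounts-ips.cidr
  TESTPATTERNS=${SBDIR}/optout/whatcounts-patterns.rc
  TESTLAST=20050615
  TESTUPDATED=20040706
  TESTTYPE=HEADER

  :0
  * OPTOUT ?? BLOCK
  { TESTSCORE=${BLOCKLEVEL} }

  :0
  * OPTOUT ?? SPAM
  { TESTSCORE=${SPAMLEVEL} }

  INCLUDERC=${SBDIR}/functions/identify-spammer.rc
}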