Thanks! I need to investigate these further before writing them off as a FP.
QQQQ

----- Original Message -----
From: "Matt Kettler" <[EMAIL PROTECTED]>
To: "Chris Santerre" <[EMAIL PROTECTED]>
Cc: "'qqqq'" <[EMAIL PROTECTED]>; <users@spamassassin.apache.org>
Sent: Tuesday, May 09, 2006 1:51 PM
Subject: Re: My only problem with URIBL_BLACK

| Chris Santerre wrote:
| >
| >
| >> -----Original Message-----
| >> From: qqqq [mailto:[EMAIL PROTECTED]
| >> Sent: Tuesday, May 09, 2006 3:12 PM
| >> To: Chris Santerre; 'Matt Kettler'
| >> Cc: users@spamassassin.apache.org
| >> Subject: Re: My only problem with URIBL_BLACK
| >>
| >>
| >> Here's one that just got captured. The mailing was from
| >> Monster.com and the customer is livid :-(
| >>
| >> X-Spam-Report:
| >> * 0.0 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
| >> * 1.1 URIBL_SBL Contains an URL listed in the SBL blocklist
| >> * [URIs: uhmcargo_MUNGED.net]
| >> * 3.0 URIBL_BLACK Contains an URL listed in the URIBL blacklist
| >> * [URIs: uhmcargo_MUNGED.net]
| >> * 3.4 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist
| >> * [URIs: uhmcargo_MUNGED.net]
| >>
| >> I had to _MUNGED the domain because the mailing hit 13.5 and bounced
| >>
| >> The threshold is 5.5
| >>
| >>
| >> Here is from my original stats post:
| >>     1    URIBL_BLACK       163397    7.09    29.11    78.05    0.50
| >>     5    URIBL_JP_SURBL    118251    5.13    21.07    56.48    0.09
| >>
| >> What are your thoughts guys? Lower the score for URI_BLACK and JP?
| >
| > It's not an FP.
| >
| > http://groups.google.com/group/misc.writing.screenplays.moderated/browse_frm/thread/e7fca5612bbf5aa3/fc75be5ae3052cbb?lnk=st&q=uhmcargo.net&rnum=1&hl=en#fc75be5ae3052cbb
| > <http://groups.google.com/group/misc.writing.screenplays.moderated/browse_frm/thread/e7fca5612bbf5aa3/fc75be5ae3052cbb?lnk=st&q=uhmcargo.net&rnum=1&hl=en#fc75be5ae3052cbb>
| >
|
| I do tend to agree, this site appears to be a scam.
|
| qqqq, feel free to pass all of this on to your user.
|
|
| I find the domain's registration info rather interesting:
| -----------------------------
| Registrant / Admin Contact :
| ORGANISATION
| IBC int Laer (IIL2-BMN-ORG)
|
| RR #3 Box 1122
|
| 17059 Mifflintown
| UNITED STATES
|
| Contact
| Jo FOLTZ
| phone : +56 7432674623
| fax :
| e-mail : [EMAIL PROTECTED]
|
| <snip>
|
| Created on 05/06/2006 01:08:40
| ----------------------------
|
| Hmm.. they're from the United States, yet their phone number is in Chile
| (dialing code +56)???
|
| They left out the state, and put things in the wrong order, but 17059 is the zip
| code for Mifflintown, PA.
|
| Fixing the address:
| IBC int Laer
| RR #3 Box 1122
| Mifflintown, PA 17059
| UNITED STATES
|
|
| Also, the company name contains "int laer", which appears to be Belgian
| language. A web search for this phrase turns up 2 pages in a language I don't
| understand hosted out of .be.
|
| So we have a company registered with a Rural-Route address in Pennsylvania, with
| a Chilean phone number, a Belgian name, and a yahoo email address... And the
| record was created 3 days ago.. Hmmm...
|
|
| Let's look at their IPs they are hosting their domain from:
| -----------
| $ host uhmcargo*MUNGED*.com
| uhmcargo*MUNGED*.com has address 82.155.56.150
| uhmcargo*MUNGED*.com has address 83.99.128.137
| uhmcargo*MUNGED*.com has address 83.213.63.213
|
| $ host 82.155.56.150
| 150.56.155.82.in-addr.arpa domain name pointer bl6-56-150.dsl.telepac.pt.
| $ host 83.99.128.137
| 137.128.99.83.in-addr.arpa domain name pointer balticom-128-137.balticom.lv.
| $ host 83.213.63.213
| 213.63.213.83.in-addr.arpa domain name pointer eu83-213-63-213.clientes.euskaltel.es
| ------------
|
|
| Hmm, so they are hosting their website at a lot of different places. A DSL node
| in Portugal, Another site in Latvia, and yet one more in Spain?
|
| So this is a company located in Rural PA, with a phone number in Chile, a yahoo
| email address, a Belgian name, and web hosting spread across Portugal, Spain and
| Latvia...
|
| Looks like your irate customer was saved from receiving a blatant scam.
|
| I wonder what kind of "start up" fees you need to pay to accept this job....
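
The manual checks in the quoted message (PTR names of the A records, WHOIS phone versus country, registration age) can be scripted for triage of a disputed URIBL hit. The following is an added example, not code from anyone in this thread or from SpamAssassin; the function names, the one-entry calling-code table and the 7-day cut-off are assumptions, and the input is the `host` output and WHOIS fields quoted above.

```python
import re
from datetime import date

# PTR lines and WHOIS fields copied from the thread above.
HOST_OUTPUT = """\
150.56.155.82.in-addr.arpa domain name pointer bl6-56-150.dsl.telepac.pt.
137.128.99.83.in-addr.arpa domain name pointer balticom-128-137.balticom.lv.
213.63.213.83.in-addr.arpa domain name pointer eu83-213-63-213.clientes.euskaltel.es
"""
# "05/06/2006" is read as May 6, matching "created 3 days ago" on May 9.
WHOIS = {"country": "UNITED STATES", "phone": "+56 7432674623",
         "created": date(2006, 5, 6)}
# Assumption: one-entry calling-code table, enough for this record only.
CALLING_CODE = {"UNITED STATES": "1"}
MAX_AGE_DAYS = 7  # assumption: "recently registered" cut-off

PTR_LINE = re.compile(
    r"^((?:\d{1,3}\.){4})in-addr\.arpa domain name pointer (\S+?)\.?$")

def parse_ptrs(text):
    """Return [(ip, ptr_name)] from `host <ip>` output."""
    pairs = []
    for line in text.splitlines():
        m = PTR_LINE.match(line.strip())
        if m:
            octets = m.group(1).rstrip(".").split(".")
            pairs.append((".".join(reversed(octets)), m.group(2).lower()))
    return pairs

def looks_generic(ip, ptr):
    """True when the PTR's first label embeds the IP's last two octets,
    the usual shape of an ISP's auto-generated subscriber name."""
    nums = re.findall(r"\d+", ptr.split(".")[0])
    return nums[-2:] == ip.split(".")[-2:]

def assess(host_output, whois, seen_on):
    """Return [(code, detail)] for each inconsistency found."""
    ptrs, findings = parse_ptrs(host_output), []
    tlds = sorted({p.rsplit(".", 1)[-1] for _, p in ptrs})
    if ptrs and len(tlds) > 1 and all(looks_generic(i, p) for i, p in ptrs):
        findings.append(("scattered_subscriber_hosting", ", ".join(tlds)))
    want = CALLING_CODE.get(whois["country"])
    digits = re.sub(r"\D", "", whois["phone"])
    if want and not digits.startswith(want):
        findings.append(("phone_country_mismatch", whois["phone"]))
    age = (seen_on - whois["created"]).days
    if 0 <= age <= MAX_AGE_DAYS:
        findings.append(("new_registration", f"{age} days"))
    return findings
```

The TLD of a PTR name identifies the operator's naming, not a verified location, so the first finding is a prompt for a closer look rather than a verdict.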