>...
>On Sat, 2005-11-12 at 10:56 -0500, Pierre Thomson wrote:
>> A slightly more compact way to treat the final digit:
>> 
>> > > body            PROLO_LEO1              /85\,45|1\,2[12]/
>> > > body            PROLO_LEO2              /69\,95|3\,3[23]/
>
>New uri showed up today, so the updated rule I use is now:
>
>body        PROLO_LEO1      /85\,45|1\,2[12]/
>body        PROLO_LEO2      /69\,95|3\,3[23]/
>body        PROLO_LEO3      /99\,95|3\,75/
>uri         PROLO_LEO4      /http:\/\/.*\.(tripod\.com|motoroder\.info)/
>
>       -Bill
>
        The listing for motoroder.info-MUNG should be unneeded; it is
directly one of Leo's domains and should be blacklisted in the normal
fashion(s) (i.e. unlike tripod or geocities, it shouldn't be on anyone's
whitelist).

        Name server pair:

        reekanoma.com-MUNG at RGNames, no authoritative name servers
        homanomin.com-MUNG at YesNIC, no name servers

        Current IPs, 222.122.63.61, 58.20.160.80 and 221.7.209.83.
Notes:  221.7.209.83  matches SBL34606 - the same as the tripod spam NSs.
        222.122.63.61 matches SBL34438 - a "dirty" block
        58.20.160.80  matches SBL34298 - a bunch of RX sites
                 and SBL29600 - which is a block of Leo's porn sites

        Same registrant data for both name server domains (partial address
only at YesNIC - probably some innocent party chosen from a telephone book):

    Leon Schneider
    5877 N Jack Rd,
    Midland, Michigan 48642
    US
    (989) 689-0938

        Also, the domain motoroder.info-MUNG has already been listed on the
SURBL [ab][jp][sc] lists and at URIBL [black], as well as triggering the SBL
rule for the name servers (i.e. already more than enough points for anyone
running net tests).  It just demonstrates that he uses the same spam templates
for his "free" hosted domains as for his BP hosted ones.  You could submit
a sample and get it onto SURBL [ws] also (I would, but haven't seen one).


        Paul Shupak
        [EMAIL PROTECTED]
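
Added example, not part of the original thread: a small Python harness that runs the four rules quoted above over constructed sample messages, showing both the intended hits and what else the unanchored patterns match. The `hits` helper, the simplified URI extraction and the sample texts are assumptions made for illustration; SpamAssassin's own body rendering and URI parsing are more involved.

```python
import re

# Rules as posted in the thread (Perl regex bodies; valid unchanged in Python's re).
RULES = {
    "PROLO_LEO1": ("body", r"85\,45|1\,2[12]"),
    "PROLO_LEO2": ("body", r"69\,95|3\,3[23]"),
    "PROLO_LEO3": ("body", r"99\,95|3\,75"),
    "PROLO_LEO4": ("uri", r"http:\/\/.*\.(tripod\.com|motoroder\.info)"),
}
COMPILED = {name: (kind, re.compile(rx)) for name, (kind, rx) in RULES.items()}

# Simplified URI extraction (assumption; stands in for SpamAssassin's URI parser).
URI_RE = re.compile(r"https?://[^\s<>\"']+")


def hits(message):
    """Return the sorted names of the rules that fire on a plain-text message."""
    uris = URI_RE.findall(message)
    fired = set()
    for name, (kind, rx) in COMPILED.items():
        # uri rules are tested per extracted URI, body rules against the text.
        targets = uris if kind == "uri" else [message]
        if any(rx.search(t) for t in targets):
            fired.add(name)
    return sorted(fired)


# Constructed sample messages (not taken from real mail).
SAMPLES = {
    "template": "Only 85,45 per pack, was 99,95! http://shop.example.tripod.com/x",
    "invoice": "Invoice total: 11,212.00 USD for 3,750 units",
    "personal_page": "My photos are at http://alice.tripod.com/album.html",
    "clean": "Meeting moved to 10:30, see http://www.example.org/agenda",
}


def report():
    """Map each sample label to the rules that fire on it."""
    return {label: hits(text) for label, text in SAMPLES.items()}


if __name__ == "__main__":
    for label, fired in report().items():
        print(f"{label:14s} {fired}")
```

The "invoice" and "personal_page" samples fire rules without any spam content, because the price patterns have no word boundaries and the uri rule covers every tripod.com host; a low per-rule score or a meta rule requiring several hits limits that exposure.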
