>...
>> What are your thoughts guys?  Lower the score for URI_BLACK and JP?
>> 
>
>seriously?  the domain is 3 days old and is unreachable, and uses
>outfitter.net NS's which appear to have an identity crisis.
>
>April 25th, 
>ns1.outfiter.net  206.173.156.105  
>ns2.outfiter.net  24.98.13.40
>       
>April 27th, 
>ns1.outfiter.net  24.182.165.233
>ns2.outfiter.net  67.64.112.94
>       
>May 4th,
>ns1.outfiter.net  24.247.114.91
>ns2.outfiter.net  68.36.53.205
>
>May 8th,
>ns1.outfiter.net  24.168.96.193
>ns2.outfiter.net  24.247.114.91
>       
>Right Now,
>ns1.outfitter.net  66.199.187.181
>ns2.outfitter.net  66.199.187.181
>
>...
>
>dallas

        Are you just giving a sample?  How about some more of the IP
jumps in the past nine days:

ns1.outfiter.net
2006-May-04 21:05:53    24.168.96.193
2006-May-01 21:05:13    68.36.53.205
2006-May-01 15:05:55    24.24.83.45
2006-Apr-30 22:04:80    24.182.165.233
2006-Apr-30 14:04:419   71.241.106.238

        Hosted on cable modem and DSL zombies, registered using the
reseller Regtime.net/webnames.ru at OnlineNIC, using a real address
but the name of an unregistered/unlicensed corporation in Missouri
with a telephone number in Montana.  (No Barnwell Inc. exists, but
a "BARNWELL & HAYS, INC." is an inactive business, shut down in 2000).

        Or the rest of a current snapshot (all zombies)

% dig outfiter.net @68.36.53.205
...
;; ANSWER SECTION:
outfiter.net.           300     IN      A       65.75.90.172
outfiter.net.           300     IN      A       194.208.180.242
outfiter.net.           300     IN      A       24.182.165.233

;; AUTHORITY SECTION:
outfiter.net.           300     IN      NS      ns1.outfiter.net.
outfiter.net.           300     IN      NS      ns2.outfiter.net.

;; ADDITIONAL SECTION:
ns1.outfiter.net.       300     IN      A       68.36.53.205
ns2.outfiter.net.       300     IN      A       68.111.102.17
...

        Plus the original domain, uhmcargo-M.net, has already been
suspended (though if you force it to be resolved, you can see it is
also up and hosted on zombies).

% whois uhmcargo-M.net | fgrep Status
   Status: REGISTRAR-HOLD
   EPP Status: clientHold
   EPP Status: clientDeleteProhibited
   EPP Status: clientUpdateProhibited
   EPP Status: clientTransferProhibited

% dig uhmcargo-M.net @67.167.254.42
...
;; ANSWER SECTION:
uhmcargo-M.net.         300     IN      A       212.183.251.114
uhmcargo-M.net.         300     IN      A       66.31.52.46
uhmcargo-M.net.         300     IN      A       172.201.36.111
uhmcargo-M.net.         300     IN      A       24.205.215.159
...

        Tell the recipient that this message either did not come from
monster.com, or (quite unlikely) someone has turned black-hat.

        Paul Shupak
        [EMAIL PROTECTED]
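
Added example, not part of the original post: a small Python check for the three signals the message points out by hand (300-second TTLs, A records scattered across unrelated networks, and a nameserver address that keeps moving), run over the dig output and ns1 history quoted above. The function names and the thresholds (`max_ttl`, `min_nets`, grouping by /16) are assumptions made for this illustration.

```python
import ipaddress
from collections import defaultdict

# Records copied from the dig output and ns1 history quoted in the post above.
DIG_OUTPUT = """\
;; ANSWER SECTION:
outfiter.net.           300     IN      A       65.75.90.172
outfiter.net.           300     IN      A       194.208.180.242
outfiter.net.           300     IN      A       24.182.165.233
;; ADDITIONAL SECTION:
ns1.outfiter.net.       300     IN      A       68.36.53.205
ns2.outfiter.net.       300     IN      A       68.111.102.17
"""
NS1_HISTORY = ["24.168.96.193", "68.36.53.205", "24.24.83.45",
               "24.182.165.233", "71.241.106.238"]

def parse_a_records(text):
    """Return {owner: [(ttl, IPv4Address), ...]} from dig-style output."""
    records = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[2:4] != ["IN", "A"]:
            continue  # skip section headers, NS records, "..." elisions
        try:
            entry = (int(parts[1]), ipaddress.IPv4Address(parts[4]))
        except ValueError:
            continue  # malformed TTL or address
        records[parts[0].rstrip(".").lower()].append(entry)
    return records

def distinct_nets(addresses, prefix=16):
    """Count distinct /prefix networks covering the given addresses."""
    return len({ipaddress.ip_network(f"{a}/{prefix}", strict=False)
                for a in addresses})

def flux_indicators(domain, records, ns_history, max_ttl=600, min_nets=3):
    """Evaluate three signals; thresholds are assumed, not a standard."""
    answers = records.get(domain, [])
    return {
        "short_ttl": bool(answers) and all(ttl <= max_ttl for ttl, _ in answers),
        "scattered_a": distinct_nets(ip for _, ip in answers) >= min_nets,
        "ns_churn": distinct_nets(ns_history) >= min_nets,
    }

if __name__ == "__main__":
    recs = parse_a_records(DIG_OUTPUT)
    print(flux_indicators("outfiter.net", recs, NS1_HISTORY))
```

A domain served from one network with a long TTL and a stable nameserver address sets none of the three flags, so the check separates the pattern in the post from ordinary hosting.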
