Fake blacklists?

A customer had momentary trouble sending mail to someone. The first attempt failed, but the second went through. An examination of the logs revealed a couple of interesting things.

First, the recipient mail server sent a strange handshake. The Kerio mail server recorded this log entry:

(IP replaced with all 9's)
553 Bogus helo FRONT4.com. <http://unblock.secureserver.net/?ip=>

If you follow that, you come to a legitimate looking screen telling you that the address is blacklisted. However, it seems a little sparse for a real blacklist site - they usually give you more information. I also checked the client's IP on the more common blacklist sites: none of them have him listed.

If you try to find this "secureserver.net" in Google, there is no listing. An attempt to go there or to www.secureserver.net in a browser redirects to "http://www.securepaynet.net/gdshop/404error.asp". Suspicious: is this some sort of extortion scheme?

The domain is registered with GoDaddy - that's a little suspicious too just because GoDaddy is the registrar of a lot of bottom-feeders. It isn't very old, either: less than a year. They have an interesting DNS, too. Most of the pages are place-holders or redirect elsewhere. This just doesn't smell like a real outfit.

That "FRONT4.com" doesn't exist either.

I think this is some sort of scam. I definitely wouldn't plug in my email address there.

As to how they got to that server, I don't know - dns hijacking, perhaps..

Got something to add? Send me email.

(OLDER) <- More Stuff -> (NEWER)    (NEWEST)   

Printer Friendly Version

-> -> Fake blacklists?


Increase ad revenue 50-250% with Ezoic

More Articles by

Find me on Google+

© Anthony Lawrence

Fri Jul 7 16:38:05 2006: 2224   AndyArmstrong

More about them here:

They seem like a pretty rum bunch :)

Fri Jul 7 17:02:46 2006: 2225   TonyLawrence

Ayup.. thanks for that, Andy. I forgot to look in Groups.

Fri Jul 7 18:10:49 2006: 2226   dhart

secureserver.net is part of godaddy - their servers named secureserver seem to be all smtp and DNS servers. The comments I see in google groups seem to be, upon cursory inspection, ordinary run-of-the-mill stuff.

What we need to keep in mind is that godaddy's smtp servers are shared among many people, not all of whom behave as scrupulously as regular visitors to www.aplawrence.com.

In fact, if you follow back, you'll see it is assigned to IANA ( - and not to any other legitimate user - making it an ideal IP for spammers to use to mask their actual IP address. Sure Front4.com
might be the source of some spam, but if someone is going to the trouble of spoofing their IP address, they might as well hide behind someone elses domain name as well.

Further, if you were in the business of spamming certainly you would want to hide your name and address as well. Folks, really, there is nothing more nefarious going on here than someone passing spam. And godaddy, having figured this out has blocked that IP (note that godaddy's list doesn't seem to be a
public RBL), and is offering the legitimate owner of that domain or IP address a way to get off the list. Again, prety ordinary stuff.

Although their web pages are incredibly busy, I've always found godaddy to offer good value (read cheap) and good service (live tech support). When I've gone fishing for DNS providers I've found that Godaddy is a pretty good catch.

Fri Jul 7 18:18:31 2006: 2227   TonyLawrence

I think you need to do some more reading on GoDaddy :-)

Anyway, the ip wasn't 99 etc. I just overwrote his real address with that.

The suspicious point here is that the "unblock" site is the only one that seems to really work, other than the one that redirects. The combination of those two, plus the lack of anything else having to do with reporting or querying blacklists, still makes me think this is a scam - maybe an extortion attempt.

If I could find any legit reference to this domain as a blacklist site, I'd be happy to change my opinion.

This smells bad too :

Sun Jul 9 23:33:00 2006: 2229   dhart

Now who says that if you set up a server at unblock.secureserver.net you are also obliged to setup a server at www.secureserver.net?

You have failed to draw any rational connection between
(link) and extortion. In fact by making that assertion you've resorted to dismal wild-eyed arm-waving techno-tainment!

Further, you can't possibly expect us to take the random driveling at slashdot seriously. I'm convinced that no more than 1% of the posters at slashdot are qualified to comment on any little thing at all - in fact the only qualification required to post any opinion at slashdot is literacy. Pointing to a slashdot 'article' - someone elses opinion uninformed or otherwise -is NOT an authoritative argument.

We're not in high school anymore and you can't pass off your OPINION as authoratative and file it under 'security'. At least I did research and drew upon my direct experience at godaddy.


Sun Jul 9 23:50:47 2006: 2230   TonyLawrence

It's not that you HAVE to have anything but unblock.secureserver.net, but as that site is reprsenting itself as a blacklisting site, it is suspicious that there is apparently no place to go where one would subscribe to its lists or find out more about them. As noted, the fact that www redirects to what looks like a payment site is also suspicious.

As to godaddy, I remain with my opinion: it's full of bottom-feeders and has a bad reputation. That doesn't mean that everyone using godaddy is a bottom feeder, but when combined with the other points, it makes me more suspicious.

Please explain how "I think this is some sort of scam" is attempting to pass something of as authoritative :-)

Mon Jul 10 00:54:49 2006: 2231   BigDumbDinosaur

The domain is registered with GoDaddy - that's a little suspicious too just because GoDaddy is the registrar of a lot of bottom-feeders.

Ain't that the truth? <Grin> A lot of the mail that my server bounces seems to originate from within the GoDaddy netblock. If they were used car salesmen, they'd be peddling vehicles with cracked blocks, leaky transmissions and minimal brakes.

After looking at what Tony presented above as well as some other stuff (including some sites in the GoDaddy realm that I've blocked on my servers) I believe Tony's analysis is correct: this is a scam, not a legitimate blackhole list trying to stop spammers.

Mon Jul 10 01:07:20 2006: 2232   dhart

You have attempted to pass off this annoying article as authoritative when you posted it as such: /
Security /fake_blacklists.html. This has nothing to do with security. It is OPINION and uninformed and unqualified as is the so-called authority you cite; Slashdot, in my opinion, relies mainly upon anonymous high school freshmen for it's 'authority' - certainly the majority of it's contributors are sophomoric at best.

(link) does not refer to any sort of page requesting payment it's a 404 page . You've leapt to the conclusion that something sinister is going on here. As a resoning intelligent adult, you can't possibly value paranoid suspicion over fact .

Refile this article in the appropriate category: dark suspicion born of paranoia. It's still not authoritative simply because you've made a rebuttal citing an uninformed, unqualified source. In fact it's not authoritative regardless of how many times you say it is.

And repetition won't make your rebuttal more authoritative - don't even try that, it won't work either.

Mon Jul 10 09:32:20 2006: 2233   TonyLawrence

Oh poo.

You are confusing location with intent, and willfully ignoring the plain language of OPINION and supposition.

Can you present anything that shows this as a legitimate blacklisting service? Where does one sign up? Why does it cheerfully accept any ip and say that said ip is "a source of spam or virus email"? Other legitimate blacklist sites allow you to anonymously CHECK ip's - this doesn't appear to.

If it IS a legitimate blacklist site, it surely isn't run very well, is it?

Mon Jul 10 12:26:37 2006: 2234   dhart

Let me reiterate: "(note that godaddy's list doesn't seem to be a public RBL)".

The plain language of opinion and supposition is more useful in fiction, as I've shown.

Mon Jul 10 17:10:45 2006: 2236   BigDumbDinosaur

I'm not sure what Mr./Ms. Dhart's issue might be with what has been presented, but I detect a strong odor of obfuscation on his/her part. I do not believe that this secureserver.net thing is a legit RBL and I do believe it is a scam that is attempting to extort money from unsuspecting people. The Internet is just full of scammers and other assorted crooks, and this sure has the look and feel of that sort of thing. Perhaps Mr./Ms. Dhart might wish to follow up on this and conclusively prove that we are blowing smoke here.

Refile this article in the appropriate category: dark suspicion born of paranoia. It's still not authoritative simply because you've made a rebuttal citing an uninformed, unqualified source. In fact it's not authoritative regardless of how many times you say it is.

And repetition won't make your rebuttal more authoritative - don't even try that, it won't work either.

I don't recall reading anything in the article that gave the impression of being authoritative -- that word or anything like it was not used anywhere. I did read some statements that were given as opinion, not absolute fact, and others that are most likely fact. My own examination of the nature of the secureserver.net domain supports the conclusion that it is a scam site.

Aside from the fact that this is Tony's site and he is free to post whatever he thinks is appropriate -- fact or not -- his opinions carry a lot more weight with me than yours. I've yet to read anything here that wasn't substantially accurate, and when something was subsequently discovered to be at odds with the facts, a correction was usually posted in short order. As for the paranoia angle, you sound too much like certain "journalists" who simply can't agree with anything unless they wriote it.

BTW, do you own stock in GoDaddy? &lt;Smile&gt;

Mon Jul 10 19:02:04 2006: 2237   TonyLawrence

Part of the problem here may be simpl;e misunderstanding, which is surely my fault for not writing more plainly.

I'll try to rectify that.

First, the client's ip is not I obfuscated their actual IP with that pattern. Secondly, the MX's for the address they were attempting to send mail to do NOT include FRONT4.COM, yet that is the name used by the machine that emitted the referral to "unblock.securesever.net".

It just all looks fishy, but yes, Dirk, this is OPINION - as indicated by the use of words like "suspicious" and "I think".

If I'm reading you correctly, your main objection seems to be where I located the post - Security rather than Opinion. I'm afraid that your feeling about what I might put under what directory is misplaced: it's rather arbitrary. Yes, theis is an OPINION about a possible SECURITY issue - I could have located it either place, but chose the one that makes you appear to be angry.

Or perhaps you are angry because I have denigrated GoDaddy. I'm not backing down from that opinion, regardless of how much good luck you may have personally had with them. I pay probably 10 or 15 times as much to NS as you do to GoDaddy, and you may think me a fool for doing so, but there it is: I'd rather pay for quality. You may argue that the "quality" is only a figment of my imagination, but I've dealt with too many people with GoDaddy problems to agree.

Anyway.. I don't "refile" items unless it was real error, and this is not. It's deliberate, and I stand by the placement and my opinion.

Sorry to upset you. I'll buy an atonement lunch next time we cross paths.

Mon Jul 10 19:20:49 2006: 2238   dhart

All I've done is chase around the info Tony presented and found that the conclusions he came to are unfounded. I also object to the authorities Tony has cited as authoritative. BDD - you read too much into these comments.

Thu Jul 13 19:23:38 2006: 2251   TonyLawrence

Hey Dirk:

You were right :-)

Turns out the address they were sending to does mx to secureserver.net, so that was legit. I must have mistyped when I checked their mx or maybe they changed recently - whatever, it was properly directed to one of secureserver.net's mail machines, and it was that machine that invoked the blacklist.

See what happens when you can't type?

Kerio Connect Mailserver

Kerio Samepage

Kerio Control Firewall

Have you tried Searching this site?

Unix/Linux/Mac OS X support by phone, email or on-site: Support Rates

This is a Unix/Linux resource website. It contains technical articles about Unix, Linux and general computing related subjects, opinion, news, help files, how-to's, tutorials and more.

Contact us

Basic happened to be on a GE timesharing system that was done by Dartmouth, and when GE decided to franchise that, it started spreading Basic around just because it was there, not because it had any intrinsic merits whatsoever. (Alan Kay)

The danger of computers becoming like humans is not as great as the danger of humans becoming like computers. (Konrad Zuse)

This post tagged: