Vocus Pt. I, wherein PRWeb re-use a very old list

I figured they might have sent to their suppression list or re-used an old list ‘accidentally’ as seems to be happening a lot these days. Just ask the Direct Marketing Association.

For those of you playing along at home, here are the headers:

To: Neil Schwartzman <neil @ cauce.org>
Reply-to: PRWeb <reply@prweb.com>
Subject: IMPORTANT: New Account Security Information

Return-Path: <bounce@bounce.go.vocus.com>

Received: (qmail 93526 invoked by uid 1014); 6 Nov 2013 17:38:11 -0000
Received: (qmail 93521 invoked from network); 6 Nov 2013 17:38:10 -0000
Received: from mail04.prsoftware.vocus.com (mail04.prsoftware.vocus.com []) by smtp.abuse.net ([]) with ESMTP via TCP port 51514/25 id 542742305; 06 Nov 2013 17:38:08 -0000
Authentication-Results: iecc.com; spf=pass spf.mailfrom=bounce@bounce.go.vocus.com spf.helo=mail04.prsoftware.vocus.com; dkim=pass header.d=prweb.com header.b=”c+1DMr6P”; dmarc=pass header.from=prweb.com policy=none
Dkim-Signature: v=1; a=rsa-sha256; c=simple/simple; d=prweb.com; i=reply@prweb.com; q=dns/txt; s=dk1024-2012; t=1383759488; x=1415295488; h=message-id:mime-version:from:to:reply-to:date:subject; bh=YQxY71fBfkOrFXafFROyaBDX1fYpqgPIgu/sW01962g=; b=c+1DMr6P7FZQNE5RGq+CHJyehOo+AYkWhrxKB88Jvf41pP9xcrkoi/Dh 3jGTLwCpVspLQxFgEo2VT0xWMALdr0bbkqBwjKS1FXzjeWI/B0dMhgr2Z nOmFqgaRBvuit49hRRsB3Y5cbvnTQxVNqgf9WXJjflVTf2TmkvXjRTo0a k=;
Message-Id: <001d693da1e54c958a8deaf6df84feff@1321>
X-Binding: 1321
X-Elqpod: 0x04D4AA276AEFAC548AF4C2541180280C6E4E16410A533B620AAC2EC8FC2601D8
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary=–boundary_710603_664a29b4-1459-41d9-a94f-6edd46c4e280

PRWeb uses Vocus in the range, specifically : Sent X mail04.prsoftware.vocus.com Sent X mail05.prsoftware.vocus.com Sent X mail06.prsoftware.vocus.com

This entire .24 is SWIPped to Eloqua, about whom we have heard recently.

MCI Communications Services, Inc. d/b/a Verizon Business UUNET-1-A (NET-204-92-0-0-1) –
Eloqua Corporation ELOQUAUU9 (NET-204-92-114-0-1) –

Interestingly, they are snowshoeing, but this may be because they didn’t leave space for expansion on the earlier range Sent X mail01.prsoftware.vocus.com Sent X mail02.prsoftware.vocus.com Sent X mail03.prsoftware.vocus.com

I can’t recommend blocking the entire /24, as there are many legitimate senders in there (human shields?) but this small plaxo.com sub-set does warrant some attention Sent X mail01.cloud.plaxo.com Sent X mail02.cloud.plaxo.com Sent X mail03.cloud.plaxo.com

Plaxo is, of course an ‘address book sychnronization service’ that has had repeated incidents of spam allegations rightfully leveled against them :

Plaxo has had its fair share of ups and downs. Back in 2006, the company famously wrestled with spamming allegations and was later the subject of controversy over the screen scraping techniques it used to pull contacts from Facebook.

Google warns users about potential unauthorized account access after spammers use back door at Plaxo, CNET has learned

Suggested ranges suitable for blocking

  • 204.92.114[.11-.13]
  • 204.92.114[.28-.30]
  • 204.92.114[.188-.190]

Pages: 1 2

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Go back to top