Vocus Pt. I, wherein PRWeb re-use a very old list
I figured they might have sent to their suppression list or re-used an old list ‘accidentally’ as seems to be happening a lot these days. Just ask the Direct Marketing Association.
For those of you playing along at home, here are the headers:
To: Neil Schwartzman <neil @ cauce.org>
Reply-to: PRWeb <reply@prweb.com>
Subject: IMPORTANT: New Account Security Information
Return-Path: <bounce@bounce.go.vocus.com>
Received: (qmail 93526 invoked by uid 1014); 6 Nov 2013 17:38:11 -0000
Received: (qmail 93521 invoked from network); 6 Nov 2013 17:38:10 -0000
Received: from mail04.prsoftware.vocus.com (mail04.prsoftware.vocus.com [204.92.114.28]) by smtp.abuse.net ([64.57.183.109]) with ESMTP via TCP port 51514/25 id 542742305; 06 Nov 2013 17:38:08 -0000
Authentication-Results: iecc.com; spf=pass spf.mailfrom=bounce@bounce.go.vocus.com spf.helo=mail04.prsoftware.vocus.com; dkim=pass header.d=prweb.com header.b="c+1DMr6P"; dmarc=pass header.from=prweb.com policy=none
Dkim-Signature: v=1; a=rsa-sha256; c=simple/simple; d=prweb.com; i=reply@prweb.com; q=dns/txt; s=dk1024-2012; t=1383759488; x=1415295488; h=message-id:mime-version:from:to:reply-to:date:subject; bh=YQxY71fBfkOrFXafFROyaBDX1fYpqgPIgu/sW01962g=; b=c+1DMr6P7FZQNE5RGq+CHJyehOo+AYkWhrxKB88Jvf41pP9xcrkoi/Dh 3jGTLwCpVspLQxFgEo2VT0xWMALdr0bbkqBwjKS1FXzjeWI/B0dMhgr2Z nOmFqgaRBvuit49hRRsB3Y5cbvnTQxVNqgf9WXJjflVTf2TmkvXjRTo0a k=;
Message-Id: <001d693da1e54c958a8deaf6df84feff@1321>
X-Binding: 1321
X-Elqpod: 0x04D4AA276AEFAC548AF4C2541180280C6E4E16410A533B620AAC2EC8FC2601D8
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary=--boundary_710603_664a29b4-1459-41d9-a94f-6edd46c4e280
PRWeb uses Vocus in the 204.92.114.28/29 range, specifically:
204.92.114.28 Sent X mail04.prsoftware.vocus.com
204.92.114.29 Sent X mail05.prsoftware.vocus.com
204.92.114.30 Sent X mail06.prsoftware.vocus.com
This entire /24 is SWIPped to Eloqua, about whom we have heard recently.
MCI Communications Services, Inc. d/b/a Verizon Business UUNET-1-A (NET-204-92-0-0-1) 204.92.0.0 – 204.92.255.255
Eloqua Corporation ELOQUAUU9 (NET-204-92-114-0-1) 204.92.114.0 – 204.92.114.255
Interestingly, they are snowshoeing, but this may be because they didn’t leave space for expansion on the earlier range:
204.92.114.188 Sent X mail01.prsoftware.vocus.com
204.92.114.189 Sent X mail02.prsoftware.vocus.com
204.92.114.190 Sent X mail03.prsoftware.vocus.com
I can’t recommend blocking the entire /24, as there are many legitimate senders in there (human shields?), but this small plaxo.com sub-set does warrant some attention:
204.92.114.11 Sent X mail01.cloud.plaxo.com
204.92.114.12 Sent X mail02.cloud.plaxo.com
204.92.114.13 Sent X mail03.cloud.plaxo.com
Plaxo is, of course, an ‘address book synchronization service’ that has had repeated incidents of spam allegations rightfully leveled against them:
- Why my address book is spamming you? – ZDNet, 2003
- Now That Plaxo Spam Has Annoyed Enough People, It’s Time To Fade It Out? – TechDirt, 2006
- Plaxo Goes Back To Being A Smart Address Book, Launches Virtual Assistant – TechCrunch, 2011
“Plaxo has had its fair share of ups and downs. Back in 2006, the company famously wrestled with spamming allegations and was later the subject of controversy over the screen scraping techniques it used to pull contacts from Facebook.”
“Google warns users about potential unauthorized account access after spammers use back door at Plaxo, CNET has learned”
Suggested ranges suitable for blocking
- 204.92.114[.11-.13]
- 204.92.114[.28-.30]
- 204.92.114[.188-.190]
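The bracketed ranges above are not in a form most MTA or firewall blocklists accept. As an added example (not part of the original post; the function names are my own), this Python code expands them into the smallest CIDR blocks that cover them and checks the connecting IP from the sample Received header against the result:

```python
import ipaddress
import re

# Ranges exactly as written in the post's "Suggested ranges" list.
SUGGESTED = ["204.92.114[.11-.13]", "204.92.114[.28-.30]", "204.92.114[.188-.190]"]

# Received header copied from the sample message in the post.
RECEIVED = (
    "Received: from mail04.prsoftware.vocus.com "
    "(mail04.prsoftware.vocus.com [204.92.114.28]) by smtp.abuse.net "
    "([64.57.183.109]) with ESMTP via TCP port 51514/25 id 542742305; "
    "06 Nov 2013 17:38:08 -0000"
)

RANGE_RE = re.compile(r"^(\d+\.\d+\.\d+)\[\.(\d+)-\.(\d+)\]$")
# Peer as recorded by the receiving MTA: "from <helo> (<rdns> [<ip>])".
PEER_RE = re.compile(r"from\s+\S+\s+\([^\[\)]*\[(\d{1,3}(?:\.\d{1,3}){3})\]\)")


def range_to_cidrs(spec):
    """Expand 'a.b.c[.x-.y]' into the minimal CIDR networks covering x..y."""
    m = RANGE_RE.match(spec)
    if not m:
        raise ValueError(f"unrecognised range: {spec!r}")
    first = ipaddress.IPv4Address(f"{m.group(1)}.{m.group(2)}")
    last = ipaddress.IPv4Address(f"{m.group(1)}.{m.group(3)}")
    return list(ipaddress.summarize_address_range(first, last))


def blocklist(specs):
    """Flatten every range into one list of networks, in the order given."""
    return [net for spec in specs for net in range_to_cidrs(spec)]


def connecting_ip(received):
    """Return the peer IP from a Received header, ignoring the 'by' host."""
    m = PEER_RE.search(received)
    return m.group(1) if m else None


def is_listed(ip, nets):
    """True when ip (a string, or None) falls inside any listed network."""
    return ip is not None and any(ipaddress.ip_address(ip) in n for n in nets)


if __name__ == "__main__":
    nets = blocklist(SUGGESTED)
    print("\n".join(str(n) for n in nets))
    print(connecting_ip(RECEIVED), "listed:", is_listed(connecting_ip(RECEIVED), nets))
```

The resulting /31 and /32 blocks cover exactly the nine addresses named in the post and nothing else in the /24.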