In article <mailman.459.1518222411.749.bind-us...@lists.isc.org> you write: >For the record, the issue is not RBLs or legitimate domains, it is = >spammer scum that set super-low DNS because they are shotgunning spam = >from a a vast botnet and they want to have maximal impact, so you get a = >different IP for every spam they send. It is a way of trying to = >overwhelm a machines tarpits, blacklists, sshguard protections, and = >others.
Um, you have it completely backward. Botnets are computers with IP addresses. They don't need DNS pointing at them to send spam. DNSBLs with low TTLs try and list them the moment the first spam hits the spamtraps. There is fast flux DNS for computers running landing pages, but they tend to use a lot of A records at once and don't care about the TTL since they're going for quantity, not quality. >But to answer your question, off-hand, I'd say that any TTL under 60s is = >suspicious and any TTL under 10s is almost certainly intentionally = >abusive. I hope you're not planning to do much spam filtering. R's, John _______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list email@example.com https://lists.isc.org/mailman/listinfo/bind-users