Yeah, I raised the idea of Whois registration date checks a few months ago and was shot down...for various legitimate reasons.

I've thought about the gibberish vs. real domain check as well...problem is it can be very difficult, if not impossible to determine that. Acronyms could be impossible to determine from gibberish domains....though perhaps a combo test with a whois reg. date check might help the accuracy a bit.

However, only about half of the domain names we see like this are gibberish. Many are portions of doctor or prescription-like words stuck together. We could add a small weight to domains that have these fragments, but I wouldn't be comfortable holding on just that....and many of these initial spams don't fail any other of our tests.

Another possibility that comes to mind is recording the total number of identical message bodies that come in over a given time. If more than X in period Y, then signal a body filter to hold it. This would catch a lot of bulk mailers, though, and could easily be defeated by simply varying each message body by a few characters.

Darin.

----- Original Message -----
From: "Nick" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Friday, February 11, 2005 9:46 AM
Subject: Re: [Declude.JunkMail] domain name a name

On 11 Feb 2005 at 8:51, Darin Cox wrote:

Hi Darin -

> Most of what slips through our filters is exactly this. Unfortunately
> I know of no way to block this short of reacting to the first one seen
> and adding a body filter for the URL

Same here and that is exactly what I do.

Mike had a good idea by using a registration date as a penalty, another idea was something along the lines of some sort of non-English test for domain names contained in the body - however I have no idea how to do that -

-Nick

>
> ----- Original Message -----
> From: "Nick" <[EMAIL PROTECTED]>
> To: <[email protected]>
> Sent: Wednesday, February 09, 2005 12:25 PM
> Subject: Re: [Declude.JunkMail] domain name a name
>
>
> I am seeing more and more I guess one would call throw-away domains
> like:
>
> .hdcnsowp.com
> .hcnmvkofut.com
> .eisopfkcnjt.com
> .edhcbxgsyi.com
>
> These are generally in the body of an email; is there a way to
> determine if a domain is in readable format? I would not fail an
> email over this but it would be nice to punish the email at least to
> some degree -
>
> -Nick
>
> ---
> [This E-mail was scanned for viruses by Declude Virus
> (http://www.declude.com)]
>
> ---
> This E-mail came from the Declude.JunkMail mailing list. To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.JunkMail". The archives can be found
> at http://www.mail-archive.com.
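
The "readable format" weighting asked about in this thread, as an added sketch that is not from any list member or from Declude: it scores domain labels found in a message body by vowel ratio and longest consonant run, returning a small weight rather than a hold decision. The thresholds, the minimum label length (used to skip acronyms) and all function names are assumptions.

```python
import re

VOWELS = set("aeiou")  # 'y' is treated as a consonant
# Assumed thresholds, not values from the thread or from Declude.
MIN_LABEL_LEN = 6        # skip short labels so acronyms are not scored
MAX_CONSONANT_RUN = 4    # longer runs are rare in pronounceable labels
MIN_VOWEL_RATIO = 0.25
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
# Constructed sample body using one of the domains quoted in the thread.
SAMPLE_BODY = "Refill today at http://www.hdcnsowp.com/rx before it expires"


def longest_consonant_run(label):
    """Length of the longest run of consecutive consonants."""
    run = best = 0
    for ch in label:
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0  # vowels, digits and hyphens break the run
    return best


def label_weight(label):
    """Return 0, 1 or 2 penalty points for one domain label."""
    label = label.lower()
    letters = [c for c in label if c.isalpha()]
    if len(letters) < MIN_LABEL_LEN:
        return 0
    weight = 0
    if longest_consonant_run(label) > MAX_CONSONANT_RUN:
        weight += 1
    if sum(c in VOWELS for c in letters) / len(letters) < MIN_VOWEL_RATIO:
        weight += 1
    return weight


def body_weight(body):
    """Highest label weight among the domains found in a message body."""
    best = 0
    for domain in DOMAIN_RE.findall(body):
        # Assumption: score the label left of the TLD (no public-suffix list).
        label = domain.split(".")[-2]
        best = max(best, label_weight(label))
    return best
```

As Darin notes in the thread, domains built from real word fragments stuck together pass a test like this, so the result only makes sense as a small weight combined with other tests.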
