Quoting Justin Mason <[EMAIL PROTECTED]>:

        A similar idea, without the "back-channel" flaw is to test the
domain for either 'CNAME' or 'A' record `wildcards' (as in the command
"dig '*.spammer_domain.tld' a" and "dig '*.spammer_domain.tld' cname").
This is an excellent spam sign (the host portion of the name is often
mapped back into a database to determine the actual recipient).  Legitimate
domains will use wildcards for 'NS', 'MX' and even occasionally for some
more obscure records, but an 'A' or 'CNAME' record is nearly always a
spammer.

        Check this out with any spam you've gotten with a hostname other
than "www" (about 70% of what I see).

Ooh, interesting trick, thanks Paul! Have you got any idea of
how much spam hits this?

I'll modify one of the test programs I have around so that:
For each URL/mail hostname:
  Check for wildcards in domain
      if yes - message is spam - output this case
      if no - look up the IP as I mentioned previously and then check with RBLs

Hosts without wildcards should be fairly safe to resolve to an IP.

I deleted my last test database of spam messages, but I'm sure I can come up
with at least a few hundred from my old yahoo account!

-- Evan
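The wildcard test Paul describes and the check order Evan sketches, as an added Python example (not code from either of them); it runs against a constructed in-memory stand-in for DNS, so the zone names, the rbl.example list zone and the two-label registered-domain rule are assumptions, and it probes a random label rather than the literal '*' name, which has the same effect as the dig command above.

```python
import random
import string

# Constructed stand-in for DNS (example data, not real zones). Keys are
# (owner name, record type); a real checker would query a resolver instead.
FAKE_DNS = {
    ("www.legit.example", "A"): ["192.0.2.10"],
    ("*.legit.example", "MX"): ["mail.legit.example"],   # wildcard MX: normal, benign
    ("*.spammer.example", "A"): ["198.51.100.7"],        # wildcard A: the spam sign
    ("promo.other.example", "A"): ["203.0.113.5"],       # no wildcard, but IP is RBL-listed
    ("5.113.0.203.rbl.example", "A"): ["127.0.0.2"],     # DNSBL convention: reversed IP under the list zone
}

def lookup(name, rtype):
    """Resolve name/rtype against FAKE_DNS, honouring '*' wildcards as a zone would."""
    if (name, rtype) in FAKE_DNS:
        return FAKE_DNS[(name, rtype)]
    labels = name.split(".")
    for i in range(1, len(labels)):
        hit = FAKE_DNS.get(("*." + ".".join(labels[i:]), rtype))
        if hit:
            return hit
    return []

def registered_domain(hostname):
    # Assumption: the last two labels form the registered domain (real code would use the public-suffix list).
    return ".".join(hostname.split(".")[-2:])

def has_wildcard(domain, resolve=lookup):
    """Paul's test: does an arbitrary label under the domain still get an A or CNAME answer?"""
    nonce = "".join(random.choices(string.ascii_lowercase, k=12))  # random label, same effect as dig '*.domain'
    return any(resolve(f"{nonce}.{domain}", rtype) for rtype in ("A", "CNAME"))

def rbl_listed(ip, zone="rbl.example", resolve=lookup):
    """DNSBL check: query the reversed-octet IP under the list zone; any A answer means listed."""
    return bool(resolve(".".join(reversed(ip.split("."))) + "." + zone, "A"))

def classify(hostname, resolve=lookup):
    """Evan's procedure: wildcard -> spam; otherwise resolve the host and consult the RBL."""
    if has_wildcard(registered_domain(hostname), resolve):
        return "spam:wildcard"
    ips = resolve(hostname, "A")
    if any(rbl_listed(ip, resolve=resolve) for ip in ips):
        return "spam:rbl"
    return "clean"

if __name__ == "__main__":
    for h in ("www.legit.example", "abc123.spammer.example", "promo.other.example"):
        print(h, "->", classify(h))
```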
