On Wed, 11 Jun 2014, Joe Quinn wrote:
On 6/11/2014 11:54 AM, Axb wrote:
On 06/11/2014 05:52 PM, Joe Quinn wrote:
> On 6/11/2014 11:44 AM, John Hardin wrote:
> > Folks:
> >
> > I just came across a PayPal phish that has a potentially useful
> > indicator: the domain referenced in the URI has no MX record defined,
> > so it cannot accept email.
> >
> > Would it be worth another DNS query in URIBL to check whether the
> > domain has an MX record, and add a point if not?
>
> Just off the top of my head, it may cause issues with mass email
> services like Constant Contact which send their email from oodles of
> CDN-like alternate domains which aren't intended to receive email.
>
> I expect you would need to limit it to headers that are clearly intended
> to receive messages (ie, Reply-To, Return-Path, From if the other two
> headers are not present, etc).

Shouldn't the URIBL plugin only look at msg body and not headers..

I don't think so. If you run this rule on a message body that uses a
shortener like goo.gl, it will see that there is no MX record for goo.gl and
FP.

OK, so might need an exclusion list for common widespread cases like this.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
[email protected] FALaholic #11174 pgpk -a [email protected]
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
No representation without taxation!
-----------------------------------------------------------------------
741 days since the first successful private support mission to ISS (SpaceX)
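
The check discussed in this thread, written out as an added Python example; it is not SpamAssassin's URIBL plugin code and was not posted by anyone in the thread. Assumptions: all function names, the constructed zone data and message body, the injected resolver (a real deployment would query DNS), the last-two-labels domain shortcut, and the choice not to score when the lookup itself fails.

```python
import ipaddress
import re
from urllib.parse import urlsplit

EXCLUDED = {"goo.gl"}  # shortener named in the thread; extend per local policy
URI_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)

# Constructed DNS data: domain -> MX hosts ([] = domain exists, no MX record).
SAMPLE_ZONE = {
    "bank.example": ["mx.bank.example"],
    "login-verify.example": [],
    "goo.gl": [],
}
SAMPLE_BODY = (  # constructed message body
    "Your account is limited. Confirm at http://secure.login-verify.example/paypal/ "
    "or read https://www.bank.example/help, https://goo.gl/abc123 "
    "and http://cdn.unresolved.example/x"
)

def sample_lookup(domain):
    """Stand-in resolver: MX list, [] for no MX, None when the lookup failed."""
    return SAMPLE_ZONE.get(domain)

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def uri_domains(body):
    """Distinct domains (last two labels, a simplification) of http(s) URIs."""
    domains = []
    for uri in URI_RE.findall(body):
        try:
            host = (urlsplit(uri).hostname or "").rstrip(".").lower()
        except ValueError:
            continue  # unparsable URI
        if not host or is_ip(host):
            continue  # IP literals have no domain to query for MX
        dom = ".".join(host.split(".")[-2:])
        if dom not in domains:
            domains.append(dom)
    return domains

def no_mx_domains(body, mx_lookup, excluded=EXCLUDED):
    """Non-excluded URI domains that resolved but publish no MX record."""
    return [d for d in uri_domains(body)
            if d not in excluded and mx_lookup(d) == []]

def no_mx_score(body, mx_lookup, points=1.0):
    """Add the point once per message, however many domains lack MX."""
    return points if no_mx_domains(body, mx_lookup) else 0.0
```

Passing `excluded=set()` reproduces the goo.gl false positive raised in the thread.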