Re: Age of a domain name - a new test?
Jeff Chan wrote:

> Generally speaking whois queries are a poor way to determine domain age, at least for client applications. The whois infrastructure is simply not designed to support the volume of queries required, even if locally cached.

Perhaps CRISP is part of the answer to this problem.

http://www.completewhois.com/other_projects.htm

-- Andreas
Re: Age of a domain name - a new test?
On Mon, 30 Oct 2006, Wolfgang Uhr wrote:

> The test contains the examination of all links in the body. You have to get the date of registration and to calculate the age of these URLs.

There is a URIBL for recently-registered domains - search the list archives for day-old bread.

> Of course for practical use you have to cache those whois requests onto a central server and to provide a complete series of MTAs.

I'm already doing this for a spam-friendly registrar plugin.

http://www.impsec.org/~jhardin/SURBL_registrar/

> Mathias Leisi's opinion is that it is better to avoid a direct spam-ham decision but to score the age of a URL.
>
> 5 days - 5 Points
> 10 days - 3 Points
> 15 days - 1 Point
>
> Maybe this test is interesting for you.

This does sound interesting, and would be a fairly minor change to the spam-friendly registrar plugin. I'll take a shot at it shortly. Pity you didn't post this Friday or I would have fiddled with it over the weekend... :)

I'm thinking the plugin would implement a set of rules like URI_DOM_AGE_[5,10,15,20,25,30] and let the normal scoring and score customization methods apply.

Comments?

--
John Hardin KA7OHZ ICQ#15735746 http://www.impsec.org/~jhardin/
[EMAIL PROTECTED] FALaholic #11174 pgpk -a [EMAIL PROTECTED]
key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
...the Fates notice those who buy chainsaws...
-- www.darwinawards.com
---
Tomorrow: Halloween
RE: Age of a domain name - a new test?
It's also one of the MANY things we look at for URIBL submissions.

--Chris
RE: Age of a domain name - a new test?
On Mon, 30 Oct 2006, Chris Santerre wrote:

> It's also one of the MANY things we look at for URIBL submissions.

Good, but a domain has to be submitted to you for URIBL inclusion before you look at that, no? A plugin would eliminate that on new domains.

-- John Hardin
RE: Age of a domain name - a new test?
-----Original Message-----
From: John D. Hardin [mailto:[EMAIL PROTECTED]]
Sent: Monday, October 30, 2006 3:30 PM
To: Chris Santerre
Cc: Wolfgang Uhr; users@spamassassin.apache.org
Subject: RE: Age of a domain name - a new test?

> On Mon, 30 Oct 2006, Chris Santerre wrote:
>
> > It's also one of the MANY things we look at for URIBL submissions.
>
> Good, but a domain has to be submitted to you for URIBL inclusion before you look at that, no?

Not exactly ;) I can't say anymore.

> A plugin would eliminate that on new domains.

Hell, I'd love to see it as well. Except this data alone does not make a domain evil. It just increases the chances that it is evil. And where would you get this info? How would you feed this list? dailychanges.com?

Essentially you are looking at a URI greylist for whois date info. It's just too prone to FPs.

Thanks,
Chris Santerre
SysAdmin and Spamfighter
www.rulesemporium.com
www.uribl.com
Re: Age of a domain name - a new test?
Chris Santerre wrote:

> -----Original Message-----
> From: John D. Hardin [mailto:[EMAIL PROTECTED]
> Sent: Monday, October 30, 2006 3:30 PM
> To: Chris Santerre
> Cc: Wolfgang Uhr; users@spamassassin.apache.org
> Subject: RE: Age of a domain name - a new test?
>
> > On Mon, 30 Oct 2006, Chris Santerre wrote:
> >
> > > It's also one of the MANY things we look at for URIBL submissions.
> >
> > Good, but a domain has to be submitted to you for URIBL inclusion before you look at that, no?
>
> Not exactly ;) I can't say anymore.
>
> > A plugin would eliminate that on new domains.
>
> Hell, I'd love to see it as well. Except this data alone does not make a domain evil. It just increases the chances that it is evil. And where would you get this info? How would you feed this list? dailychanges.com?

In bulk... if you've got the credibility you should be able to get the info from the TLD operators. There are people getting this for input to their reputation systems.

> Essentially you are looking at a URI greylist for whois date info. It's just too prone to FPs.

I ran a whois plugin (which is quite trivial to implement) for over a year, I don't any more. Unless you've got the data in bulk already it just isn't worth the time to get the info as there are usually far more efficient ways that are less FP prone to catch the spam.

Daryl
RE: Age of a domain name - a new test?
On Mon, 30 Oct 2006, Chris Santerre wrote:

> > A plugin would eliminate that on new domains.
>
> Hell, I'd love to see it as well. Except this data alone does not make a domain evil. It just increases the chances that it is evil. And where would you get this info? How would you feed this list? dailychanges.com?

No, it wouldn't be a real DNS URIBL, but whois with result caching.

> Essentially you are looking at a URI greylist for whois date info.

Exactly.

> It's just too prone to FPs.

I would think a shiny new legitimate domain name would generally only appear in emails among the people setting the domain name services up, and they are all probably mutually whitelisted. But I may be an optimist...

-- John Hardin
RE: Age of a domain name - a new test?
-----Original Message-----
From: Wolfgang Uhr [mailto:[EMAIL PROTECTED]
Sent: maandag 30 oktober 2006 19:05
To: users@spamassassin.apache.org
Subject: Age of a domain name - a new test?

I'm surprised people are so positive about this. Not that I'm negative about it per se, but I have quite a few issues with it. To name a few:

1): Doing high-volume WHOIS queries can come to bite you in the butt. NETWORK SOLUTIONS, LLC., for instance, specifically states:

   "You are not authorized to access or query our WHOIS database through the use of high-volume, automated, electronic processes."

People can ignore that, I reckon; but at their own risk.

2): Blanket assigning of spam-scores to every young domain effectively brands every new domain owner a likely spammer (or if your score were so low that it doesn't matter, then this use of this Domain-Age test is useless to begin with). I see a potential for false positives.

3): WHOIS data tends to be bulky. Not sure I care for such huge overhead. Caching here won't matter, because, as the OP pointed out, these domains just have a very short life-span. You'd essentially be making WHOIS queries all the time.

I'm quite open to the possibility that I'm missing a vital concept of this idea that would allow me to see things in a different light; but for now, I think I'll pass. :)

- Mark
RE: Age of a domain name - a new test?
From: Chris Santerre [mailto:[EMAIL PROTECTED]

> Hell, I'd love to see it as well. Except this data alone does not make a domain evil. It just increases the chances that it is evil. And where would you get this info? How would you feed this list? dailychanges.com?
>
> Essentially you are looking at a URI greylist for whois date info. It's just too prone to FPs.

I'd say reverse the viewpoint. IF the name has been in place for quite some time AND it passes one of the checks that show it's not a spoofed email (SPF, DomainKeys, etc), THEN apply a good strong ham score. (Less strong if the domain's recently been updated)

The more good ham indicators we can include the better, as FPs are the devil themselves :) [And hopefully if we could add a lot of good, strong ham indicators then the spam indicators might all be able to be scored higher, yielding even better catching as well.]

Of course this one's problematic because the TLD providers don't in general provide a quick, efficient network check for this sort of thing. But in general I'd say the more strong ham indicators we find the better.

--
John C. Ring, Jr.
[EMAIL PROTECTED]
Network Engineer
Union Switch Signal Inc.

If men were angels, no government would be necessary. If angels were to govern men, neither external nor internal controls on government would be necessary. -- James Madison
Re: Age of a domain name - a new test?
On Monday, October 30, 2006, 9:56:49 AM, Wolfgang Uhr wrote:

> The test contains the examination of all links in the body. You have to get the date of registration and to calculate the age of these URLs.
>
> Of course for practical use you have to cache those whois requests onto a central server and to provide a complete series of MTAs.

Generally speaking whois queries are a poor way to determine domain age, at least for client applications. The whois infrastructure is simply not designed to support the volume of queries required, even if locally cached. Other problems:

1. Inconsistent record formats
2. Rate limits much lower than the number of domains registered or kited/tasted each day. http://www.bobparsons.com/DomainKiting.html
3. Unavailability of whois for some TLDs

A centralized server would be better, but still subject to some of the problems above.

As a general concept domain age is a pretty good measurement of spam potential, but it's by no means 100%. As others have noted the false positive potential is pretty high.

Jeff C.
--
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/
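
The two ideas discussed in this thread, sketched in Python as an added example (not code from any poster or from the SURBL_registrar plugin): pulling a creation date out of whois text that arrives in inconsistent layouts, and mapping the resulting age onto the proposed URI_DOM_AGE_[5,10,15,20,25,30] rule names. The whois records, the label and date-format lists, and the choice to fire only the tightest bucket are constructed assumptions; a record with no parseable date fires no rule.

```python
import re
from datetime import datetime, timezone

# Thresholds in days, from the proposed URI_DOM_AGE_[5,10,15,20,25,30] rule names.
AGE_BUCKETS = (5, 10, 15, 20, 25, 30)

# Assumed creation-date labels and date layouts; real registries use more variants.
_LABEL = re.compile(
    r"^[ \t]*(?:creation date|created on|record created on|created)"
    r"[ \t]*[:.]?[ \t]*(.+?)[ \t]*\.?[ \t]*$",
    re.IGNORECASE | re.MULTILINE)
_DATE_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d", "%d-%b-%Y %H:%M:%S UTC",
                 "%d-%b-%Y", "%Y.%m.%d")

def creation_date(whois_text):
    """Return the creation date as an aware UTC datetime, or None if none parses."""
    for match in _LABEL.finditer(whois_text):
        for fmt in _DATE_FORMATS:
            try:
                parsed = datetime.strptime(match.group(1), fmt)
                return parsed.replace(tzinfo=timezone.utc)
            except ValueError:
                continue  # wrong layout, or a label hit that is not a date
    return None

def age_rule(whois_text, now):
    """Name of the tightest age rule the record hits, or None if no rule fires."""
    created = creation_date(whois_text)
    if created is None or created > now:
        return None  # no usable date: fire nothing rather than guess
    age_days = (now - created).days
    for limit in AGE_BUCKETS:
        if age_days <= limit:
            return f"URI_DOM_AGE_{limit}"
    return None  # older than the largest bucket

# Constructed whois-style records (not real registry output).
SAMPLES = {
    "iso.example": "Domain Name: ISO.EXAMPLE\nCreation Date: 2006-10-27T04:00:00Z\n",
    "dmy.example": "Created On:22-Oct-2006 12:00:00 UTC\nExpiration Date:22-Oct-2007\n",
    "prose.example": "Created by Registrar: EXAMPLE-REG\nRecord created on 02-Oct-2006.\n",
    "nodate.example": "Domain: nodate.example\nChanged: 2006-10-29\n",
}
NOW = datetime(2006, 10, 30, 12, 0, tzinfo=timezone.utc)

def classify_samples():
    return {domain: age_rule(text, NOW) for domain, text in SAMPLES.items()}
```

Each rule name would then get its own score through the normal scoring configuration, and the parsed dates are what a central cache would store per domain.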