On Fri, 5 Mar 2004, Chris Santerre wrote:

> I was the loudest voice screaming for this. SA devs opened a bug on it.
> (Wish I could find it again!) Then I realised the 1 SERIOUS flaw with it.
>
> With a DNSRBL and email there is one sender to check. With URLs there is no
> limit to how many one could put in a spam. A spammer could simply flood the
> spam with good and bad URLs. This would cause a timeout and simply skip the
> test. You could limit the number of URLs, but the spammers would simply add
> that many good ones in.
>
> I've even spoken to RBL hosts. Some fear what this would do to their
> servers. The number of lookups would skyrocket.
>
> So the only thing I can think of is a local RBL. :(
>
> --Chris

It may be a problem but probably not. When you do -any- dns lookup
your local DNS server will cache the answer and locally hand it out on
repeated lookups. So if that spam has 20 URLs there would be 1 hit
against the remote DNSRBL server and 19 local repeats,
unless the spammer registered 20 different domains and put them all
into their spam. But then all 20 answers would be cached for the
next instance of that spam.

One other way to approach this question, use either 'whois' or DNS-NS
records as a spam indicator.
Spammers can register bunches of domain names but each name will cost
them something, so they tend to look for registrars that offer bulk
discounts. I'll bet that if you check the registration info for many of
those spamdomains, you'll find that they're registered with a few
specific sites (several of those being in China).

Only problem is that 'whois' lookups tend to be slow and can timeout.
DNS-NS record lookups are quick and easy. Often legit businesses will
have their own DNS servers or use their ISPs. The bulk registration
customers (spammers) are more likely to use the DNS services provided
by the bulk registrars, rather than bothering with finding their own.

I'll bet that if you check the DNS-NS records for all those spam-domains
you see in those fake-meds spams you'll find that the majority of them
are listed as one of a half-dozen specific servers.

E.g.: nicsimple.com, domain2004.com, arxcom.com, xinnet.cn, namelite.com,
nsfornothing.biz

Another spam indication would be to look at the number of NS records
registered for a given domain. A legit business cares about the
reliability of its net presence and will register 2 or more DNS servers.
Spam-domains will sometimes have only 1 DNS server of record.

-- 
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{

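As an added example (not code from the post, nor from SpamAssassin), a small Python sketch of the NS-record check described above: it pulls the unique domains out of a message's URLs so each is looked up only once, caps the number of lookups so a flood of URLs cannot stall the test, and flags a domain whose nameservers fall under the bulk-registrar names listed in the post or that has a single NS of record. The resolver, the sample NS data and the `.invalid` domains are constructed stand-ins, not real lookups; `registrable_domain` is a deliberately crude two-label approximation.

```python
import re
from urllib.parse import urlsplit

# Nameserver domains the post names as typical of bulk registrars.
BULK_REGISTRAR_NS = {
    "nicsimple.com", "domain2004.com", "arxcom.com",
    "xinnet.cn", "namelite.com", "nsfornothing.biz",
}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def registrable_domain(host):
    """Crude approximation: last two labels (no public-suffix list)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def domains_in_message(body):
    """Unique registrable domains from the URLs in a message, in order seen."""
    seen = []
    for url in URL_RE.findall(body):
        host = urlsplit(url).hostname
        if host:
            dom = registrable_domain(host)
            if dom not in seen:
                seen.append(dom)
    return seen


def ns_indicators(domain, ns_records):
    """Indicators the post proposes: a lone NS, or NS under a bulk registrar."""
    hits = []
    if len(ns_records) == 1:
        hits.append("single_ns")
    if any(registrable_domain(ns) in BULK_REGISTRAR_NS for ns in ns_records):
        hits.append("bulk_registrar_ns")
    return hits


def score_message(body, lookup_ns, max_lookups=10):
    """lookup_ns(domain) -> list of NS hostnames. Lookups are capped so a
    spam stuffed with URLs cannot push the test into a timeout."""
    return {d: ns_indicators(d, lookup_ns(d))
            for d in domains_in_message(body)[:max_lookups]}


# Constructed sample data: a stub resolver standing in for real NS queries.
SAMPLE_NS = {
    "example.com": ["a.iana-servers.net", "b.iana-servers.net"],
    "cheap-meds-test.invalid": ["ns1.nsfornothing.biz"],
    "other-test.invalid": ["ns1.other-test.invalid", "ns2.other-test.invalid"],
}


def stub_lookup(domain):
    return SAMPLE_NS.get(domain, [])


SAMPLE_BODY = ("Buy now http://www.cheap-meds-test.invalid/x and http://example.com/ "
               "again http://example.com/y and http://other-test.invalid/")
```

Running `score_message(SAMPLE_BODY, stub_lookup)` yields two indicators for the constructed `.invalid` spam domain and none for the others.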