On Fri, 5 Mar 2004, David B Funk wrote:

> On Fri, 5 Mar 2004, Chris Santerre wrote:
>
> > I was the loudest voice screaming for this. SA devs opened a bug on it.
> > (Wish I could find it again!) Then I realised the 1 SERIOUS flaw with it.
> >
> > With a DNSRBL and email there is one sender to check. With URLs there is no
> > limit to how many one could put in a spam. A spammer could simply flood the
> > spam with good and bad URLs. This would cause a timeout and simply skip the
> > test. You could limit the number of URLS, but the spammers would simply add
> > that many good ones in.
> One other way to approach this question, use either 'whois' or DNS-NS
> records as a spam indicator.
> Spammers can register bunches of domain names but each name will cost
> them something, so they tend to look for registrars that offer bulk
> discounts. I'll bet that if you check the registration info for many of
> those spamdomains, you'll find that they're registered with a few
> specific sites (several of those being in China).

That's an interesting hypothesis, and one I just put to a quick-and-dirty
(*very* quick-and-dirty) test. I used this week's corpus of SA-identified
spam, dug out all the URLs I could find, and passed the host names through
a "dig $hostname ANY | grep '<TAB>NS'".

There is _some_ commonality of NS records but not a whole lot that I can
find. The winners are "pharm45454dns.info" (try telling me that *that*
isn't a spam domain), "network-dns.biz", and "name2004.com".
"THEBESTMAIL.US" gets an honourable mention.

Most interesting, however, are the number of hostnames that _didn't_ return
anything other than an NXDOMAIN error or timeouts. I think that _those_ can
be used effectively as scoring hits.

> Another spam indication would be to look at the number of NS records
> registered for a given domain. A legit business cares about the
> reliability of its net presence and will register 2 or more DNS servers.
> Spam-domains will sometimes have only 1 DNS server of record.

That didn't seem to be a good indicator. I only saw four domains that had a
single NS record out of 47 lookups (of the 47, 12 returned timeouts); the
rest returned two or more.

+------------------------------------------------+---------------------+
| Carl Richard Friend (UNIX Sysadmin)            | West Boylston       |
| Minicomputer Collector / Enthusiast            | Massachusetts, USA  |
| mailto:[EMAIL PROTECTED]                       +---------------------+
| http://users.rcn.com/crfriend/museum           | ICBM: 42:22N 71:47W |
+------------------------------------------------+---------------------+
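The survey described in the message above, written out as an added Python example; this is not Carl's dig-and-grep script and not SpamAssassin code. It pulls hostnames out of URLs in a set of message bodies, reduces each to the domain that carries the NS records, and buckets every lookup as NXDOMAIN, timeout, single NS or multiple NS, tallying the NS server names so that shared nameservers stand out. The message bodies and the NS answers are constructed for the example; the stub resolver stands in for `dig $domain NS` (or a real library call) so the code runs offline. Two things the message's procedure left implicit are handled explicitly: the registrable-domain reduction (a naive last-two-labels rule here, an assumption that breaks on suffixes like co.uk) and Chris Santerre's flooding concern, met by deduplicating domains per message and capping lookups.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample message bodies (invented for this example; not real spam).
SAMPLE_CORPUS = [
    "Cheap meds at http://www.pills.example-pharm.info/buy?x=1 "
    "or http://pills.example-pharm.info/",
    "Click http://promo.bulkhost.example.biz/x http://other.bulkhost.example.biz/y "
    "or http://www.example.com/",
    "Visit http://gone.example-dead.net/ for details",
    "Offer at http://slow.example-slow.org/now",
    "Newsletter: https://www.example.com/news and https://docs.example.com/",
]


class LookupTimeout(Exception):
    """Raised by the resolver when no answer arrives in time."""


# Constructed NS answers keyed by registrable domain (invented for this example).
# A list is a normal answer, None means NXDOMAIN, "timeout" means no answer.
STUB_NS_TABLE = {
    "example-pharm.info": ["ns2.pharm-dns.example", "ns1.pharm-dns.example"],
    "example.biz": ["ns1.pharm-dns.example"],
    "example.com": ["ns1.legit-dns.example", "ns2.legit-dns.example"],
    "example-dead.net": None,
    "example-slow.org": "timeout",
}


def stub_resolver(domain):
    """Offline stand-in for 'dig $domain NS'.  Returns a list of NS names,
    None for NXDOMAIN, or raises LookupTimeout."""
    answer = STUB_NS_TABLE.get(domain)   # unknown domains behave like NXDOMAIN
    if answer == "timeout":
        raise LookupTimeout(domain)
    return answer


URL_RE = re.compile(r"https?://[^\s<>\"']+")


def extract_hosts(body):
    """All distinct, lower-cased hostnames found in http(s) URLs in a message body."""
    hosts = set()
    for url in URL_RE.findall(body):
        host = urlsplit(url).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def registrable_domain(host):
    """Reduce a hostname to the domain that actually carries NS records.
    Simplification: keeps the last two labels, which is wrong for suffixes such
    as co.uk; production code should consult the public suffix list."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify(domain, resolver):
    """Classify one domain by its NS answer: nxdomain, timeout, single_ns or multi_ns."""
    try:
        ns = resolver(domain)
    except LookupTimeout:
        return "timeout", []
    if ns is None:
        return "nxdomain", []
    return ("single_ns" if len(ns) == 1 else "multi_ns"), sorted(ns)


def analyse_message(body, resolver, max_lookups=10):
    """Look up each distinct registrable domain in a message, capped at max_lookups.
    Deduplicating first means a flood of URLs on one domain costs one lookup; the
    cap bounds the cost of a flood of distinct domains.  The deterministic sort
    keeps the example reproducible, but it lets a spammer front-load domains that
    sort early; a production filter should sample the domains randomly instead."""
    domains = sorted({registrable_domain(h) for h in extract_hosts(body)})
    return {d: classify(d, resolver) for d in domains[:max_lookups]}


def message_hits(body, resolver, max_lookups=10):
    """Number of looked-up domains that produced NXDOMAIN or a timeout, the two
    outcomes the message above proposes as scoring hits."""
    return sum(1 for cls, _ in analyse_message(body, resolver, max_lookups).values()
               if cls in ("nxdomain", "timeout"))


def summarise_corpus(corpus, resolver, max_lookups=10):
    """Tally outcome classes and NS server names across a corpus, one count per lookup."""
    classes, ns_servers = Counter(), Counter()
    for body in corpus:
        for cls, ns in analyse_message(body, resolver, max_lookups).values():
            classes[cls] += 1
            ns_servers.update(ns)
    return {"classes": classes, "ns_servers": ns_servers}


if __name__ == "__main__":
    summary = summarise_corpus(SAMPLE_CORPUS, stub_resolver)
    print("outcomes:", dict(summary["classes"]))
    print("most common NS servers:", summary["ns_servers"].most_common(3))
    for body in SAMPLE_CORPUS:
        print(message_hits(body, stub_resolver), "hit(s):", body[:50])
```

To run it against live DNS, replace `stub_resolver` with a function that performs an NS query and maps "no such domain" to `None` and a query timeout to `LookupTimeout`; keep the per-message cap, since an unbounded number of lookups is exactly the timeout-and-skip failure the quoted text warns about. Note that a lookup on the full hostname rather than the registrable domain would often return no NS records at all, which the original dig-on-hostname approach would have counted as a miss.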
