> -----Original Message-----
> From: David B Funk [mailto:[EMAIL PROTECTED]
> Sent: Friday, March 05, 2004 10:27 PM
> To: Chris Santerre
> Cc: 'Robert Brooks'; SpamAssassin Mailing List
> Subject: RE: New grubby med spammer sneaking through
>
>
> On Fri, 5 Mar 2004, Chris Santerre wrote:
>
> > I was the loudest voice screaming for this. SA devs opened a bug on it.
> > (Wish I could find it again!) Then I realised the 1 SERIOUS flaw with it.
> >
> > With a DNSRBL and email there is one sender to check. With URLs there is no
> > limit to how many one could put in a spam. A spammer could simply flood the
> > spam with good and bad URLs. This would cause a timeout and simply skip the
> > test. You could limit the number of URLs, but the spammers would simply add
> > that many good ones in.
> >
> > I've even spoken to RBL hosts. Some fear what this would do to their
> > servers. The number of lookups would skyrocket.
> >
> > So the only thing I can think of is a local RBL. :(
> >
> > --Chris
>
> It may be a problem but probably not. When you do -any- DNS lookup
> your local DNS server will cache the answer and locally hand it out on
> repeated lookups. So if that spam has 20 URLs there would be 1 hit
> against the remote DNSRBL server and 19 local repeats,
> unless the spammer registered 20 different domains and puts them all
> into their spam. But then all 20 answers would be cached for the
> next instance of that spam.
>
> One other way to approach this question: use either 'whois' or DNS NS
> records as a spam indicator.
> Spammers can register bunches of domain names but each name will cost
> them something, so they tend to look for registrars that offer bulk
> discounts. I'll bet that if you check the registration info for many of
> those spamdomains, you'll find that they're registered with a few
> specific sites (several of those being in China).
>
> Only problem is that 'whois' lookups tend to be slow and can time out.
> DNS NS record lookups are quick and easy. Often legit businesses will
> have their own DNS servers or use their ISP's. The bulk registration
> customers (spammers) are more likely to use the DNS services provided
> by the bulk registrars, rather than bothering with finding their own.
>
> I'll bet that if you check the DNS NS records for all those spam-domains
> you see in those fake-meds spams you'll find that the majority of them
> are listed as one of a half-dozen specific servers.
>
> E.g.: nicsimple.com, domain2004.com, arxcom.com, xinnet.cn, namelite.com,
> nsfornothing.biz
>
> Another spam indication would be to look at the number of NS records
> registered for a given domain. A legit business cares about the
> reliability of its net presence and will register 2 or more DNS servers.
> Spam-domains will sometimes have only 1 DNS server of record.
>
> --
> Dave Funk University of Iowa
Maybe I'm confused. I'm not talking about DNS lookups, but RBL lookups. Those don't get cached. I've even talked to a few RBL providers and they also don't like this idea.

I've seen spam with all sorts of URL fodder in it. These hijack small images (like bullets, diamonds, etc.) from legit sites. I've seen spam with about 20-30 different domain URLs to confuse both Bayes and my Bigevil scripts. A spammer could simply put in 30 different URLs and the URI RBL lookup would 1) time out, 2) dramatically increase the load on an RBL server.

Unless this can be solved, I'm against it. :(

--Chris
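To make the two positions in this exchange concrete, here is an added example in Python (not code from the thread, from SpamAssassin, or from either poster). It extracts the distinct registrable domains linked from a message body, applies a lookup cap so a URL-stuffed message reports skipped domains instead of silently timing out, and runs Dave's two NS-record indicators (a domain with a single nameserver, or a nameserver under one of the bulk-registrar domains he lists) against a stub resolver. The message body, the stub resolver's answers, the `.example` names and the simplified registrable-domain rule are all constructed for the illustration; the only thing taken from the thread is Dave's list of nameserver domains.

```python
"""Added illustration of the URI-lookup discussion above.
Not SpamAssassin code and not either poster's. The body, stub resolver
and registrable-domain rule are constructed; the nameserver list is
Dave's guess from the quoted message."""
import re
from urllib.parse import urlsplit

# Nameserver domains Dave bets the fake-meds spam domains share.
BULK_REGISTRAR_NS = {
    "nicsimple.com", "domain2004.com", "arxcom.com",
    "xinnet.cn", "namelite.com", "nsfornothing.biz",
}

# Matches http(s):// links and bare www. links in a text/HTML body.
URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.I)

# Assumed simplification, not the public-suffix list: a few common
# second-level labels under two-letter ccTLDs (so bbc.co.uk is kept whole).
CC_SECOND_LEVEL = {"co", "com", "net", "org", "ac", "gov"}


def registrable_domain(host):
    """Collapse a hostname to the domain somebody had to register."""
    labels = host.lower().rstrip(".").split(".")
    if (len(labels) >= 3 and len(labels[-1]) == 2
            and labels[-2] in CC_SECOND_LEVEL):
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def count_urls(body):
    """Raw link count, the number Chris is worried about."""
    return len(URL_RE.findall(body))


def extract_domains(body):
    """Distinct registrable domains in body, first-seen order.
    This is what turns Chris's '30 URLs' into Dave's 'one hit plus
    cached repeats': only distinct domains cost a lookup."""
    seen = []
    for m in URL_RE.finditer(body):
        url = m.group(0)
        if not url.lower().startswith("http"):
            url = "http://" + url
        host = urlsplit(url).hostname
        if not host:
            continue
        dom = registrable_domain(host)
        if dom not in seen:
            seen.append(dom)
    return seen


def ns_heuristics(domains, resolve_ns, max_lookups=20):
    """Apply Dave's two NS indicators to at most max_lookups domains.
    resolve_ns(domain) returns nameserver hostnames, [] on failure.
    Domains past the cap are reported as skipped, not dropped, so a
    flood of links cannot quietly switch the whole test off."""
    checked, skipped = domains[:max_lookups], domains[max_lookups:]
    results = {}
    for dom in checked:
        ns = resolve_ns(dom)
        ns_domains = {registrable_domain(n) for n in ns}
        results[dom] = {
            "ns_count": len(ns),
            "single_ns": len(ns) == 1,
            "bulk_registrar_ns": bool(ns_domains & BULK_REGISTRAR_NS),
        }
    return {"lookups": len(checked), "checked": results, "skipped": skipped}


def flagged_domains(body, resolve_ns, max_lookups=20):
    """Domains in body that trip either indicator."""
    report = ns_heuristics(extract_domains(body), resolve_ns, max_lookups)
    return [d for d, r in report["checked"].items()
            if r["single_ns"] or r["bulk_registrar_ns"]]


# Constructed sample: one spam link padded with hijacked images from
# ordinary-looking sites, the pattern Chris describes.
SAMPLE_BODY = """\
<img src="http://www.example.com/images/bullet.gif">
<img src="http://example.com/images/diamond.gif">
<a href="http://cheap-pills.example/order?id=7">Order now</a>
<img src="http://shop.example.org/img/spacer.gif">
<img src="http://www.example.net/pix/dot.gif">
<img src="http://pics.example.net/a.gif">
<a href="http://cheap-pills.example/order?id=8">Order now</a>
Visit www.news.example.org/front.html for more
"""

# Constructed stub answers standing in for real NS queries.
STUB_NS = {
    "example.com": ["ns1.isp.example", "ns2.isp.example"],
    "example.org": ["ns1.isp.example", "ns2.isp.example"],
    "example.net": ["ns1.isp.example", "ns2.isp.example"],
    "cheap-pills.example": ["ns1.nicsimple.com"],
}


def stub_resolve_ns(domain):
    return STUB_NS.get(domain, [])


if __name__ == "__main__":
    print(count_urls(SAMPLE_BODY), "URLs ->", extract_domains(SAMPLE_BODY))
    print(flagged_domains(SAMPLE_BODY, stub_resolve_ns))
```

Run as written, the eight links collapse to four domains, of which only cheap-pills.example trips either indicator; with max_lookups=2 the last two domains come back in the skipped list instead of being looked up. A real deployment would replace stub_resolve_ns with an NS query through a caching resolver with a timeout, and would take the registrable-domain rule from the public suffix list rather than the two-letter-TLD shortcut used here.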
