On Thursday, September 9, 2004, 2:52:53 PM, Matt Kettler wrote: > At 05:23 PM 9/9/2004, Chris Santerre wrote: >>OOOOOOHHHHH yeah! I didn't know that! Are we sure this is actually what it >>means and not just a miss-syntaxed paragraph? It actually resolves the IP >>against the RBL lookup? >> >>If so....well then...problem solved, and devs get a cookie :)
> Actually, upon closer read it checks the IP of the NS record.. So it's > essentially blacklisting the IP's of the DNS servers that spammers are using. > So, for http://www.merchantsoverseas.com, it would look at your NS records: > MerchantsOverseas.com. 18185 IN NS auth20.ns.wcom.com. > MerchantsOverseas.com. 18185 IN NS auth10.ns.wcom.com. > And would check the IPs 198.6.100.37 (auth20.ns.wcom.com) and > 198.6.100.21 (auth10.ns.wcom.com) Yes, which is why it's good as an SA rule, which can get a lower score to avoid collateral damage from FPs. In other words it's used as a booster of spam scoring and not an outright block criteria. Jeff C.
