>> A similar idea, without the "back-channel" flaw, is to test the
>> domain for either 'CNAME' or 'A' record 'wildcards' (as in the commands
>> "dig '*.spammer_domain.tld' a" and "dig '*.spammer_domain.tld' cname").
>> This is an excellent spam sign (the host portion of the name is often
>> mapped back into a database to determine the actual recipient). Legitimate
>> domains will use wildcards for 'NS', 'MX' and even occasionally for some
>> more obscure records, but an 'A' or 'CNAME' record is nearly always a
>> spammer.
>>
>> Check this out with any spam you've gotten with a hostname other
>> than "www" (about 70% of what I see).
>
> Ooh, interesting trick, thanks Paul! Have you got any idea of
> how much spam hits this?
>
> A great way to make life harder for spammers ;)
>
> - --j.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.5 (GNU/Linux)
> Comment: Exmh CVS
>
> iD8DBQFCknqJMJF5cimLx9ARAjP/AJ9MI1R577iNtzrs1nWWuT4IgX05yQCfROq/
> qMMm1iD9xxIP6g4rEV9/mxw=
> =JOJg
> -----END PGP SIGNATURE-----

Looks like I slightly overestimated. I just checked the last 40 spams I
received. After ignoring 419s, stock pumps and phishing, I found 14 without
wildcards and 21 with: exactly 60% (only one had a 'CNAME' wildcard; the rest
were all 'A' record wildcards). Much to my surprise, when I tested them all,
13 of the 21 wildcards were matched by a "www.subdomain" name. I've never seen
a case of a valid domain using them for 'A' or 'CNAME' records, but I can
think up (admittedly marginal) cases where an administrator might want to for
a subdomain of an SLD. I can't come up with a single reason to use them on an
SLD itself, but maybe someone else can.

So the answer looks like 60% with 0% FPs. (But what I get is very biased
because of the large amount of filtering at both the MTA level and in front
of SA.) If a few other people could test and report, that would probably be
helpful.

Paul Shupak
[EMAIL PROTECTED]
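The check Paul describes, written out as a small script (an added example, not the poster's code and not part of SpamAssassin): for a hostname pulled out of a spam URL, walk up its parent zones and issue the equivalent of `dig '*.zone' a` and `dig '*.zone' cname`; a hit at any level is the spam sign, while wildcard MX/NS records are only reported, never counted, because legitimate zones use those. The resolver is pluggable: `fake_resolve` answers from a constructed zone table so the script runs offline, and `dnspython_resolve` is an adapter that assumes the third-party dnspython package for live lookups. The two-label stop (`MIN_ZONE_LABELS`) is an assumption that approximates "the SLD"; a real deployment would use the Public Suffix List so that `co.uk`-style suffixes are not treated as zones.

```python
"""Wildcard A/CNAME check for hostnames taken from spam URLs.

Added example for the heuristic discussed in the thread above; not the
poster's code. Names and addresses below are constructed (.test / RFC 5737).
"""
from typing import Callable, Dict, List, Tuple

# A resolver takes (qname, rtype) and returns the answer rdata as strings,
# or an empty list for NXDOMAIN / NODATA.
Resolver = Callable[[str, str], List[str]]

# Wildcards of these types are the spam sign from the post ...
SUSPICIOUS_TYPES = ("A", "CNAME")
# ... while legitimate zones commonly wildcard these; report but do not flag.
BENIGN_TYPES = ("MX", "NS")

# Assumption: stop walking up at two labels (approximates the SLD).
MIN_ZONE_LABELS = 2


def parent_zones(hostname: str) -> List[str]:
    """Zones above the hostname, nearest first, down to MIN_ZONE_LABELS labels.
    'www.x.example.test' -> ['x.example.test', 'example.test']."""
    labels = hostname.rstrip(".").lower().split(".")
    return [".".join(labels[i:]) for i in range(1, len(labels) - MIN_ZONE_LABELS + 1)]


def wildcard_types(zone: str, resolve: Resolver,
                   types: Tuple[str, ...] = SUSPICIOUS_TYPES + BENIGN_TYPES) -> Dict[str, List[str]]:
    """Equivalent of `dig '*.zone' <type>` for each type; returns the types that answered."""
    found: Dict[str, List[str]] = {}
    for rtype in types:
        answers = resolve("*." + zone, rtype)
        if answers:
            found[rtype] = answers
    return found


def wildcard_findings(hostname: str, resolve: Resolver) -> List[Tuple[str, str, List[str]]]:
    """(zone, rtype, answers) for every parent zone with an A or CNAME wildcard."""
    findings = []
    for zone in parent_zones(hostname):
        for rtype, answers in wildcard_types(zone, resolve, SUSPICIOUS_TYPES).items():
            findings.append((zone, rtype, answers))
    return findings


def is_wildcard_spam_sign(hostname: str, resolve: Resolver) -> bool:
    return bool(wildcard_findings(hostname, resolve))


# Constructed zone data for offline demonstration.
FAKE_ZONE = {
    ("*.spammer-example.test", "A"): ["192.0.2.10"],          # SLD-level A wildcard
    ("*.tracking.other-example.test", "CNAME"): ["edge.other-example.test."],
    ("*.legit-example.test", "MX"): ["10 mail.legit-example.test."],  # benign wildcard
    ("www.legit-example.test", "A"): ["192.0.2.20"],
}


def fake_resolve(name: str, rtype: str) -> List[str]:
    """Answer from FAKE_ZONE, synthesising wildcard matches roughly as a
    nameserver would: a '*.zone' record answers for any name below zone."""
    labels = name.rstrip(".").lower().split(".")
    exact = FAKE_ZONE.get((".".join(labels), rtype))
    if exact is not None:
        return list(exact)
    for i in range(1, len(labels)):
        wild = FAKE_ZONE.get(("*." + ".".join(labels[i:]), rtype))
        if wild is not None:
            return list(wild)
    return []


def dnspython_resolve(name: str, rtype: str) -> List[str]:
    """Live adapter; assumes the third-party dnspython package is installed."""
    import dns.exception
    import dns.resolver
    try:
        return [r.to_text() for r in dns.resolver.resolve(name, rtype)]
    except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer,
            dns.resolver.NoNameservers, dns.exception.Timeout):
        return []


if __name__ == "__main__":
    for host in ("www.x7f3.spammer-example.test",
                 "www.tracking.other-example.test",
                 "www.legit-example.test"):
        print(host, is_wildcard_spam_sign(host, fake_resolve),
              wildcard_findings(host, fake_resolve))
```

Note that the deeper parent zones of a host under an SLD-level wildcard also answer for `*.subdomain.sld.tld`, because a `*.zone` record matches names several labels below it; the findings list therefore reports every level that answered, and the verdict is simply whether the list is non-empty. Swap `fake_resolve` for `dnspython_resolve` to run the same walk against real zones.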