From: <[EMAIL PROTECTED]>
> Quoting Justin Mason <[EMAIL PROTECTED]>:
>
> >> A similar idea, without the "back-channel" flaw is to test the
> >> domain for either 'CNAME' or 'A' record `wildcards' (as in the command
> >> "dig '*.spammer_domain.tld' a" and "dig '*.spammer_domain.tld' cname").
> >> This is an excellent spam sign (the host portion of the name is often
> >> mapped back into a database to determine the actual recipient). Legitimate
> >> domains will use wildcards for 'NS', 'MX' and even occasionally for some
> >> more obscure records, but an 'A' or 'CNAME' record is nearly always a
> >> spammer.
> >>
> >> Check this out with any spam you've gotten with a hostname other
> >> than "www" (about 70% of what I see).
> >
> > ooh, interesting trick, thanks Paul! have you got any idea of
> > how much spam hits this?
>
> I'll modify one of the test programs I have around so that:
> For each URL/mail hostname:
> Check for wildcards in domain
> if yes - message is spam - output this case
> if no - lookup IP as I mentioned previously and then check with RBLs
>
> Hosts without wildcards should be fairly safe to resolve to an IP.
>
> I deleted my last test database of spam messages, but I'm sure I can come up
> with at least a few hundred from my old yahoo account!
>
> -- Evan
This might be a good SURBL trick.
{^_^}
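The wildcard A/CNAME check Paul describes, and the wildcard-first, then-resolve-and-check-RBLs procedure Evan sketches, as an added Python example that is not code from this thread or from SpamAssassin/SURBL. It assumes a resolver callback (so the logic runs offline against a constructed zone table), a live resolver that assumes the third-party dnspython package, a parent-domain rule that simply takes the last two labels (an assumption; it does no public-suffix handling), and constructed hostnames, addresses and an RBL zone under `.test` / RFC 5737 ranges. The fake resolver synthesizes one level of wildcard answers so it behaves the way a real server does when `tracker123.spammer-example.test` is asked for.

```python
"""Wildcard A/CNAME spam sign plus the wildcard-then-RBL procedure from the thread.
Added example; the resolver is injected so the logic can run offline."""
from typing import Callable, Dict, List, Tuple

# resolve(qname, rtype) -> answer strings; [] stands for NXDOMAIN or NODATA.
Resolver = Callable[[str, str], List[str]]


def has_wildcard(domain: str, resolve: Resolver,
                 rtypes: Tuple[str, ...] = ("A", "CNAME")) -> Dict[str, List[str]]:
    """Ask for the literal '*' label, as `dig '*.domain' a` does.
    Returns the record types that answered, mapped to their answers; {} means clean."""
    hits: Dict[str, List[str]] = {}
    for rtype in rtypes:
        answers = resolve(f"*.{domain}", rtype)
        if answers:
            hits[rtype] = answers
    return hits


def parent_domain(hostname: str) -> str:
    """Last two labels only (assumption: no public-suffix handling, so 'x.co.uk' is wrong)."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def rbl_listed(ip: str, rbl_zone: str, resolve: Resolver) -> bool:
    """Classic DNSBL lookup: reversed IPv4 octets under the list's zone; any A answer = listed."""
    reversed_ip = ".".join(reversed(ip.split(".")))
    return bool(resolve(f"{reversed_ip}.{rbl_zone}", "A"))


def classify(hostname: str, resolve: Resolver, rbl_zones: List[str]) -> Tuple[str, str]:
    """Evan's procedure: wildcard first; only a wildcard-free host gets resolved and RBL-checked."""
    hostname = hostname.lower().rstrip(".")
    domain = parent_domain(hostname)
    wildcards = has_wildcard(domain, resolve)
    if wildcards:
        return "spam", f"wildcard {'/'.join(sorted(wildcards))} record on {domain}"
    ips = resolve(hostname, "A")
    if not ips:
        return "unknown", f"{hostname} has no A record"
    for ip in ips:
        for zone in rbl_zones:
            if rbl_listed(ip, zone, resolve):
                return "spam", f"{ip} listed in {zone}"
    return "ham", "no wildcard and no RBL listing"


# Constructed zone data for offline use (RFC 5737 addresses and .test names, not real hosts).
FAKE_ZONE: Dict[Tuple[str, str], List[str]] = {
    ("*.spammer-example.test", "A"): ["192.0.2.10"],
    ("www.legit-example.test", "A"): ["198.51.100.5"],
    ("*.legit-example.test", "MX"): ["10 mail.legit-example.test."],
    ("host.listed-example.test", "A"): ["203.0.113.7"],
    ("7.113.0.203.rbl.example.test", "A"): ["127.0.0.2"],
}


def fake_resolve(qname: str, rtype: str) -> List[str]:
    """Exact match first, then one level of wildcard synthesis as a real server would do."""
    qname = qname.lower().rstrip(".")
    if (qname, rtype) in FAKE_ZONE:
        return list(FAKE_ZONE[(qname, rtype)])
    if not qname.startswith("*.") and "." in qname:
        return list(FAKE_ZONE.get(("*." + qname.split(".", 1)[1], rtype), []))
    return []


def live_resolve(qname: str, rtype: str) -> List[str]:
    """Real lookups; assumes the dnspython package (import kept local so the file runs without it)."""
    import dns.exception
    import dns.resolver
    try:
        return [r.to_text() for r in dns.resolver.resolve(qname, rtype)]
    except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer,
            dns.resolver.NoNameservers, dns.exception.Timeout):
        return []


if __name__ == "__main__":
    for host in ("tracker123.spammer-example.test", "www.legit-example.test",
                 "host.listed-example.test"):
        print(host, *classify(host, fake_resolve, ["rbl.example.test"]))
```

Swapping `fake_resolve` for `live_resolve` turns this into the test program Evan describes; the order matters for the reason he gives, since a host whose domain answers a wildcard query never gets resolved to an address at all. Note that the wildcard check only asks for the `*` label of the two-label parent, so a wildcard one level deeper (say `*.mail.example.test`) is not caught by this simplification.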