>...
>Jeff Chan wrote:
>> On Thursday, June 22, 2006, 10:35:10 AM, Ken A wrote:
>>> Rick Wesson over at Alice's Registry has a dnsrbl listing recently
>>> registered domains (see below). I thought this might be of interest to
>>> SA users. Anyone used this, or other rbl with similar functions?
>>> Scoring?
>>> Accuracy?
>>
>>> Thanks,
>>> Ken A
>>> Pacific.Net
>>
>> Hi Ken,
>> I was corresponding with Rick about how to test this and was
>> going to suggest the developers add a test rule.
>
>
># test for Day Old Bread DNSRBL of recently registered domains.
>
>header FROM_IN_DOB eval:check_rbl_envfrom('dob','dob.sibl.support-intelligence.net.')
>describe FROM_IN_DOB Domain recently registered
>tflags FROM_IN_DOB net
>score FROM_IN_DOB 0.1
>
>This has hit a few spams today. ymmv..
>
>Ken A
>Pacific.Net
>...

Seems quite conservative to me - It seems that any "new" domain should/would be *very* well behaved during the 5-day ICANN defined "trial" period (a domain can be deleted by the registrar in the first 5 days with no "redemption" period). So I just started with:

## Aging would be nice - an MTA could 45x for a couple of days
header __RCVD_IN_DOB eval:check_rbl('dob', 'dob.sibl.support-intelligence.net.', '255')
describe __RCVD_IN_DOB Received via relay in new domain (Day Old Bread)
tflags __RCVD_IN_DOB net
score __RCVD_IN_DOB 0

header RCVD_IN_DOB eval:check_rbl_sub('dob', '127.0.0.2')
describe RCVD_IN_DOB Received via relay in new domain (Day Old Bread)
tflags RCVD_IN_DOB net
score RCVD_IN_DOB 1.667

header DNS_FROM_DOB eval:check_rbl_envfrom('dob','dob.sibl.support-intelligence.net.')
describe DNS_FROM_DOB Sender from new domain (Day Old Bread)
tflags DNS_FROM_DOB net
score DNS_FROM_DOB 1.334

urirhssub URIBL_RHS_DOB dob.sibl.support-intelligence.net A 127.0.0.2
body URIBL_RHS_DOB eval:check_uridnsbl('URIBL_RHS_DOB')
describe URIBL_RHS_DOB Contains an URI of a new domain (Day Old Bread)
tflags URIBL_RHS_DOB net
score URIBL_RHS_DOB 2.75

It has hit a significant amount of spam from traps and feeds, but mostly the "URI" rule (and a few "senders" too). Basically, I'm only allowing mail sent from and referencing a "brand new" domain if it hits practically no other rules or earns some negative points. Lots of spam domains don't get used for the first 5 days already because of the ease with which they can be nuked in that time period.

BTW. Everything that has been hit has been > 30 point scores already, so the value may not be that great - i.e. spammers who use new domains are already caught by existing SA rules (and the smarter ones wait).

Paul Shupak
[EMAIL PROTECTED]
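
The DNS queries behind the three rules above, as an added Python example (not part of the original posts and not SpamAssassin's own code). The function names, the injectable resolver and the constructed zone data are assumptions made for illustration; the zone name, the 127.0.0.2 value and the scores are the ones from the rules above.

```python
import socket

ZONE = "dob.sibl.support-intelligence.net"  # zone named in the rules above
LISTED = "127.0.0.2"                        # value the 127.0.0.2 sub-tests match
SCORES = {"RCVD_IN_DOB": 1.667, "DNS_FROM_DOB": 1.334, "URIBL_RHS_DOB": 2.75}

def rhs_query_name(domain, zone=ZONE):
    """Domain-keyed lookup: <domain>.<zone>."""
    return f"{domain.strip('.').lower()}.{zone}"

def ip_query_name(ipv4, zone=ZONE):
    """IP-keyed lookup: octets reversed, d.c.b.a.<zone>."""
    return ".".join(reversed(ipv4.split("."))) + "." + zone

def system_resolver(name):
    """A record for name, or None when there is no answer."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None

def dob_hits(envfrom, uri_domains, relay_ips, resolve=system_resolver):
    """Map each DOB rule that would fire to its score from the post."""
    hits = {}
    if any(resolve(ip_query_name(ip)) == LISTED for ip in relay_ips):
        hits["RCVD_IN_DOB"] = SCORES["RCVD_IN_DOB"]
    # Assumption: with no sub-test, any A answer for the sender domain is a hit.
    if resolve(rhs_query_name(envfrom.rsplit("@", 1)[-1])) is not None:
        hits["DNS_FROM_DOB"] = SCORES["DNS_FROM_DOB"]
    # Assumption: uri_domains are already reduced to the registered domain.
    if any(resolve(rhs_query_name(d)) == LISTED for d in uri_domains):
        hits["URIBL_RHS_DOB"] = SCORES["URIBL_RHS_DOB"]
    return hits

# Constructed zone data: one listed domain, nothing else answers.
FAKE_ZONE = {rhs_query_name("fresh-example.test"): LISTED}

def fake_resolver(name):
    return FAKE_ZONE.get(name)

if __name__ == "__main__":
    hits = dob_hits("bounce@fresh-example.test", ["fresh-example.test"],
                    ["192.0.2.10"], fake_resolver)
    print(hits, round(sum(hits.values()), 3))
```

With the constructed data, the sender and URI rules fire and the relay rule does not, because the relay lookup is keyed by reversed IP while the zone data is keyed by domain name.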