John D. Hardin wrote:
> The Obtuse daemon also has a function that can reject mail
> according to the domain of the sending server's DNS host. That
> works well with some spamming operations that have dozens of bogus
> domains all pointing at a common DNS host.
> Any stats for that?

I'm not sure I know what kind of stats you're looking for, John.

Uncovering situations like this requires a bit of detective work.
Sometimes when I get messages from obviously spammy domains like
randomword-anotherrandomword.com, I'll do some checking into their IP and
domain whois records. I might also use nmap to ping-scan their class-C
subnet to see what other hostnames are nearby. Following those domains
back can often uncover a common DNS server. If the DNS server doesn't
have reverse-DNS configured (e.g., dns[12].superduperspecials.com), it's
*really* suspicious.

My list isn't all that long because this takes a bit of work. I usually
resort to such measures when I get really annoyed by a particular set of
spams. Most of my rules depend on the IP/hostname of the sending server,
not this indirect approach based on DNS servers, but the latter can come
in handy sometimes.

Peter
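The nameserver-based rejection rule John describes, combined with the missing-reverse-DNS check Peter mentions, as an added example that is neither the Obtuse daemon's code nor anything posted in the thread. The DNS lookups are injected as callables so the block runs offline against a constructed fixture (all hostnames, addresses and the blocklist are made up); in a real filter they would be wired to a DNS library.

```python
from typing import Callable, Dict, List, Optional

# Constructed fixture standing in for live DNS answers (all names made up;
# the spammy ones echo the examples in the thread above).
FAKE_NS: Dict[str, List[str]] = {
    "randomword-anotherrandomword.com": ["dns1.superduperspecials.com",
                                         "dns2.superduperspecials.com"],
    "example.net": ["ns1.example.net"],
}
FAKE_A: Dict[str, str] = {"dns1.superduperspecials.com": "192.0.2.10",
                          "dns2.superduperspecials.com": "192.0.2.11",
                          "ns1.example.net": "198.51.100.5"}
# Only the legitimate nameserver has a PTR record in the fixture.
FAKE_PTR: Dict[str, str] = {"198.51.100.5": "ns1.example.net"}
# Parent domains of nameservers the operator has decided to reject on.
NS_BLOCKLIST = {"superduperspecials.com"}


def parent_domain(host: str) -> str:
    """Naive registrable-domain guess: the last two labels. Fine for
    .com-style names; a public-suffix list is needed for example.co.uk."""
    labels = host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def check_sender_dns_host(sender_domain: str,
                          ns_lookup: Callable[[str], List[str]],
                          a_lookup: Callable[[str], Optional[str]],
                          ptr_lookup: Callable[[str], Optional[str]],
                          ns_blocklist=NS_BLOCKLIST) -> List[str]:
    """Return reasons to reject mail from sender_domain based on its
    nameservers; an empty list means the rule has no objection."""
    reasons = []
    for ns in ns_lookup(sender_domain):
        if parent_domain(ns) in ns_blocklist:
            reasons.append(f"nameserver {ns} is under blocklisted DNS host")
        ip = a_lookup(ns)
        if ip is not None and ptr_lookup(ip) is None:
            reasons.append(f"nameserver {ns} ({ip}) has no reverse DNS")
    return reasons


def check_with_fixture(sender_domain: str) -> List[str]:
    """Run the rule offline against the constructed fixture."""
    return check_sender_dns_host(sender_domain, lambda d: FAKE_NS.get(d, []),
                                 FAKE_A.get, FAKE_PTR.get)
```

A domain whose nameservers are unknown to the resolver yields no reasons, so this rule only ever adds evidence and never rejects on its own absence of data.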