I'm a prophet now!?

:-)

Hm. So, I'm sure I can figure this out eventually, but does anyone know the right Net::DNS way to extract the TTL?

I could probably set it up as a value in Botnet.cf, where the default is 0 (disabled), but other values will trigger some rule's score if it's less than the number that was set.

And, it shouldn't be too hard for me to write a test for the number of A records returned by a domain.

I probably won't make them part of the BOTNET rule, but make them separate BOTNET_* rules (BOTNET_TTL and BOTNET_NUM_ARECS ?).



Jared Hall wrote:
Upon examining various URI messages that trolls have sent here the last two days (of those that still have DNS resolution):

(A) TTL is less than 300 on all but two (2560 and 3600). (B) Even 2g00d.mobi is running a TTL of 181.

Would a spamvertized URI from a "legit" company be running a TTL that low? I think not. Seems like a good way to combat Fast-Flux DNS system spam. Drawbacks include DNS SOA timeouts for bad domains.

Where's our prophet "John the Botnet" when you need him?

Ever Pondering,

Jared Hall
General Telecom, LLC.




On Friday 10 August 2007 10:34, clsgis wrote:
We're seeing URIs in spam whose domains have between a dozen and three dozen Address records, with time-to-live TTLs less than ten minutes.
Is there a test for too many Address records?  What's its name?
Is there a test for too-short TTLs?
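An added example, not code from this thread or from the Botnet plugin, showing the Net::DNS calls that answer the question above: walk the answer section of a packet, keep only type-A records, and take the count and the smallest TTL, then compare them against the kind of thresholds the thread sketches (0 meaning disabled). The function names, the threshold parameters, the sample domain and the RFC 5737 documentation addresses are all assumptions constructed for this example; only the rule names BOTNET_TTL and BOTNET_NUM_ARECS come from the thread.

```perl
#!/usr/bin/perl
# Added example (not Botnet.cf or Botnet plugin code): pull the A-record
# count and the smallest TTL out of a Net::DNS answer packet, then compare
# them against hypothetical thresholds of the kind the thread proposes.
use strict;
use warnings;
use Net::DNS;

# Extract (number of A records, minimum TTL among them) from a Net::DNS::Packet.
# Only type-A answers are counted so a CNAME chain in the answer section does
# not inflate the count; returns (0, undef) when there are no A records.
sub a_record_stats {
    my ($packet) = @_;
    my ($count, $min_ttl) = (0, undef);
    for my $rr ($packet->answer) {
        next unless $rr->type eq 'A';
        $count++;
        $min_ttl = $rr->ttl if !defined $min_ttl || $rr->ttl < $min_ttl;
    }
    return ($count, $min_ttl);
}

# Apply the thread's idea: 0 disables a check; otherwise a TTL below
# $ttl_limit or more than $arec_limit A records each flag a separate rule.
# The rule names are the ones floated in the thread; the threshold
# parameter names are assumptions for this example.
sub botnet_dns_hits {
    my ($packet, $ttl_limit, $arec_limit) = @_;
    my ($count, $min_ttl) = a_record_stats($packet);
    my @hits;
    push @hits, 'BOTNET_TTL'
        if $ttl_limit && defined $min_ttl && $min_ttl < $ttl_limit;
    push @hits, 'BOTNET_NUM_ARECS'
        if $arec_limit && $count > $arec_limit;
    return @hits;
}

# Query a resolver for a domain's A records (what a plugin would do live).
# TTLs seen through a caching resolver are the remaining TTLs, not the
# authoritative ones, so they read lower than the zone's own value.
sub lookup_a_packet {
    my ($domain) = @_;
    my $res = Net::DNS::Resolver->new;
    return $res->send($domain, 'A');   # undef on failure
}

# Constructed offline sample: a fast-flux-style answer with 14 A records
# (documentation addresses from RFC 5737) and a TTL of 181, all made up here.
my $sample = Net::DNS::Packet->new('spamvertised.example', 'A');
$sample->push(answer => Net::DNS::RR->new("spamvertised.example. 181 IN A 192.0.2.$_"))
    for 1 .. 14;

my ($n, $ttl) = a_record_stats($sample);
print "A records: $n, minimum TTL: $ttl\n";
print "rules hit: ", join(', ', botnet_dns_hits($sample, 300, 12)), "\n";
```

The minimum TTL is taken rather than the first record's, since a mixed answer can carry different TTLs per record. For a live check, pass the result of lookup_a_packet to a_record_stats and remember that a TTL observed through a cache is the time remaining, so a threshold tuned against authoritative values will fire more often than intended when the box sits behind a caching resolver.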
