________________________________

From: John Rudd [mailto:[EMAIL PROTECTED]
Sent: Fri 8/10/2007 12:27 PM
To: Jared Hall
Cc: users@spamassassin.apache.org
Subject: Re: Detecting short-TTL domains?
I'm a prophet now!?

:-)

Hm.  So, I'm sure I can figure this out eventually, but does anyone know
the right Net::DNS way to extract the TTL?

I could probably set it up as a value in Botnet.cf, where the default is
0 (disabled), but other values will trigger some rule's score if it's
less than the number that was set.

And, it shouldn't be too hard for me to write a test for number of A
records returned by a domain.

I probably won't make them part of the BOTNET rule, but make them
separate BOTNET_* rules (BOTNET_TTL and BOTNET_NUM_ARECS ?).



Jared Hall wrote:
> Upon examining various URI messages that trolls
> have sent here the last two days (of those that still
> have DNS resolution):
>
> (A) TTL is less than 300 on all but two
> (2560 and 3600).
> (B) Even 2g00d.mobi is running a TTL of 181.
>
> Would a spamvertized URI from a "legit" company
> be running a TTL that low?  I think not.  Seems like
> a good way to combat Fast-Flux DNS system spam.
> Drawbacks include DNS SOA timeouts for bad
> domains.
>
> Where's our prophet "John the Botnet" when you
> need him?
>
> Ever Pondering,
>
> Jared Hall
> General Telecom, LLC.
>
>
>
>
> On Friday 10 August 2007 10:34, clsgis wrote:
>> We're seeing URIs in spam whose domains have between
>> a dozen and three dozen Address records, with time-to-live TTLs less than
>> ten minutes.
>> Is there a test for too many Address records?  What's its name?
>> Is there a test for too-short TTLs?


Oh mighty one (sorry I don't have an emoticon that bows) :)

I don't know how effective these tests will be, as part of a fast-flux scheme is
constantly changing DNS records. There's no test for that. How many A records
will be too many? I guess with careful scoring it could be another tool to use
to increase the score of these emails.

I've been working on a program that starts checking all the new domains on a 
constant basis to see if they're changing. This will produce a blacklist, and 
that might be the way to check this as a dnsbl.

Any ideas are welcome. (like, forget about computers and go to the beach, go 
play hockey, go fishing...)
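As an added illustration of the two checks discussed in this thread (John's question about the Net::DNS way to read a TTL, and the count of A records clsgis asked about), here is a small Perl script. It is example code written for this page, not code from John's Botnet plugin or from SpamAssassin. The rule names BOTNET_TTL and BOTNET_NUM_ARECS are the ones John floated; the thresholds of 300 seconds and a dozen A records are assumptions taken from the observations quoted above, and the domain and addresses in the sample answer are constructed so the script runs without network access.

```perl
#!/usr/bin/perl
# Added example, not the Botnet plugin's own code: read the lowest A-record
# TTL and the number of A records out of a Net::DNS answer packet, then map
# them to the rule hits discussed on the list.
use strict;
use warnings;
use Net::DNS;

# Thresholds are assumptions for illustration. As John proposed for the
# Botnet.cf setting, a value of 0 disables the corresponding check.
my %cfg = (
    botnet_ttl       => 300,  # hit if the lowest A-record TTL is below this
    botnet_num_arecs => 12,   # hit if the answer carries at least this many A records
);

# Walk the answer section of a Net::DNS::Packet and return
# (minimum TTL among A records, number of A records).
# CNAME hops are skipped: only RRs of type A are measured.
sub inspect_a_records {
    my ($packet) = @_;
    my ($min_ttl, $count) = (undef, 0);
    for my $rr ($packet->answer) {
        next unless $rr->type eq 'A';
        $count++;
        $min_ttl = $rr->ttl if !defined $min_ttl || $rr->ttl < $min_ttl;
    }
    return ($min_ttl, $count);
}

# Turn the measurements into rule hits. Each check is independent so the
# two rules can be scored separately, as the thread suggests.
sub botnet_dns_hits {
    my ($min_ttl, $count) = @_;
    my @hits;
    push @hits, 'BOTNET_TTL'
        if $cfg{botnet_ttl} && defined $min_ttl && $min_ttl < $cfg{botnet_ttl};
    push @hits, 'BOTNET_NUM_ARECS'
        if $cfg{botnet_num_arecs} && $count >= $cfg{botnet_num_arecs};
    return @hits;
}

# Constructed sample answer: a domain returning a dozen A records at TTL 181,
# the shape reported earlier in the thread. Addresses are from the
# documentation range 192.0.2.0/24 and the domain is made up.
my $domain = 'flux.example';
my $packet = Net::DNS::Packet->new($domain, 'A');
$packet->push(answer => Net::DNS::RR->new("$domain. 181 IN A 192.0.2.$_"))
    for 1 .. 12;

my ($ttl, $n) = inspect_a_records($packet);
printf "%s: %d A records, lowest TTL %d -> %s\n",
    $domain, $n, $ttl, join(' ', botnet_dns_hits($ttl, $n)) || 'no hits';

# Live lookup (needs network): replace the constructed packet with the
# resolver's answer to inspect a real URI domain.
# my $res  = Net::DNS::Resolver->new;
# my $live = $res->send($domain, 'A');
# if ($live) { my ($t, $c) = inspect_a_records($live); print "$c A records, min TTL ", $t // 'n/a', "\n"; }
```

One caveat worth keeping in mind when scoring on this: a TTL read through a caching resolver is the remaining time on the cached copy, not the authoritative value, so the same legitimate domain can look "short-TTL" part of the time; a resolver that queries the authoritative servers directly, or comparing several answers over time, gives a steadier reading. Short TTLs and many A records are also normal for content delivery networks, which is why the thread treats these as score contributions rather than a standalone verdict.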
