________________________________
From: John Rudd [mailto:[EMAIL PROTECTED]
Sent: Fri 8/10/2007 12:27 PM
To: Jared Hall
Cc: users@spamassassin.apache.org
Subject: Re: Detecting short-TTL domains?

I'm a prophet now!? :-)

Hm. So, I'm sure I can figure this out eventually, but does anyone know the right Net::DNS way to extract the TTL?

I could probably set it up as a value in Botnet.cf, where the default is 0 (disabled), but other values will trigger some rule's score if it's less than the number that was set.

And, it shouldn't be too hard for me to write a test for the number of A records returned by a domain.

I probably won't make them part of the BOTNET rule, but make them separate BOTNET_* rules (BOTNET_TTL and BOTNET_NUM_ARECS ?).

Jared Hall wrote:
> Upon examining various URI messages that trolls
> have sent here the last two days (of those that still
> have DNS resolution):
>
> (A) TTL is less than 300 on all but two
> (2560 and 3600).
> (B) Even 2g00d.mobi is running a TTL of 181.
>
> Would a spamvertized URI from a "legit" company
> be running a TTL that low? I think not. Seems like
> a good way to combat Fast-Flux DNS system spam.
> Drawbacks include DNS SOA timeouts for bad
> domains.
>
> Where's our prophet "John the Botnet" when you
> need him?
>
> Ever Pondering,
>
> Jared Hall
> General Telecom, LLC.
>
>
> On Friday 10 August 2007 10:34, clsgis wrote:
>> We're seeing URIs in spam whose domains have between
>> a dozen and three dozen Address records, with time-to-live TTLs less than
>> ten minutes.
>> Is there a test for too many Address records? What's its name?
>> Is there a test for too-short TTLs?

Oh mighty one (sorry I don't have an emoticon that bows) :)

I don't know how effective these tests will be, as part of the fast-flux scheme is constantly changing DNS records. There's no test for that. How many A records will be too many? I guess with careful scoring it could be another tool to use to increase the score of these emails.
I've been working on a program that starts checking all the new domains on a constant basis to see if they're changing. This will produce a blacklist, and that might be the way to check this as a dnsbl. Any ideas are welcome. (like, forget about computers and go to the beach, go play hockey, go fishing...)
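The thread asks for the Net::DNS way to read a TTL and proposes separate BOTNET_TTL / BOTNET_NUM_ARECS rules with a "0 = disabled" threshold in Botnet.cf. The script below is an added example, not code from the thread or from the Botnet plugin: it pulls the A records out of a Net::DNS answer, reports the record count and the smallest TTL, and applies thresholds in the way John Rudd describes. The rule names are his proposed names; the threshold values (300 seconds, 10 records), the domain `example.invalid` and the 192.0.2.x addresses are assumptions constructed for the demonstration, and the offline part runs without any network access.

```perl
#!/usr/bin/perl
# Added example, not code from the thread or from the Botnet plugin.
# Extracts TTLs and the A-record count from a Net::DNS answer and applies
# the kind of thresholds proposed for BOTNET_TTL / BOTNET_NUM_ARECS. The
# threshold values, the domain and the addresses below are assumptions.
use strict;
use warnings;
use Net::DNS;

# Count the A records in a list of Net::DNS::RR objects and return the
# smallest TTL among them (undef when there are no A records).
sub summarise_a_records {
    my @rrs = @_;
    my @a = grep { $_->type eq 'A' } @rrs;
    my $min_ttl;
    for my $rr (@a) {
        $min_ttl = $rr->ttl if !defined $min_ttl || $rr->ttl < $min_ttl;
    }
    return (scalar @a, $min_ttl);
}

# Decide which rules fire. A threshold of 0 disables its check, which is
# the "default 0 = disabled" convention proposed for Botnet.cf.
sub botnet_dns_hits {
    my ($num_a, $min_ttl, %cfg) = @_;
    my @hits;
    push @hits, 'BOTNET_TTL'
        if $cfg{ttl_threshold} && defined $min_ttl && $min_ttl < $cfg{ttl_threshold};
    push @hits, 'BOTNET_NUM_ARECS'
        if $cfg{arecs_threshold} && $num_a > $cfg{arecs_threshold};
    return @hits;
}

# Live lookup of a domain's A records. Caveat: a recursive resolver hands
# back the *remaining* cache TTL, so repeated queries see the value count
# down; query the authoritative servers if the original TTL matters.
sub lookup_a_records {
    my ($domain) = @_;
    my $res = Net::DNS::Resolver->new;
    my $pkt = $res->send($domain, 'A') or return ();
    return $pkt->answer;
}

# Report helper shared by the offline demonstration and the live check.
sub report {
    my ($label, @rrs) = @_;
    my ($n, $ttl) = summarise_a_records(@rrs);
    my @hits = botnet_dns_hits($n, $ttl, ttl_threshold => 300, arecs_threshold => 10);
    printf "%s: %d A record(s), min TTL %s -> %s\n",
        $label, $n, defined $ttl ? $ttl : 'n/a', @hits ? join(',', @hits) : 'no hits';
}

# Offline demonstration with constructed records (no network needed): an
# answer set that looks like fast flux, using the 181-second TTL mentioned
# in the thread and fifteen TEST-NET-1 addresses.
my @constructed = map { Net::DNS::RR->new("example.invalid. 181 IN A 192.0.2.$_") } 1 .. 15;
report('constructed', @constructed);

# Live check when a domain is given on the command line.
report($ARGV[0], lookup_a_records($ARGV[0])) if @ARGV;
```

Run it with no arguments to see the constructed answer set trip both rules (15 records above the assumed limit of 10, TTL 181 below the assumed 300); pass a domain name to repeat the check against a live answer. Two points matter when turning this into scoring: the TTL you read through a caching resolver is whatever is left of the cache entry, not the zone's value, so a legitimate domain can look "short-TTL" simply because its record is about to expire; and, as Jared notes, unresolvable spam domains cost you a resolver timeout, so the lookup belongs behind SpamAssassin's existing DNS timeout handling rather than in a synchronous rule.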