Quoting Matt Kettler <[EMAIL PROTECTED]>:
Matt Kettler wrote:
Giampaolo Tomassoni wrote:
It doesn't use whois *instead of* dns. It uses both and attempts even to
detect any discrepancy between their responses.
Both types of queries can cause problems.
How are these going to be different?? The information published to
whois has to match the information published to the authoritative
DNS servers for the TLD the domain falls under.
That's a false assumption. Legitimate domains can have mismatched
whois and nameserver information during the time when they're being
changed. The root zone files in some cases update nearly instantly.
Whois data tend to get updated more slowly, for example once a day.
The time factors for reflecting updated information are often not the
same. During that time, this approach could false positive on
entirely legitimate domains that happen to be under updates.
I guess you could send a request to one of the servers for the
domain and ask for a NS record. But that's asking for a DoS. You
could also still do it a lot more efficiently by sending one to the
authority for the TLD, and one to the domain server.
Querying down to the delegated nameserver is not a good idea.
Spammers do track who queries their servers, give false answers,
trigger DDoS attacks back, gather information about the querying
system, etc.
Ahh, I see what you're doing, you're looking up the SOA. Which is
basically forcing the query down to the spammer's DNS server, and
opening yourself up for a DoS attack.
hint: a malicious spammer could fill an email with domains that point
to a server which generates really slow responses to your SOA queries,
bogging your server down with DNS timeouts. This is the whole reason
why nothing in SA ever does an "A" record lookup on URIs.
I suspect very strongly that it's not the whole reason. There are
very many reasons not to look up A records of URIs:
1. Querying jack_smith.uri.com could confirm jack_smith received the spam
2. Querying 12345.uri.com could expose someone's bank account number,
national ID number, or other private information to the Internet, etc.
There are other reasons.
Jeff C.
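The thread above raises two separate hazards of URI-based DNS checks: being pulled into querying the spammer's own nameservers (slow answers, tracking, retaliation) and leaking a per-recipient token such as "jack_smith" or an account number by resolving the full hostname. The following is an added Python illustration of how a filter can avoid both; it is not SpamAssassin's code, and the public-suffix table, the blocklist zone name `multi.uribl.example` and the sample message are constructed for the demo.

```python
"""Added example (not SpamAssassin's code): planning URI-based DNS checks so
that a filter never queries the spammer's own nameservers, never sends a
per-recipient hostname label anywhere, and cannot be stalled by slow
responders."""

import ipaddress
import re
import time
from urllib.parse import urlsplit

# Constructed stand-in for a public-suffix list, just enough for this demo.
# A real filter would load the full Public Suffix List.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "org.uk"}

URI_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def registrable_domain(host):
    """Strip a hostname down to the label directly under its public suffix.

    'jack_smith.uri.com' -> 'uri.com', so the token that identifies one
    recipient never appears in any query. Returns None for IP literals,
    bare suffixes and unknown TLDs (skip rather than guess).
    """
    host = host.strip(".").lower()
    try:
        ipaddress.ip_address(host)
        return None
    except ValueError:
        pass
    labels = host.split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return None if i == 0 else ".".join(labels[i - 1:])
    return None


def plan_uribl_queries(message_text, bl_zone, max_domains=20):
    """Build the DNSBL names to look up for one message.

    Each query goes to the blocklist operator's zone (bl_zone), never to the
    authoritative servers of the domain in the URI, and the number of
    distinct domains is capped so a message stuffed with throwaway domains
    cannot turn into thousands of lookups.
    """
    domains = []
    for uri in URI_RE.findall(message_text):
        host = urlsplit(uri).hostname
        dom = registrable_domain(host) if host else None
        if dom and dom not in domains:
            domains.append(dom)
            if len(domains) >= max_domains:
                break
    return ["%s.%s" % (d, bl_zone) for d in domains]


def resolve_with_budget(names, resolve, budget_s, per_query_s=2.0,
                        clock=time.monotonic):
    """Run the planned lookups under a total wall-clock budget.

    `resolve(name, timeout)` is whatever DNS client the caller uses; it is
    injected so the logic can be exercised with a fake. Once the budget is
    spent, remaining names are marked 'skipped' instead of being queried, so
    a batch of deliberately slow answers costs at most budget_s seconds.
    """
    deadline = clock() + budget_s
    results = {}
    for name in names:
        remaining = deadline - clock()
        if remaining <= 0:
            results[name] = "skipped"
            continue
        try:
            results[name] = resolve(name, min(per_query_s, remaining))
        except TimeoutError:
            results[name] = "timeout"
    return results


if __name__ == "__main__":
    # Constructed sample message body, not real spam.
    body = ("Click http://jack_smith.uri.com/x and http://12345.uri.com/y "
            "or http://www.example.co.uk/z and http://192.0.2.1/w")
    names = plan_uribl_queries(body, "multi.uribl.example")
    print(names)

    def slow_resolver(name, timeout):
        raise TimeoutError  # every responder is slow in this demo

    print(resolve_with_budget(names, slow_resolver, budget_s=3.0))
```

The two URIs that differ only in their recipient-specific label collapse to a single query for `uri.com`, the IP-literal URI produces no query at all, and the budget loop turns a run of slow answers into a bounded delay followed by skipped lookups rather than a stalled filter.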