> -----Original Message-----
> From: Matt Kettler [mailto:[EMAIL PROTECTED]
> Sent: Friday, January 25, 2008 2:21 AM
>
> Matt Kettler wrote:
> > Giampaolo Tomassoni wrote:
> >>
> >> It doesn't use whois *instead of* dns. It uses both and attempts even to
> >> detect any discrepancy between their responses.
> >>
> > How are these going to be different?? The information published to
> > whois has to match the information published to the authoritative DNS
> > servers for the TLD the domain falls under.
> >
> > I guess you could send a request to one of the servers for the domain
> > and ask for a NS record. But that's asking for a DoS. You could also
> > still do it a lot more efficiently by sending one to the authority for
> > the TLD, and one to the domain server.
>
> Ahh, I see what you're doing, you're looking up the SOA. Which is
> basically forcing the query down to the spammer's DNS server, and
> opening yourself up for a DoS attack.

You're seriously concerned by DoS. You may probably get some relief by unplugging your MX servers from the internet. It is the red cable with the label "Warning: potential DoS carrier!" :)

> hint: a malicious spammer could fill an email with domains that point
> to a server which generates really slow responses to your SOA queries,
> bogging your server down with DNS timeouts. This is the whole reason
> why nothing in SA ever does an "A" record lookup on URI's. Doing a SOA
> lookup isn't quite as bad, as it would take many domains instead of
> many hosts, but it's still the same concept.

Thanks to the asynchronous query engine in SA 3.2.x this is no longer a problem: you may have many outstanding DNS queries in parallel and your code is going to wait at most for the duration of a single timeout. Besides, during the time the queries are outstanding SA does work on other things.

Instead, the fact that a SOA and/or NS request is not replied to can be very useful: an authoritative NS must respond to them. A reply to an A request and a missing one to SOA or NS requests may be used as an indication that the URI refers to a spam site.

Giampaolo
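The two points Giampaolo makes above, that parallel asynchronous lookups bound the total wait to a single timeout regardless of how many slow domains an email contains, and that an A answer without SOA/NS answers is itself a usable signal, as an added example that is not from this thread or from SpamAssassin's own code. The resolver is a constructed in-memory stand-in (FAKE_DNS, with hypothetical .example domains and made-up delays) so the script runs offline; SpamAssassin's real Net::DNS-based engine is not reproduced here, only the shape of the technique.

```python
import asyncio
import time

# Constructed stand-in for a DNS resolver (hypothetical data, not real zones):
# domain -> record type -> (answer or None, seconds the "server" takes to reply).
# A None answer with a long delay models the case from the thread: a server
# that answers A queries promptly but stalls on SOA/NS queries.
FAKE_DNS = {
    "ordinary.example": {
        "A":   ("192.0.2.10", 0.01),
        "SOA": ("ns1.ordinary.example", 0.01),
        "NS":  ("ns1.ordinary.example", 0.01),
    },
    "stalls-on-soa.example": {
        "A":   ("192.0.2.20", 0.01),
        "SOA": (None, 30.0),   # never answers within any sane timeout
        "NS":  (None, 30.0),
    },
    "dead.example": {
        "A":   (None, 0.01),   # NXDOMAIN-like: nothing resolves at all
        "SOA": (None, 0.01),
        "NS":  (None, 0.01),
    },
}

RR_TYPES = ("A", "SOA", "NS")


async def fake_query(domain, rrtype):
    """Simulated resolver call: sleeps for the configured delay, then answers."""
    answer, delay = FAKE_DNS.get(domain, {}).get(rrtype, (None, 0.01))
    await asyncio.sleep(delay)
    return answer


async def bounded_query(domain, rrtype, timeout):
    """One lookup with its own deadline; a stalled server yields None, not a hang."""
    try:
        return await asyncio.wait_for(fake_query(domain, rrtype), timeout)
    except asyncio.TimeoutError:
        return None


def classify(a, soa, ns):
    """Heuristic from the thread: an A answer with no SOA/NS answer is the
    suspicious pattern; no answers at all is merely an unresolvable name."""
    if a is None:
        return "unresolvable"
    if soa is None or ns is None:
        return "a-without-soa-ns"
    return "ok"


async def check_domains_async(domains, timeout):
    # Issue every (domain, rrtype) lookup at once. Each is capped at `timeout`
    # and gather() waits for all of them, so the overall wait is bounded by
    # one timeout rather than by the number of slow domains in the message.
    coros = [bounded_query(d, t, timeout) for d in domains for t in RR_TYPES]
    answers = await asyncio.gather(*coros)
    results = {}
    n = len(RR_TYPES)
    for i, d in enumerate(domains):
        a, soa, ns = answers[i * n:(i + 1) * n]
        results[d] = classify(a, soa, ns)
    return results


def check_domains(domains, timeout=0.2):
    """Run the parallel check; return per-domain verdicts and elapsed wall time."""
    start = time.monotonic()
    results = asyncio.run(check_domains_async(domains, timeout))
    return results, time.monotonic() - start


if __name__ == "__main__":
    # Thirty domains, twenty of which point at the stalling server: total
    # wall time still stays close to a single timeout.
    sample = list(FAKE_DNS) * 10
    verdicts, elapsed = check_domains(sample)
    for domain, verdict in verdicts.items():
        print(f"{domain:25s} {verdict}")
    print(f"elapsed: {elapsed:.2f}s for {len(sample) * len(RR_TYPES)} lookups")
```

The per-query `wait_for` deadline is what makes the spammer's slow-server trick ineffective: a stalled SOA query costs at most one timeout and is cancelled, and because all lookups are in flight together, thirty stalling domains cost the same wall time as one. The verdict for the stalling domain is exactly the signal Giampaolo proposes, an A record that resolves while the authoritative SOA/NS never answer.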