Jeff Chan wrote:
Quoting Matt Kettler <[EMAIL PROTECTED]>:

Matt Kettler wrote:
Giampaolo Tomassoni wrote:

It doesn't use whois *instead of* dns. It uses both and attempts even to
detect any discrepancy between their responses.

Both types of queries can cause problems.

How are these going to be different?? The information published to whois has to match the information published to the authoritative DNS servers for the TLD the domain falls under.

That's a false assumption. Legitimate domains can have mismatched whois and nameserver information during the time when they're being changed.

Ok, I guess I meant "how are these going to be usefully different". There's a time spread between TLD NS updates and whois updates, but you can't configure the two to be different and have it stay that way. So, any difference between the two sources of data is a function of timing, and probably not useful as a spam detection criterion.

But this isn't the approach Giampaolo has taken. He's comparing whois to SOA records, so he's essentially detecting misconfigured SOAs that don't match the whois DNS servers.

He'd still be better off looking up the NS record at the TLD and comparing that to the SOA. Both are DNS queries and would show the same thing, except during moves. If detecting moves is your desire, you should be comparing the whois to the TLD NS record, not the SOA.

However, I'm still stuck on how this information is useful, or has any high correlation to spam activity.
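The three-way comparison Matt describes (whois vs. TLD NS to spot a move in progress, SOA MNAME vs. the delegated NS set to spot a misconfigured SOA), as an added example that is not part of this thread or of Giampaolo's plugin. The nameserver names are constructed, and the three views are passed in as data rather than looked up, so it runs offline.

```python
"""Classify a domain's delegation consistency from three sources:
registry (whois) nameservers, the NS set at the TLD, and the zone's SOA MNAME."""
from dataclasses import dataclass

def norm(name: str) -> str:
    """Canonical hostname for comparison: lowercase, no trailing dot."""
    return name.strip().lower().rstrip(".")

@dataclass(frozen=True)
class DelegationView:
    whois_ns: frozenset   # nameservers published in whois
    tld_ns: frozenset     # NS records served by the TLD for the domain
    soa_mname: str        # MNAME field of the zone's own SOA record

def classify(view: DelegationView) -> list:
    """Return the findings for one domain, or ["consistent"] if none."""
    whois = {norm(n) for n in view.whois_ns}
    tld = {norm(n) for n in view.tld_ns}
    mname = norm(view.soa_mname)
    findings = []
    if whois != tld:
        # whois and the TLD disagree: this only happens while the delegation
        # is being changed, so it reflects timing, not a persistent setup.
        findings.append("in-transition")
    if mname not in tld:
        # SOA MNAME is not one of the delegated servers. A hidden primary that
        # is deliberately absent from NS looks exactly like this, so treat it
        # as an oddity to log, not as evidence of spam by itself.
        findings.append("soa-mname-not-delegated")
    return findings or ["consistent"]

# Constructed sample views using reserved example names.
STABLE = DelegationView(frozenset({"ns1.example.net.", "NS2.Example.net"}),
                        frozenset({"ns1.example.net", "ns2.example.net"}),
                        "ns1.example.net.")
MOVING = DelegationView(frozenset({"ns1.old-host.example"}),
                        frozenset({"ns1.new-host.example"}),
                        "ns1.new-host.example")
HIDDEN_PRIMARY = DelegationView(frozenset({"ns1.example.net", "ns2.example.net"}),
                                frozenset({"ns1.example.net", "ns2.example.net"}),
                                "hidden-master.example.org")

if __name__ == "__main__":
    for label, view in (("stable", STABLE), ("moving", MOVING),
                        ("hidden-primary", HIDDEN_PRIMARY)):
        print(label, classify(view))
```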
