This is a discussion on Re: negative caching of throwaway spam domains - DNS ; On Wed, 21 Jun 2006, Ken A wrote: > Hi, > > We have 3 spam filtering machines that each run a bind caching > nameserver to help with rbl lookups, etc.. > After mail passes through these machines it ...
On Wed, 21 Jun 2006, Ken A wrote:
> We have 3 spam filtering machines that each run a bind caching
> nameserver to help with rbl lookups, etc..
> After mail passes through these machines it goes to our mail hub.
> Every so often, a spam from a throwaway spam domain will get through the
> spam filtering machines to the mailserver hub. The caching nameserver on
> the spam filtering machine will be able to lookup the sender's hostname,
> so sendmail accepts it.
> But, sendmail, on the mailserver hub will bounce it back to the spam
> filtering machine with an error.. 'Domain of sender address
> firstname.lastname@example.org does not exist'. (that one is from this am..
> registered yesterday by a spammer).
> The question is, is there something I can do to, other than telling the
> mail filter machines to all use the same instance of bind to avoid this
> Also, a bit off topic, but it occurs to me that this kind of information
> is useful in spam fighting. Are there any rbls out there that list all
> domains registered in the last 48 hrs?
I would ask on the SpamAssassin mailing list, as those guys
seem to be most aware of what's available (even if it's not SpamAssassin
you're using, this is not a bad idea for a plugin and/or blacklist) --
however, generically RBL's work on IP address, not domains. Given an IP
address a.b.c.d, the domains d.c.b.a.blacklist.wherever.org is looked up,
and if it returns a certain value, it's considered listed.
What you'd be more likely to look at is a SURBL -- which looks to block
url's embedded in emails, and works on actual hostnames as opposed to ips.
Also, I should note that parsing the information with regard to how long
ago a domain was registered is somewhat difficult, as at this point we're
out of the realm of DNS and into the realm of WHOIS. And whomever
conceived WHOIS apparently did not feel that things like standardization
and formatting (or even date-field order) were things that needed to be
There is a long-out-of-date perl module which was written by the GANDI
registrar that was supposed to parse these things, and had a modular
plug-in architecture, however even that has broken majorly on .org since
that registry no longer uses referrals.
"There is no right and wrong, there is only fun and boring."
-Fisher Stevens, "Hackers"
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM