Re: negative caching of throwaway spam domains
Dan Mahoney, System Admin wrote:
> On Wed, 21 Jun 2006, Ken A wrote:
>> We have 3 spam filtering machines that each run a bind caching
>> nameserver to help with rbl lookups, etc..
>> After mail passes through these machines it goes to our mail hub.
>> Every so often, a spam from a throwaway spam domain will get through the
>> spam filtering machines to the mailserver hub. The caching nameserver on
>> the spam filtering machine will be able to lookup the sender's hostname,
>> so sendmail accepts it.
>> But, sendmail, on the mailserver hub will bounce it back to the spam
>> filtering machine with an error.. 'Domain of sender address
>> email@example.com does not exist'. (that one is from this a.m..
>> registered yesterday by a spammer).
>> The question is, is there something I can do to, other than telling the
>> mail filter machines to all use the same instance of bind to avoid this
Any ideas on this DNS question?
>> Also, a bit off topic, but it occurs to me that this kind of information
>> is useful in spam fighting. Are there any rbls out there that list all
>> domains registered in the last 48 hrs?
> I would ask on the SpamAssassin mailing list, as those guys seem to be
> most aware of what's available (even if it's not SpamAssassin you're
> using, this is not a bad idea for a plugin and/or blacklist) -- however,
> generically RBL's work on IP address, not domains. Given an IP address
> a.b.c.d, the domains d.c.b.a.blacklist.wherever.org is looked up, and if
> it returns a certain value, it's considered listed.
> What you'd be more likely to look at is a SURBL -- which looks to block
> url's embedded in emails, and works on actual hostnames as opposed to ips.
Yes, we use SURBL and uribl in S.A. to help score spam. rbldnsd uses
these 'dnsets' to define hostnames in an rbl that are looked up via DNS.
DNS can be used for all sorts of things, not the least of which is
spyware, which is why I worry when some newly installed software likes
to do a DNS lookup for no apparent reason. Now we are way off topic..
> Also, I should note that parsing the information with regard to how long
> ago a domain was registered is somewhat difficult, as at this point
> we're out of the realm of DNS and into the realm of WHOIS. And whomever
> conceived WHOIS apparently did not feel that things like standardization
> and formatting (or even date-field order) were things that needed to be
> agreed upon.
I have a rather lengthy perl script that does this to check expiration
dates for domains we host, but I agree, it's a parsing nightmare! :-\
> There is a long-out-of-date perl module which was written by the GANDI
> registrar that was supposed to parse these things, and had a modular
> plug-in architecture, however even that has broken majorly on .org since
> that registry no longer uses referrals.
> "There is no right and wrong, there is only fun and boring."
> -Fisher Stevens, "Hackers"
> --------Dan Mahoney--------
> Techie, Sysadmin, WebGeek
> Gushi on efnet/undernet IRC
> ICQ: 13735144 AIM: LarpGM
> Site: http://www.gushi.org
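Dan's description of how an RBL query is formed (reverse the octets of a.b.c.d and look up d.c.b.a.blacklist.wherever.org, then read the returned value) and how a SURBL differs (the hostname itself is the query), worked through as an added example. This is not code from either poster; the zone names reuse the thread's placeholder style, the stub resolver and its answers are constructed, and the table mapping the answer's low bits to list names is an assumption for illustration, since each real list publishes its own.

```python
"""DNSBL / SURBL query construction and answer decoding.

Added example, not code from the original thread.  Zone names, stub
answers and the BIT_NAMES table are constructed for illustration.
"""
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

Lookup = Callable[[str], Optional[str]]

# Assumed meaning of the low bits of the answer's last octet.  Real lists
# publish their own tables; this one exists only for the example.
BIT_NAMES: Dict[int, str] = {2: "spam-source", 4: "uri-list", 8: "phishing"}


def ip_dnsbl_name(ip: str, zone: str) -> str:
    """1.2.3.4 + zone -> 4.3.2.1.zone: octets reversed, as Dan describes."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")  # validates the input
    return ".".join(reversed(octets)) + "." + zone.rstrip(".")


def host_candidates(hostname: str, min_labels: int = 2) -> List[str]:
    """The hostname and its parents down to min_labels labels, most specific
    first: mail.example.com -> [mail.example.com, example.com].  Real URIBLs
    use public-suffix rules to find the registered domain; two labels is a
    simplification."""
    labels = hostname.rstrip(".").lower().split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - min_labels + 1)]


def decode_answer(answer: Optional[str]) -> Tuple[bool, List[str]]:
    """A listing answer lives in 127.0.0.0/8.  No answer (NXDOMAIN) or an
    address outside that range (a dead zone resold to a wildcard host, or a
    typo'd zone resolving to a real server) is treated as 'not listed'
    rather than as a hit."""
    if answer is None:
        return False, []
    addr = ipaddress.IPv4Address(answer)
    if addr not in ipaddress.IPv4Network("127.0.0.0/8"):
        return False, []
    last_octet = int(str(addr).split(".")[-1])
    return True, [name for bit, name in BIT_NAMES.items() if last_octet & bit]


def check_ip(ip: str, zone: str, lookup: Lookup) -> Tuple[bool, List[str]]:
    """RBL check: (listed?, sub-lists) for an IP address."""
    return decode_answer(lookup(ip_dnsbl_name(ip, zone)))


def check_host(hostname: str, zone: str, lookup: Lookup) -> Tuple[Optional[str], List[str]]:
    """SURBL-style check: first candidate name (host or parent) that the
    list knows, with its sub-lists; (None, []) when nothing is listed."""
    for cand in host_candidates(hostname):
        listed, bits = decode_answer(lookup(cand + "." + zone.rstrip(".")))
        if listed:
            return cand, bits
    return None, []


# Constructed stub standing in for a real resolver query (getaddrinfo,
# dnspython, ...).  Zone names follow the thread's placeholder style.
STUB_ANSWERS: Dict[str, str] = {
    "4.3.2.1.blacklist.wherever.org": "127.0.0.2",
    "example.com.uribl.wherever.org": "127.0.0.6",
    "9.8.7.6.blacklist.wherever.org": "198.51.100.1",  # bogus answer, must not count
}


def stub_lookup(name: str) -> Optional[str]:
    return STUB_ANSWERS.get(name)


if __name__ == "__main__":
    print(check_ip("1.2.3.4", "blacklist.wherever.org", stub_lookup))
    print(check_ip("6.7.8.9", "blacklist.wherever.org", stub_lookup))
    print(check_host("www.example.com", "uribl.wherever.org", stub_lookup))
```

Swap `stub_lookup` for a function that does a real A lookup against the caching nameserver to use this for scoring; the 127/8 check matters in practice because a list that goes away and gets its domain parked will otherwise start "listing" every query.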