Detecting the Registrar of the sending host? - SpamAssassin


Thread: Detecting the Registrar of the sending host?

  1. Re: Detecting the Registrar of the sending host?

    Marc Perkel wrote:
    >
    >
    > Matus UHLAR - fantomas wrote:
    >> On 03.07.08 13:22, Henrik K wrote:
    >>
    >>> If lesser registrar means that it's probably ham, why couldn't someone use
    >>> that to add some negative scores or use it as a part of whitelist
    >>> trustworthiness? Even if it's a handful of domains, it's useful. If you could
    >>> get the registrar data without expensive lookups..
    >>>

    >> what if spammers start registering domains using those registrars?
    >>

    > The registrars I'm talking about are extremely expensive and very
    > exclusive. Spammers couldn't afford it.
    >

    What if they just use the domains of those that do it? Or what if they
    compromise the accounts of those that use these exclusive registrars
    (like .edu)? I don't see any performance gain as it would have to be
    handled at MTA, which can suffer from spoofing.


  2. Re: Detecting the Registrar of the sending host?

    Marc Perkel wrote:
    >
    >
    > Michele Neylon wrote:
    >>
    >> On 2 Jul 2008, at 19:56, Marc Perkel wrote:
    >>>>
    >>>
    >>> Again - it's not to figure out where spam comes from. It's figuring
    >>> out where non-spam comes from. I think there are registrars out
    >>> there that don't have any spam domains registered.
    >>>

    >>
    >>
    >> What are you trying to prove?
    >>
    >> Your logic completely escapes me
    >>
    >> I also fail to see how the registrar is of much importance
    >>
    >> There are over 900 ICANN accredited registrars
    >>
    >> Of those about 200 odd are active
    >>
    >> Of the 200 a handful account for the bulk of all domains registered /
    >> managed
    >>
    >> Statistically this means you're going to see spam from domains
    >> registered with enom, godaddy, directi, tucows and a few others. It
    >> doesn't mean anything
    >>
    >> In fact it's totally meaningless
    >>

    >
    > It's interesting how the concept of white rules seems to be beyond
    > comprehension here. There is a registrar called markmonitor.com that
    > looks like a very high end and expensive registrar that only services
    > big companies like banks and such. So domains that are registered
    > through Markmonitor would not be spammers and would likely be all ham.
    > This isn't about spam detection - it's about ham detection.
    >
    >

    The question is, how do you reliably tell that the mail actually came
    from the company in question? It can be spoofed, or they can end up
    with compromised systems.


  3. Re: Detecting the Registrar of the sending host?

    Marc Perkel wrote:

    > Matus UHLAR - fantomas wrote:
    >
    > On 03.07.08 13:22, Henrik K wrote:
    >
    >
    > If lesser registrar means that it's probably ham, why couldn't someone use
    > that to add some negative scores or use it as a part of whitelist
    > trustworthiness? Even if it's a handful of domains, it's useful. If you could
    > get the registrar data without expensive lookups..
    >
    >
    > what if spammers start registering domains using those registrars?
    >
    >
    > The registrars I'm talking about are extremely expensive and very exclusive.
    > Spammers couldn't afford it.


    Big sloppy/lousy corporations can afford it.

    --
    [pl>en: Andrew] Andrzej Adam Filip : anfi@priv.onet.pl : anfi@xl.wp.pl
    Most people can't understand how others can blow their noses differently
    than they do.
    -- Turgenev


  4. Re: Detecting the Registrar of the sending host?



    Richard Frovarp wrote:
    > Marc Perkel wrote:
    >>
    >>
    >> Michele Neylon wrote:
    >>>
    >>> On 2 Jul 2008, at 19:56, Marc Perkel wrote:
    >>>>>
    >>>>
    >>>> Again - it's not to figure out where spam comes from. It's figuring
    >>>> out where non-spam comes from. I think there are registrars out
    >>>> there that don't have any spam domains registered.
    >>>>
    >>>
    >>>
    >>> What are you trying to prove?
    >>>
    >>> Your logic completely escapes me
    >>>
    >>> I also fail to see how the registrar is of much importance
    >>>
    >>> There are over 900 ICANN accredited registrars
    >>>
    >>> Of those about 200 odd are active
    >>>
    >>> Of the 200 a handful account for the bulk of all domains registered
    >>> / managed
    >>>
    >>> Statistically this means you're going to see spam from domains
    >>> registered with enom, godaddy, directi, tucows and a few others. It
    >>> doesn't mean anything
    >>>
    >>> In fact it's totally meaningless
    >>>

    >>
    >> It's interesting how the concept of white rules seems to be beyond
    >> comprehension here. There is a registrar called markmonitor.com that
    >> looks like a very high end and expensive registrar that only services
    >> big companies like banks and such. So domains that are registered
    >> through Markmonitor would not be spammers and would likely be all
    >> ham. This isn't about spam detection - it's about ham detection.
    >>
    >>

    > The question is, how do you reliably tell that the mail actually came
    > from the company in question? It can be spoofed, or they can end
    > up with compromised systems.
    >


    You can't spoof Forward Confirmed rDNS.
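
    The forward-confirmed rDNS check referred to above, as an added example that is not code from the thread or from SpamAssassin. The zone data is constructed and the resolver is injectable so the check runs offline; the default resolver uses the system `socket` module.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check for a connecting IP.

Added illustration; not code from the thread or from SpamAssassin.
A PTR record alone proves nothing (the IP's owner can publish any name);
only a forward lookup of that name returning the same IP confirms it.
"""
import socket
from typing import Callable, Dict, List, Optional

# Resolver callbacks: reverse(ip) -> PTR names, forward(name) -> A records.
ReverseFn = Callable[[str], List[str]]
ForwardFn = Callable[[str], List[str]]


def system_reverse(ip: str) -> List[str]:
    try:
        host, aliases, _ = socket.gethostbyaddr(ip)
    except (socket.herror, socket.gaierror):
        return []
    return [host] + aliases


def system_forward(name: str) -> List[str]:
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({ai[4][0] for ai in infos})


def fcrdns(ip: str, reverse: ReverseFn = system_reverse,
           forward: ForwardFn = system_forward) -> Optional[str]:
    """Return the first PTR name whose A records include `ip`, else None."""
    for name in reverse(ip):
        name = name.rstrip(".").lower()
        if ip in forward(name):
            return name
    return None


# Constructed zone data for offline use (hypothetical, not real records).
_PTR: Dict[str, List[str]] = {
    "192.0.2.10": ["mail.example.com"],   # genuine: forward agrees
    "192.0.2.20": ["mail.bank.example"],  # claimed name: forward disagrees
    "192.0.2.30": [],                     # no PTR published at all
}
_A: Dict[str, List[str]] = {
    "mail.example.com": ["192.0.2.10"],
    "mail.bank.example": ["198.51.100.5"],
}


def fake_reverse(ip: str) -> List[str]:
    return _PTR.get(ip, [])


def fake_forward(name: str) -> List[str]:
    return _A.get(name, [])
```

    Note that a confirmed name only ties the connecting host to a hostname; it says nothing about who registered that domain or whether the account behind it is compromised, which is the gap the earlier replies point out.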


  5. Re: Detecting the Registrar of the sending host?

    Marc Perkel wrote:
    >
    >
    > Yet Another Ninja wrote:
    >> On 7/2/2008 6:05 PM, Marc Perkel wrote:
    >>> Is there an easy way to detect the registrar of a domain through DNS?
    >>> For example - can I easily figure out if an email I'm processing is
    >>> hosted by GoDaddy or Tucows?
    >>>
    >>> Here's what I'm thinking. I think there's some expensive and highly
    >>> secure registrars out there who are the registrar of expensive
    >>> domains and probably have no spam domains at all. This could be used
    >>> to create white rules.
    >>>
    >>> Can this be done?

    >>
    >> you sure there are major registrars you can whitelist?
    >>
    >> http://rss.uribl.com/nic/
    >>
    >> Even EUrid is happily supporting pillz spammers on .eu
    >>
    >>

    >
    > Not major registrars, minor ones. There's one called markmonitor.com
    > that seems to have clients like banks and major corporations. My guess
    > is that this is an extremely expensive registrar where security means
    > everything and no one is going to accidentally mess with anything. The
    > idea here is that if the registrar is this expensive and restrictive
    > then only the good guys will be using them. At least that was what I
    > would test if there were a way to test it. Apparently there is not.
    >


    Not reliably & securely. Parsing whois data is messy, there's no
    standard format, clients are blocked frequently, and data can be quite
    stale (DNS server IPs are often old). The best you can do is a static
    list that is part of an SA rule to add a point or so if you are also
    happy with the DNS... if you really think it's worth it. DKIM does a
    better job with most of these domains anyway, imo.

    fwiw, markmonitor 'monitors' 'marks' - they are in the intellectual
    property protection business. Too bad ICANN wasn't using them.
    http://www.icann.org/en/announcement...03jul08-en.htm
    ooops!

    Ken

    --
    Ken Anderson
    Pacific.Net

