On Fri, 7 Nov 2008, FractalBob wrote:

> Thanks, Mouss, for the pointers, but I still don't understand where the
> addresses and phone numbers in 70_sare_evilnum come from. Can SpamAssassin
> be configured to scan a message, pick up a domain and then do a WHOIS
> search, or did someone go through a few e-mails by hand, query WHOIS using
> the domain names found and add the phone #/address info to 70_sare_evilnum?
> I kind of doubt the second possibility, but had to ask ;-)


Those rules have nothing to do with WHOIS or the domain registration data
of the sender. From the rules page:

70_sare_evilnum*.cf
Description: Addresses and phone numbers harvested from spam

Somebody went through a spam corpus and pulled out addresses and phone
numbers that were common. How often do you see a phone number or contact
address in a spam any more? That is information that can be used to
identify and prosecute the spammer. That's why they use hacked or
fast-flux DNS websites these days.

(Is anybody willing to do a hit analysis of the evilnum rules to see if
they indeed do have any value any more?)

A much better way to do that sort of thing now is to subscribe to the
SOUGHT ruleset, which is dynamically generated from recent spam traffic.

A SA plugin can certainly be written to perform WHOIS lookups on
information derived from a message - as an experiment I wrote one that
would look up the sending domain's registrar and compare it to a list of
registrars known to be spam-friendly. However, this is likely to be
considered abusive of the whois system and if put into production will
likely not work for long - the whois providers will likely block your
MTA's IP address fairly soon.

So in other words, SA WHOIS lookups = bad idea.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
...to announce there must be no criticism of the President or to
stand by the President right or wrong is not only unpatriotic and
servile, but is morally treasonous to the American public.
-- Theodore Roosevelt, 1918
-----------------------------------------------------------------------
4 days until Veterans Day
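
The hit analysis asked about in the message above, as an added example (not part of the original post and not SpamAssassin's own tooling): it parses `body` rules from .cf text and counts how many spam and ham messages each one hits. The rule names, phone number, address and both corpora are constructed for illustration; it assumes the patterns use regex syntax common to Perl and Python, and it only approximates SpamAssassin's body rendering by collapsing whitespace.

```python
import re

# Constructed rules in SpamAssassin "body NAME /regex/" syntax. The names and
# contact details are hypothetical, not taken from 70_sare_evilnum*.cf.
RULES_CF = r"""
# comment, blank and non-body lines are skipped
body   EX_EVILNUM_PHONE   /\b555[-. ]0142\b/
body   EX_EVILNUM_ADDR    /\b100 Example Plaza, Suite 9\b/i
score  EX_EVILNUM_PHONE   1.5
"""

# Constructed sample corpora (message bodies only).
SPAM = ["Call now 555-0142 for cheap meds",
        "Order today!\nWrite to 100 example plaza,\nSuite 9 or call 555 0142",
        "Visit our site for replica watches",
        "Refinance now, phone 555.0142"]
HAM = ["Lunch at noon? My extension is 555-0199",
       "Invoice attached; our office moved to 100 Example Plaza, Suite 9"]

RULE_RE = re.compile(r"^\s*body\s+(\S+)\s+/(.*)/([a-z]*)\s*$")

def parse_body_rules(cf_text):
    """Return {rule_name: compiled regex} for every 'body' line."""
    rules = {}
    for line in cf_text.splitlines():
        m = RULE_RE.match(line)
        if m:
            name, pattern, mods = m.groups()
            rules[name] = re.compile(pattern, re.I if "i" in mods else 0)
    return rules

def hit_analysis(rules, spam, ham):
    """Count per-rule hits; spam_share near 1.0 means hits are mostly spam."""
    norm = lambda body: " ".join(body.split())  # rejoin wrapped lines
    spam, ham = [norm(b) for b in spam], [norm(b) for b in ham]
    report = {}
    for name, rx in rules.items():
        s = sum(1 for b in spam if rx.search(b))
        h = sum(1 for b in ham if rx.search(b))
        s_pct = 100.0 * s / len(spam) if spam else 0.0
        h_pct = 100.0 * h / len(ham) if ham else 0.0
        share = s_pct / (s_pct + h_pct) if (s_pct + h_pct) else None
        report[name] = {"spam_hits": s, "ham_hits": h, "spam_pct": s_pct,
                        "ham_pct": h_pct, "spam_share": share}
    return report

if __name__ == "__main__":
    for name, row in hit_analysis(parse_body_rules(RULES_CF), SPAM, HAM).items():
        print(name, row)
```

A rule with few spam hits, or with a spam_share well below 1.0 like the address rule here, is the kind a hit analysis would flag as no longer earning its score.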