Dspam

Peter Peters P.G.M.Peters at utwente.nl
Wed Feb 25 14:03:08 GMT 2004


On Tue, 24 Feb 2004 14:28:22 -0800, you wrote:

>On Tue, 24 Feb 2004, Michele Neylon :: Blacknight Solutions wrote:
>> So you have three problems (in my rather simplistic view)
>> - 1 Source IP - almost impossible to forge, but could be anywhere in the world
>> - 2 Source address/domain/hostname - meaningless
>> - 3 URLs in the text/body of the email -
>> - 4 The *real* hostnames that 3 refers to
>> 1 - is easy enough to track/block
>> 2 - is meaningless
>> 3 - awkward. Reverse IP lookups on each one???? Sounds painful
>> 4 - unless you follow the URL in 3 you have no way of knowing what it is
>
>Just because it's not perfect doesn't mean it's useless.
>
>It's certainly better than a lot of the filtering techniques out there, and
>should be a lot more effective.
>
>Reverse lookups for #3? No. *forward* lookups. E.g.
>http://www.grblsndktqer.biz/ in the body of the spam resolves to an IP in
>china. So you block it.

A number of spammers swap their domains around (or round robin them)
over (free) webhosters. The referenced website only has a redirection
frame in it. And sometimes the redirection is only activated when you
get referred from the same URL.

--
Peter Peters, senior network administrator
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente,  Postbus 217,  7500 AE  Enschede
telephone: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ
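
The forward-lookup check discussed in this thread, and the redirector case that slips past it, as an added example that is not part of the original message. The hostnames, address ranges and the `sample_resolve` stand-in for DNS are constructed assumptions so the code runs offline.

```python
import ipaddress
import re
import socket
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def body_hosts(body):
    """Return the unique hostnames of http(s) URLs in a message body, in order."""
    hosts = []
    for url in URL_RE.findall(body):
        host = urlsplit(url).hostname
        if host and host not in hosts:
            hosts.append(host)
    return hosts

def dns_resolve(host):
    """Live forward lookup (A/AAAA); returns [] when the name does not resolve."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})
    except socket.gaierror:
        return []

def check_body(body, blocked_nets, resolve=dns_resolve):
    """Map each URL host to the blocked networks its addresses fall in."""
    nets = [ipaddress.ip_network(n) for n in blocked_nets]
    hits = {}
    for host in body_hosts(body):
        addrs = [ipaddress.ip_address(a) for a in resolve(host)]
        hits[host] = [str(n) for n in nets if any(a in n for a in addrs)]
    return hits

# Constructed sample data: documentation address ranges, made-up hostnames.
SAMPLE_DNS = {
    "www.spamvertised.example": ["203.0.113.25"],  # resolves into a blocked net
    "members.freehost.example": ["198.51.100.7"],  # free webhoster, redirect frame
}
SAMPLE_BLOCKED = ["203.0.113.0/24"]
SAMPLE_BODY = """Buy now: http://www.spamvertised.example/offer
Or visit http://members.freehost.example/~u123/index.html today."""

def sample_resolve(host):
    """Offline stand-in for DNS using the constructed table above."""
    return SAMPLE_DNS.get(host, [])

if __name__ == "__main__":
    for host, nets in check_body(SAMPLE_BODY, SAMPLE_BLOCKED, sample_resolve).items():
        print(host, "BLOCK" if nets else "pass", nets)
```

The second URL passes because the lookup only sees the webhoster's address; the page behind the redirection frame is never resolved.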


