P.G.M.Peters at utwente.nl
Wed Feb 25 14:03:08 GMT 2004
On Tue, 24 Feb 2004 14:28:22 -0800, you wrote:
>On Tue, 24 Feb 2004, Michele Neylon :: Blacknight Solutions wrote:
>> So you have three problems (in my rather simplistic view)
>> - 1 Source IP - almost impossible to forge, but could be anywhere in the world
>> - 2 Source address/domain/hostname - meaningless
>> - 3 URLs in the text/body of the email -
>> - 4 The *real* hostnames that 3 refers to
>> 1 - is easy enough to track/block
>> 2 - is meaningless
>> 3 - awkward. Reverse IP lookups on each one???? Sounds painful
>> 4 - unless you follow the URL in 3 you have no way of knowing what it is
>Just because it's not perfect doesn't mean it's useless.
>It's certainly better than a lot of the filtering techniques out there, and
>should be a lot more effective.
>Reverse lookups for #3? No. *forward* lookups. E.g.
>http://www.grblsndktqer.biz/ in the body of the spam resolves to an IP in
>China. So you block it.
A number of spammers swap their domains around (or round robin them)
over (free) webhosters. The referenced website only has a redirection
frame in it. And sometimes the redirection is only activated when you
get referred from the same URL.
Peter Peters, senior network administrator
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telephone: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ
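The forward-lookup check discussed in this thread, as an added example that is not part of the original messages or of MailScanner: it extracts URL hosts from a message body, resolves each one forward, and reports hosts with any address inside a blocked network. The function names, the blocked range and the sample DNS answers are constructed assumptions; the second sample host shows the redirect-frame case, which this check does not catch.

```python
import ipaddress
import re
import socket
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def body_hosts(body):
    """Return the distinct hostnames of http(s) URLs found in a message body."""
    hosts = []
    for url in URL_RE.findall(body):
        host = urlsplit(url).hostname
        if host and host not in hosts:
            hosts.append(host)
    return hosts

def system_resolver(host):
    """Forward lookup via the system resolver; returns every address found."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def check_body(body, blocked_nets, resolve=system_resolver):
    """Map each URL host to the blocked networks any of its addresses fall in."""
    nets = [ipaddress.ip_network(n) for n in blocked_nets]
    hits = {}
    for host in body_hosts(body):
        matched = set()
        # A round-robin name returns several addresses; test all of them.
        for addr in resolve(host):
            ip = ipaddress.ip_address(addr)
            matched.update(str(n) for n in nets
                           if ip.version == n.version and ip in n)
        if matched:
            hits[host] = sorted(matched)
    return hits

# Constructed sample data (documentation address ranges, not real lookups).
SAMPLE_BODY = ("Buy now http://www.grblsndktqer.biz/ or "
               "http://freehost.example/~u/frame.html")
SAMPLE_DNS = {
    "www.grblsndktqer.biz": ["203.0.113.7", "198.51.100.9"],  # round-robin
    "freehost.example": ["192.0.2.10"],  # webhoster page with a redirect frame
}

def sample_resolver(host):
    return SAMPLE_DNS.get(host, [])
```
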