Post on Slashdot
mkettler at evi-inc.com
Fri Sep 5 18:12:11 IST 2008
Matt Hayes wrote:
> Alex Neuman van der Hans wrote:
>> I saw this post on Slashdot and wanted to share - see if you have any
>> insights, suggestions, etc.
>> Use the information against the spammers? (Score:4, Interesting)
>> by Seriph (466197) on Friday September 05, @08:49AM (#24886827)
>> I've been doing some digging into this over the last few months and
>> noticed an awful lot of spamvertized sites seem to have their domains
>> registered with such privacy protecting registrars.
>> I've been thinking about how to use the fact that a domain is registered
>> with such a registrar as part of a spam scoring metric and whether
>> anyone else has already done work on this? Just on the mail passing
>> through my systems, I'm seeing a very strong correlation between a mail
>> being spam and it referring to a domain registered with such a
>> registrar, with the domain nameservers being on dynamic IP space, and
>> with the DNS for the spam domain having a very low TTL value set.
>> It's also interesting to track back the nameservers for any domains
>> referred to in the NS records of the spam domain. By doing so I can find
>> fairly large networks of interrelated spam domains and spam websites,
>> the addresses of many of which already appear on the likes of the
>> Spamcop and Spamhaus SBL/XBL lists or appear there shortly afterwards.
>> The point is, is it practical to use this sort of information against
>> spammers and is anyone already doing it?
> To me, private registration is a fine thing. I do it with my domains.
> If people start scoring spam because of a private registration, I would
> say a lot of false positives are going to happen. The private
> registration just means that the contact info posted is a "proxy" to the
> real person. All in all, you can still get a hold of the right people,
> just takes a little bit longer.
True, but as I read it that's not the point here. The point is not that "private
registration = spam".
It's "private registration + dynamic IP + low DNS TTLS = spam", and they're also
talking about URI's in the message, not the sending domain.
Quite frankly, you can probably just drop the private registration part. An
email with a URI pointing to a domain with low DNS TTLs is very likely to be
spam, no matter how the domain is registered.
Quite frankly, I suspect uribl.com already uses the described metric for
preemptively blacklisting domains (yes, they *do* have automated systems that
troll around for candidate domains that have not yet spammed, although they are
reluctant to describe what metrics they use.), so if you've got URIBL_BLACK (a
default rule) you're probably already using this technique without realizing it.
More information about the MailScanner