Post on Slashdot

Matt Kettler mkettler at
Fri Sep 5 18:12:11 IST 2008

Matt Hayes wrote:
> Alex Neuman van der Hans wrote:
>> I saw this post on Slashdot and wanted to share - see if you have any
>> insights, suggestions, etc.
>> ----
>> Use the information against the spammers? (Score:4, Interesting)
>> by Seriph (466197) on Friday September 05, @08:49AM (#24886827)
>> I've been doing some digging into this over the last few months and
>> noticed an awful lot of spamvertized sites seem to have their domains
>> registered with such privacy protecting registrars.
>> I've been thinking about how to use the fact that a domain is registered
>> with such a registrar as part of a spam scoring metric and whether
>> anyone else has already done work on this? Just on the mail passing
>> through my systems, I'm seeing a very strong correlation between a mail
>> being spam and it referring to a domain registered with such a
>> registrar, with the domain nameservers being on dynamic IP space, and
>> with the DNS for the spam domain having a very low TTL value set.
>> It's also interesting to track back the nameservers for any domains
>> referred to in the NS records of the spam domain. By doing so I can find
>> fairly large networks of interrelated spam domains and spam websites,
>> the addresses of many of which already appear on the likes of the
>> Spamcop and Spamhaus SBL/XBL lists or appear there shortly afterwards.
>> The point is, is it practical to use this sort of information against
>> spammers and is anyone already doing it?
>> -----
> To me, private registration is a fine thing.  I do it with my domains.
> If people start scoring spam because of a private registration, I would
> say a lot of false positives are going to happen.  The private
> registration just means that the contact info posted is a "proxy" to the
> real person.  All in all, you can still get a hold of the right people,
> just takes a little bit longer.

True, but as I read it that's not the point here. The point is not that "private 
registration = spam".

It's "private registration + dynamic IP + low DNS TTLS = spam", and they're also 
talking about URI's in the message, not the sending domain.

Quite frankly, you can probably just drop the private registration part. An 
email with a URI pointing to a domain with low DNS TTLs is very likely to be 
spam, no matter how the domain is registered.

Quite frankly, I suspect already uses the described metric for 
preemptively blacklisting domains (yes, they *do* have automated systems that 
troll around for candidate domains that have not yet spammed, although they are 
reluctant to describe what metrics they use.), so if you've got URIBL_BLACK (a 
default rule) you're probably already using this technique without realizing it.

More information about the MailScanner mailing list