On 10/10/2013 2:17 PM, John Levine wrote:
>> I suspect either it's just a mistake, or stuff that actually used that
>> domain in a URL (as opposed to just a random string in a message) has
>> been really spammy.
> 
> I asked.  There really is a domain master.cf, and it really is used
> in URLs in a lot of spam.

I established this earlier.  Your generous use of scissors in your reply
to that message suggests you didn't read it.  Here it is again.

On 10/10/2013 5:06 AM, Stan Hoeppner wrote:...
> ~$ whois master.cf
> This TLD has no whois server.
>
> http://en.wikipedia.org/wiki/.cf
> Central African Republic
>
> ~$ host master.cf
> master.cf has address 62.116.181.25
> master.cf mail is handled by 0 FALLBACKMX.SPAMEXPERTS.EU.
> master.cf mail is handled by 0 LASTMX.SPAMEXPERTS.NET.
> master.cf mail is handled by 0 MX.SPAMEXPERTS.COM.

This ccTLD is a central African country with almost non-existent
internet infrastructure.  The TLD has no whois server for Pete's sake.
The domain in question, master.cf, is tied to hosts in German IPv4
space.  Clearly the domain was registered for the purpose of sending
spam or other criminal activity.  It is also abundantly clear that this
spammer was banking on Postfix' "master.cf" receiving good will in
content filters, etc, which was the whole point of registering this
domain.  He was obviously wrong.

Due to this overwhelming evidence I didn't find it necessary to bother
any of my Spamhaus contacts for "confirmation".

> Solution: don't look up strings in the DBL that aren't host names in
> URLs.

No, the solution is to not apply a larger than default score to dbl hits
in SA.  The OP in this case clearly stated he had:

"Unfortunately I always found the DBL check quite reliable and I
increased its weight over the default..."


You're starting to slip in your "old age" John. ;)  Focus on writing
RFCs, your mayoral duties, etc, and leave the trenches to the rest of
us. ;)  (tongue obviously buried heavily in cheek)


-- 
Stan
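
The "don't look up strings in the DBL that aren't host names in URLs" suggestion quoted above, as an added example that is not part of the original thread and not SpamAssassin's own code: it builds DBL query names only for hosts in explicit http/https URLs, so a bare mention of master.cf in prose produces no lookup. The helper names and sample messages are constructed for illustration; `dbl.spamhaus.org` is the DBL query zone, and no DNS query is actually sent.

```python
import ipaddress
import re
from urllib.parse import urlsplit

DBL_ZONE = "dbl.spamhaus.org"  # Spamhaus DBL query zone

# Only tokens carrying an explicit http/https scheme are treated as URLs.
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)

def url_hosts(body):
    """Return de-duplicated, lower-cased host names from explicit URLs."""
    hosts = []
    for match in URL_RE.finditer(body):
        url = match.group(0).rstrip(".,;:!?")  # drop sentence punctuation
        try:
            host = urlsplit(url).hostname
        except ValueError:  # malformed authority, e.g. unbalanced brackets
            continue
        if not host:
            continue
        host = host.rstrip(".")
        try:
            ipaddress.ip_address(host)
            continue  # the DBL lists domains, not IP addresses
        except ValueError:
            pass
        if "." in host and host not in hosts:
            hosts.append(host)
    return hosts

def dbl_queries(body):
    """Build the DNS names to query for every URL host found in body."""
    return [f"{host}.{DBL_ZONE}" for host in url_hosts(body)]

# Constructed sample messages.
HAM = ("After you edit master.cf, run 'postfix reload'. "
       "See http://www.postfix.org/master.5.html for the format.")
SPAM = "Cheap pills at HTTP://Master.CF/offer and http://62.116.181.25/x"

if __name__ == "__main__":
    print(dbl_queries(HAM))
    print(dbl_queries(SPAM))
```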
