Good day, all,

Chris and I - both enthusiastic spamassassin users! - had been talking about some dns characteristics that might be worth considering in future spamassassin versions.

1) If the domain has been recently registered, say, in the last two months, give the message a small plus score for spam. This can be quickly pulled from a whois lookup.

2) If the domain was registered for 1 year or less, give the spam a small plus score. This also comes from a whois lookup.

Our logic for the above is that spammers frequently sign up for domains that they expect to discard after a relatively short time (2-4 months). There's no point in paying the registrar for extra time on a throwaway domain, while legitimate domain customers will generally want to take advantage of both multi-year discounts and the fact that they have to spend less time re-registering. The final check for spamassassin might very well be a check for both 1) and 2) instead of separate checks.

3) If all of the nameservers for that domain refuse to answer SOA requests for that domain, or return that they are _not_ authoritative for that domain, give the spam a small plus score. This can be pulled by making a dns query for the SOA record for the domain (which should always exist), and checking the authoritative flag on the response.

As a general rule (but certainly not a universal one), someone signing up for a domain will provide two or more name servers that are authoritative for that domain. Chris and I are looking into this, but we have reason to believe that this may be less likely for throwaway spam domains. This third one should not be too expensive as some MTAs will be querying the name servers for either MX or A records for the domain anyways (as some MTAs will refuse to accept incoming mail from a domain that would not itself accept return mail).

I've obviously not included scores for these as the scoring process just before a major release can come up with better scores than I could. I tend to suspect that these would all be in the less than +1.0 range, contributing to a spam score but not being large enough to push over 5.0 by themselves, of course.

Comments, concerns, revisions, ideas, margaritas? *smile*

Cheers,
- Bill

---------------------------------------------------------------------------
I called up the Bureau of Alcohol, Tobacco, and Firearms regional office and asked, "What wine goes best with an M-16?" The guy who answered did his best to be helpful: "That depends. What are you smoking?"
(Courtesy of Andrej Todosic <[EMAIL PROTECTED]>)
--------------------------------------------------------------------------
William Stearns ([EMAIL PROTECTED]).
Mason, Buildkernel, freedups, p0f, rsync-backup, ssh-keyinstall, dns-check, more at: http://www.stearns.org
Linux articles at: http://www.opensourcedigest.com
--------------------------------------------------------------------------
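
The third check described in the message above, sketched as an added example that is not part of the original post and is not SpamAssassin code: it builds a non-recursive SOA query, reads the AA bit and RCODE from each nameserver's reply header, and fires only when no listed nameserver answers authoritatively. All function names, the transaction id, and the sample replies (header-only, keyed by documentation-range IPs) are constructed for illustration.

```python
import socket
import struct

SOA, IN = 6, 1            # RR type SOA, class IN
QR, AA = 0x8000, 0x0400   # header flag bits: response, authoritative answer

def build_soa_query(domain, txid):
    """Wire-format SOA question with RD clear, so the server answers only for its own zones."""
    labels = domain.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + qname + struct.pack("!HH", SOA, IN)

def is_authoritative(reply, txid):
    """True only for a matching NOERROR response that has the AA bit set."""
    if reply is None or len(reply) < 12:
        return False                       # timeout or truncated packet
    rid, flags = struct.unpack("!HH", reply[:4])
    return rid == txid and bool(flags & QR) and bool(flags & AA) and (flags & 0xF) == 0

def ask(ns_ip, domain, txid=0x5341, timeout=3.0):
    """Send the SOA query to one nameserver over UDP; None means no usable reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_soa_query(domain, txid), (ns_ip, 53))
            return s.recvfrom(512)[0]
        except OSError:                    # covers timeouts and unreachable hosts
            return None

def no_authoritative_ns(replies, txid=0x5341):
    """Check 3 from the message: fires only when every listed nameserver fails."""
    return not any(is_authoritative(r, txid) for r in replies.values())

def sample_reply(flags, txid=0x5341):
    """Constructed reply header (one question, no records) for offline testing."""
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)

# Constructed sample data: what ask() might return for each listed nameserver.
THROWAWAY = {"192.0.2.1": sample_reply(0x8005),   # RCODE 5, REFUSED
             "192.0.2.2": sample_reply(0x8080),   # NOERROR but AA clear
             "192.0.2.3": None}                   # timed out
NORMAL = {"198.51.100.1": sample_reply(0x8400),   # NOERROR with AA set
          "198.51.100.2": None}                   # one server down is not a hit
```

In live use the `replies` dict would be filled by calling `ask()` once per nameserver address taken from the domain's delegation.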