[Repost from an earlier posting to spamassassin-devel, where it hasn't shown up after 7 hours or so. Excuse my ignorance, but is that list moderated? http://lists.sourceforge.net/lists/listinfo/spamassassin-devel doesn't hint at this.]

Hello,
I wish to propose the following new method to be implemented in future versions of SA, but I unfortunately lack familiarity with the code base, so I am unlikely to do the programming :) I've had this concept in my head for a couple of months, but have not seen anyone else uttering it.

1) Virtually all spam contains either a URL or an email address, or both, as a means of contacting the spammers. These are easily available with the current code for URL/URI rules.

2) Hostnames in URLs and email addresses tend to resolve to valid IP numbers, and have name service from DNS servers at known and valid IP addresses, in order to be functional.

3) People are attempting to use SA for assigning scores based on the appearance of arbitrary IP numbers (in headers) and domain names, as witnessed by http://www.stearns.org/sa-blacklist/sa-blacklist.current and http://www.merchantsoverseas.com/wwwroot/gorilla/evilrules.cf. This does not scale: maintaining these rulesets by hand and distributing them to a larger audience is exceedingly hard and completely impractical.

4) IP numbers are relatively easily mapped to geographical regions (by RIR: ARIN, LACNIC, RIPE, APNIC, JPNIC). This is a backup classification criterion in addition to 5).

5) IP numbers are listed in great quantities in DNSBLs, with listing criteria as diverse as country/region, open relay/proxy, spam source, or spam support services such as spamvertised web page or DNS hosting. Operation of DNSBLs is a well-established 'science': it scales, it is manageable, and there is plenty of choice.

6) 'Roaming' websites have appeared that are hosted via reverse proxies on thousands of compromised, trojaned and unfirewalled (Windows) machines, for both port 80/tcp (HTTP) traffic and 53/udp DNS traffic, with the delegated nameservers changing the records for these sites every few minutes and keeping extremely short TTLs (less than 10 min.).
I propose the inclusion of code and rulesets to achieve the following three goals, with a fourth one being designated a 'far future' goal:

a) Based on the concept of the current DNSBL lookups for IP numbers in mail headers: extend that concept to every hostname contained in URLs or email address FQDNs found in the message body or any header line. Subject:, From: and Return-Path: come to mind, primarily.

b) Based on the concept of a), look up all nameserver records (IP numbers) for said host/domain names (based on statement #2 above) in DNSBLs as well, and permit rulesets to assign scores. A rule computing a score based on the NUMBER of such NS records (in case some crafty spammer tries to DoS this concept by listing 200+ DNS servers for his domains), and a limit on the number of DNSBL lookups so done to a reasonable number, are required.

c) Look up the zone SOA values of a given website's domain name records, and assign a score based on arbitrary ranges of these values: refresh, retry, expiry, minimum time.

d) Future concept: follow the spamvertised URL and determine whether the page gets redirected to some target page and server that can again be treated with goal b).

Desired result:
- We can now assign arbitrary scores for spamvertised websites and their DNS servers that have their IP addresses appear in any DNSBL, or that have suspiciously 'mobile' DNS configurations.

Example:
- Just ONE rule assigning a substantial score for every hostname resolving to an IP number listed in the cn-kr.blackholes.us DNSBL would be enough to reliably cut off whatever air supply Alan Ralsky thinks he currently has: web *AND* DNS hosting in China, and criminal spamvertising by means of breaking and entering through hundreds of thousands of open proxies. Take a very deep breath before going under, Alan, I say.

Thanks, bye,
Kai
-- 
"Just say No" to Spam
Kai Schlichting, New York, Palo Alto, You name it
Sophisticated Technical Peon
Kai's SpamShield <tm> is FREE!
http://www.SpamShield.org
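Goals a), b) and c) above, as an added Python sketch (not SpamAssassin's own Perl code): it pulls hostnames out of a message, checks each host's A records and its nameservers' addresses against a DNSBL by building the reversed-octet query name, caps the number of nameserver lookups, and flags short SOA timers. The DNS data, the DNSBL contents, the sample message and the score weights are constructed assumptions, not real lists or real zones.

```python
import re
# Constructed, offline stand-in for DNS (hostname -> records); a real rule
# would issue A/NS/SOA queries. Every host and address here is an assumption.
FAKE_DNS = {
    "cheap-pills.example": {"A": ["203.0.113.10"],
        "NS": ["ns1.fastflux.example", "ns2.fastflux.example"],
        "SOA": {"refresh": 300, "retry": 120, "expire": 3600, "minimum": 60}},
    "ns1.fastflux.example": {"A": ["198.51.100.7"]},
    "ns2.fastflux.example": {"A": ["198.51.100.8"]},
    "example.org": {"A": ["192.0.2.1"], "NS": ["ns.example.org"],
        "SOA": {"refresh": 86400, "retry": 7200, "expire": 604800, "minimum": 3600}},
    "ns.example.org": {"A": ["192.0.2.53"]},
}
# Constructed DNSBL zone: a listed IP exists as a reversed-octet name under it.
DNSBL_ZONE = "bl.example"
FAKE_DNSBL = {"10.113.0.203.bl.example", "8.100.51.198.bl.example"}
MAX_NS_LOOKUPS = 5   # bound on nameserver lookups per host (goal b)
SHORT_TIMER = 600    # SOA refresh/minimum below this counts as 'mobile' (goal c)
HOST_RE = re.compile(r"(?:https?://|@)([a-z0-9.-]+\.[a-z]{2,})", re.I)

def extract_hosts(text):
    """Goal a: hostnames from URLs and e-mail addresses in body or headers."""
    return sorted({h.lower() for h in HOST_RE.findall(text)})

def in_dnsbl(ip, dnsbl=FAKE_DNSBL):
    """A DNSBL query is an A lookup of the reversed IP under the list zone."""
    return (".".join(reversed(ip.split("."))) + "." + DNSBL_ZONE) in dnsbl

def score_host(host, dns=FAKE_DNS, dnsbl=FAKE_DNSBL):
    """Return (score, reasons) for one hostname taken from a message."""
    score, reasons, rec = 0.0, [], dns.get(host, {})
    for ip in rec.get("A", []):                       # goal a: the host itself
        if in_dnsbl(ip, dnsbl):
            score += 3.0; reasons.append(f"A {ip} listed")
    ns_names = rec.get("NS", [])                      # goal b: its nameservers
    if len(ns_names) > MAX_NS_LOOKUPS:                # a pile of NS is itself a signal
        score += 1.0; reasons.append(f"{len(ns_names)} NS records")
    for ns in ns_names[:MAX_NS_LOOKUPS]:              # never more lookups than the cap
        for ip in dns.get(ns, {}).get("A", []):
            if in_dnsbl(ip, dnsbl):
                score += 2.0; reasons.append(f"NS {ns} ({ip}) listed")
    soa = rec.get("SOA")                              # goal c: SOA timers
    if soa and min(soa["refresh"], soa["minimum"]) < SHORT_TIMER:
        score += 1.5; reasons.append("short SOA refresh/minimum")
    return score, reasons

def score_message(text):
    """Per-host results for every hostname the message carries."""
    return {h: score_host(h) for h in extract_hosts(text)}
SAMPLE = "From: sales@cheap-pills.example\n\nOrder at http://cheap-pills.example/buy or see http://example.org/policy"  # constructed
```

Running `score_message(SAMPLE)` scores the spamvertised host on all three signals and leaves the innocent host at zero; the nameserver cap means a domain listing hundreds of NS records costs at most MAX_NS_LOOKUPS DNSBL queries.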