On Thu, 9 Sep 2004, Raymond Dijkxhoorn wrote:

Hi!

1) Spammers can set up multiple ip addresses to an A record. Whatever does the reporting should check all A records, from the top down. i.e. query each NS multiple times to make sure it's not being round-robined or reported differently from multiple DNS servers.

2) I can easily foresee spammers doing a wildcard subdomain as an effort to thwart this, if we're doing nslookups.

3) It's a common case that spammers use disposable landing sites, such as the forwarding services offered by tinyurl, zoneedit, and the like, or will put an HTTP redirect on a hotmail or geocities page. Should those be exempt from this, since they have a fair number of legitimate domains as well?

Did you actually have a look at the data provided at the start of this thread? Sure, it COULD be different, but somehow, it isn't.

Yes, I did. But I'm trying to think ahead of current practice, by what's considered a GOOD practice to keep a site up, and what's bad. I'm not saying they're all doing it now, but I've *seen* them have another server ready to go when I yank ether (invariably, they migrate the ip by hand, to prevent everything being yanked at once).


-Dan


That's why we posted the data in the first place, a lot of spam is boosted inside via the exact same way. We can ignore that, and say they will migitate, but if we never react they will never migitate either.


Bye,
Raymond.


--

"Man, this is such a trip"

-Dan Mahoney, October 25, 1997

--------Dan Mahoney--------
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---------------------------
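
Added example, not part of the original message: a sketch of the checks raised in points 1 and 2, asking every nameserver several times to collect the full set of A records and probing a random label to detect a wildcard subdomain. The `query` callable, the nameserver and domain names, and the zone data are constructed assumptions standing in for a live DNS lookup.

```python
import itertools
import secrets

def collect_a_records(name, nameservers, query, rounds=3):
    """Ask every nameserver `rounds` times; return (union of IPs, servers_disagree)."""
    per_ns = {}
    for ns in nameservers:
        seen = set()
        for _ in range(rounds):  # repeat so rotated answers are all observed
            seen.update(query(ns, name))
        per_ns[ns] = frozenset(seen)
    all_ips = set().union(*per_ns.values())
    return all_ips, len(set(per_ns.values())) > 1

def has_wildcard(domain, nameservers, query):
    """A random, unregistered label should not resolve unless a wildcard exists."""
    probe = f"{secrets.token_hex(8)}.{domain}"
    return any(query(ns, probe) for ns in nameservers)

def make_constructed_query():
    """Constructed zone data in place of live DNS (hypothetical names, documentation IPs)."""
    rotating = {
        ("ns1.example.net", "www.spam.example"):
            itertools.cycle([["192.0.2.10"], ["192.0.2.11"]]),  # one address per answer
        ("ns2.example.net", "www.spam.example"):
            itertools.cycle([["198.51.100.7"]]),  # this server reports differently
    }
    wildcards = {"wild.example": ["203.0.113.5"]}
    def query(ns, name):
        if (ns, name) in rotating:
            return next(rotating[(ns, name)])
        for zone, ips in wildcards.items():
            if name.endswith("." + zone):
                return list(ips)
        return []
    return query

NAMESERVERS = ["ns1.example.net", "ns2.example.net"]

if __name__ == "__main__":
    q = make_constructed_query()
    print(collect_a_records("www.spam.example", NAMESERVERS, q))
    print(has_wildcard("wild.example", NAMESERVERS, q))
```

With `rounds=1` the rotated address on the first server is missed, which is the gap point 1 describes.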