Richard Gray wrote:
> Please just throw fish at me if this has already been proposed, but I
> was thinking today about what aspects of spamming a spammer finds hard
> to change.
>
> Changing names and IP addresses is easy, but I imagine that finding a
> DNS server that will be authoritative for them is a tougher challenge.
>
> So, if one was to develop a list of the name servers that are
> authoritative for spam domains, then when a spammer changes but keeps
> the same name server, we will know and squash them!
>
> I'm imagining this in a setup that is engineered around trust (unknown
> sender, untrusted NS = mid level sensitivity; unknown sender, bad NS =
> high sensitivity).
>
> I imagine the checks could be done using perl's DNS lookup module?
>
> R
>
> ...
Richard,

You are quite correct; normally spammers have two orders of magnitude more "spam" domains than DNS domains. Going after the DNS servers is a primary (counter-)attack method.

Also, the failure of the URI rules to use the RHS lists against name servers (Bugzilla #4106) makes SA less useful than it could be for the URI rules and for identifying name servers as "evil". This has been proposed in private to SURBL (i.e. mining their existing datasets to produce a RHS BL specific to name servers). Also, note that the group at completewhois has mention of developing such a project on their web page.

Whenever a spammer needs to change a DNS server (by name), he must contact the registrar and in doing so risks exposing fraudulent contact or registrant data. For an example of someone caught with their "pants down", look at the domain 876JHT.BIZ (suspended, but valid - though they lost the contract with CaveCreek/cwie and do not function); for an example of a "spam" domain it served (still valid otherwise - NetworkSolutions *refuses* to consider name server issues as registration problems - they claim they are *all* DOSs), look at some of the domains DRITANOMIL.COM, EMORAC.COM or KEANIX.COM (I have about another 20 that weren't shut down by NetworkSolutions - other registrars closed more than 1200 other domains - all pointed to a single site; you can find many of them by "google"'ng on "800-893-4511"). This spammer changed DNS servers twice before I timed it correctly to get him locked out *just* after a change to 876JHT.BIZ.

Paul Shupak
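As an added illustration of the check Richard proposes and the RHS-style name-server list Paul describes (example code written for this page, not code from either poster or from SpamAssassin), the following Python scores a domain by the reputation of its authoritative name servers. The NS lookup is a constructed stub so the example runs offline; the block lists, the sample NS data and the "known sender always low" rule are assumptions, and a live resolver (dig, Net::DNS, dnspython) can be passed in as the `lookup` callable.

```python
"""Classify a sender/URI domain by the reputation of its name servers."""
from typing import Callable, Dict, List, Set

# Constructed RHS lists: an entry matches an NS hostname or any parent zone
# of it, so one entry covers every server and domain hosted under that zone.
BAD_NS: Set[str] = {"ns1.bad-example.test", "spamhost.test"}
UNTRUSTED_NS: Set[str] = {"cheapdns.test"}

# Constructed stand-in for a live NS query (domain -> authoritative NS hosts).
FAKE_NS: Dict[str, List[str]] = {
    "shop.example.test": ["ns1.bad-example.test", "ns2.bad-example.test"],
    "newsletter.test": ["a.cheapdns.test", "b.cheapdns.test"],
    "bank.test": ["ns1.bank.test", "ns2.bank.test"],
}


def stub_lookup(domain: str) -> List[str]:
    """Offline replacement for an authoritative NS lookup."""
    return FAKE_NS.get(domain.lower().rstrip("."), [])


def rhs_match(host: str, listed: Set[str]) -> bool:
    """RHS-style match: the host itself or any parent zone (but never the
    bare TLD) appears in the list."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in listed for i in range(len(labels) - 1))


def ns_sensitivity(domain: str, sender_known: bool,
                   lookup: Callable[[str], List[str]] = stub_lookup) -> str:
    """Return 'high', 'mid' or 'low' following the trust matrix in the thread:
    unknown sender + bad NS -> high, unknown sender + untrusted NS -> mid.
    Assumption (not from the thread): a known sender is never escalated."""
    if sender_known:
        return "low"
    nameservers = lookup(domain)
    if any(rhs_match(ns, BAD_NS) for ns in nameservers):
        return "high"
    if any(rhs_match(ns, UNTRUSTED_NS) for ns in nameservers):
        return "mid"
    return "low"


if __name__ == "__main__":
    for dom in FAKE_NS:
        print(dom, "->", ns_sensitivity(dom, sender_known=False))
```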