> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Theo Van Dinter writes:
>> On Mon, May 23, 2005 at 06:45:12PM -0500, [EMAIL PROTECTED] wrote:
>> > Here's the algorithm:
>> >
>> > 1 Decode any URL-encoding in the message
>> > 2 Un-MIME the message
>>
>> Wrong order?
>>
>> > 3 Scan all parts of the message for URLs and email addresses (this can be
>> >   links, IMG tags, mailto:'s, or even just something that looks like a web
>> >   address or email address). Do NOT scan the headers.
>>
>> get_uri_list().
>>
>> > 4 For each address, resolve the hostname to an IP and then look up that IP
>> >   in your favorite DNS RBL - I use "sbl-xbl.spamhaus.org" as it caches the
>> >   most, but you can also add bl.spamcop.net and relays.ordb.net
>>
>> SURBL?
>
> A bit more like URIBL_SBL, although in URIBL_SBL, we use the NS of the
> domains (because they're harder to switch to new servers in the spammer
> shell-game style).
>
> We did actually have an "A of domain name" test during 3.0.0 development,
> I think, but dropped it for various reasons:
>
> - if a spammer were to use a hostname like
>   "jm_at_jmason_dot_org.spamdomain.com", they get a free backchannel to
>   verify that I was (a) using SpamAssassin to filter my mail, and (b)
>   that that address is valid. So blindly resolving the full hostname was
>   judged as unsafe. However, replacing hostname portions with another
>   token is not useful: assuming that "jm_at_jmason_dot_org.spamdomain.com"
>   will have the same A as "spamdomain.com" or "www.spamdomain.com" is
>   naive and easily evaded.
>
> - more importantly, the results weren't very good. ;) Not as good as
>   URIBL_SBL and the SURBL rules, at least. iirc, the hits mapped very
>   closely to URIBL_SBL, esp since Spamhaus explicitly list nameservers of
>   spammed domains.
>
> The details should be on bugzilla somewhere.
> Thanks anyway though!
>
> --j.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.5 (GNU/Linux)
> Comment: Exmh CVS
>
> iD8DBQFCkm5RMJF5cimLx9ARAgdbAJ9ji51PEG0MDlZc3XkG04JepiP6tQCdHhq6
> xzicut+LZT7YmjyaZmQmCdg=
> =U4oZ
> -----END PGP SIGNATURE-----
A similar idea, without the "back-channel" flaw, is to test the domain for
either 'CNAME' or 'A' record 'wildcards' (as in the commands
"dig '*.spammer_domain.tld' a" and "dig '*.spammer_domain.tld' cname"). This
is an excellent spam sign (the host portion of the name is often mapped back
into a database to determine the actual recipient). Legitimate domains will
use wildcards for 'NS', 'MX' and even occasionally for some more obscure
records, but an 'A' or 'CNAME' record is nearly always a spammer. Check this
out with any spam you've gotten with a hostname other than "www" (about 70%
of what I see).

Paul Shupak
[EMAIL PROTECTED]
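As an added illustration (this is not code from SpamAssassin, nor from anyone in this thread), the script below runs the three lookups discussed above against an offline stub resolver: the dropped "A of hostname" test, the URIBL_SBL-style "NS of the registrable domain" test from jm's reply, and Paul's wildcard A/CNAME test. The stub logs every query it receives, so you can see that the first strategy sends the recipient-tagged hostname to the sender's nameserver and the other two do not. All zone data, hostnames, addresses and the DNSBL zone "dnsbl.example" are constructed for this example; the two-label registrable_domain() is a stand-in for a public-suffix-list lookup.

```python
# Added example, not SpamAssassin's code: the "A of hostname" test, the
# URIBL_SBL-style "NS of domain" test, and the wildcard A/CNAME test, run
# against a constructed offline zone.  Every name and address is made up.
import secrets

DNSBL_ZONE = "dnsbl.example"   # placeholder for a real DNSBL zone

# Constructed zone data: (owner name, rtype) -> list of rdata.
# An owner starting with "*." is a DNS wildcard.
ZONE = {
    # spammer's domain: its nameserver IP is DNSBL-listed, and a wildcard A
    # maps any recipient-tagged host label to the same web server
    ("spamdomain.test", "NS"): ["ns1.spamhost.test"],
    ("ns1.spamhost.test", "A"): ["192.0.2.53"],
    ("www.spamdomain.test", "A"): ["203.0.113.10"],
    ("*.spamdomain.test", "A"): ["203.0.113.10"],
    ("53.2.0.192." + DNSBL_ZONE, "A"): ["127.0.0.2"],
    # a domain whose only wildcard is an MX (the legitimate case above)
    ("legit.test", "NS"): ["ns.legit.test"],
    ("ns.legit.test", "A"): ["192.0.2.1"],
    ("www.legit.test", "A"): ["192.0.2.80"],
    ("*.legit.test", "MX"): ["10 mail.legit.test"],
    # a domain whose wildcard is a CNAME
    ("*.alias.test", "CNAME"): ["tracker.spamdomain.test"],
}


class StubResolver:
    """Answers from ZONE with the wildcard rule (a name that has no records
    of its own takes those of '*.<parent>') and logs every query so we can
    see what each strategy would send to the sender's nameserver."""

    def __init__(self):
        self.queries = []

    def query(self, name, rtype):
        name = name.lower().rstrip(".")
        self.queries.append((name, rtype))
        if any(owner == name for owner, _ in ZONE):   # name exists: no synthesis
            return list(ZONE.get((name, rtype), []))
        parent = name.partition(".")[2]
        return list(ZONE.get(("*." + parent, rtype), []))


def registrable_domain(hostname):
    """Last two labels; real code needs the public suffix list (co.uk, ...)."""
    return ".".join(hostname.lower().strip(".").split(".")[-2:])


def dnsbl_listed(resolver, ip):
    """DNSBL convention: query <reversed octets>.<zone>; any A answer = listed."""
    rev = ".".join(reversed(ip.split(".")))
    return bool(resolver.query(f"{rev}.{DNSBL_ZONE}", "A"))


def check_by_host_a(resolver, hostname):
    """The dropped test: resolve the hostname exactly as found in the message."""
    return any(dnsbl_listed(resolver, ip) for ip in resolver.query(hostname, "A"))


def check_by_domain_ns(resolver, hostname):
    """URIBL_SBL-style: NS of the registrable domain, resolved to IPs and
    checked against the DNSBL.  The recipient-tagged label is never sent."""
    for ns in resolver.query(registrable_domain(hostname), "NS"):
        for ip in resolver.query(ns, "A"):
            if dnsbl_listed(resolver, ip):
                return True
    return False


def leaked_to_sender(resolver, hostname):
    """True if the full hostname from the message was ever queried.  DNSBL
    queries go to the DNSBL operator, not the sender, so they are ignored."""
    return any(q == hostname.lower() for q, _ in resolver.queries
               if not q.endswith("." + DNSBL_ZONE))


def evaluate(hostname, strategy):
    """Run one strategy on a fresh resolver: (listed, leaked, queries)."""
    r = StubResolver()
    listed = strategy(r, hostname)
    return listed, leaked_to_sender(r, hostname), r.queries


def wildcard_web_records(domain, resolver=None):
    """Paul's test, the equivalent of "dig '*.domain' a" / "dig '*.domain' cname".
    Returns wildcard A/CNAME rdata; a wildcard MX or NS alone does not count."""
    r = resolver or StubResolver()
    return [(t, rd) for t in ("A", "CNAME") for rd in r.query("*." + domain, t)]


def wildcard_probe(domain, resolver=None):
    """Cross-check with a random label: it carries nothing about the
    recipient, so it gives the sender no back-channel."""
    r = resolver or StubResolver()
    name = f"{secrets.token_hex(6)}.{domain}"
    return {t: r.query(name, t) for t in ("A", "CNAME")}


if __name__ == "__main__":
    tagged = "jm_at_jmason_dot_org.spamdomain.test"   # constructed hostname
    for strategy in (check_by_host_a, check_by_domain_ns):
        listed, leaked, queries = evaluate(tagged, strategy)
        print(f"{strategy.__name__}: listed={listed} leaked={leaked} {queries}")
    for d in ("spamdomain.test", "legit.test", "alias.test"):
        print(d, wildcard_web_records(d), wildcard_probe(d))
```

Run as-is it prints, for the tagged hostname, that check_by_host_a finds nothing listed (the web server IP is clean) while leaking the full hostname, and that check_by_domain_ns hits the listed nameserver without ever querying it; the wildcard section flags spamdomain.test (wildcard A) and alias.test (wildcard CNAME) but not legit.test (wildcard MX only). To use it for real, replace StubResolver.query with a stub-resolver call such as dnspython's and DNSBL_ZONE with the zone you subscribe to.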