On Monday, May 23, 2005, 5:20:10 PM, List User wrote:
> A similar idea, without the "back-channel" flaw, is to test the
> domain for either 'CNAME' or 'A' record `wildcards' (as in the command
> "dig '*.spammer_domain.tld' a" and "dig '*.spammer_domain.tld' cname").
> This is an excellent spam sign (the host portion of the name is often
> mapped back into a database to determine the actual recipient). Legitimate
> domains will use wildcards for 'NS', 'MX' and even occasionally for some
> more obscure records, but an 'A' or 'CNAME' record is nearly always a
> spammer.
> Check this out with any spam you've gotten with a hostname other
> than "www" (about 70% of what I see).
> Paul Shupak
> [EMAIL PROTECTED]

It's possible that many spam URI domains use wildcard A or CNAME records, but quite a few non-spam URI domains may also use them. As a partial measure I checked my SURBL manual whitelist and got hits on 119 out of 1199 (10%). (Note that this is not the full SURBL whitelist but some of my personal records.)

Some of the domains included sf.net (sourceforge), about.com, msn.de, msn.fr, msn.co.za, orgdns.org, lindows.com, tiscali.it, cdbaby.com, drugs.com, dsbl.org, freehosting.net, freesurf.fr, lottery.co.uk, spamprimer.com, tinyurl.com, slashdot.org, spamlaws.com, yahoo.fr, yahooo.com (belongs to yahoo).

In addition, wildcards seem to be pretty common on low-end shared web hosting accounts, presumably for the reason proposed earlier in this thread: really simple load sharing across multiple web servers. In other words, sometimes it may be used as a convenience on low-end hosting.

I'll send Paul my results off-list.

Jeff C.
--
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/
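
The wildcard test and the whitelist hit count discussed in this thread, as an added example (not code from either poster or from SURBL). It probes random host labels instead of querying `*.domain` with dig, so it cannot tell a wildcard A from a wildcard CNAME (the stub resolver follows CNAMEs); the function names and the zone data are constructed for illustration.

```python
import secrets
import socket

def system_resolver(name):
    """IPv4 addresses for name via the stub resolver (CNAMEs are followed)."""
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)}
    except socket.gaierror:
        return set()

def resolver_rewrites_nxdomain(resolve=system_resolver):
    """Control probe: nothing under the reserved .invalid TLD should resolve."""
    return bool(resolve(f"{secrets.token_hex(8)}.invalid"))

def has_wildcard(domain, resolve=system_resolver, probes=2):
    """True when several random, unregistered host labels all resolve."""
    return all(resolve(f"{secrets.token_hex(8)}.{domain}") for _ in range(probes))

def wildcard_hits(domains, resolve=system_resolver):
    """Return (domains with a wildcard, fraction of the list they make up)."""
    if resolver_rewrites_nxdomain(resolve):
        raise RuntimeError("resolver answers for nonexistent names; results unusable")
    hits = [d for d in domains if has_wildcard(d, resolve)]
    return hits, (len(hits) / len(domains) if domains else 0.0)

# Constructed zone data (not real DNS): one wildcard zone, one explicit-only zone.
FAKE_ZONES = {
    "shared-host.example": {"hosts": {"www": "192.0.2.10"}, "wildcard": "192.0.2.10"},
    "plain-site.example": {"hosts": {"www": "192.0.2.20"}, "wildcard": None},
}

def fake_resolver(name):
    """Offline stand-in for DNS that answers from FAKE_ZONES."""
    for domain, zone in FAKE_ZONES.items():
        if name.endswith("." + domain):
            ip = zone["hosts"].get(name[: -len(domain) - 1], zone["wildcard"])
            return {ip} if ip else set()
    return set()

if __name__ == "__main__":
    hits, rate = wildcard_hits(list(FAKE_ZONES), fake_resolver)
    print(f"wildcard on {len(hits)} of {len(FAKE_ZONES)} ({rate:.0%}): {hits}")
```

Run over a whitelist with the default resolver, the returned fraction is the false-positive estimate for a "wildcard means spam" rule, which is the measurement reported in the reply above.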