Re: [Fwd: Re: [dns-operations] negative caching of throwaway spam domains]

Fri, 23 Jun 2006 01:16:15 -0700 

On Thursday, June 22, 2006, 7:46:33 PM, List User wrote:
>         Seems quite conservative to me - It seems that any "new" domain
> should/would be *very* well behaved during the 5-day ICANN defined "trial"
> period (a domains can be deleted by the registrar in the first 5 days with
> no "redemption" period).  So I just started with:

> ## Aging would be nice - an MTA could 45x for a couple of days
> header __RCVD_IN_DOB            eval:check_rbl('dob', 
> 'dob.sibl.support-intelligence.net.', '255')
> describe __RCVD_IN_DOB          Received via relay in new domain (Day Old 
> Bread)
> tflags __RCVD_IN_DOB            net
> score __RCVD_IN_DOB             0

> header RCVD_IN_DOB              eval:check_rbl_sub('dob', '127.0.0.2')
> describe RCVD_IN_DOB            Received via relay in new domain (Day Old 
> Bread)
> tflags RCVD_IN_DOB              net
> score RCVD_IN_DOB               1.667

> header DNS_FROM_DOB             
> eval:check_rbl_envfrom('dob','dob.sibl.support-intelligence.net.')
> describe DNS_FROM_DOB           Sender from new domain (Day Old Bread)
> tflags DNS_FROM_DOB             net
> score DNS_FROM_DOB              1.334

> urirhssub URIBL_RHS_DOB         dob.sibl.support-intelligence.net       A     
>   127.0.0.2
> body URIBL_RHS_DOB              eval:check_uridnsbl('URIBL_RHS_DOB')
> describe URIBL_RHS_DOB          Contains an URI of a new domain (Day Old 
> Bread)
> tflags URIBL_RHS_DOB            net
> score URIBL_RHS_DOB             2.75

>         It has hit a significant amount of spam from traps and feeds, but
> mostly the "URI" rule (and a few "senders" too).  Basically, I'm only
> allowing mail sent from and referencing a "brand new" domain if it hits
> practically no other rules or earns some negative points.  Lots of spam
> domains don't get used for the first 5 days already because of the ease
> with which they can be nuke'd in that time period.

On the contrary, many of the spam domains we see are only a few
days old, including 0 through 5 days.  Therefore the list could
be useful.

Interestingly spammers may be reading these announcements, since
they seem to have grabbed a bunch of domains several years old
that recently expired.  There was a burst of them today.
Probably even saying that we noticed that helps the spammers.

Jeff C.
-- 
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/

Reply via email to