ram wrote the following on 4/4/2007 12:56 AM -0800:
> On Tue, 2007-04-03 at 13:15 -0700, Bill Landry wrote:
>> Dave Pooser wrote the following on 4/3/2007 11:19 AM -0800:
>>> I'm seeing a bunch of spam using URLs from domains created on the same day
>>> or in the past day or two. I don't know how red.uribl.com works, but I
>>> imagine it missed the same-day stuff because its automated process needs
>>> time to work. Is there a better way to handle this-- possibly pulling the
>>> information from whois during mail processing? (Although that would be
>>> resource-intensive and would probably run afoul of their prohibition on
>>> high-volume querying, so that's probably a lose.)
>>
>> Maybe have a look at using "The Day Old Bread List" DNSRBL? More info
>> at http://support-intelligence.com/dob/
>
> This seems to be an intelligent idea. Can I subscribe to their DOB lists
> alone?
> What are the zones to query?

No subscription necessary to use the DNSRBL service. Here is how I've
been using their list with SA:

header __RCVD_IN_DOB eval:check_rbl('dob', 'dob.sibl.support-intelligence.net.', '255')
describe __RCVD_IN_DOB Received via relay in new domain (Day Old Bread)
tflags __RCVD_IN_DOB net
score __RCVD_IN_DOB 0

header RCVD_IN_DOB eval:check_rbl_sub('dob', '127.0.0.2')
describe RCVD_IN_DOB Received via relay in new domain (Day Old Bread)
tflags RCVD_IN_DOB net
score RCVD_IN_DOB 1.667

header DNS_FROM_DOB eval:check_rbl_envfrom('dob','dob.sibl.support-intelligence.net.')
describe DNS_FROM_DOB Sender from new domain (Day Old Bread)
tflags DNS_FROM_DOB net
score DNS_FROM_DOB 1.334

urirhssub URIBL_RHS_DOB dob.sibl.support-intelligence.net A 127.0.0.2
body URIBL_RHS_DOB eval:check_uridnsbl('URIBL_RHS_DOB')
describe URIBL_RHS_DOB Contains an URI of a new domain (Day Old Bread)
tflags URIBL_RHS_DOB net
score URIBL_RHS_DOB 2.75

I've been using these for several months and have not found any issue to
date; however, YMMV...

Bill
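
The urirhssub rule above turns the domain of each URI into a DNS query under the DOB zone and fires when the answer is 127.0.0.2. An added example of that lookup in Python (not part of the original message and not SpamAssassin code); the helper names, the stub resolver, the .example domains and the last-two-labels domain extraction are assumptions made for illustration.

```python
import re
import socket

DOB_ZONE = "dob.sibl.support-intelligence.net"  # zone named in the rules above
LISTED = "127.0.0.2"                            # answer the rules match on
URI_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)

def uri_domains(body):
    """Distinct domains of the http(s) URIs in a message body.

    Assumption: the last two labels are the registered domain. SpamAssassin
    uses TLD tables, so names such as example.co.uk need more care.
    """
    domains = []
    for host in URI_HOST.findall(body):
        labels = host.lower().strip(".").split(".")
        if len(labels) < 2 or labels[-1].isdigit():
            continue  # skip bare host names and IPv4 literals
        domain = ".".join(labels[-2:])
        if domain not in domains:
            domains.append(domain)
    return domains

def dob_listed(domain, resolve=socket.gethostbyname):
    """True if <domain>.<zone> has an A record equal to LISTED."""
    try:
        return resolve(f"{domain}.{DOB_ZONE}") == LISTED
    except OSError:  # NXDOMAIN or resolver failure: treat as not listed
        return False

def new_domains(body, resolve=socket.gethostbyname):
    """Domains in the body that the list reports as newly registered."""
    return [d for d in uri_domains(body) if dob_listed(d, resolve)]

# Constructed sample data: a stub resolver stands in for the DNS zone.
def stub_resolver(name):
    if name == "fresh-pills.example." + DOB_ZONE:
        return LISTED
    raise socket.gaierror("NXDOMAIN (constructed)")

SAMPLE_BODY = (
    "Order at http://www.fresh-pills.example/offer today.\n"
    "Unsubscribe: http://news.old-site.example/u or http://192.0.2.10/x\n"
)

if __name__ == "__main__":
    print(new_domains(SAMPLE_BODY, stub_resolver))
```

Calling new_domains() without the stub uses the system resolver, so a lookup failure is treated the same as "not listed" and never blocks mail on a DNS outage.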