Offhand, I would suspect a very low (10 minutes, for example) TTL would be
worth a detection and a rule of some sort. It is certainly not a slam
dunk. But it is something that is likely to be more common in spam than
in ham.
Were I working at a largish outfit as opposed to a small two-person, 2 dozen
computer setup I'd certainly add it as a scoring tool to reject mail in
the MTA.
{^_^}
----- Original Message -----
From: "Stream Service || Mark Scholten" <[EMAIL PROTECTED]>
As far as I know, it isn't possible to have a TTL that is too low (if I may
believe the RFC files). It is also impossible to have too many A-records.
With both facts in mind I would suggest that you find another method of
detecting SPAM.
With kind regards,
----- Original Message -----
From: "clsgis" <[EMAIL PROTECTED]>
To: <users@spamassassin.apache.org>
Sent: Friday, August 10, 2007 4:34 PM
Subject: Detecting short-TTL domains?
We're seeing URIs in spam whose domains have between
a dozen and three dozen Address records, with time-to-live TTLs less than
ten minutes.
Is there a test for too many Address records? What's its name?
Is there a test for too-short TTLs?
--
View this message in context:
http://www.nabble.com/Detecting-short-TTL-domains--tf4249063.html#a12092425
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
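
Added example, not part of the original thread and not SpamAssassin code: a check for the two signals discussed above (a dozen or more A records, TTL under ten minutes) run over dig-style answer text. The thresholds come from the thread; the hit labels, function names and sample records are assumptions made for illustration.

```python
# Added example; sample DNS records are constructed (documentation address ranges).
from collections import defaultdict

MAX_TTL_SECONDS = 600   # "less than ten minutes" (from the thread)
MIN_A_RECORDS = 12      # "between a dozen and three dozen" (from the thread)


def parse_answers(text):
    """Return {name: [(ttl, address), ...]} for the A records in dig-style text."""
    records = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split()
        # Expected layout: name TTL class type rdata; skip anything else.
        if len(fields) != 5 or fields[3].upper() != "A" or not fields[1].isdigit():
            continue
        records[fields[0].rstrip(".").lower()].append((int(fields[1]), fields[4]))
    return dict(records)


def assess(records):
    """Return {name: set of hit labels}; labels are hypothetical, not real rule names."""
    result = {}
    for name, rrset in records.items():
        hits = set()
        addresses = {addr for _, addr in rrset}
        if len(addresses) >= MIN_A_RECORDS:
            hits.add("MANY_A_RECORDS")
        if min(ttl for ttl, _ in rrset) < MAX_TTL_SECONDS:
            hits.add("SHORT_TTL")
        result[name] = hits
    return result


def sample_answers():
    """Constructed sample: one domain with 14 short-lived A records, one ordinary domain."""
    lines = [f"suspect.example. 300 IN A 192.0.2.{i}" for i in range(1, 15)]
    lines.append("normal.example. 86400 IN A 198.51.100.10")
    lines.append("normal.example. 86400 IN AAAA 2001:db8::10")
    return "\n".join(lines)


if __name__ == "__main__":
    for name, hits in sorted(assess(parse_answers(sample_answers())).items()):
        print(name, sorted(hits) or "no hits")
```

A caching resolver returns the remaining TTL, which counts down between refreshes, so measure against the authoritative server before treating a low value as the zone's configured TTL.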