Steve Freegard writes: > Yet Another Ninja wrote: > > On 9/5/2007 5:27 PM, Marc Perkel wrote: > >> I have to say that the idea of having a blacklist of name servers used > >> by spammers is interesting. Something to investigate. > >> > > one, and its a good one, is already in use :-) > > > > uridnsbl URIBL_SBL sbl.spamhaus.org. TXT > > Yes - true, but the SBL lists the IP of the nameservers. > > I think Ram has seen the same thing as me in the past, I've had stuff > that has slipped past the URIBL_* tests and upon investigation of the > FNs - the *domain name* of the nameservers for the referenced domain is > already listed in either SURBL or URIBL, so therefore if the URIBL_* > tests were expanded to lookup the nameservers hostnames, strip of the > domains and test those against the URIBL_* lists, then it might yield > some good results.
Could that be a temporal issue, ie. fast-flux causing the domain to change, and you caught it just in time to spot it? I would be very surprised if one of the BLs wasn't already doing this on the backend... --j.
