> -----Original Message-----
> From: Matt Kettler [mailto:[EMAIL PROTECTED]
> Sent: Thursday, January 24, 2008 6:38 AM
> 
> Giampaolo Tomassoni wrote:
> >
> > Right, it is.
> >
> > The URIWhois does not detect the registrar. It detects the name and the
> > address of the DNS- and whois-defined NSes for that domain.
> >
> 
> So how is this substantially different from the URIDNSBL plugin that
> comes with SA?

It can also check for mismatches between the DNS- and whois-defined
nameservers, for example. The sample URIWhois.cf shows two such uses:
PARTNSMIS firing on more than 50% mismatch between the two sets of
nameservers, and FULLNSMIS firing on more than 99.9%. As I previously said,
the NSes defined in a whois record are more difficult to change (you often
have to wait many hours before the change takes effect). Spammers basically
never change them, but they may sometimes "fool" your DNS resolver into
looking at different NSes to resolve the domain.

An example of such a DNS-fooling job was the hltcjkvhyok<dot>com domain, but
now you can't get an NS RR about it even from gTLD-servers.net... Basically,
spammers seem to have recently dismissed this method. This doesn't mean they
can't use it again in the future, however. Quite interestingly, they began
dismissing this method a few weeks after the URIWhois plugin was out...


> Bear in mind this plugin *DOES* resolve the NSes for the domain, and
> DOES check those too. Take for example URIBL_SBL, which only makes sense
> in the context of the IP of the nameservers (since it's an IP based RBL).

Well, I use and like URIBL_SBL, but please note that a centralized solution
may easily be "fooled" the other way around, by giving it RRs which are not
the ones most people will see and will query for through URIBL_SBL itself.
In order to do this, spammers only need to know the address of the DNS
server(s) acting as resolvers for SpamHaus...


> I guess you could say that looking up the IP of the host in the
> URL would also work, but that's an invitation for DoS, so it's not
> something URIDNSBL does.

Sorry, I didn't get this sentence. Do you mean performing a whois about the
host address? In this case, where is the DoS? Please note SpamHaus does
perform some whois queries about suspicious domains (probably not IP
addresses, I don't know), so URIDNSBL doesn't need to. By the way, URIDNSBL
is meant to obtain data from BLs, not from whois...


> The only big difference I see at face value is it uses whois instead of
> DNS to find the NS records.. that hardly seems efficient..

It doesn't use whois *instead of* DNS. It uses both and even attempts to
detect any discrepancy between their responses.

Apart from the other differences I just told you about, URIWhois also checks
for domain age. I made this plugin mostly to detect this. I know that such
information is now also available through some BLs, but it is still coarser
than the URIWhois one, and at the time I was developing this plugin a whois
query was the only means available to get it.

Please note I coded the URIWhois plugin for my own use, which means really
low whois traffic (we are speaking of about 500 to 1k messages/day handled by
my MXes). Since whois replies (either positive or negative ones) are cached
by this plugin, I'm probably not issuing more than 100-300 whois queries/day,
which are spread among several registrars and NICs.

This is not a traffic amount meant to cause a DoS, I guess. ISPs know the
risks and probably stay well away from the URIWhois plugin...

In summary, it is true that the effectiveness of the URIWhois plugin has
been somewhat reduced by both spammers ceasing to fool DNS RRs and BLs
implementing some of the functionality that URIWhois had. Nevertheless, it
worked for me for some months and it had a role as a test case for the
asynchronous engine in the development of SA 3.2.x (which doesn't mean that
SA is endorsing it at all). It could also be improved to get things like the
registrar name or to detect missing replies to SOA and NS requests. So, it
was not, and probably still isn't, completely useless.

That said, if someone wants to give it a try and can't find the download
URL, I'd say that it is really alpha code carrying a number of troubles and
limitations, but I'll also share its download link.
 
Is it wrong?

Giampaolo
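
The checks described in the message above (DNS versus whois nameserver
mismatch with the 50% and 99.9% thresholds, domain age, and caching of
positive and negative whois replies) as an added illustration in Python.
This is not the URIWhois plugin's own (Perl) code and not part of the
original thread. The DNS answers and whois records are constructed sample
data, the mismatch measure (share of nameservers present in only one of the
two views) is an assumption since the plugin's own percentage is not
described, and the YOUNGDOMAIN rule name and its 30-day threshold are
assumptions too; only PARTNSMIS and FULLNSMIS come from the thread.

```python
"""DNS-vs-whois nameserver mismatch, domain age and whois caching checks.
Added illustration, not the URIWhois plugin's code; all data is constructed."""
from datetime import date

TODAY = date(2008, 1, 24)    # pinned to the thread's date so results are stable
YOUNG_DOMAIN_DAYS = 30       # assumed threshold, not taken from the plugin

# Constructed sample data: nameservers as returned by DNS for each domain.
DNS_NS = {
    "example.com": ["ns1.example-dns.net.", "NS2.example-dns.net."],
    "example.net": ["ns1.hosting.example.", "ns2.hosting.example."],
    "example.org": ["ns1.rogue.example.", "ns2.rogue.example."],
    "nxdomain.example": [],
}

# Constructed sample data: whois text per domain (missing = negative reply).
WHOIS_TEXT = {
    "example.com": "Domain Name: EXAMPLE.COM\n"
                   "Creation Date: 2001-03-15T00:00:00Z\n"
                   "Name Server: NS1.EXAMPLE-DNS.NET\n"
                   "Name Server: NS2.EXAMPLE-DNS.NET\n",
    "example.net": "Domain Name: EXAMPLE.NET\n"
                   "Creation Date: 2008-01-20T09:12:00Z\n"
                   "Name Server: NS1.HOSTING.EXAMPLE\n"
                   "Name Server: NS2.HOSTING.EXAMPLE\n"
                   "Name Server: NS3.HOSTING.EXAMPLE\n",
    "example.org": "Domain Name: EXAMPLE.ORG\n"
                   "Creation Date: 2007-12-30T00:00:00Z\n"
                   "Name Server: NS1.REGISTERED.EXAMPLE\n"
                   "Name Server: NS2.REGISTERED.EXAMPLE\n",
}


def fake_whois(domain):
    """Stand-in for a network whois query; None means a negative reply."""
    return WHOIS_TEXT.get(domain)


class WhoisCache:
    """Caches every reply, positive or negative, so repeats cost no query."""

    def __init__(self, fetch):
        self._fetch = fetch
        self._cache = {}
        self.queries = 0  # real (non-cached) lookups issued so far

    def lookup(self, domain):
        if domain not in self._cache:
            self.queries += 1
            self._cache[domain] = self._fetch(domain)
        return self._cache[domain]


def normalize(name):
    """Case-fold and drop the trailing dot so both views compare equal."""
    return name.strip().lower().rstrip(".")


def parse_whois(text):
    """Return (creation date or None, set of nameservers) from whois text."""
    created, nameservers = None, set()
    for line in (text or "").splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "name server" and value:
            nameservers.add(normalize(value))
        elif key == "creation date" and value:
            created = date.fromisoformat(value[:10])
    return created, nameservers


def ns_mismatch_ratio(dns_ns, whois_ns):
    """Assumed measure: share of nameservers seen in only one of the two views.
    None when either view is empty, since no comparison is possible then."""
    a, b = {normalize(n) for n in dns_ns}, {normalize(n) for n in whois_ns}
    if not a or not b:
        return None
    return 1.0 - len(a & b) / len(a | b)


def check_domain(domain, cache, today=TODAY):
    """Apply the two thresholds from the sample URIWhois.cf plus the assumed
    age rule; returns the mismatch ratio, age in days and rules that fire."""
    created, whois_ns = parse_whois(cache.lookup(domain))
    ratio = ns_mismatch_ratio(DNS_NS.get(domain, []), whois_ns)
    age = None if created is None else (today - created).days
    rules = []
    if ratio is not None and ratio > 0.5:
        rules.append("PARTNSMIS")      # more than 50% mismatch
    if ratio is not None and ratio > 0.999:
        rules.append("FULLNSMIS")      # more than 99.9% mismatch
    if age is not None and age < YOUNG_DOMAIN_DAYS:
        rules.append("YOUNGDOMAIN")    # assumed rule name and threshold
    return {"domain": domain, "mismatch": ratio, "age_days": age, "rules": rules}


if __name__ == "__main__":
    cache = WhoisCache(fake_whois)
    for d in DNS_NS:
        print(check_domain(d, cache))
    print("whois queries issued:", cache.queries)
```

Running it shows example.org firing both mismatch rules (its DNS and whois
nameserver sets share nothing) and, being 25 days old, the assumed age rule;
example.net differs by only one server out of three, so neither mismatch
rule fires; the domain with no whois record gets no verdict rather than a
false FULLNSMIS, and looking any domain up a second time costs no extra
query because the negative reply was cached as well.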
