Giampaolo Tomassoni wrote:
-----Original Message-----
From: Matt Kettler [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 24, 2008 6:38 AM

Giampaolo Tomassoni wrote:
Right, it is.

The URIWhois does not detect the registrar. It detects the name and the address of the DNS- and whois-defined NSes for that domain.

So how is this substantially different from the URIDNSBL plugin that
comes with SA?

It can also check for mismatches between the DNS- and whois-defined nameservers, for example. The sample URIWhois.cf shows two such uses: PARTNSMIS firing on more than 50% of mismatch among the two sets of nameservers, and FULLNSMIS firing on more than 99.9%. As I previously said, the NSes defined in a whois record are more difficult to change (you often have to wait many hours before the change takes effect). Spammers basically never change them, but they may sometimes "fool" your DNS resolver to look at different NSes to resolve the domain.

An example of such a dns-fooling job was the hltcjkvhyok<dot>com domain, but now you can't get an NS RR about it even from gTLD-servers.net... Basically, spammers seem to have recently dismissed this method. This doesn't mean they can't use it again in the future, however. Quite interestingly, they began dismissing this method a few weeks after the URIWhois plugin was out...


Bear in mind this plugin *DOES* resolve the NSes for the domain, and DOES check those too. Take for example URIBL_SBL, which only makes sense in the context of the IP of the nameservers (since it's an IP based RBL).

Well, I use and like URIBL_SBL, but please note that a centralized solution may easily be "fooled" the other way around, by giving it RRs which are not the ones most people will see and will query for through the URIBL_SBL itself. In order to do this, spammers only need to know the address of the DNS server(s) acting as resolvers for SpamHaus...


I guess you could say that looking up the IP of the host in the
URL would also work, but that's an invitation for DoS, so it's not
something URIDNSBL does.

Sorry, didn't get this sentence. Do you mean performing a whois about the host address? In this case, where is the DoS? Please note SpamHaus does perform some whois queries about suspicious domains (probably not IP addresses, I don't know), so URIDNSBL doesn't need to. By the way, URIDNSBL is meant to obtain data from BLs, not from whois...


The only big difference I see at face value is it uses whois instead of
DNS to find the NS records.. that hardly seems efficient..

It doesn't use whois *instead of* dns. It uses both and even attempts to detect any discrepancy between their responses.
How are these going to be different?? The information published to whois has to match the information published to the authoritative DNS servers for the TLD the domain falls under.

I guess you could send a request to one of the servers for the domain and ask for a NS record. But that's asking for a DoS. You could also still do it a lot more efficiently by sending one to the authority for the TLD, and one to the domain server.
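As an added illustration of the whois-vs-DNS nameserver comparison discussed in this thread (example code written here, not code from the thread or from the URIWhois plugin itself): a small Python model that scores the mismatch between the two nameserver sets and applies the two sample thresholds quoted above (>50% and >99.9%). The mismatch metric (symmetric difference over union), the NO_DNS_NS label, and every domain and nameserver name are assumptions or constructed data; nothing is queried over the network.

```python
"""Added example: compare whois-listed and DNS-published nameservers.
Metric and rule names are assumptions; data below is constructed."""


def normalize_ns(names):
    """Lower-case, strip the trailing root dot, drop blanks: whois and DNS
    answers seldom agree on case or on 'ns1.x.net.' vs 'ns1.x.net'."""
    return {n.strip().lower().rstrip(".") for n in names if n and n.strip()}


def ns_mismatch(whois_ns, dns_ns):
    """Fraction of the combined nameserver set seen in only one source.
    0.0: both sources agree exactly; 1.0: they share no nameserver."""
    w, d = normalize_ns(whois_ns), normalize_ns(dns_ns)
    union = w | d
    if not union:
        return 0.0  # nothing known from either side; not a mismatch
    return len(w ^ d) / len(union)


def classify(whois_ns, dns_ns, part_threshold=0.5, full_threshold=0.999):
    """Return (mismatch, fired_rules). A domain with no NS RRset at all
    (like the dead domain mentioned in the thread) is reported as
    NO_DNS_NS rather than as a resolver-fooling mismatch."""
    mismatch = ns_mismatch(whois_ns, dns_ns)
    if not normalize_ns(dns_ns):
        return mismatch, ["NO_DNS_NS"]
    fired = []
    if mismatch > part_threshold:
        fired.append("PARTNSMIS")
    if mismatch > full_threshold:
        fired.append("FULLNSMIS")
    return mismatch, fired


# Constructed sample data: (whois-defined NSes, DNS-defined NSes).
SAMPLES = {
    "legit.example": (["NS1.Host.example.", "ns2.host.example"],
                      ["ns1.host.example", "ns2.host.example."]),
    "partial.example": (["ns1.host.example", "ns2.host.example"],
                        ["ns1.host.example", "ns7.other.example"]),
    "fooled.example": (["ns1.registrar.example", "ns2.registrar.example"],
                       ["ns1.spammer.example", "ns2.spammer.example"]),
    "dead.example": (["ns1.registrar.example"], []),
}

if __name__ == "__main__":
    for domain, (whois_ns, dns_ns) in SAMPLES.items():
        mismatch, fired = classify(whois_ns, dns_ns)
        print(f"{domain:18} mismatch={mismatch:.3f} {' '.join(fired) or '-'}")
```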