> -----Original Message-----
> From: Jeff Chan [mailto:[EMAIL PROTECTED]
> Sent: Friday, January 25, 2008 9:37 AM
> 
> Quoting Matt Kettler <[EMAIL PROTECTED]>:
> 
> > Matt Kettler wrote:
> >> Giampaolo Tomassoni wrote:
> >>>
> >>> It doesn't use whois *instead of* DNS. It uses both and even attempts
> >>> to detect any discrepancy between their responses.
> 
> Both types of queries can cause problems.

Of course, since everything can.


> >> How are these going to be different?? The information published to
> >> whois has to match the information published to the authoritative
> >> DNS servers for the TLD the domain falls under.
> 
> That's a false assumption.  Legitimate domains can have mismatched
> whois and nameserver information during the time when they're being
> changed.  The root zone files in some cases update nearly instantly.
> Whois data tend to get updated more slowly, for example once a day.
> The time factors for reflecting updated information are often not the
> same.  During that time, this approach could false positive on
> entirely legitimate domains that happen to be under updates.

A legitimate domain changes its NSes once every few years, and I don't
expect that when this happens it is going to send a lot of mail... Since the
whole change lasts at most a couple of days, URIWhois is not going to punish
any legitimate domain too much and, hey, the score I suggest for the FULLNSMIS rule
(i.e., when the NSes from whois completely mismatch the ones from DNS) is 3, not
30...


> >> I guess you could send a request to one of the servers for the
> >> domain and ask for a NS record. But that's asking for a DoS. You
> >> could also still do it a lot more efficiently by sending one to the
> >> authority for the TLD, and one to the domain server.
> 
> Querying down to the delegated nameserver is not a good idea.
> Spammers do track who queries their servers, give false answers,
> trigger DDoS attacks back, gather information about the querying
> system, etc.

This is the very same kind of problem you may run into by reporting spam to
SpamCop...

Also, the querying system is often not the one running SA, since most often
your box uses referrals to separate DNS servers. This is true whether you
are a large ISP or a home user. ISPs, stay away from URIWhois, please.


> > Ahh, I see what you're doing, you're looking up the SOA. Which is
> > basically forcing the query down to the spammer's DNS server, and
> > opening yourself up for a DoS attack.
> >
> > hint: a malicious spammer could fill an email with domains that point
> > to a server which generates really slow responses to your SOA queries,
> > bogging your server down with DNS timeouts. This is the whole reason
> > why nothing in SA ever does an "A" record lookup on URIs.
> 
> I suspect very strongly that it's not the whole reason.  There are
> very many reasons not to look up A records of URIs:
> 
> 1.  Querying jack_smith.uri.com could confirm jack_smith received the
> spam
> 2.  Querying 12345.uri.com could expose someone's bank account number,
> national ID number, or other private information to the Internet, etc.
> 
> There are other reasons.
> 
> Jeff C.

URIWhois doesn't actually issue any A query.

Giampaolo
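The check discussed in this thread, as an added example that is not part of the original message and not URIWhois's own code: compare the nameserver set printed by whois with the delegation NS set from the TLD's authoritative servers, and only score a complete mismatch (the FULLNSMIS case, 3 points) heavily, leaving a partial overlap, which is what a domain in mid-migration looks like, with a low score. The whois text and the DNS answer are constructed sample data; the rule names other than FULLNSMIS, the PARTNSMIS score and the `nserver` line form are assumptions. The example deliberately takes the NS set as it would come from the TLD authority and issues no SOA or A lookup, so nothing here forces a query down to the spammer's own nameserver.

```python
import re

# Constructed sample whois output (not real registry data): nameserver lines
# as a registrar prints them, in mixed case and with an inconsistent trailing dot.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE.COM
Registrar: Example Registrar, Inc.
Name Server: NS1.EXAMPLE.NET.
Name Server: ns2.example.net
Updated Date: 2008-01-20
"""

# Constructed DNS answer: the delegation NS rdata as the TLD's authoritative
# servers would return it, after one nameserver of the domain was changed.
SAMPLE_DNS_NS = ["ns1.example.net.", "ns3.newhost.example."]

FULLNSMIS_SCORE = 3.0   # score suggested in the thread for a complete mismatch
PARTNSMIS_SCORE = 1.0   # assumption: a low score for a partial overlap (migration)


def normalize(name):
    """Lowercase and drop the trailing dot so whois and DNS forms compare equal."""
    return name.strip().lower().rstrip(".")


def whois_nameservers(text):
    """Extract nameserver hostnames from whois text.

    Matches 'Name Server:' lines and, as an assumption, the 'nserver:' form
    some registries use. Returns a normalized set.
    """
    pattern = re.compile(r"^\s*(?:name\s*server|nserver)\s*:\s*(\S+)", re.I | re.M)
    return {normalize(m.group(1)) for m in pattern.finditer(text)}


def dns_nameservers(rdata):
    """Normalize the NS rdata names from the TLD delegation answer."""
    return {normalize(r) for r in rdata}


def classify_ns(whois_ns, dns_ns):
    """Return (rule_name, score) for a whois-vs-DNS nameserver comparison.

    FULLNSMIS fires only when the two sets share nothing; a partial overlap
    (typical of a domain whose NS change has not yet reached whois) gets the
    low PARTNSMIS score; missing data on either side is never scored.
    """
    if not whois_ns or not dns_ns:
        return ("NSUNKNOWN", 0.0)   # no data: don't punish what you couldn't compare
    common = whois_ns & dns_ns
    if common == whois_ns == dns_ns:
        return ("NSMATCH", 0.0)
    if not common:
        return ("FULLNSMIS", FULLNSMIS_SCORE)
    return ("PARTNSMIS", PARTNSMIS_SCORE)


def check_sample():
    """Run the comparison over the constructed whois text and DNS answer."""
    return classify_ns(whois_nameservers(SAMPLE_WHOIS), dns_nameservers(SAMPLE_DNS_NS))


if __name__ == "__main__":
    rule, score = check_sample()
    print(f"{rule}: {score}")
```

On the sample data one nameserver (ns1.example.net) is still common to both sources, so the domain is scored as PARTNSMIS rather than FULLNSMIS; only a whois set and a DNS set with no host in common at all reach the 3-point rule.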
