As I sat manually sorting through my spambucket and submitting URIs to URIBL, I noticed a trend: the (DKIM-signed) "from" domain is often different from the payload URI domain, but both are in the same <%word%><%otherword%>.com format and both are in the same /24. So I started checking PTR records for the whole /24 and I'm seeing snowshoe farms like this (mildly borked to not hit URI lists):

3.193.111.66.in-addr.arpa name = dancethree[dot]com.
4.193.111.66.in-addr.arpa name = dancethree[dot]com.
5.193.111.66.in-addr.arpa name = dancethree[dot]com.
6.193.111.66.in-addr.arpa name = dancethree[dot]com.
7.193.111.66.in-addr.arpa name = dancethree[dot]com.
8.193.111.66.in-addr.arpa name = dancetide[dot]com.
9.193.111.66.in-addr.arpa name = dancetide[dot]com.
10.193.111.66.in-addr.arpa name = dancetide[dot]com.
11.193.111.66.in-addr.arpa name = dancetide[dot]com.
12.193.111.66.in-addr.arpa name = dancetide[dot]com.
13.193.111.66.in-addr.arpa name = dancetopaz[dot]com.
14.193.111.66.in-addr.arpa name = dancetopaz[dot]com.
15.193.111.66.in-addr.arpa name = dancetopaz[dot]com.
16.193.111.66.in-addr.arpa name = dancetopaz[dot]com.
17.193.111.66.in-addr.arpa name = dancetopaz[dot]com.
18.193.111.66.in-addr.arpa name = dancetwist[dot]com.
19.193.111.66.in-addr.arpa name = dancetwist[dot]com.
20.193.111.66.in-addr.arpa name = dancetwist[dot]com.
21.193.111.66.in-addr.arpa name = dancetwist[dot]com.
22.193.111.66.in-addr.arpa name = fudgeblue[dot]com.
23.193.111.66.in-addr.arpa name = fudgeblue[dot]com.
24.193.111.66.in-addr.arpa name = fudgeblue[dot]com.
25.193.111.66.in-addr.arpa name = fudgeblue[dot]com.
26.193.111.66.in-addr.arpa name = fudgecamel[dot]com.
27.193.111.66.in-addr.arpa name = fudgecamel[dot]com.
28.193.111.66.in-addr.arpa name = fudgecamel[dot]com.
29.193.111.66.in-addr.arpa name = fudgecamel[dot]com.
... And so on through the whole /24

I've tried submitting the "from" domains to URIBL, which is a hit or miss affair (though I enjoy the "I told you so" effect when my rejected submission joins their blacklist a couple of weeks later) -- but I think the real win would come in creating a URI specifically for preemptively listing these snowshoe domains. Anybody else think this could be useful?

--
Dave Pooser
Cat-Herder-in-Chief, Pooserville.com
"I don't think there's a problem you CAN'T solve with murder!"
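
The PTR pattern described in the post above can be checked mechanically. The following is an added example, not part of the original message: it parses PTR listings in the quoted format and flags any /24 where several distinct domains each occupy a small contiguous block. The function names, thresholds and sample data are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the PTR-listing format quoted in the post; names are
# placeholders and addresses come from documentation ranges.
SAMPLE = """\
3.2.0.192.in-addr.arpa name = wordalpha[dot]example.
4.2.0.192.in-addr.arpa name = wordalpha[dot]example.
5.2.0.192.in-addr.arpa name = wordbravo[dot]example.
6.2.0.192.in-addr.arpa name = wordbravo[dot]example.
7.2.0.192.in-addr.arpa name = wordcharlie[dot]example.
8.2.0.192.in-addr.arpa name = wordcharlie[dot]example.
...
25.100.51.198.in-addr.arpa name = mail.example.org.
26.100.51.198.in-addr.arpa name = mail.example.org.
"""

PTR_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa\s+name\s*=\s*(\S+)$")

def parse_ptr(text):
    """Yield (network, host_octet, domain) for each PTR line in the listing."""
    for line in text.splitlines():
        m = PTR_RE.match(line.strip())
        if not m:
            continue  # skip blanks, NXDOMAIN noise and "..." elisions
        d, c, b, a, name = m.groups()  # in-addr.arpa names list octets reversed
        domain = name.replace("[dot]", ".").rstrip(".").lower()  # undo defanging
        yield f"{a}.{b}.{c}.0/24", int(d), domain

def find_snowshoe(text, min_domains=3, max_run=8):
    """Return {network: {domain: [host octets]}} for /24s that look like farms."""
    # Heuristic (assumed thresholds, tune for your own mail flow): flag a /24 when
    # at least min_domains domains each sit on one contiguous run <= max_run hosts.
    nets = defaultdict(lambda: defaultdict(list))
    for net, host, domain in parse_ptr(text):
        nets[net][domain].append(host)
    flagged = {}
    for net, domains in nets.items():
        blocks = {}
        for dom, hosts in domains.items():
            hosts = sorted(set(hosts))
            if len(hosts) <= max_run and hosts[-1] - hosts[0] == len(hosts) - 1:
                blocks[dom] = hosts
        if len(blocks) >= min_domains:
            flagged[net] = blocks
    return flagged
```

A flagged /24 is a candidate for manual review or for scoring in a local rule, since a shared hosting range can also carry many small domains.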