Adam Katz wrote:
> (note, I'm guessing at the appropriate mailing list for cross-post)
>
> Dennis Davis wrote:
>> http://code.google.com/p/anti-phishing-email-reply/
>>
>> is also useful as it attempts to detail the compromised accounts.
>> Just block/quarantine email for those accounts.
>
> Interesting ... this seems like it would be best served by DNS in a
> manner similar to URIBLs ... does such an "emailBL" exist?
>
> A lookup for 8h...@osu.edu (pulled from the live list) on emailBL
> server "emailbl.org" could look like this:
>
> $ host 8help.AT.osu.edu.emailbl.org
> 8help.AT.osu.edu.emailbl.org has address 127.0.0.1
> $ host -t txt 8help.AT.osu.edu.emailbl.org
> 8help.AT.osu.edu.emailbl.org has descriptive text "20090310"
> $
>
> This maps 127.0.0.1 to type A, .2 to type B, etc. Expirations, if
> even necessary given the fact that the DNS entries should be updated
> by the server, would be in the TXT records as illustrated above.
>
> Since email addresses contain everything a valid domain can contain,
> the user.AT.domain.tld (which is really user.at.domain.tld since
> domains are not case-sensitive) could be ambiguous if the "user" or
> the "domain" contains ".at." in itself, or whatever workaround we
> create. My proposed workaround is ".real-at." and an incremented
> numeric suffix like ".real-at2." if needed. As to pluses, just snip
> them and their trailing data out.
>
> 8h...@osu.edu -> 8help.at.osu.edu
> portal.ac.at....@live.com -> portal.ac.at.edu.real-at.live.com
> 123+...@789.xyz -> 123.at.789.xyz
> abc.real-at....@ghi.jkl -> abc.real-at.def.real-at1.ghi.jkl
> mno.real-at5....@stu.vwx -> mno.real-at5.pqr.real-at6.stu.vwx
> y.real-at99...@a.at.real-at2.bc ->
> y.real-at4.z.real-at1000.a.at.real-at999.bc
>
> This workaround should only find trouble when there are so many digits
> that the overflow creates an invalid email address, which isn't a
> realistic problem.
>
> (Oh crap, is this a draft for an RFC?)
>
I've been thinking about creating an emailBL to target dropboxes used for
419 scams, phishing, Russian penpals etc. as I have a reasonable way to
collect these in real-time and it would close a lot of doors on these
folks provided I can avoid being caught by address stuffing.

However - rather than trying to do some sort of munging to work with DNS;
I was simply going to either MD5 or SHA1 the e-mail address e.g.

s...@laptop-smf:~$ perl -MDigest::MD5 -e 'print Digest::MD5::md5_hex("s...@fsg.com").".emailbl.org\n"'
132e76bc8e252dee7c911ea2cde1f079.emailbl.org

If you want to separate stuff out into different meanings e.g. the Google
Anti-Phishing stuff; then just use a different sub-domain for each.

Just an idea.

Cheers, Steve.
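A worked version of the hashed-address lookup Steve describes, as an added example that is not code from either message: it normalises an address (lowercasing it and snipping a +tag, as Adam suggests), hashes it into a name under emailbl.org, and maps the returned A record back to Adam's type A / type B codes. The two listed addresses and the in-memory zone are constructed; the socket-based resolver is only there for a live query against a real zone.

```python
import hashlib
import socket

# Zone name and return-code convention come from the thread; the labels
# follow Adam's "127.0.0.1 to type A, .2 to type B".
EMAILBL_ZONE = "emailbl.org"
CATEGORIES = {"127.0.0.1": "type A", "127.0.0.2": "type B"}


def normalize(address):
    """Canonicalise before hashing: lowercase the whole address and drop a
    +tag from the local part, so variants of one dropbox address hash to
    the same listing instead of evading it."""
    local, _, domain = address.strip().rpartition("@")
    local = local.split("+", 1)[0]
    return f"{local}@{domain}".lower()


def query_name(address, zone=EMAILBL_ZONE, digest="md5"):
    """Build the name to look up: <hexdigest>.<zone> (Steve's scheme)."""
    h = hashlib.new(digest, normalize(address).encode("utf-8")).hexdigest()
    return f"{h}.{zone}"


def dns_resolver(name):
    """Resolve via the system resolver; None when the name does not exist
    (i.e. the address is not listed). Not used by the offline demo below."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def lookup(address, resolver=dns_resolver, zone=EMAILBL_ZONE):
    """Return the listing category for an address, or None if unlisted."""
    record = resolver(query_name(address, zone))
    if record is None:
        return None
    return CATEGORIES.get(record, f"unknown return code {record}")


# Constructed stand-in for the zone: two hypothetical listed dropboxes.
FAKE_ZONE = {
    query_name("dropbox@example.net"): "127.0.0.1",
    query_name("lottery@example.org"): "127.0.0.2",
}

if __name__ == "__main__":
    for addr in ("DropBox+419@Example.NET", "lottery@example.org",
                 "nobody@example.com"):
        print(addr, "->", query_name(addr), "->", lookup(addr, FAKE_ZONE.get))
```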