for example, if the sending domain has no MX records of its own it is
more likely spam than if there are 3 or more MX records that resolve
to multiple IPs over more than one network. Generally spam-only
domains are minimally configured, and highly configured domains are
not spam-only. I also think that NS records might indicate whether a
domain is serious or not.
I think the serious scale could be a useful factor in SA. It doesn't
determine if it's spam or ham in itself. Yahoo is a serious domain and
there's lots of spam. Serious domains should not be blacklisted, for
example. We could also look for consistency. Bad RDNS from a serious
domain might be a spam indicator.
There might be other methods of detecting serious domains, such as
whether they are using expensive services. Spammers would not have
their DNS hosted with Ultra DNS, or use the expensive registrars, or
other services that are expensive.
Also, I'm thinking we should slowly mine the whois database and provide
some sort of DNS-based lookup of whois information to be able to
determine the registrar of a domain, the domain age, or other info
that would be useful in determining whether the domain is serious or not.
Who thinks I'm onto something?
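As an added illustration of the "serious domain" idea above (not code from the thread or from SpamAssassin), here is a small scorer that applies the MX, NS and RDNS heuristics to constructed DNS records; the point weights and the /16 network grouping are assumptions, and real use would replace the constructed table with live lookups.

```python
from ipaddress import ip_network

# Constructed sample records (not real lookups): domain -> MX hosts with their
# IPs, NS hosts with their IPs, and the RDNS name seen for the sending host.
SAMPLE_DOMAINS = {
    "well-run.example": {
        "mx": {"mx1": ["192.0.2.10"], "mx2": ["198.51.100.10"], "mx3": ["203.0.113.10"]},
        "ns": {"ns1": "192.0.2.53", "ns2": "198.51.100.53"},
        "sender_rdns": "mx1.well-run.example",
    },
    "throwaway.example": {
        "mx": {},                                   # no MX of its own
        "ns": {"ns1": "203.0.113.53"},
        "sender_rdns": None,                        # no reverse DNS at all
    },
    "spoofed-serious.example": {
        "mx": {"mx1": ["192.0.2.10"], "mx2": ["198.51.100.10"], "mx3": ["203.0.113.10"]},
        "ns": {"ns1": "192.0.2.53", "ns2": "198.51.100.53"},
        "sender_rdns": "mail.other.example",        # RDNS does not match the domain
    },
}

def networks(ips, prefix=16):
    """Collapse IPs into the distinct /prefix networks they fall into (assumed grouping)."""
    return {ip_network(f"{ip}/{prefix}", strict=False) for ip in ips}

def seriousness(rec):
    """Score how 'seriously' a domain is configured, per the heuristics in the thread."""
    score = 0
    mx_ips = [ip for ips in rec["mx"].values() for ip in ips]
    if not rec["mx"]:
        score -= 2          # no MX records: minimally configured
    elif len(rec["mx"]) >= 3 and len(networks(mx_ips)) > 1:
        score += 2          # 3+ MX hosts spread over more than one network
    if len(rec["ns"]) >= 2 and len(networks(rec["ns"].values())) > 1:
        score += 1          # redundant NS hosts on separate networks
    return score

def spam_indicators(domain, rec):
    """Return (seriousness score, list of indicators) for one sending domain."""
    score = seriousness(rec)
    rdns = rec["sender_rdns"]
    rdns_bad = rdns is None or not rdns.endswith("." + domain)
    indicators = []
    if score <= 0:
        indicators.append("minimally_configured")
    if score >= 2 and rdns_bad:
        indicators.append("serious_domain_bad_rdns")   # the consistency check
    return score, indicators

if __name__ == "__main__":
    for name, rec in SAMPLE_DOMAINS.items():
        print(name, spam_indicators(name, rec))
```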
You have ideas here that have been done before (whois information and
domain age for example). You have some others that I would question
without research.
I would recommend you look at installing something like MIMEDefang that
you can use to do research on incoming email and gather some statistics
and see if you can spot a ham/spam trend.
There is certainly merit to the investigation and then you can come back
and say I found XYZ.
For example, I've seen .info domains used a lot by spammers. I'm sure
there is a pattern there with a registrar probably.
Regards,
KAM