On Wed, 11 Mar 2015, Axb wrote:

I don't quite understand your logic/language but yes, that's the point of such a list. You list the NS and all domains on that NS get scored.

for example see:

URIBL's "Extra Datasets via Datafeed Service"
http://uribl.com/datasets.shtml

black_ns.txt - This file contains nameservers we have identified as bad, and in turn proactively lists all domains registered against them to Gold and lists reactive hits to URIBL Black.

# Example black_ns zone data
..
ns1.gdlpdlvrydirect.net   :127.0.0.2:black_ns $ added on 2008-07-13 23:12:53
ns1.panamans.com          :127.0.0.2:black_ns $ added on 2008-07-14 04:16:18
ns1.easyquickdebts.com    :127.0.0.2:black_ns $ added on 2008-07-14 08:01:41
ns0.holidaynicegood.com   :127.0.0.2:black_ns $ added on 2008-07-14 08:02:18
..

# Example SpamAssassin Rule usage
#   - urifullnsrhssub is a SpamAssassin 3.3 SVN feature only and will
#     not work in currently released versions of SpamAssassin!
#   - Change blackns.your-domain.tld to the host you have this data loaded in
#   - Rescore from 0.01 after testing effectiveness on your mail flow
urifullnsrhssub BLACK_NS        blackns.your-domain.tld.  A 2
body            BLACK_NS        eval:check_uridnsbl('BLACK_NS')
tflags          BLACK_NS        net
score           BLACK_NS        0.01

There's also a rather large number of such private lists.
Trust me, it's highly efficient...

Except that the rrpproxy.net people have figured out a way to circumvent this.
They now register spammer domains and don't list -any- NS records in the zone.

 # dig -t ns hardinskinrestore.com.

 ; <<>> DiG 9.9.6-P1 <<>> -t ns hardinskinrestore.com.
 ;; global options: +cmd
 ;; Got answer:
 ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26749
 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

 ;; OPT PSEUDOSECTION:
 ; EDNS: version: 0, flags:; udp: 1024
 ;; QUESTION SECTION:
 ;hardinskinrestore.com.         IN      NS

 ;; AUTHORITY SECTION:
 hardinskinrestore.com.  10800   IN      SOA     ns1.rrpproxy.net. tech.rrpproxy.net. 2015031300 10800 3600 604800 28800

 ;; Query time: 111 msec
 ;; SERVER: 127.0.0.1#53(127.0.0.1)
 ;; WHEN: Fri Mar 13 13:16:18 CDT 2015
 ;; MSG SIZE  rcvd: 107

May be worth hacking the urifullnsrhssub code to use the NS field from the SOA
record if there are no answers to the NS query.


--
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
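
The fallback suggested in the message above, sketched as an added example (not code from the original post and not SpamAssassin's implementation): take the NS targets from the answer section, and when there are none, use the MNAME field of the SOA record in the authority section. The function names, the `LOCAL_BLACK_NS` set and the `example.*` zone are assumptions made for illustration; the first sample is a trimmed copy of the dig output quoted in the post.

```python
import re

# Constructed sample: trimmed copy of the dig answer quoted in the post (no NS records).
DIG_NO_NS = """\
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;hardinskinrestore.com.         IN      NS

;; AUTHORITY SECTION:
hardinskinrestore.com.  10800   IN      SOA     ns1.rrpproxy.net. tech.rrpproxy.net. 2015031300 10800 3600 604800 28800
"""

# Constructed sample: a zone that does publish NS records (placeholder names).
DIG_WITH_NS = """\
;; ANSWER SECTION:
example.com.  3600  IN  NS  ns1.example.net.
example.com.  3600  IN  NS  ns2.example.net.
"""

# Hypothetical entry in a locally maintained nameserver list, for illustration only.
LOCAL_BLACK_NS = {"ns1.rrpproxy.net"}

RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(NS|SOA)\s+(\S+)", re.I)

def nameservers(dig_text):
    """Return (names, source): NS targets from ANSWER, else the SOA MNAME from AUTHORITY."""
    section, ns, mname = None, [], None
    for line in dig_text.splitlines():
        line = line.strip()
        header = re.match(r";; (\w+) SECTION:", line)
        if header:
            section = header.group(1).upper()
            continue
        rr = RR.match(line)  # comment lines (";...") never match this pattern
        if not rr:
            continue
        rtype, target = rr.group(3).upper(), rr.group(4).rstrip(".").lower()
        if section == "ANSWER" and rtype == "NS":
            ns.append(target)
        elif section == "AUTHORITY" and rtype == "SOA" and mname is None:
            mname = target  # first field of SOA rdata is the primary NS (MNAME)
    if ns:
        return ns, "ns"
    return ([mname], "soa-mname") if mname else ([], "none")

def black_ns_hits(dig_text, black_ns):
    """Return (listed names, source) so a rule can weight SOA-derived hits separately."""
    names, source = nameservers(dig_text)
    return [n for n in names if n in black_ns], source
```

The SOA MNAME is a free-form field chosen by the zone operator and need not name a server that actually serves the zone, so the returned source label lets a SOA-derived hit be scored separately from an NS match.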
