Detecting very recently registered domain names
We are noticing a lot of spam coming from domains that are less than two months old. Is there a good way to detect this automatically? We've thought about whois, but do not want to get blocked for looking like we are harvesting information. Regards, JMQ
Re: Detecting very recently registered domain names
Hi, On Thu, Dec 19, 2013 at 10:02 AM, Joe Quinn jqu...@pccc.com wrote: Isn't that where Kevin works too? Couldn't you just walk down the hall and ask him? lol We are noticing a lot of spam coming from domains that are less than two months old. Is there a good way to detect this automatically? Two months? That's already ancient. Check out the URIBL_RHS_DOB (day old bread) rule. Your domains should be hitting that. Best, Alex
Re: Detecting very recently registered domain names
According to this thread of five years ago, that RBL is not very well maintained. I wonder if that's still the case? (http://spamassassin.1065346.n5.nabble.com/New-Day-old-Bread-list-trick-td52989.html) There also don't appear to be any alternative RBLs that provide a similar list. I might have to chalk this one up as not worth the effort. :( On 12/19/2013 10:13 AM, Alex wrote: Hi, On Thu, Dec 19, 2013 at 10:02 AM, Joe Quinn jqu...@pccc.com wrote: Isn't that where Kevin works too? Couldn't you just walk down the hall and ask him? lol We are noticing a lot of spam coming from domains that are less than two months old. Is there a good way to detect this automatically? Two months? That's already ancient. Check out the URIBL_RHS_DOB (day old bread) rule. Your domains should be hitting that. Best, Alex
Re: Detecting very recently registered domain names
On 19/12/13 15:50, Joe Quinn wrote: According to this thread of five years ago, that RBL is not very well maintained. I wonder if that's still the case? (http://spamassassin.1065346.n5.nabble.com/New-Day-old-Bread-list-trick-td52989.html) There also don't appear to be any alternative RBLs that provide a similar list. I might have to chalk this one up as not worth the effort. :( See SEM-FRESH: http://spameatingmonkey.com/lists.html Regards, Steve.
Re: Detecting very recently registered domain names
On 19.12.2013 16:13, Alex wrote:
Hi, Hi, On Thu, Dec 19, 2013 at 10:02 AM, Joe Quinn jqu...@pccc.com wrote: Isn't that where Kevin works too? Couldn't you just walk down the hall and ask him? lol We are noticing a lot of spam coming from domains that are less than two months old. Is there a good way to detect this automatically? Two months? That's already ancient. Check out the URIBL_RHS_DOB (day old bread) rule. Your domains should be hitting that.
I've noticed false positives in last days in this rule.
1.5 URIBL_RHS_DOB Contains an URI of a new domain (Day Old Bread) [URIs: imageshack.us]
Re: Detecting very recently registered domain names
Joe Quinn wrote on 2013-12-19 16:02:
We are noticing a lot of spam coming from domains that are less than two months old. Is there a good way to detect this automatically? We've thought about whois, but do not want to get blocked for looking like we are harvesting information.
maybe make a rule that matches any domain, then use uribl_skip_domains to whitelist the ones that do not spam ?
spammers know their domain will be blacklisted if seen in spam, that's why they got new problems each day :=) but if they need to get whitelisted for not spamming they would try to keep their problem
    uribl_skip_domains example.org example.net
    uri ANY_DOMAIN /./
    describe ANY_DOMAIN domain not skipped
    score ANY_DOMAIN 0.1
then uri rule will not hit on example.org and example.net
untested, but i think it's the way to solve it
Re: Detecting very recently registered domain names
Marcin Mirosław wrote on 2013-12-19 17:47:
I've noticed false positives in last days in this rule.
1.5 URIBL_RHS_DOB Contains an URI of a new domain (Day Old Bread) [URIs: imageshack.us]
add this domain to uribl_skip_domains
don't be a fool :)
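The kind of DNS domain-list lookup behind rules such as URIBL_RHS_DOB and SEM-FRESH, combined with a local skip list for false positives like imageshack.us, sketched in Python as an added example (not code from any poster or from SpamAssassin). The zone name fresh.rhsbl.example, the helper names, the sample body and the canned DNS answers are all assumptions constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

FRESH_ZONE = "fresh.rhsbl.example"   # placeholder zone (assumption), not a real list
SKIP_DOMAINS = {"imageshack.us"}     # local exemptions for known false positives

def system_resolver(name):
    """A records for name via the system resolver; [] on NXDOMAIN or failure."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def registered_domain(host):
    """Naive last-two-labels reduction; production filters use a public-suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def fresh_domains(body, resolve=system_resolver, zone=FRESH_ZONE, skip=SKIP_DOMAINS):
    """Map each URI domain in body that the zone lists to its 127.x answers."""
    hits = {}
    for token in body.split():
        if "://" not in token:
            continue
        try:
            host = urlsplit(token.strip("<>()\"',;")).hostname
        except ValueError:
            continue
        if not host:
            continue
        domain = registered_domain(host)
        if domain in skip or domain in hits:
            continue
        # Only loopback-range answers mean "listed"; anything else (for example a
        # resolver that rewrites NXDOMAIN to a landing page) is ignored.
        codes = [a for a in resolve(f"{domain}.{zone}")
                 if ipaddress.ip_address(a) in ipaddress.ip_network("127.0.0.0/8")]
        if codes:
            hits[domain] = codes
    return hits

# Constructed sample message body and canned DNS answers, so the example runs offline.
SAMPLE_BODY = """Click http://promo.newly-registered.example/offer today,
picture at http://img.imageshack.us/a.png, details: https://www.old-site.example/"""
CANNED = {"newly-registered.example.fresh.rhsbl.example": ["127.0.0.2"],
          "imageshack.us.fresh.rhsbl.example": ["127.0.0.2"],
          "old-site.example.fresh.rhsbl.example": ["203.0.113.7"]}

if __name__ == "__main__":
    print(fresh_domains(SAMPLE_BODY, resolve=lambda n: CANNED.get(n, [])))
```

One DNS query per distinct domain replaces any whois lookup, so the whois rate-limit concern from the original question does not arise on the filtering host.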
Re: Detecting very recently registered domain names
On Thu, 19 Dec 2013, Benny Pedersen wrote:
Marcin Mirosław wrote on 2013-12-19 17:47:
I've noticed false positives in last days in this rule.
1.5 URIBL_RHS_DOB Contains an URI of a new domain (Day Old Bread) [URIs: imageshack.us]
add this domain to uribl_skip_domains
You shouldn't have to do that.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Bother, said Pooh as he struggled with /etc/sendmail.cf, it never does quite what I want. I wish Christopher Robin was here. -- Peter da Silva in a.s.r
---
6 days until Christmas
Re: Detecting very recently registered domain names
John Hardin wrote on 2013-12-19 18:31:
You shouldn't have to do that.
one should not complain either :) hard to be right :(
Re: Detecting very recently registered domain names
On 12/19/2013 10:13 AM, Alex wrote: Isn't that where Kevin works too? Couldn't you just walk down the hall and ask him? lol :-) I'm trying to get more people involved in the project. Speaking of which, I published the crash course on email / spam at https://raptor.pccc.com/raptor.cgim?template=email_spam_compendium if anyone has any comments. I know I need to add some about DMARC but a lot of people have contributed to this. I'm going to get the ability to comment, etc. soon but I want it to be a general resource for new system admins or people coming up to speed on the spam battle to use as a crash course. You can also see all the framework I'm working on for an RBL for the SA Project. Regards, KAM
Re: Detecting very recently registered domain names
On 19.12.2013 18:48, Kevin A. McGrail wrote:
On 12/19/2013 10:13 AM, Alex wrote:
Isn't that where Kevin works too? Couldn't you just walk down the hall and ask him? lol
:-) I'm trying to get more people involved in the project. Speaking of which, I published the crash course on email / spam at https://raptor.pccc.com/raptor.cgim?template=email_spam_compendium
couldn't read that all, but looks nice
if anyone has any comments. I know I need to add some about DMARC but a lot of people have contributed to this. I'm going to get the ability to comment, etc. soon but I want it to be a general resource for new system admins or people coming up to speed on the spam battle to use as a crash course.
spf, dkim, dmarc are not antispam mechs, however they may help sometimes in some spam cases, so do not mix it up with antispam and confuse users
see http://en.wikipedia.org/wiki/DomainKeys_Identified_Mail
... DomainKeys Identified Mail (DKIM) is a method for associating a domain name with an email message ...
see http://en.wikipedia.org/wiki/Sender_Policy_Framework
.. Sender Policy Framework (SPF) is an email validation system designed to prevent email spam by detecting email spoofing ..
Dmarc goes on top of DKIM and SPF
Anyone may have right spf, dkim, dmarc stuff
i got tons of spam passing spf, dkim, dmarc checks, mostly from hacked big freemailer accounts, at the end it's always the content which makes a mail spammy
You can also see all the framework I'm working on for an RBL for the SA Project. Regards, KAM
Best Regards MfG Robert Schetterer
--
[*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München
Registered office: München, District Court München: HRB 199263
Management Board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Chairman of the Supervisory Board: Florian Kirstein
Re: Detecting very recently registered domain names
On 12/19/2013 1:17 PM, Robert Schetterer wrote: couldnt read that all ,but looks nice Thanks. spf. dkim, dmarc are not antispam mechs, however they may help sometimes in some spam cases, so do not mix it up with antispam and confuse users Good point. I'll add a caveat because mail administrators need to know about these topics but this is an email and anti-spam compendium not just an anti-spam. Regards, KAM
Re: Detecting very recently registered domain names
On 19.12.2013 19:21, Kevin A. McGrail wrote:
On 12/19/2013 1:17 PM, Robert Schetterer wrote:
couldn't read that all, but looks nice
Thanks.
spf, dkim, dmarc are not antispam mechs, however they may help sometimes in some spam cases, so do not mix it up with antispam and confuse users
Good point. I'll add a caveat because mail administrators need to know about these topics but this is an email and anti-spam compendium not just an anti-spam. Regards, KAM
see https://raptor.pccc.com/raptor.cgim?template=email_spam_compendium
... Sender Policy Framework (SPF) - SPF is an anti-spam approach in which the Internet domain ...
Best Regards MfG Robert Schetterer
Re: Detecting very recently registered domain names
Kevin A. McGrail wrote on 2013-12-19 19:21:
On 12/19/2013 1:17 PM, Robert Schetterer wrote:
couldn't read that all, but looks nice
Thanks.
spf, dkim, dmarc are not antispam mechs, however they may help sometimes in some spam cases, so do not mix it up with antispam and confuse users
Good point. I'll add a caveat because mail administrators need to know about these topics but this is an email and anti-spam compendium not just an anti-spam.
spf/dkim/dmarc help sort out who to complain to, it can still be spam or not spam
rule i self follow is if spf/dkim/dmarc pass, report spam to auth domains that it's sent from, if positive feedback then it's done, if negative feedback i can safely blacklist sender domain local
but maybe it's just me :(
Re: Detecting very recently registered domain names
Sender Policy Framework (SPF) - SPF is an anti-spam approach in which the Internet domain ... Will clarify but I wouldn't be shocked if that was the description on wikipedia from a year or so ago. This compendium has been written over many years. Regards, KAM -- Kevin A. McGrail President Peregrine Computer Consultants Corporation 3927 Old Lee Highway, Suite 102-C Fairfax, VA 22030-2422 http://www.pccc.com/ 703-359-9700 x50 / 800-823-8402 (Toll-Free) 703-359-8451 (fax) kmcgr...@pccc.com
Re: Detecting very recently registered domain names
On 19.12.2013 19:28, Kevin A. McGrail wrote:
Sender Policy Framework (SPF) - SPF is an anti-spam approach in which the Internet domain ...
Will clarify but I wouldn't be shocked if that was the description on wikipedia from a year or so ago. This compendium has been written over many years. Regards, KAM
not a big problem at all, in your case, but some marketing people promote spf/dkim/dmarc as some jedi wonder tool against spam, which simply isn't true
Best Regards MfG Robert Schetterer
Re: Detecting very recently registered domain names
Robert Schetterer wrote on 2013-12-19 19:39:
not a big problem at all, in your case, but some marketing people promote spf/dkim/dmarc as some jedi wonder tool against spam, which simply isn't true
so what is true ? i really hate ignorants
Re: Detecting very recently registered domain names
On 12/19/2013 1:17 PM, Robert Schetterer wrote:
couldn't read that all, but looks nice
spf, dkim, dmarc are not antispam mechs, however they may help sometimes in some spam cases, so do not mix it up with antispam and confuse users
On 19.12.2013 19:21, Kevin A. McGrail wrote:
Good point. I'll add a caveat because mail administrators need to know about these topics but this is an email and anti-spam compendium not just an anti-spam.
On 19.12.13 19:26, Robert Schetterer wrote:
see https://raptor.pccc.com/raptor.cgim?template=email_spam_compendium
... Sender Policy Framework (SPF) - SPF is an anti-spam approach in which the Internet domain
ok, so this is again one site that should be corrected... spf is NOT an anti-spam tool - it is anti-forgery tool. Yes, much of spam is forged but the info above is still wrong... Kevin, please fix that info...
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT wish to receive any advertising mail at this address.
Silvester Stallone: Father of the RISC concept.
Re: Detecting very recently registered domain names
Sender Policy Framework (SPF) - SPF is an anti-spam approach in which the Internet domain ...
On 19.12.2013 19:28, Kevin A. McGrail wrote:
Will clarify but I wouldn't be shocked if that was the description on wikipedia from a year or so ago. This compendium has been written over many years.
On 19.12.13 19:39, Robert Schetterer wrote:
not a big problem at all, in your case, but some marketing people promote spf/dkim/dmarc as some jedi wonder tool against spam, which simply isn't true
... and so we see other marketing people telling we don't use SPF, because it's useless - there are spammers using SPF
ohh f...
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT wish to receive any advertising mail at this address.
(R)etry, (A)bort, (C)ancer
Re: Detecting very recently registered domain names
On 12/19/2013 1:47 PM, Matus UHLAR - fantomas wrote: ok, so this is again one site that should be corrected... spf is NOT an anti-spam tool - it is anti-forgery tool. Yes, much of spam is forged but the info above is still wrong... Kevin, please fix that info... Definitely will mark it as anti-forgery not anti-spam. Regards, KAM
Re: Detecting very recently registered domain names
Kevin A. McGrail wrote on 2013-12-19 20:14:
On 12/19/2013 1:47 PM, Matus UHLAR - fantomas wrote:
ok, so this is again one site that should be corrected... spf is NOT an anti-spam tool - it is anti-forgery tool. Yes, much of spam is forged but the info above is still wrong... Kevin, please fix that info...
Definitely will mark it as anti-forgery not anti-spam.
if marketing begin to say we don't use ip since spammers are using ips, then i will have respect for their knowledge, maybe their money contains forged ips ? :)
adsp and ip-blacklist is more or less not useful anymore
domain blacklist is, since a ham domain can still send from a ip that is blacklisted
antispam should know this, hopefully marketing learns
Re: Detecting very recently registered domain names
On 19.12.2013 19:49, Matus UHLAR - fantomas wrote:
Sender Policy Framework (SPF) - SPF is an anti-spam approach in which the Internet domain ...
On 19.12.2013 19:28, Kevin A. McGrail wrote:
Will clarify but I wouldn't be shocked if that was the description on wikipedia from a year or so ago. This compendium has been written over many years.
On 19.12.13 19:39, Robert Schetterer wrote:
not a big problem at all, in your case, but some marketing people promote spf/dkim/dmarc as some jedi wonder tool against spam, which simply isn't true
... and so we see other marketing people telling we don't use SPF, because it's useless - there are spammers using SPF
ohh f...
i think their main message will be ever trust in me and gimme your money *g
Best Regards MfG Robert Schetterer