Re: Detecting the Registrar of the sending host?
On 2 Jul 2008, at 17:30, Yet Another Ninja wrote:

> Even EUrid is happily supporting pillz spammers on .eu

Eurid is a registry NOT a registrar

Mr Michele Neylon
Blacknight Solutions
Hosting & Colocation, Brand Protection
http://www.blacknight.com/
http://blog.blacknight.com/
Intl. +353 (0) 59 9183072
US: 213-233-1612
UK: 0844 484 9361
Locall: 1850 929 929
Direct Dial: +353 (0)59 9183090
Fax. +353 (0) 1 4811 763
---
Blacknight Internet Solutions Ltd, Unit 12A, Barrowside Business Park, Sleaty Road, Graiguecullen, Carlow, Ireland
Company No.: 370845
Re: Detecting the Registrar of the sending host?
On 7 Jul 2008, at 14:40, Richard Frovarp wrote:

> Fortune 500's suffer from botnet infections as well.

Exactly

Mr Michele Neylon
Blacknight Solutions
Re: Detecting the Registrar of the sending host?
Marc Perkel wrote:
> Yet Another Ninja wrote:
>> On 7/2/2008 6:05 PM, Marc Perkel wrote:
>>> Is there an easy way to detect the registrar of a domain through DNS? For example - can I easily figure out if an email I'm processing is hosted by GoDaddy or Tucows?
>>>
>>> Here's what I'm thinking. I think there's some expensive and highly secure registrars out there who are the registrar of expensive domains and probably have no spam domains at all. This could be used to create white rules.
>>>
>>> Can this be done?
>>
>> you sure there are major registrars you can whitelist?
>> http://rss.uribl.com/nic/
>>
>> Even EUrid is happily supporting pillz spammers on .eu
>
> Not major registrars, minor ones. There's one called markmonitor.com that seems to have clients like banks and major corporations. My guess is that this is an extremely expensive registrar where security means everything and no one is going to accidentally mess with anything. The idea here is that if the registrar is this expensive and restrictive then only the good guys will be using them. At least that was what I would test if there were a way to test it. Apparently there is not.

Not reliably & securely. Parsing whois data is messy, there's no standard format, clients are blocked frequently, and data can be quite stale (dns servers ips are often old). The best you can do is a static list that is part of an SA rule to add a point or so if you are also happy with the dns if you really think it's worth it. DKIM does a better job with most of these domains anyway, imo.

fwiw, markmonitor 'monitors' 'marks' - they are in the intellectual property protection business. Too bad ICANN wasn't using them.
http://www.icann.org/en/announcements/announcement-03jul08-en.htm
ooops!

Ken
--
Ken Anderson
Pacific.Net
Re: Detecting the Registrar of the sending host?
Yet Another Ninja wrote:
> On 7/2/2008 6:05 PM, Marc Perkel wrote:
>> Is there an easy way to detect the registrar of a domain through DNS? For example - can I easily figure out if an email I'm processing is hosted by GoDaddy or Tucows?
>>
>> Here's what I'm thinking. I think there's some expensive and highly secure registrars out there who are the registrar of expensive domains and probably have no spam domains at all. This could be used to create white rules.
>>
>> Can this be done?
>
> you sure there are major registrars you can whitelist?
> http://rss.uribl.com/nic/
>
> Even EUrid is happily supporting pillz spammers on .eu

Not major registrars, minor ones. There's one called markmonitor.com that seems to have clients like banks and major corporations. My guess is that this is an extremely expensive registrar where security means everything and no one is going to accidentally mess with anything. The idea here is that if the registrar is this expensive and restrictive then only the good guys will be using them. At least that was what I would test if there were a way to test it. Apparently there is not.
Re: Detecting the Registrar of the sending host?
Yet Another Ninja wrote:
> On 7/2/2008 6:05 PM, Marc Perkel wrote:
>> Is there an easy way to detect the registrar of a domain through DNS? For example - can I easily figure out if an email I'm processing is hosted by GoDaddy or Tucows?
>>
>> Here's what I'm thinking. I think there's some expensive and highly secure registrars out there who are the registrar of expensive domains and probably have no spam domains at all. This could be used to create white rules.
>>
>> Can this be done?
>
> you sure there are major registrars you can whitelist?
> http://rss.uribl.com/nic/
>
> Even EUrid is happily supporting pill spammers on .eu

Fortune 500's suffer from botnet infections as well.
Re: Detecting the Registrar of the sending host?
On 7/2/2008 6:05 PM, Marc Perkel wrote:
> Is there an easy way to detect the registrar of a domain through DNS? For example - can I easily figure out if an email I'm processing is hosted by GoDaddy or Tucows?
>
> Here's what I'm thinking. I think there's some expensive and highly secure registrars out there who are the registrar of expensive domains and probably have no spam domains at all. This could be used to create white rules.
>
> Can this be done?

you sure there are major registrars you can whitelist?
http://rss.uribl.com/nic/

Even EUrid is happily supporting pill spammers on .eu
Re: Detecting the Registrar of the sending host?
On 7/2/2008 6:05 PM, Marc Perkel wrote:
> Is there an easy way to detect the registrar of a domain through DNS? For example - can I easily figure out if an email I'm processing is hosted by GoDaddy or Tucows?
>
> Here's what I'm thinking. I think there's some expensive and highly secure registrars out there who are the registrar of expensive domains and probably have no spam domains at all. This could be used to create white rules.
>
> Can this be done?

you sure there are major registrars you can whitelist?
http://rss.uribl.com/nic/

Even EUrid is happily supporting pillz spammers on .eu
Re: Detecting the Registrar of the sending host?
On Friday 4 July 2008, Michele Neylon wrote:
> On 3 Jul 2008, at 22:06, Marc Perkel wrote:
>> You can't spoof Forward Confirmed rDNS.
>
> But you can't stop $bigcorporations PCs getting compromised either

You don't have to. As long as there is a non-zero correlation coefficient between some property of a mail message and its spamminess, you can assign a score. The correlation coefficient doesn't have to be 1 or -1 - in other words, the property, in this example the registrar of the domain of the remote host, doesn't have to be a perfect indicator of spam or ham. It's enough that mail from domains registered with some registrars is less likely to be spam than mail from others.

> And I really love the way you completely ignored my example of gmail.com

Exceptions are possible to handle. After all, SpamAssassin is all about combining and adding many various rules.

--
Magnus Holmgren [EMAIL PROTECTED]
(No Cc of list mail needed, thanks)
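Magnus's point that an imperfect indicator still earns a score, worked through as an added example (not from the list and not SpamAssassin's own scoring code): a constructed 2x2 table of ham/spam counts per registrar of the sending host's domain, the phi correlation coefficient for it, and a smoothed log-likelihood-ratio weight clamped so that no single rule becomes a hard whitelist. All counts are hypothetical.

```python
import math

# Constructed corpus sizes and per-registrar counts (illustrative only, not real
# statistics): how many spam and ham messages had an FCrDNS domain registered
# through the named registrar.
TOTAL_SPAM = 10_000
TOTAL_HAM = 10_000
COUNTS = {
    "exclusive_registrar": {"spam": 50, "ham": 2_000},    # a few compromised bigcorp PCs
    "bulk_registrar":      {"spam": 6_000, "ham": 5_000}, # where most domains live
}


def phi_coefficient(feat_spam, feat_ham, total_spam=TOTAL_SPAM, total_ham=TOTAL_HAM):
    """Correlation between 'feature present' and 'message is spam' for a 2x2 table.
    -1: feature appears only on ham; +1: only on spam; 0: uninformative."""
    a, b = feat_spam, total_spam - feat_spam   # spam: with / without the feature
    c, d = feat_ham, total_ham - feat_ham       # ham:  with / without the feature
    denom = math.sqrt((a + b) * (c + d) * (a + c) * (b + d))
    return (a * d - b * c) / denom if denom else 0.0


def feature_score(feat_spam, feat_ham, total_spam=TOTAL_SPAM, total_ham=TOTAL_HAM, cap=3.0):
    """Log-likelihood-ratio weight with Laplace smoothing, clamped to +/- cap.
    Negative = evidence of ham, positive = evidence of spam. The clamp is what
    keeps this a 'subtract a few points' rule rather than a hard whitelist."""
    p_spam = (feat_spam + 1) / (total_spam + 2)   # P(feature | spam)
    p_ham = (feat_ham + 1) / (total_ham + 2)      # P(feature | ham)
    raw = math.log(p_spam / p_ham)
    return max(-cap, min(cap, raw))


def registrar_scores():
    """phi and clamped score for every registrar in the constructed table."""
    return {
        name: (round(phi_coefficient(c["spam"], c["ham"]), 3),
               round(feature_score(c["spam"], c["ham"]), 3))
        for name, c in COUNTS.items()
    }


if __name__ == "__main__":
    # The exclusive registrar has phi of only about -0.32, far from a perfect
    # indicator, yet still earns a usable negative score; the bulk registrar
    # sits near zero, which is why it carries no information either way.
    for name, (phi, score) in registrar_scores().items():
        print(f"{name:22s} phi={phi:+.3f}  score={score:+.3f}")
```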
Re: Detecting the Registrar of the sending host?
> You can't spoof Forward Confirmed rDNS.

If we could find registrar of domain then I can write a rule

if( Expensive_registrar && Not_spoofed && Not_freemail )
    we can give a negative score

I would not like to whitelist the entire stuff though

That means I would have to maintain a list of Expensive_registrars as well as a list of Freemail domains. I wonder if such lists are available though

But you could have big corporates, with weak password policies and accounts getting compromised. So spam does come from these accounts

Thanks
Ram
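Ram's rule sketch above, together with Ken Anderson's caveat further up the thread that whois output has no standard layout, as an added example (not code from the list or from SpamAssassin): a best-effort registrar parser over constructed whois text, a Forward Confirmed rDNS check against constructed DNS data, and the Expensive_registrar && Not_spoofed && Not_freemail rule with the gmail.com exception Michele raised. Every domain, IP, list entry and the -2.0 weight is hypothetical; only the gmail.com field layout mirrors what was quoted in the thread.

```python
import re

# --- Constructed inputs (no live lookups) -------------------------------------
# whois output in three of the many layouts seen in the wild. The gmail.com one
# follows the fields quoted in this thread; the other domains are made up.
WHOIS_SAMPLES = {
    "gmail.com": (
        "Domain Name: gmail.com\n"
        "Registrar Name: Markmonitor.com\n"
        "Registrar Whois: whois.markmonitor.com\n"
        "Registrar Homepage: http://www.markmonitor.com\n"
    ),
    "examplebank.test": (
        "   Domain Name: EXAMPLEBANK.TEST\n"
        "   Registrar: MarkMonitor Inc.\n"
        "   Registrar WHOIS Server: whois.markmonitor.com\n"
    ),
    "cheapdomain.test": (
        "Domain name:\n        cheapdomain.test\n"
        "Registrar:\n        Bulk Registrar Example Ltd\n"
    ),
    "blocked.test": "Access to WHOIS information has been rate-limited.\n",
}
# Hypothetical DNS data for the FCrDNS check: PTR of the connecting IP, then the
# A records of the name that PTR returned. 192.0.2.30 has a PTR that points at a
# bank host whose A record does not point back: a spoofed rDNS name.
PTR = {"192.0.2.10": "mail.examplebank.test", "192.0.2.20": "mx.gmail.com",
       "192.0.2.30": "mail.examplebank.test", "192.0.2.40": "smtp.cheapdomain.test",
       "192.0.2.50": "mta.blocked.test"}
A = {"mail.examplebank.test": {"192.0.2.10"}, "mx.gmail.com": {"192.0.2.20"},
     "smtp.cheapdomain.test": {"192.0.2.40"}, "mta.blocked.test": {"192.0.2.50"}}

# The two hand-maintained lists Ram mentions (hypothetical contents).
EXPENSIVE_REGISTRARS = {"markmonitor"}   # matched as a substring of the normalized name
FREEMAIL_DOMAINS = {"gmail.com"}         # the exception raised in the thread
EXPENSIVE_REGISTRAR_SCORE = -2.0         # hypothetical weight; deliberately not a hard whitelist

# Labels vary ("Registrar:", "Registrar Name:", "Sponsoring Registrar:") and the
# value may sit on the same line or the next one.
_REG_LABEL = re.compile(r"^\s*(?:sponsoring\s+)?registrar(?:\s+name)?:\s*(.*)$", re.I)


def parse_registrar(whois_text):
    """Best-effort registrar extraction; None when the layout is unknown
    (rate-limit notices, blocked clients, unexpected formats)."""
    lines = whois_text.splitlines()
    for i, line in enumerate(lines):
        m = _REG_LABEL.match(line)
        if not m:
            continue
        value = m.group(1).strip()
        if not value and i + 1 < len(lines):   # label alone, value on the next line
            value = lines[i + 1].strip()
        return value or None
    return None


def normalize_registrar(name):
    """Collapse 'MarkMonitor Inc.' and 'Markmonitor.com' to a comparable token."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def fcrdns_name(ip):
    """Forward Confirmed rDNS: the PTR name must have an A record back to ip."""
    name = PTR.get(ip)
    return name if name and ip in A.get(name, set()) else None


def registered_domain(hostname):
    # Naive: last two labels. Real code needs the public suffix list (co.uk etc.).
    return ".".join(hostname.lower().split(".")[-2:])


def evaluate(ip):
    """Ram's rule: Expensive_registrar && Not_spoofed && Not_freemail -> negative score."""
    host = fcrdns_name(ip)
    if host is None:
        return {"score": 0.0, "reason": "rDNS not forward-confirmed"}
    domain = registered_domain(host)
    if domain in FREEMAIL_DOMAINS:
        return {"score": 0.0, "reason": f"{domain} is a freemail provider"}
    raw = parse_registrar(WHOIS_SAMPLES.get(domain, ""))
    if raw is None:
        return {"score": 0.0, "reason": f"registrar of {domain} unknown"}
    if any(r in normalize_registrar(raw) for r in EXPENSIVE_REGISTRARS):
        return {"score": EXPENSIVE_REGISTRAR_SCORE, "reason": f"{domain} registered via {raw}"}
    return {"score": 0.0, "reason": f"{domain} registered via {raw} (not on list)"}


if __name__ == "__main__":
    for ip in sorted(PTR):
        print(ip, evaluate(ip))
```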
Re: Detecting the Registrar of the sending host?
On Fri, Jul 04, 2008 at 12:38:49PM +0100, Michele Neylon wrote:
> On 3 Jul 2008, at 22:06, Marc Perkel wrote:
>> You can't spoof Forward Confirmed rDNS.
>
> But you can't stop $bigcorporations PCs getting compromised either
>
> And I really love the way you completely ignored my example of gmail.com
>
> You may have good intentions, but your idea is seriously flawed
>
> Mr Michele Neylon
> Blacknight Solutions
Re: Detecting the Registrar of the sending host?
On 3 Jul 2008, at 22:06, Marc Perkel wrote:

> You can't spoof Forward Confirmed rDNS.

But you can't stop $bigcorporations PCs getting compromised either

And I really love the way you completely ignored my example of gmail.com

You may have good intentions, but your idea is seriously flawed

Mr Michele Neylon
Blacknight Solutions
Re: Detecting the Registrar of the sending host?
Richard Frovarp wrote:
> Marc Perkel wrote:
>> Michele Neylon wrote:
>>> On 2 Jul 2008, at 19:56, Marc Perkel wrote:
>>>> Again - it's not to figure out where spam comes from. It's figuring out where non-spam comes from. I think there are registrars out there that don't have any spam domains registered.
>>>
>>> What are you trying to prove?
>>>
>>> Your logic completely escapes me
>>>
>>> I also fail to see how the registrar is of much importance
>>>
>>> There are over 900 ICANN accredited registrars
>>>
>>> Of those about 200 odd are active
>>>
>>> Of the 200 a handful account for the bulk of all domains registered / managed
>>>
>>> Statistically this means you're going to see spam from domains registered with enom, godaddy, directi, tucows and a few others. It doesn't mean anything
>>>
>>> In fact it's totally meaningless
>>
>> It's interesting how the concept of white rules seems to be beyond comprehension here. There is a registrar called markmonitor.com that looks like a very high end and expensive registrar that only services big companies like banks and such. So domains who are registered through Markmonitor would not be spammers and would likely be all ham. This isn't about spam detection - it's about ham detection.
>
> The question is, how do you reliably tell that the mail actually came from the company in question? It can be spoofed, or they can end up with compromised systems.

You can't spoof Forward Confirmed rDNS.
Re: Detecting the Registrar of the sending host?
Marc Perkel <[EMAIL PROTECTED]> wrote:
> Matus UHLAR - fantomas wrote:
>> On 03.07.08 13:22, Henrik K wrote:
>>> If lesser registrar means that it's probably ham, why couldn't someone use that to add some negative scores or use it as a part of whitelist trustworthiness? Even if it's handful of domains, it's useful. If you could get the registrar data without expensive lookups..
>>
>> what if spammers start registering domains using those registrars?
>
> The registrars I'm talking about are extremely expensive and very exclusive. Spammers couldn't afford it.

Big sloppy/lousy corporation can afford it.

--
[pl>en: Andrew] Andrzej Adam Filip : [EMAIL PROTECTED] : [EMAIL PROTECTED]
Most people can't understand how others can blow their noses differently than they do. -- Turgenev
Re: Detecting the Registrar of the sending host?
Marc Perkel wrote:
> Michele Neylon wrote:
>> On 2 Jul 2008, at 19:56, Marc Perkel wrote:
>>> Again - it's not to figure out where spam comes from. It's figuring out where non-spam comes from. I think there are registrars out there that don't have any spam domains registered.
>>
>> What are you trying to prove?
>>
>> Your logic completely escapes me
>>
>> I also fail to see how the registrar is of much importance
>>
>> There are over 900 ICANN accredited registrars
>>
>> Of those about 200 odd are active
>>
>> Of the 200 a handful account for the bulk of all domains registered / managed
>>
>> Statistically this means you're going to see spam from domains registered with enom, godaddy, directi, tucows and a few others. It doesn't mean anything
>>
>> In fact it's totally meaningless
>
> It's interesting how the concept of white rules seems to be beyond comprehension here. There is a registrar called markmonitor.com that looks like a very high end and expensive registrar that only services big companies like banks and such. So domains who are registered through Markmonitor would not be spammers and would likely be all ham. This isn't about spam detection - it's about ham detection.

The question is, how do you reliably tell that the mail actually came from the company in question? It can be spoofed, or they can end up with compromised systems.
RE: Detecting the Registrar of the sending host?
> The registrars I'm talking about are extremely expensive and very exclusive. Spammers couldn't afford it.

Hmm, check out markmonitor.com

The really interesting point is this. Since so much spam is about getting brand recognition in people's faces and not necessarily getting them to click on anything, this is an interesting concept. Protect your brand. Makes you wonder if some, or many, big brands are two faced. Wanna look good on one side, protect the brand, look good to the public, yet have back room deals with spammers to get the brand name out there at almost any cost. Doesn't everyone see tons of spam from "big brands" that is just totally tasteless emails from scum you know you wouldn't touch based upon our technological view of email and its content?

h - rh
Re: Detecting the Registrar of the sending host?
On 3 Jul 2008, at 16:26, Marc Perkel wrote:

> It's interesting how the concept of white rules seems to be beyond comprehension here. There is a registrar called markmonitor.com that looks like a very high end and expensive registrar that only services big companies like banks and such. So domains who are registered through Markmonitor would not be spammers and would likely be all ham. This isn't about spam detection - it's about ham detection.

Markmonitor is used by big brands - yes

Big brands don't send spam?? -= Dangerous assumption

gmail.com is owned by a big brand, is registered with Mark Monitor and is a source of spam

Domain Name: gmail.com
Registrar Name: Markmonitor.com
Registrar Whois: whois.markmonitor.com
Registrar Homepage: http://www.markmonitor.com

Mr Michele Neylon
Blacknight Solutions
RE: Detecting the Registrar of the sending host?
Marc Perkel wrote:
> It's interesting how the concept of white rules seems to be beyond comprehension here. There is a registrar called markmonitor.com that looks like a very high end and expensive registrar that only services big companies like banks and such. So domains who are registered through Markmonitor would not be spammers and would likely be all ham. This isn't about spam detection - it's about ham detection.

It sounds like a good idea to me. Of course, you need to find a reliable way to do it and test to make sure it hits enough mail to be worthwhile. And, of course, make sure it works the way you think it will. :)

I think the problem is that most people think "Whitelist == Mark as Ham". In those terms, I'm not sure I would go with this idea. But I think it would probably be worth subtracting a few points from the score. With testing, we may find that it does work well as a solid whitelist, or we may find that it doesn't work at all, but we'll never know until we try ... so go for it!

--
Bowie
Re: Detecting the Registrar of the sending host?
Marc Perkel wrote:
> Matus UHLAR - fantomas wrote:
>> On 03.07.08 13:22, Henrik K wrote:
>>> If lesser registrar means that it's probably ham, why couldn't someone use that to add some negative scores or use it as a part of whitelist trustworthiness? Even if it's handful of domains, it's useful. If you could get the registrar data without expensive lookups..
>>
>> what if spammers start registering domains using those registrars?
>
> The registrars I'm talking about are extremely expensive and very exclusive. Spammers couldn't afford it.

What if they just use the domains of those that do it? Or what if they compromise the accounts of those that use these exclusive registrars (like .edu)? I don't see any performance gain as it would have to be handled at MTA, which can suffer from spoofing.
Re: Detecting the Registrar of the sending host?
Michele Neylon wrote:
> On 2 Jul 2008, at 19:56, Marc Perkel wrote:
>> Again - it's not to figure out where spam comes from. It's figuring out where non-spam comes from. I think there are registrars out there that don't have any spam domains registered.
>
> What are you trying to prove?
>
> Your logic completely escapes me
>
> I also fail to see how the registrar is of much importance
>
> There are over 900 ICANN accredited registrars
>
> Of those about 200 odd are active
>
> Of the 200 a handful account for the bulk of all domains registered / managed
>
> Statistically this means you're going to see spam from domains registered with enom, godaddy, directi, tucows and a few others. It doesn't mean anything
>
> In fact it's totally meaningless

It's interesting how the concept of white rules seems to be beyond comprehension here. There is a registrar called markmonitor.com that looks like a very high end and expensive registrar that only services big companies like banks and such. So domains who are registered through Markmonitor would not be spammers and would likely be all ham. This isn't about spam detection - it's about ham detection.
Re: Detecting the Registrar of the sending host?
Matus UHLAR - fantomas wrote:
> On 03.07.08 13:22, Henrik K wrote:
>> If lesser registrar means that it's probably ham, why couldn't someone use that to add some negative scores or use it as a part of whitelist trustworthiness? Even if it's handful of domains, it's useful. If you could get the registrar data without expensive lookups..
>
> what if spammers start registering domains using those registrars?

The registrars I'm talking about are extremely expensive and very exclusive. Spammers couldn't afford it.
Re: Detecting the Registrar of the sending host?
On 03.07.08 13:22, Henrik K wrote:
> If lesser registrar means that it's probably ham, why couldn't someone use that to add some negative scores or use it as a part of whitelist trustworthiness? Even if it's handful of domains, it's useful. If you could get the registrar data without expensive lookups..

what if spammers start registering domains using those registrars?

--
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
The early bird may get the worm, but the second mouse gets the cheese.
Re: Detecting the Registrar of the sending host?
On 3 Jul 2008, at 11:22, Henrik K wrote:

>> Your logic completely escapes me
>
> So does yours.

Diddums

Mr Michele Neylon
Blacknight Solutions
Re: Detecting the Registrar of the sending host?
On Thu, Jul 03, 2008 at 11:09:15AM +0100, Michele Neylon wrote:
> On 2 Jul 2008, at 19:56, Marc Perkel wrote:
>> Again - it's not to figure out where spam comes from. It's figuring out where non-spam comes from. I think there are registrars out there that don't have any spam domains registered.
>
> What are you trying to prove?
>
> Your logic completely escapes me

So does yours.

> I also fail to see how the registrar is of much importance
>
> There are over 900 ICANN accredited registrars
>
> Of those about 200 odd are active
>
> Of the 200 a handful account for the bulk of all domains registered / managed
>
> Statistically this means you're going to see spam from domains registered with enom, godaddy, directi, tucows and a few others. It doesn't mean anything
>
> In fact it's totally meaningless

If lesser registrar means that it's probably ham, why couldn't someone use that to add some negative scores or use it as a part of whitelist trustworthiness? Even if it's handful of domains, it's useful. If you could get the registrar data without expensive lookups..
Re: Detecting the Registrar of the sending host?
On 2 Jul 2008, at 19:56, Marc Perkel wrote:

> Again - it's not to figure out where spam comes from. It's figuring out where non-spam comes from. I think there are registrars out there that don't have any spam domains registered.

What are you trying to prove?

Your logic completely escapes me

I also fail to see how the registrar is of much importance

There are over 900 ICANN accredited registrars

Of those about 200 odd are active

Of the 200 a handful account for the bulk of all domains registered / managed

Statistically this means you're going to see spam from domains registered with enom, godaddy, directi, tucows and a few others. It doesn't mean anything

In fact it's totally meaningless

Mr Michele Neylon
Blacknight Solutions
Re: Detecting the Registrar of the sending host?
On Thu, 2008-07-03 at 06:32, Henrik K wrote:
> On Wed, Jul 02, 2008 at 09:18:41PM -0700, John Hardin wrote:
>> On Thu, 2008-07-03 at 05:59 +0300, Henrik K wrote:
>>> On Wed, Jul 02, 2008 at 12:08:43PM -0700, John Hardin wrote:
>>>> On Wed, 2 Jul 2008, Marc Perkel wrote:
>>>>
>>>>> Again - it's not to figure out where spam comes from. It's figuring out where non-spam comes from. I think there are registrars out there that don't have any spam domains registered.
>>>>
>>>> Right, but how do you guarantee a host with a whitelisted RDNS domain name doesn't get infected with a spambot?
>>>
>>> What's that got to do with anything? If there's a 0.5% chance, who cares. You should always scan for viruses, but it's trivial to skip SA for such cases. Are you saying that we shouldn't take advantage of DNSWL data either, since it's possible that some spam may come?
>>
>> No, I was simply responding to Marc's apparent contention that a host with an RDNS domain name from a trustworthy registrar won't be a source of spam.
>
> I doubt you have any statistics about this, so why speculate? No one has to _guarantee_ anything. If Marc is able to find some good correlation for (almost) spamless sources, it will help everyone.

I really don't see how it will help. Here's my reason for saying that. If there's even a small chance that somebody behind a corporate firewall got complacent and didn't keep the AV software up to date and/or got caught by an infected website, then we still have to scan mail from them regardless of who registered their domain. This makes checking the registrar an extra and needless task since, like white/black listing, it's something we need to do for every piece of mail we receive. I'd be happy to know I'm wrong about this, but so far none of the domain lookup advocates have produced hard evidence of its benefits.

Also, nobody has explained how to automate the job apart from the possibly abusive use of whois lookups. A manually maintained list doesn't cut it for me: it's far too easy for list maintenance to get out of date, which is why I won't use a personal white list until I can automate its maintenance.

Martin
Re: Detecting the Registrar of the sending host?
On Wed, Jul 02, 2008 at 09:18:41PM -0700, John Hardin wrote:
> On Thu, 2008-07-03 at 05:59 +0300, Henrik K wrote:
>> On Wed, Jul 02, 2008 at 12:08:43PM -0700, John Hardin wrote:
>>> On Wed, 2 Jul 2008, Marc Perkel wrote:
>>>
>>>> Again - it's not to figure out where spam comes from. It's figuring out where non-spam comes from. I think there are registrars out there that don't have any spam domains registered.
>>>
>>> Right, but how do you guarantee a host with a whitelisted RDNS domain name doesn't get infected with a spambot?
>>
>> What's that got to do with anything? If there's a 0.5% chance, who cares. You should always scan for viruses, but it's trivial to skip SA for such cases. Are you saying that we shouldn't take advantage of DNSWL data either, since it's possible that some spam may come?
>
> No, I was simply responding to Marc's apparent contention that a host with an RDNS domain name from a trustworthy registrar won't be a source of spam.

I doubt you have any statistics about this, so why speculate? No one has to _guarantee_ anything. If Marc is able to find some good correlation for (almost) spamless sources, it will help everyone.
Re: Detecting the Registrar of the sending host?
On Thu, 2008-07-03 at 05:59 +0300, Henrik K wrote:
> On Wed, Jul 02, 2008 at 12:08:43PM -0700, John Hardin wrote:
>> On Wed, 2 Jul 2008, Marc Perkel wrote:
>>
>>> Again - it's not to figure out where spam comes from. It's figuring out where non-spam comes from. I think there are registrars out there that don't have any spam domains registered.
>>
>> Right, but how do you guarantee a host with a whitelisted RDNS domain name doesn't get infected with a spambot?
>
> What's that got to do with anything? If there's a 0.5% chance, who cares. You should always scan for viruses, but it's trivial to skip SA for such cases. Are you saying that we shouldn't take advantage of DNSWL data either, since it's possible that some spam may come?

No, I was simply responding to Marc's apparent contention that a host with an RDNS domain name from a trustworthy registrar won't be a source of spam.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
[EMAIL PROTECTED] FALaholic #11174 pgpk -a [EMAIL PROTECTED]
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Phobias should not be the basis for laws.
---
2 days until the 232nd anniversary of the Declaration of Independence
Re: Detecting the Registrar of the sending host?
On Wed, Jul 02, 2008 at 12:08:43PM -0700, John Hardin wrote:
> On Wed, 2 Jul 2008, Marc Perkel wrote:
>
>> Again - it's not to figure out where spam comes from. It's figuring out where non-spam comes from. I think there are registrars out there that don't have any spam domains registered.
>
> Right, but how do you guarantee a host with a whitelisted RDNS domain name doesn't get infected with a spambot?

What's that got to do with anything? If there's a 0.5% chance, who cares. You should always scan for viruses, but it's trivial to skip SA for such cases. Are you saying that we shouldn't take advantage of DNSWL data either, since it's possible that some spam may come?
Re: Detecting the Registrar of the sending host?
On Wed, 2 Jul 2008, Marc Perkel wrote:

> Again - it's not to figure out where spam comes from. It's figuring out where non-spam comes from. I think there are registrars out there that don't have any spam domains registered.

Right, but how do you guarantee a host with a whitelisted RDNS domain name doesn't get infected with a spambot?

--
John Hardin KA7OHZ
---
Men by their constitutions are naturally divided in to two parties: 1. Those who fear and distrust the people and wish to draw all powers from them into the hands of the higher classes. 2. Those who identify themselves with the people, have confidence in them, cherish and consider them as the most honest and safe, although not the most wise, depository of the public interests. -- Thomas Jefferson
Re: Detecting the Registrar of the sending host?
On Wed, 2 Jul 2008, Marc Perkel wrote:

> John Hardin wrote:
>> On Wed, 2 Jul 2008, Marc Perkel wrote:
>>
>>> Is there an easy way to detect the registrar of a domain through DNS? For example - can I easily figure out if an email I'm processing is hosted by GoDaddy or Tucows?
>>
>> Registrar != hosted by.
>>
>>> Here's what I'm thinking. I think there's some expensive and highly secure registrars out there who are the registrar of expensive domains and probably have no spam domains at all. This could be used to create white rules.
>>>
>>> Can this be done?
>>
>> This has been discussed before, at least from the POV of identifying *bad* domains, and it sounds like a fairly good idea if someone is willing and able to get a realtime ICANN feed of domain/registrar data and create a URIBL from it.
>
> Actually I'm not looking for spam friendly registrars. I'm looking for registrars that banks use that are really expensive and spammers never use. This is for white listing - not black listing.

The URIBL-based-on-registrar solution doesn't change, just (1) which registrars you choose to use to populate your URIBL, and (2) the score is negative rather than positive. The data can be useful in either direction - reputation works both ways.

> For example, I noticed that Wells Fargo Bank and bank of America both use a registrar called markmonitor.com. I'm guessing that this is a highly secure and expensive registrar that only banks and really big customers use. So if the FCrDNS of the sending host resolves to a domain that is registered with markmonitor.com then it's not spam. (Less of course ISPs and Freemail providers)
>
> Does SA support checking the FCrDNS domain of the sending host against a URIBL?

--
John Hardin KA7OHZ
Re: Detecting the Registrar of the sending host?
On Wed, 2 Jul 2008, Martin Gregorie wrote:

> OK, but it still won't work. A lot of spam comes from botnets: hence my comment about PC users. There's certainly no correlation between the location of infected PCs and the reputation of the domain registrar of the domain the infected PC is posting from.

But it may tell you something useful about URIs within the message.

--
John Hardin KA7OHZ
---
USMC Rules of Gunfighting #20: The faster you finish the fight, the less shot you will get.
Re: Detecting the Registrar of the sending host?
Martin Gregorie wrote:
> On Wed, 2008-07-02 at 18:46, Marc Perkel wrote:
>> Martin Gregorie wrote:
>>> On Wed, 2008-07-02 at 17:05, Marc Perkel wrote:
>>>> Is there an easy way to detect the registrar of a domain through DNS? For example - can I easily figure out if an email I'm processing is hosted by GoDaddy or Tucows?
>>>
>>> Even if it was possible I don't think it would be at all useful. Spammers don't generally register domains to send spam from. They're not that stupid.
>>>
>>> Unfortunately some PC users ARE that stupid. If a PC can receive mail there's a sporting chance it may be infected no matter who the domain registrar might be.
>>>
>>> Martin
>>
>> Again - this is not something to find spammers. It's to find non-spammers. It's a white rule.
>
> OK, but it still won't work. A lot of spam comes from botnets: hence my comment about PC users. There's certainly no correlation between the location of infected PCs and the reputation of the domain registrar of the domain the infected PC is posting from.
>
> Martin

Again - it's not to figure out where spam comes from. It's figuring out where non-spam comes from. I think there are registrars out there that don't have any spam domains registered.
Re: Detecting the Registrar of the sending host?
On Wed, 2008-07-02 at 18:46, Marc Perkel wrote:
> Martin Gregorie wrote:
> > On Wed, 2008-07-02 at 17:05, Marc Perkel wrote:
> > > Is there an easy way to detect the registrar of a domain through DNS?
> > > For example - can I easily figure out if an email I'm processing is
> > > hosted by GoDaddy or Tucows?
> >
> > Even if it was possible I don't think it would be at all useful.
> > Spammers don't generally register domains to send spam from. They're not
> > that stupid.
> >
> > Unfortunately some PC users ARE that stupid. If a PC can receive mail
> > there's a sporting chance it may be infected no matter who the domain
> > registrar might be.
> >
> > Martin
>
> Again - this is not something to find spammers. It's to find
> non-spammers. It's a white rule.

OK, but it still won't work. A lot of spam comes from botnets: hence my
comment about PC users. There's certainly no correlation between the
location of infected PCs and the reputation of the domain registrar of
the domain the infected PC is posting from.

Martin
Re: Detecting the Registrar of the sending host?
Martin Gregorie wrote:
> On Wed, 2008-07-02 at 17:05, Marc Perkel wrote:
> > Is there an easy way to detect the registrar of a domain through DNS?
> > For example - can I easily figure out if an email I'm processing is
> > hosted by GoDaddy or Tucows?
>
> Even if it was possible I don't think it would be at all useful.
> Spammers don't generally register domains to send spam from. They're not
> that stupid.
>
> Unfortunately some PC users ARE that stupid. If a PC can receive mail
> there's a sporting chance it may be infected no matter who the domain
> registrar might be.
>
> Martin

Again - this is not something to find spammers. It's to find
non-spammers. It's a white rule.
Re: Detecting the Registrar of the sending host?
On Wed, 2008-07-02 at 17:05, Marc Perkel wrote:
> Is there an easy way to detect the registrar of a domain through DNS?
> For example - can I easily figure out if an email I'm processing is
> hosted by GoDaddy or Tucows?

Even if it was possible I don't think it would be at all useful.
Spammers don't generally register domains to send spam from. They're not
that stupid.

Unfortunately some PC users ARE that stupid. If a PC can receive mail
there's a sporting chance it may be infected no matter who the domain
registrar might be.

Martin
Re: Detecting the Registrar of the sending host?
John Hardin wrote:
> On Wed, 2 Jul 2008, Marc Perkel wrote:
> > Is there an easy way to detect the registrar of a domain through DNS?
> > For example - can I easily figure out if an email I'm processing is
> > hosted by GoDaddy or Tucows?
>
> Registrar != hosted by.
>
> > Here's what I'm thinking. I think there's some expensive and highly
> > secure registrars out there who are the registrar of expensive domains
> > and probably have no spam domains at all. This could be used to create
> > white rules. Can this be done?
>
> This has been discussed before, at least from the POV of identifying
> *bad* domains, and it sounds like a fairly good idea if someone is
> willing and able to get a realtime ICANN feed of domain/registrar data
> and create a URIBL from it.
>
> There's also the problem of determining which registrars are "spam
> friendly". Here might be a good start: http://www.knujon.com/registrars/
>
> I wrote a plugin that does this check against whois, but that's likely
> to be considered abusive. Look under here:
> http://www.impsec.org/~jhardin/antispam/
>
> I'm not currently maintaining it, and the "evil registrar" list is
> stale and certainly not comprehensive.

Actually I'm not looking for spam friendly registrars. I'm looking for
registrars that banks use that are really expensive and spammers never
use. This is for white listing - not black listing.

For example, I noticed that Wells Fargo Bank and Bank of America both use
a registrar called markmonitor.com. I'm guessing that this is a highly
secure and expensive registrar that only banks and really big customers
use. So if the FCrDNS of the sending host resolves to a domain that is
registered with markmonitor.com then it's not spam. (Less of course ISPs
and Freemail providers)
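The FCrDNS-plus-registrar white rule proposed above, with the ISP/freemail exclusion, as an added Python example that is not code from the thread or from John Hardin's plugin: it forward-confirms the sending host's reverse DNS, maps the registered domain to its registrar through a hand-maintained static list instead of live whois, and returns a small negative score only when every check passes. All DNS records, domain names, addresses and the score value are constructed placeholders; markmonitor.com is the only name taken from the thread.

```python
from typing import Callable, Dict, List, Optional
# Constructed sample DNS answers standing in for live PTR/A lookups; every
# name and address here is a placeholder, not a real record.
PTR_RECORDS: Dict[str, List[str]] = {
    "192.0.2.10": ["mx1.examplebank.test."],   # bank MX at the allowlisted registrar
    "192.0.2.20": ["c-192-0-2-20.isp.test."],  # home PC at an ISP: could be a bot
    "192.0.2.30": ["mail.spamco.test."],       # domain at some other registrar
    "192.0.2.40": ["mx1.examplebank.test."],   # PTR claims the bank, A does not confirm
}
A_RECORDS: Dict[str, List[str]] = {
    "mx1.examplebank.test.": ["192.0.2.10"],
    "c-192-0-2-20.isp.test.": ["192.0.2.20"],
    "mail.spamco.test.": ["192.0.2.30"],
}
# Hand-maintained registered-domain -> registrar map: a static list instead of
# live whois. markmonitor.com is the registrar named in the thread; the
# domains are constructed.
REGISTRAR_OF = {"examplebank.test": "markmonitor.com", "isp.test": "markmonitor.com"}
ALLOWLISTED_REGISTRARS = {"markmonitor.com"}
# ISP / freemail domains relay for arbitrary users (and their bots), so a host
# under them never earns the bonus, whoever the registrar is.
SHARED_SENDER_DOMAINS = {"isp.test"}
ALLOW_SCORE = -1.0  # constructed SpamAssassin-style negative score

Lookup = Callable[[str], List[str]]
ptr_lookup: Lookup = lambda ip: PTR_RECORDS.get(ip, [])
a_lookup: Lookup = lambda name: A_RECORDS.get(name, [])

def fcrdns_names(ip: str, ptr: Lookup, a: Lookup) -> List[str]:
    """PTR names of ip whose A records point back at ip (forward-confirmed)."""
    return [n.rstrip(".") for n in ptr(ip) if ip in a(n)]

def registered_domain(hostname: str, known: Dict[str, str]) -> Optional[str]:
    """Strip leading labels until a known registered domain matches. Real code
    would consult a public-suffix list; here the static map is the oracle."""
    labels = hostname.lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in known:
            return candidate
    return None

def registrar_allow_score(ip: str, ptr: Lookup = ptr_lookup, a: Lookup = a_lookup) -> float:
    """ALLOW_SCORE when the sending host forward-confirms into a domain held at
    an allowlisted registrar that is not a shared-sender domain, else 0.0."""
    for host in fcrdns_names(ip, ptr, a):
        domain = registered_domain(host, REGISTRAR_OF)
        if domain and domain not in SHARED_SENDER_DOMAINS and REGISTRAR_OF[domain] in ALLOWLISTED_REGISTRARS:
            return ALLOW_SCORE
    return 0.0
```

The fourth sample address shows why the forward-confirmation step matters: a PTR record alone can claim any domain, and without the A check the bonus would go to whoever controls the reverse zone.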
Re: Detecting the Registrar of the sending host?
On Wed, 2 Jul 2008, Marc Perkel wrote:

> Is there an easy way to detect the registrar of a domain through DNS?
> For example - can I easily figure out if an email I'm processing is
> hosted by GoDaddy or Tucows?

Registrar != hosted by.

> Here's what I'm thinking. I think there's some expensive and highly
> secure registrars out there who are the registrar of expensive domains
> and probably have no spam domains at all. This could be used to create
> white rules. Can this be done?

This has been discussed before, at least from the POV of identifying
*bad* domains, and it sounds like a fairly good idea if someone is
willing and able to get a realtime ICANN feed of domain/registrar data
and create a URIBL from it.

There's also the problem of determining which registrars are "spam
friendly". Here might be a good start: http://www.knujon.com/registrars/

I wrote a plugin that does this check against whois, but that's likely
to be considered abusive. Look under here:
http://www.impsec.org/~jhardin/antispam/

I'm not currently maintaining it, and the "evil registrar" list is stale
and certainly not comprehensive.

-- 
John Hardin KA7OHZ  http://www.impsec.org/~jhardin/