Re: Domain ages (was Re: SPAM from a registrar)

2014-06-10 Thread Lucio Chiappetti

On Mon, 9 Jun 2014, Rob McEwen wrote:


Domain age is a good metric to factor in. But I'm always fascinated with
some people's desire to block all messages with extremely new domains.



Keep in mind that many large and famous businesses... who have fairly
good mail sending practices... sometimes launch a new products complete
with links to very newly registered domains. Same is often true for ...


Or for public research organizations which are often reformed by the 
Government, with change of name and consequential change of domain (even 
if the IP of the DNS and MX is unchanged :-))


Take my case, I've been working at the same physical place since 1982 and 
the name of my institute or of the organization it belongs to has changed 
about 7 times.   And it does not only occur in this country (Italy), I've 
seen (mainly dealing with mailing list re-subscriptions) similar changes 
at least in France and UK ..


--

Lucio Chiappetti - INAF/IASF - via Bassini 15 - I-20133 Milano (Italy)
For more info : http://www.iasf-milano.inaf.it/~lucio/personal.html


Re: Domain ages (was Re: SPAM from a registrar)

2014-06-10 Thread Patrick Domack

Quoting Lucio Chiappetti lu...@lambrate.inaf.it:


On Mon, 9 Jun 2014, Rob McEwen wrote:


Domain age is a good metric to factor in. But I'm always fascinated with
some people's desire to block all messages with extremely new domains.



Keep in mind that many large and famous businesses... who have fairly
good mail sending practices... sometimes launch a new products complete
with links to very newly registered domains. Same is often true for ...


Or for public research organizations which are often reformed by  
the Government, with change of name and consequential change of  
domain (even if the IP of the DNS and MX is unchanged :-))


Take my case, I've been working at the same physical place since  
1982 and the name of my institute or of the organization it belongs  
to has changed about 7 times.   And it does not only occur in this  
country (Italy), I've seen (mainly dealing with mailing list  
re-subscriptions) similar changes at least in France and UK ..


Not saying this doesn't happen. But also, how often does someone  
register a domain, move all their users to the new domain, have the  
server all reconfigured to use this new domain, all within the first  
day?


I know personally, I have always taken at least a week to do it,  
mainly just to make sure I didn't miss anything, and to double check  
everything as I go. The Last thing I do is force users to change their  
email addresses.





Re: Domain ages (was Re: SPAM from a registrar)

2014-06-10 Thread Axb

On 06/10/2014 12:28 PM, Patrick Domack wrote:


Not saying this doesn't happen. But also, how often does someone
register a domain, move all their users to the new domain, have the
server all reconfigured to use this new domain, all within the first day?

I know personally, I have always taken at least a week to do it, mainly
just to make sure I didn't miss anything, and to double check everything
as I go. The Last thing I do is force users to change their email
addresses.


domains don't have to have users on them.

coming up film sites, parents setting up sweet16 sites, wedding sites, 
cosmetic vendors, art festivals, etc, etc, TONS of etc,  use new domains 
for marketing, often seen in mail even before DNS has fully replicated.


Re: Domain ages (was Re: SPAM from a registrar)

2014-06-10 Thread Patrick Domack


Quoting Axb axb.li...@gmail.com:


On 06/10/2014 12:28 PM, Patrick Domack wrote:


Not saying this doesn't happen. But also, how often does someone
register a domain, move all their users to the new domain, have the
server all reconfigured to use this new domain, all within the first day?

I know personally, I have always taken at least a week to do it, mainly
just to make sure I didn't miss anything, and to double check everything
as I go. The Last thing I do is force users to change their email
addresses.


domains don't have to have users on them.

coming up film sites, parents setting up sweet16 sites, wedding  
sites, cosmetic vendors, art festivals, etc, etc, TONS of etc,  use  
new domains for marketing, often seen in mail even before DNS has
fully replicated.


Yes, anything is possible.

I have yet to see any legit email though, I'm sure I will a few times
a year. I have seen email before dns/whois even is updated.


But personally, one should work to establish their reputation before  
blasting out emails. You have to do this when moving ip addresses, and  
also for domains, though not as many servers track domain reputation  
as much as ip reputation.





Re: Domain ages (was Re: SPAM from a registrar)

2014-06-10 Thread Axb

On 06/10/2014 04:14 PM, Patrick Domack wrote:


Quoting Axb axb.li...@gmail.com:


On 06/10/2014 12:28 PM, Patrick Domack wrote:


Not saying this doesn't happen. But also, how often does someone
register a domain, move all their users to the new domain, have the
server all reconfigured to use this new domain, all within the first
day?

I know personally, I have always taken at least a week to do it, mainly
just to make sure I didn't miss anything, and to double check everything
as I go. The Last thing I do is force users to change their email
addresses.


domains don't have to have users on them.

coming up film sites, parents setting up sweet16 sites, wedding
sites, cosmetic vendors, art festivals, etc, etc, TONS of etc,  use
new domains for marketing, often seen in mail even before DNS has
fully replicated.


Yes, anything is possible.

I have yet to see any legit email though, I'm sure I will a few times a
year. I have seen email before dns/whois even is updated.

But personally, one should work to establish their reputation before
blasting out emails. You have to do this when moving ip addresses, and
also for domains, though not as many servers track domain reputation as
much as ip reputation.


you honestly expect marketing drones to understand/care?

All URI BLs I know of (SURBL/URIBL/DBL/Invaluement/etc) check & track
domain reputation otherwise they'd be unusable.


Their listings are not blind - they all have their secret sauce to 
process before listing a domain.







Re: Domain ages (was Re: SPAM from a registrar)

2014-06-10 Thread Patrick Domack

Quoting Axb axb.li...@gmail.com:


On 06/10/2014 04:14 PM, Patrick Domack wrote:


Quoting Axb axb.li...@gmail.com:


On 06/10/2014 12:28 PM, Patrick Domack wrote:


Not saying this doesn't happen. But also, how often does someone
register a domain, move all their users to the new domain, have the
server all reconfigured to use this new domain, all within the first
day?

I know personally, I have always taken at least a week to do it, mainly
just to make sure I didn't miss anything, and to double check everything
as I go. The Last thing I do is force users to change their email
addresses.


domains don't have to have users on them.

coming up film sites, parents setting up sweet16 sites, wedding
sites, cosmetic vendors, art festivals, etc, etc, TONS of etc,  use
new domains for marketing, often seen in mail even before DNS has
fully replicated.


Yes, anything is possible.

I have yet to see any legit email though, I'm sure I will a few times a
year. I have seen email before dns/whois even is updated.

But personally, one should work to establish their reputation before
blasting out emails. You have to do this when moving ip addresses, and
also for domains, though not as many servers track domain reputation as
much as ip reputation.


you honestly expect marketing drones to understand/care?

All URI BLs I know of (SURBL/URIBL/DBL/Invaluement/etc) check & track
domain reputation otherwise they'd be unusable.


Their listings are not blind - they all have their secret sauce to  
process before listing a domain.


So, we are unwilling to look into any new ideas cause there might be  
an issue? that we haven't scoped or checked into?


How is progress made, when you're unwilling to check and collect stats
and figures.


This was meant to be another metric that could, or might not be used.  
I personally got tired of everyone talking about it, many shooting it  
down, and NO ONE actually looking into it, and reporting real stats  
about it.


Personally, I thought it was a pointless test, but it is proving  
useful. Does it single-handedly solve spam and has no side effects? No,
but if you find that solution, you will be rich.






Re: Domain ages (was Re: SPAM from a registrar)

2014-06-10 Thread Rob McEwen
On 6/10/2014 10:21 AM, Axb wrote:
 All URI BLs I know of (SURBL/URIBL/DBL/Invaluement/etc) check & track
 domain reputation otherwise they'd be unusable.
 Their listings are not blind - they all have their secret sauce to
 process before listing a domain. 

Absolutely. As Axb and KAM and others stated, a very young domain age is
too dangerous to outright block or score high on... but might be a good
factor or good for combining with other rules.

Also, if anyone does see spam that contain domains in the clickable
links where that spam should have been blocked, but was not... then
check the domain contained within the spam against the lookup found at
http://multirbl.valli.org and/or http://mxtoolbox.com/blacklists.aspx
(some months ago, MX Toolbox upgraded their system to check domains
against URI/domain blacklists). In some cases, this could have been a
game of inches where your user caught the tip of the spear and
received the very first spams in a spam campaign that otherwise was
quickly listed by the well known URI BLs. However, you may find that one
or two good URI BLs are simply not implemented in your system--where
that would have made all the difference! Those lookup forms will point
you in the right direction.

The same can also be true for checking sending IPs--then reviewing your
current mix of sender's IP dnsbls (aka RBLs).

Of course, don't fall into the trap of using a BL that catches much, but
has too many FPs. But the list of URI BLs that Axb gave above are all
extremely low-FP URI blacklists.

-- 
Rob McEwen
+1 (478) 475-9032



Re: Domain ages (was Re: SPAM from a registrar)

2014-06-10 Thread Rob McEwen
On 6/10/2014 10:34 AM, Patrick Domack wrote:
 So, we are unwilling to look into any new ideas cause there might be
 an issue? that we haven't scoped or checked into? 

Patrick,

I don't think Axb was arguing against this idea.. I think he was arguing
against irrational exuberance by some who may be taking this idea to the
point of outright blocking (or high scoring) on it, which would generate
significant FPs. His examples were solid real world examples that DO
happen and WOULD FP if this idea were taken too far. But using
extremely-young-domain-age for low scoring or in combination with other
rules could be very helpful.

-- 
Rob McEwen
+1 (478) 475-9032



Re: Domain ages (was Re: SPAM from a registrar)

2014-06-10 Thread Patrick Domack


Quoting Rob McEwen r...@invaluement.com:


On 6/10/2014 10:21 AM, Axb wrote:

All URI BLs I know of (SURBL/URIBL/DBL/Invaluement/etc) check & track
domain reputation otherwise they'd be unusable.
Their listings are not blind - they all have their secret sauce to
process before listing a domain.


Absolutely. As Axb and KAM and others stated, a very young domain age is
too dangerous to outright block or score high on... but might be a good
factor or good for combining with other rules.

Also, if anyone does see spam that contain domains in the clickable
links where that spam should have been blocked, but was not... then
check the domain contained within the spam against the lookup found at
http://multirbl.valli.org and/or http://mxtoolbox.com/blacklists.aspx
(some months ago, MX Toolbox upgraded their system to check domains
against URI/domain blacklists). In some cases, this could have been a
game of inches where your user caught the tip of the spear and
received the very first spams in a spam campaign that otherwise was
quickly listed by the well known URI BLs. However, you may find that one
or two good URI BLs are simply not implemented in your system--where
that would have made all the difference! Those lookup forms will point
you in the right direction.

The same can also be true for checking sending IPs--then reviewing your
current mix of sender's IP dnsbls (aka RBLs).

Of course, don't fall into the trap of using a BL that catches much, but
has too many FPs. But the list of URI BLs that Axb gave above are all
extremely low-FP URI blacklists.


In my case, Yes, I am using all the above and more.

I had a user that normally never gets spam, started receiving around  
20 per day, that were not marked.


I found that around 18 per day of these were from a new domain. These
did appear on multirbl.valli.org lists, like invaluement, and uribl  
after a day or two. I hadn't seen them hit dbl or surbl though.


This is what caused me to seriously look into if this method was  
useful, just greylisting the email for a day, would cause a huge  
benefit, for new domains, without causing an extreme backlash.


There are all kinds of ways to use the information. I just don't
understand why people are so against it, cause it's not 100% foolproof.


Nothing about marking spam is 100% foolproof.





Re: Domain ages (was Re: SPAM from a registrar)

2014-06-10 Thread Axb

On 06/10/2014 04:34 PM, Patrick Domack wrote:

Quoting Axb axb.li...@gmail.com:


On 06/10/2014 04:14 PM, Patrick Domack wrote:


Quoting Axb axb.li...@gmail.com:


On 06/10/2014 12:28 PM, Patrick Domack wrote:


Not saying this doesn't happen. But also, how often does someone
register a domain, move all their users to the new domain, have the
server all reconfigured to use this new domain, all within the first
day?

I know personally, I have always taken at least a week to do it,
mainly
just to make sure I didn't miss anything, and to double check
everything
as I go. The Last thing I do is force users to change their email
addresses.


domains don't have to have users on them.

coming up film sites, parents setting up sweet16 sites, wedding
sites, cosmetic vendors, art festivals, etc, etc, TONS of etc,  use
new domains for marketing, often seen in mail even before DNS has
fully replicated.


Yes, anything is possible.

I have yet to see any legit email though, I'm sure I will a few times a
year. I have seen email before dns/whois even is updated.

But personally, one should work to establish their reputation before
blasting out emails. You have to do this when moving ip addresses, and
also for domains, though not as many servers track domain reputation as
much as ip reputation.


you honestly expect marketing drones to understand/care?

All URI BLs I know of (SURBL/URIBL/DBL/Invaluement/etc) check & track
domain reputation otherwise they'd be unusable.

Their listings are not blind - they all have their secret sauce to
process before listing a domain.


So, we are unwilling to look into any new ideas cause there might be an
issue? that we haven't scoped or checked into?

How is progress made, when you're unwilling to check and collect stats and
figures.

This was meant to be another metric that could, or might not be used. I
personally got tired of everyone talking about it, many shooting it
down, and NO ONE actually looking into it, and reporting real stats
about it.

Personally, I thought it was a pointless test, but it is proving useful.
Does it single-handedly solve spam and has no side effects? No, but if
you find that solution, you will be rich.


Your ideas/approach has been dealt with a decade ago - they're not new.
While it may work for you, they may not scale on a global user base.



Re: Domain ages (was Re: SPAM from a registrar)

2014-06-10 Thread Axb

On 06/10/2014 05:11 PM, Patrick Domack wrote:

There are all kinds of ways to use the information. I just don't
understand why people are so against it, cause it's not 100% foolproof.


Nobody is against the idea, problem is scalability and trust.
To make domain age usable, the BLs I mentioned make use of it as well as 
many other data points to gain trust that a listing won't bite the
globe, as well as they can.


Consider certain factors which *can* contribute to a delay in listings
producing a positive hit, for example, mirror lag due to rsync, negative
TTL, etc. as reasons why you seem to see these domains being listed
after you got the spams.

(If your size/budget permits, datafeeds would probably help a lot)

For a small site doing a few whois lookups/hour it may work, but what if 
suddenly an ISP/ASP doing many thousands of msgs/sec would implement this?






Re: Domain ages (was Re: SPAM from a registrar)

2014-06-10 Thread Patrick Domack


Quoting Axb axb.li...@gmail.com:


On 06/10/2014 05:11 PM, Patrick Domack wrote:

There are all kinds of ways to use the information. I just don't
understand why people are so against it, cause it's not 100% foolproof.


Nobody is against the idea, problem is scalability and trust.
To make domain age usable, the BLs I mentioned make use of it as  
well as many other data points to gain trust that a listing won't
bite the globe, as well as they can.


Consider certain factors which *can* contribute to a delay in listings
producing a positive hit, for example, mirror lag due to rsync,
negative TTL, etc. as reasons why you seem to see these domains
being listed after you got the spams.

(If your size/budget permits, datafeeds would probably help a lot)

For a small site doing a few whois lookups/hour it may work, but  
what if suddenly an ISP/ASP doing many thousands of msgs/sec would  
implement this?


I did consider those factors, and they were not the problem.

I do rsync the data feeds locally, and feeds did not contain the  
lookups till hours later.

It wasn't a negative TTL issue, as the TTL is non-existent for these lookups.

I fail to understand why you would be doing thousands of whois lookups  
per second. You see that many new domain names per second?
Mostly it's the same domain names over and over again, and a few new  
ones per day.
Domains don't expire, move around, or get updated a lot, and even if they
did, that isn't really much of a concern. To cache this information for
at least 3 years would be fine, likely even longer.


Also, the point of having a central body do this, would cause the  
cached results to be even better, and less lookups needed.


I'm not a huge isp, but I don't seem to be any where near as tiny as  
you suggest.





Re: Domain ages (was Re: SPAM from a registrar)

2014-06-10 Thread Axb

On 06/10/2014 06:51 PM, Patrick Domack wrote:


Quoting Axb axb.li...@gmail.com:


On 06/10/2014 05:11 PM, Patrick Domack wrote:

There are all kinds of ways to use the information. I just don't
understand why people are so against it, cause it's not 100% foolproof.


Nobody is against the idea, problem is scalability and trust.
To make domain age usable, the BLs I mentioned make use of it as well
as many other data points to gain trust that a listing won't bite the
globe, as well as they can.

Consider certain factors which *can* contribute to a delay in listings
producing a positive hit, for example, mirror lag due to rsync, negative
TTL, etc. as reasons why you seem to see these domains being listed
after you got the spams.
(If your size/budget permits, datafeeds would probably help a lot)

For a small site doing a few whois lookups/hour it may work, but what
if suddenly an ISP/ASP doing many thousands of msgs/sec would
implement this?


I did consider those factors, and they were not the problem.

I do rsync the data feeds locally, and feeds did not contain the lookups
till hours later.
It wasn't a negative TTL issue, as the TTL is non-existent for these
lookups


When you come up with a couple of such cases, please post them here as 
quickly as you can so BL ops or users lurking here can check their  logs 
and maybe compare results.



I fail to understand why you would be doing thousands of whois lookups
per second. You see that many new domain names per second?
Mostly it's the same domain names over and over again, and a few new
ones per day.


You do lookups on URIS in your mailflow right? so you do it for HAM/SPAM


Domains don't expire, moved around, and updated a lot, and even if it
did, that isn't really much a concern. To cache this infomation for
atleast 3 years, would be fine, likely even longer.


Check & keep track of daily changes and you'll be surprised how often
stuff gets moved around.



Also, the point of having a central body do this, would cause the cached
results to be even better, and less lookups needed.
if found...ok. if not found negative TTL applies and short TTL means 
even more lookups.



I'm not a huge isp, but I don't seem to be any where near as tiny as you
suggest.


I'm not assuming/suggesting anything



Re: Domain ages (was Re: SPAM from a registrar)

2014-06-10 Thread David F. Skoll
On Mon, 9 Jun 2014 22:44:22 +0200
Matthias Leisi matth...@leisi.net wrote:

 I still have an experimental DNS server (written in Perl) lying
 around that this more-or-less what is described here. The overall
 system would need a bit more thought, though.

Attached is a hacky proof-of-concept script that stores state in
Berkeley DB.  You query something.com.da.example.com and get back a
TXT record with the UNIX time in seconds or an A record with the UNIX
time encoded in the A record.  (This time is the time in seconds since
Jan 1 1970 00:00 UTC when the domain was first queried.)

The script only handles com, net and org top-level domains.  It also
only looks at the domain label just before com, net and org so that
foo.com and sub.foo.com are both treated as foo.com

It sets the TTL of returned records to 14 days, so if you put this behind
a caching name server like unbound, it might even work OK under
reasonably heavy load.

Regards,

David.

===
#!/usr/bin/perl
use strict;
use warnings;

use DB_File;
use Net::DNS::Nameserver;

# domain key ("foo.com") -> UNIX time at which it was first queried
my %hash;

# Replace this with the path of your DB
my $handle = tie %hash, 'DB_File', 'domain-age.db'
    or die "Cannot open domain-age.db: $!";

# Adjust settings below as needed...
my $ns = Net::DNS::Nameserver->new(
    LocalAddr    => ['127.0.0.1'],
    LocalPort    => '5354',
    ReplyHandler => \&handler,
    Verbose      => 0,
    Truncate     => 0,
) or die "Cannot create nameserver object";

$ns->main_loop();
exit(1);

# Pack a UNIX time into dotted-quad form, most significant octet first,
# so the client can recover it from an A record.
sub chunk_to_addr
{
    my ($chunk) = @_;
    my $d = $chunk & 255; $chunk = int($chunk / 256);
    my $c = $chunk & 255; $chunk = int($chunk / 256);
    my $b = $chunk & 255; $chunk = int($chunk / 256);
    my $a = $chunk & 255;
    return "$a.$b.$c.$d";
}

sub handler
{
    my ($qname, $qclass, $qtype, $peerhost, $query, $conn) = @_;
    my (@ans, @auth, @add);

    # Adjust qname regex as needed.  Only the label just before com/net/org
    # is kept, so foo.com and sub.foo.com both map to the key "foo.com".
    if ($qname !~ /([^.]+)\.(com|net|org)\.da\.example\.com$/i) {
        return ('REFUSED', \@ans, \@auth, \@add, { aa => 1 });
    }
    if ($qtype ne 'TXT' && $qtype ne 'A') {
        return ('NXDOMAIN', \@ans, \@auth, \@add, { aa => 1 });
    }
    my $chunk = lc("$1.$2");
    if (!exists($hash{$chunk})) {
        $hash{$chunk} = time();
        # FIXME: Maybe don't sync too often?  Keep track and only
        # sync every 10 seconds?
        $handle->sync();
    }
    if ($qtype eq 'TXT') {
        push(@ans, Net::DNS::RR->new(name    => $qname,
                                     ttl     => 86400 * 14,
                                     type    => 'TXT',
                                     txtdata => $hash{$chunk}));
    } elsif ($qtype eq 'A') {
        push(@ans, Net::DNS::RR->new(name    => $qname,
                                     ttl     => 86400 * 14,
                                     type    => 'A',
                                     address => chunk_to_addr($hash{$chunk})));
    }
    return ('NOERROR', \@ans, \@auth, \@add, { aa => 1 });
}
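
For anyone who wants to play with the same scheme outside Perl, here is an added Python illustration of both halves of it: the server-side bookkeeping David's script does, and the client-side decoding that SpamAssassin (or any other consumer) would have to do with the answer. It is not David's script and not part of SpamAssassin. It assumes the same `da.example.com` query suffix, the same com/net/org restriction and the same 14-day TTL; a plain dict stands in for the Berkeley DB, and the `young_domain_score` curve (full score at age zero, tapering linearly to nothing at seven days) is an assumed low-weight score in the spirit of Rob's "low scoring, combine with other rules" advice, not an existing rule.

```python
import re
import time

# Assumed values, mirroring the Perl proof of concept above.
ZONE_SUFFIX = "da.example.com"
TTL_SECONDS = 86400 * 14

# Same shape as the Perl regex: the label just before com/net/org, so that
# sub.foo.com.da.example.com and foo.com.da.example.com both key on "foo.com".
_QNAME_RE = re.compile(
    r"([^.]+)\.(com|net|org)\." + re.escape(ZONE_SUFFIX) + r"\.?$", re.IGNORECASE
)


def epoch_to_a_record(epoch):
    """Pack a UNIX time into dotted-quad form, most significant octet first."""
    if not 0 <= epoch <= 0xFFFFFFFF:
        raise ValueError("timestamp does not fit in 32 bits")
    return ".".join(str((epoch >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def a_record_to_epoch(addr):
    """Inverse of epoch_to_a_record; rejects anything that is not a dotted quad."""
    octets = addr.split(".")
    if len(octets) != 4:
        raise ValueError("malformed A record: %r" % addr)
    epoch = 0
    for octet in octets:
        value = int(octet)
        if not 0 <= value <= 255:
            raise ValueError("malformed A record: %r" % addr)
        epoch = (epoch << 8) | value
    return epoch


def registrable_key(qname):
    """Return e.g. 'foo.com' for a query inside the zone, or None otherwise."""
    match = _QNAME_RE.search(qname)
    if match is None:
        return None
    return ("%s.%s" % (match.group(1), match.group(2))).lower()


class FirstSeenStore:
    """Server side: remembers the first time each key was asked about.

    A dict stands in for the Perl script's Berkeley DB (assumption).  The
    clock is injectable so the behaviour can be checked deterministically.
    """

    def __init__(self, clock=time.time):
        self._first_seen = {}
        self._clock = clock

    def answer(self, qname, qtype):
        """Mirror the Perl handler's decisions as (rcode, rdata, ttl)."""
        key = registrable_key(qname)
        if key is None:
            return ("REFUSED", None, 0)
        if qtype not in ("TXT", "A"):
            return ("NXDOMAIN", None, 0)
        if key not in self._first_seen:
            # First query for this key: the "age" clock starts now, not at
            # registration time.  Later queries keep returning this value.
            self._first_seen[key] = int(self._clock())
        epoch = self._first_seen[key]
        rdata = str(epoch) if qtype == "TXT" else epoch_to_a_record(epoch)
        return ("NOERROR", rdata, TTL_SECONDS)


def domain_age_days(a_record, now):
    """Client side: decode the A record and turn it into an age in days."""
    return (now - a_record_to_epoch(a_record)) / 86400.0


def young_domain_score(age_days, max_score=1.0, horizon_days=7.0):
    """Assumed low-weight score: max_score at age zero, linearly down to 0 at
    horizon_days.  Negative ages (clock skew) score 0 rather than blowing up."""
    if age_days < 0 or age_days >= horizon_days:
        return 0.0
    return round(max_score * (1.0 - age_days / horizon_days), 2)


if __name__ == "__main__":
    # Constructed scenario: the server first sees foo.com at 2014-06-10 16:00
    # UTC and a client decodes the answer two days later.
    first_query = 1402416000
    store = FirstSeenStore(clock=lambda: first_query)
    rcode, rdata, ttl = store.answer("sub.foo.com.da.example.com", "A")
    print(rcode, rdata, ttl)
    age = domain_age_days(rdata, first_query + 2 * 86400)
    print("age %.1f days -> score %.2f" % (age, young_domain_score(age)))
```

One caveat worth keeping in mind when scoring on this: the value is the first time *this server* was asked about the domain, not the registration date, so a domain that has existed for years but never appeared in your mail flow looks brand new on its first query. Seeding the store from a feed or a whois lookup before trusting a low age keeps that from turning into an FP.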


Re: Domain ages (was Re: SPAM from a registrar)

2014-06-10 Thread Patrick Domack


Quoting Axb axb.li...@gmail.com:


On 06/10/2014 06:51 PM, Patrick Domack wrote:


Quoting Axb axb.li...@gmail.com:


On 06/10/2014 05:11 PM, Patrick Domack wrote:

There are all kinds of ways to use the information. I just don't
understand why people are so against it, cause it's not 100% foolproof.


Nobody is against the idea, problem is scalability and trust.
To make domain age usable, the BLs I mentioned make use of it as well
as many other data points to gain trust that a listing won't bite the
globe, as well as they can.

Consider certain factors which *can* contribute to a delay in listings
producing a positive hit, for example, mirror lag due to rsync, negative
TTL, etc. as reasons why you seem to see these domains being listed
after you got the spams.
(If your size/budget permits, datafeeds would probably help a lot)

For a small site doing a few whois lookups/hour it may work, but what
if suddenly an ISP/ASP doing many thousands of msgs/sec would
implement this?


I did consider those factors, and they were not the problem.

I do rsync the data feeds locally, and feeds did not contain the lookups
till hours later.
It wasn't a negative TTL issue, as the TTL is non-existent for these
lookups


When you come up with a couple of such cases, please post them here  
as quickly as you can so BL ops or users lurking here can check  
their  logs and maybe compare results.



I fail to understand why you would be doing thousands of whois lookups
per second. You see that many new domain names per second?
Mostly it's the same domain names over and over again, and a few new
ones per day.


You do lookups on URIS in your mailflow right? so you do it for HAM/SPAM


Domains don't expire, moved around, and updated a lot, and even if it
did, that isn't really much a concern. To cache this infomation for
atleast 3 years, would be fine, likely even longer.


Check & keep track of daily changes and you'll be surprised how
often stuff gets moved around.



Also, the point of having a central body do this, would cause the cached
results to be even better, and less lookups needed.
if found...ok. if not found negative TTL applies and short TTL means  
even more lookups.



I'm not a huge isp, but I don't seem to be any where near as tiny as you
suggest.


I'm not assuming/suggesting anything



I'm not interested in how much stuff gets moved around, if a domain  
has been registered, and been moved around, it will have a reputation.  
So I don't really care if the data is 100% accurate or up to date.


I'm not sure why negative TTL would cause more whois lookups? Yes it
will cause more DNS lookups, but those are not an issue, especially if
you have a local data feed available; if you do, set your negative TTL
to 5 seconds.






RE: SPAM from a registrar

2014-06-09 Thread Patrick Domack

I have been tracking this for about 2 weeks now myself.

Comparing my list of new domains, shows that DOB seems to pick them up  
after they are 2 days old.


I also tried to compare my list to fresh.spameatingmonkey.net, but
none of my domains in the 0-5days old would get a match for com/net  
domains. I do get some hits for info and us though. But it's normally  
com and a few us that are on my lists.


I am currently doing whois lookups for about 30 TLDs, and tracking
their time and registrar. I do minimize the lookups.


I am currently seeing, about 2 .asia, 2 .uk, and then around 100 .com  
(all the .com are ENOM) sending email to me, with an age 1 day old.
This is pretty consistent day to day.






Have you looked into Day old bread?   
http://wiki.apache.org/spamassassin/Rules/URIBL_RHS_DOB


 ...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
.Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4500
Registered Linux User No: 307357
-Original Message-
From: James B. Byrne [mailto:byrn...@harte-lyne.ca]
Sent: Wednesday, May 14, 2014 8:52 AM
To: users@spamassassin.apache.org
Subject: SPAM from a registrar

This AM we received (and are continuing to receive) numerous spam  
messages from multiple domains
that were all registered today (2014-05-14) with a company called  
enom, inc.  This firm is
also the registrar for the mail server domain BOSJAW.com that is
sending some if not all

of the UCEM.  That server is hosted in CZ.

It seems likely that this is a planned UCEM campaign designed to use  
disposable domains, probably
registered with stolen credit cards or some other form of fraud, in  
order to escape blacklisting

services.  No doubt by tomorrow they will be abandoned.

Is there any test to check how long a domain name has been in  
existence and set a spam score

with that information?

Along the same lines, is there any test to determine the country of  
origin of the IP address

in the last hop before it connects to our servers?

- End forwarded message -



Re: SPAM from a registrar

2014-06-09 Thread Kevin A. McGrail

On 6/9/2014 1:23 PM, Patrick Domack wrote:

I have been tracking this for about 2 weeks now myself.

Comparing my list of new domains, shows that DOB seems to pick them up 
after they are 2 days old.


I also tried to compare my list to fresh.spameatingmonkey.net, but
none of my domains in the 0-5days old would get a match for com/net 
domains. I do get some hits for info and us though. But it's normally 
com and a few us that are on my lists.


I am currently doing whois lookups for about 30 TLDs, and tracking
their time and registrar. I do minimize the lookups.


I am currently seeing, about 2 .asia, 2 .uk, and then around 100 .com 
(all the .com are ENOM) sending email to me, with an age 1 day old.
This is pretty consistent day to day.
I wonder how we can use DNS, an RBL and distributed lookups to get the 
age of domains AND share the information so it's centrally available...


Regards,
KAM


Re: SPAM from a registrar

2014-06-09 Thread Patrick Domack

Quoting Kevin A. McGrail kmcgr...@pccc.com:


On 6/9/2014 1:23 PM, Patrick Domack wrote:

I have been tracking this for about 2 weeks now myself.

Comparing my list of new domains, shows that DOB seems to pick them  
up after they are 2 days old.


I also tried to compare my list to fresh.spameatingmonkey.net, but
none of my domains in the 0-5days old would get a match for com/net  
domains. I do get some hits for info and us though. But it's  
normally com and a few us that are on my lists.


I am currently doing whois lookups for about 30 TLDs, and
tracking their time and registrar. I do minimize the lookups.


I am currently seeing, about 2 .asia, 2 .uk, and then around 100  
.com (all the .com are ENOM) sending email to me, with an age 1day  
old. This is pretty consistant day to day.
I wonder how we can use DNS, an RBL and distributed lookups to get  
the age of domains AND share the information so it's centrally  
available...


That could be easily done. Only issue is, if you trust the distributed  
lookups to have accurate information.
I suppose we could build in a trust system, where if enough  
distributed clients upload the same info, it could be trusted.


This could work out pretty well. Each dns-rbl cluster could run with  
their own shared database, and you can cross-publish to other dns-rbl  
clusters, and set your own trust rating, depending on how many copies  
you get, on whether you trust the info, or do your own whois lookup for the  
info.


Bad thing is, I wonder how fast these are hammered out, and if the  
trust and replication wouldn't matter, due to latency.






Re: SPAM from a registrar

2014-06-09 Thread John Hardin

On Mon, 9 Jun 2014, Kevin A. McGrail wrote:


On 6/9/2014 1:23 PM, Patrick Domack wrote:

 Comparing my list of new domains shows that DOB seems to pick them up
 after they are 2 days old.


I wonder how we can use DNS, an RBL and distributed lookups to get the age of 
domains AND share the information so it's centrally available...


Perhaps we should cultivate contacts at a registrar so that the BL can be 
generated directly off their feed of changes?


Perhaps somebody at DailyChanges.com or WhoisAPI.com? Though I agree 
getting the data for free will be challenging.


--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Gun Control laws aren't enacted to control guns, they are enacted
  to control people: catholics (1500s), japanese peasants (1600s),
  blacks (1860s), italian immigrants (1911), armenians (1911),
  the irish (1920s), jews (1930s), blacks (1960s), the poor (always)
---
 739 days since the first successful private support mission to ISS (SpaceX)


Re: SPAM from a registrar

2014-06-09 Thread Kevin A. McGrail

On 6/9/2014 2:24 PM, Patrick Domack wrote:

Quoting Kevin A. McGrail kmcgr...@pccc.com:


On 6/9/2014 1:23 PM, Patrick Domack wrote:

I have been tracking this for about 2 weeks now myself.

Comparing my list of new domains shows that DOB seems to pick them 
up after they are 2 days old.


I also tried to compare my list to fresh.spameatingmonkey.net, but 
none of my domains in the 0-5 days old range would get a match for com/net 
domains. I do get some hits for info and us though. But it's 
normally com and a few us that are on my lists.


I am currently doing whois lookups for about 30 TLDs, and 
tracking their time and registrar. I do minimize the lookups.


I am currently seeing about 2 .asia, 2 .uk, and then around 100 
.com (all the .com are ENOM) sending email to me, with an age of 1 day. 
This is pretty consistent day to day.
I wonder how we can use DNS, an RBL and distributed lookups to get 
the age of domains AND share the information so it's centrally 
available...


That could be easily done. Only issue is, if you trust the distributed 
lookups to have accurate information.
I suppose we could build in a trust system, where if enough 
distributed clients upload the same info, it could be trusted.


This could work out pretty well. Each dns-rbl cluster could run with 
their own shared database, and you can cross-publish to other dns-rbl 
clusters, and set your own trust rating, depending on how many copies 
you get, on whether you trust the info, or do your own whois lookup for the 
info.


Bad thing is, I wonder how fast these are hammered out, and if the 
trust and replication wouldn't matter, due to latency.

Thanks for weighing in.  These are all issues we've solved with other 
RBLs via rsync of the data and I want to keep the hurdle low for 
implementation so you are right about the trust rating, etc.


Domain ages (was Re: SPAM from a registrar)

2014-06-09 Thread David F. Skoll
On Mon, 09 Jun 2014 14:24:19 -0400
Patrick Domack patric...@patrickdk.com wrote:

 That could be easily done. Only issue is, if you trust the
 distributed lookups to have accurate information.
 I suppose we could build in a trust system, where if enough  
 distributed clients upload the same info, it could be trusted.

There's a company that offers a domain-age-like service:
https://www.farsightsecurity.com/Services/NOD/

Their approach is interesting (they receive a huge volume of DNS
traffic and keep track of domain lookups that are newly seen.)

Their price for practical volumes of lookups, unfortunately, is
ridiculously expensive, which has prevented us from pursuing this
any further.

Regards,

David.


Re: SPAM from a registrar

2014-06-09 Thread Kevin A. McGrail

On 6/9/2014 2:33 PM, John Hardin wrote:

On Mon, 9 Jun 2014, Kevin A. McGrail wrote:


On 6/9/2014 1:23 PM, Patrick Domack wrote:

 Comparing my list of new domains shows that DOB seems to pick them up
 after they are 2 days old.


I wonder how we can use DNS, an RBL and distributed lookups to get 
the age of domains AND share the information so it's centrally 
available...


Perhaps we should cultivate contacts at a registrar so that the BL can 
be generated directly off their feed of changes?


Perhaps somebody at DailyChanges.com or WhoisAPI.com? Though I agree 
getting the data for free will be challenging.


Good idea.  If we can get existing data from trustable sources such as 
registries, we can add that to the source RBL and then only query the 
new ones.


Re: Domain ages (was Re: SPAM from a registrar)

2014-06-09 Thread Kevin A. McGrail

On 6/9/2014 2:38 PM, David F. Skoll wrote:

On Mon, 09 Jun 2014 14:24:19 -0400
Patrick Domack patric...@patrickdk.com wrote:


That could be easily done. Only issue is, if you trust the
distributed lookups to have accurate information.
I suppose we could build in a trust system, where if enough
distributed clients upload the same info, it could be trusted.

There's a company that offers a domain-age-like service:
https://www.farsightsecurity.com/Services/NOD/

Their approach is interesting (they receive a huge volume of DNS
traffic and keep track of domain lookups that are newly seen.)

Their price for practical volumes of lookups, unfortunately, is
ridiculously expensive, which has prevented us from pursuing this
any further.

I think the core issue is that age of domains is a good indicator of 
spam.  So there is merit in building a distributed look-up system using SA.


I have more ideas than resources, of course...


Re: SPAM from a registrar

2014-06-09 Thread John Hardin

On Mon, 9 Jun 2014, Kevin A. McGrail wrote:


On 6/9/2014 2:33 PM, John Hardin wrote:

 On Mon, 9 Jun 2014, Kevin A. McGrail wrote:

  On 6/9/2014 1:23 PM, Patrick Domack wrote:
Comparing my list of new domains shows that DOB seems to pick 
them up after they are 2 days old.
 
  I wonder how we can use DNS, an RBL and distributed lookups to get the 
  age of domains AND share the information so it's centrally available...


 Perhaps we should cultivate contacts at a registrar so that the BL can be
 generated directly off their feed of changes?

 Perhaps somebody at DailyChanges.com or WhoisAPI.com? Though I agree
 getting the data for free will be challenging.


Good idea.  If we can get existing data from trustable sources such as 
registries, we can add that to the source RBL and then only query the new 
ones.


I was referring to a feed of the new ones. Inferring that is the difficult 
part; I was hoping there was some way to avoid the inference part.


--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Gun Control laws aren't enacted to control guns, they are enacted
  to control people: catholics (1500s), japanese peasants (1600s),
  blacks (1860s), italian immigrants (1911), armenians (1911),
  the irish (1920s), jews (1930s), blacks (1960s), the poor (always)
---
 739 days since the first successful private support mission to ISS (SpaceX)


Re: Domain ages (was Re: SPAM from a registrar)

2014-06-09 Thread John Hardin

On Mon, 9 Jun 2014, Kevin A. McGrail wrote:


So there is merit in building a distributed look-up system using SA.


Distributed lookup of *what*, though? Can you clarify that part of your 
idea? Are you referring to distributed whois queries for a domain name, to 
determine its age?


--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Gun Control laws aren't enacted to control guns, they are enacted
  to control people: catholics (1500s), japanese peasants (1600s),
  blacks (1860s), italian immigrants (1911), armenians (1911),
  the irish (1920s), jews (1930s), blacks (1960s), the poor (always)
---
 739 days since the first successful private support mission to ISS (SpaceX)


Re: SPAM from a registrar

2014-06-09 Thread Patrick Domack


Quoting Kevin A. McGrail kmcgr...@pccc.com:


On 6/9/2014 2:24 PM, Patrick Domack wrote:

Quoting Kevin A. McGrail kmcgr...@pccc.com:


On 6/9/2014 1:23 PM, Patrick Domack wrote:

I have been tracking this for about 2 weeks now myself.

Comparing my list of new domains shows that DOB seems to pick  
them up after they are 2 days old.


I also tried to compare my list to fresh.spameatingmonkey.net,  
but none of my domains in the 0-5 days old range would get a match for  
com/net domains. I do get some hits for info and us though. But  
it's normally com and a few us that are on my lists.


I am currently doing whois lookups for about 30 TLDs, and  
tracking their time and registrar. I do minimize the lookups.


I am currently seeing about 2 .asia, 2 .uk, and then around 100  
.com (all the .com are ENOM) sending email to me, with an age of  
1 day. This is pretty consistent day to day.
I wonder how we can use DNS, an RBL and distributed lookups to get  
the age of domains AND share the information so it's centrally  
available...


That could be easily done. Only issue is, if you trust the  
distributed lookups to have accurate information.
I suppose we could build in a trust system, where if enough  
distributed clients upload the same info, it could be trusted.


This could work out pretty well. Each dns-rbl cluster could run  
with their own shared database, and you can cross-publish to other  
dns-rbl clusters, and set your own trust rating, depending on how  
many copies you get, on whether you trust the info, or do your own whois  
lookup for the info.


Bad thing is, I wonder how fast these are hammered out, and if the  
trust and replication wouldn't matter, due to latency.

Thanks for weighing in.  These are all issues we've solved with  
other RBLs via rsync of the data and I want to keep the hurdle low  
for implementation so you are right about the trust rating, etc.


Well, while rsync works, you need a source; if the source was a feed  
from the TLDs themselves, that would work just fine.


The main thing I'm more worried about here is making sure new domains  
are noticed. At least I have seen 1 day old domains send a lot more  
spam than 2-3 day old ones.


So the new, unknown domain is going to be more important to look up.




Re: SPAM from a registrar

2014-06-09 Thread Jim Popovitch
On Mon, Jun 9, 2014 at 2:39 PM, Kevin A. McGrail kmcgr...@pccc.com wrote:

 On 6/9/2014 2:33 PM, John Hardin wrote:

 On Mon, 9 Jun 2014, Kevin A. McGrail wrote:

  On 6/9/2014 1:23 PM, Patrick Domack wrote:

  Comparing my list of new domains shows that DOB seems to pick them up
  after they are 2 days old.


 I wonder how we can use DNS, an RBL and distributed lookups to get the
 age of domains AND share the information so it's centrally available...


 Perhaps we should cultivate contacts at a registrar so that the BL can be
 generated directly off their feed of changes?

 Perhaps somebody at DailyChanges.com or WhoisAPI.com? Though I agree
 getting the data for free will be challenging.

  Good idea.  If we can get existing data from trustable sources such as
 registries, we can add that to the source RBL and then only query the new
 ones.



I haven't been following this whole thread.

I always thought it odd to look for new domains.  I tend to think that
everything is new unless it's been seen before (and there's a bunch of data
out there on existing domains)

-Jim P.


Re: SPAM from a registrar

2014-06-09 Thread Axb

On 06/09/2014 08:39 PM, Kevin A. McGrail wrote:

On 6/9/2014 2:33 PM, John Hardin wrote:

On Mon, 9 Jun 2014, Kevin A. McGrail wrote:


On 6/9/2014 1:23 PM, Patrick Domack wrote:

 Comparing my list of new domains shows that DOB seems to pick them up
 after they are 2 days old.


I wonder how we can use DNS, an RBL and distributed lookups to get
the age of domains AND share the information so it's centrally
available...


Perhaps we should cultivate contacts at a registrar so that the BL can
be generated directly off their feed of changes?

Perhaps somebody at DailyChanges.com or WhoisAPI.com? Though I agree
getting the data for free will be challenging.


Good idea.  If we can get existing data from trustable sources such as
registries, we can add that to the source RBL and then only query the
new ones.


WHOIS age data is a good indicator with a handful of TLDs but only in 
combination with their registrars and NS.

Even low scoring on age only will cause lots of surprises.

What you want is something like reputation data which URIBL publishes 
via datafeeds


http://www.uribl.com/datasets.shtml
domain_data.txt

and then you come across such zones as .us which are slow in updating 
zone data.


Re: Domain ages (was Re: SPAM from a registrar)

2014-06-09 Thread Rob McEwen
Domain age is a good metric to factor in. But I'm always fascinated with
some people's desire to block all messages with extremely new domains. 
(NOT saying that this applies to everyone who posted on this thread!)

Keep in mind that many large and famous businesses... who have fairly
good mail sending practices... sometimes launch new products complete
with links to very newly registered domains. Same is often true for
advertisements for things like rock concerts, etc. Or web sites that deal
with specific events or hot-topic political issues that appeared out of
nowhere. Yes, some of these are UBE. But many are NOT!

These examples provide one of the largest sources of FPs for all the major
domain/URI blacklists. But the better domain/URI blacklists have good
mechanisms in place to (a) PREVENT... MANY of these from ever becoming
FPs in the first place, and (b) where those mechanisms failed, they
have good triggers/feedback to remove and whitelist such FPs VERY QUICKLY
if/when they do occur.

In contrast, many who might go overboard by outright blocking on
newness... and/or scoring too aggressively on newness... may find
too-high FP problems kicking their butts in the long run. And when such
a FP starts happening, they may not have the proper telemetry to
catch/fix it until AFTER much FP damage has happened.

Personally, I think that the real problem here is that some of the most
famous URI/domain blacklists are NOT catching everything and/or NOT
catching everything fast enough... combined with many sys admins failing
to make use of ALL the good and low-FP URI/domain blacklists... where
they'd see MUCH better results if they were using ALL of the good URI
blacklists! ...but I'm a little biased on this point! :)

-- 
Rob McEwen
+1 (478) 475-9032



Re: Domain ages (was Re: SPAM from a registrar)

2014-06-09 Thread David F. Skoll
On Mon, 9 Jun 2014 11:51:21 -0700 (PDT)
John Hardin jhar...@impsec.org wrote:

  So there is merit in building a distributed look-up system using SA.

 Distributed lookup of *what*, though? Can you clarify that part of
 your idea? Are you referring to distributed whois queries for a
 domain name, to determine its age?

Well, here's how it could be done.  Imagine someone runs a DNS zone
for newdomain.example.net.  You want to see if example.org is a new
domain, so you look up a TXT record for example.org.newdomain.example.net.

The DNS software that serves the zone newdomain.example.net runs
the following pseudo-code when example.org is looked up:

IF example.org is in my database
THEN
   return the TXT record associated with example.org
   update the last-looked-up time for example.org
ELSE
   generate a TXT record of the form MMDDHHMMSS corresponding to current time (UTC)
   insert it in the database
   return it
ENDIF

A background job will periodically clean out domains that haven't been
queried in a long time.

The clever part is that once lots of sites begin using this in their
SA setups, we'll very quickly build up quite an accurate database of
newly-seen domains that's completely independent of any registrar for
a data source.

Yes, spammers can poison it by specifically looking up a domain,
waiting a couple of days, and then spamming.  But I think most won't bother
(witness how effective greylisting still is.)

Furthermore, you can ignore all but the first few hundred lookups before you
enter the TXT record in the database; this will make it more expensive
for spammers to poison the data.  Or you could not enter a record in the
database until it has been looked up from 100 different IP addresses... I
can think of a few other countermeasures.

So who's volunteering to do this? :)

Regards,

David.
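
The zone logic sketched above, as an added example in Python that is not part of the original post or of any project: an in-memory version of the first-seen registry, with the "not listed until N distinct querying addresses" countermeasure from the same message and the background expiry job. The domain name, the client addresses (TEST-NET ranges), the threshold of four distinct sources and the full-year timestamp format are assumptions of this example, not anything the thread specifies.

```python
"""Newly-seen domain registry: the DNS-zone idea above, implemented in memory (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

UTC = timezone.utc
TXT_FORMAT = "%Y%m%d%H%M%S"   # assumption: full year in the TXT record, always UTC


@dataclass
class Entry:
    first_seen: Optional[datetime] = None          # None until the entry is confirmed
    last_queried: Optional[datetime] = None
    querier_ips: set = field(default_factory=set)  # distinct clients seen while pending


class FirstSeenZone:
    """Answers "when was this domain first asked about?" purely from lookup traffic."""

    def __init__(self, min_distinct_ips: int = 4,
                 expire_after: timedelta = timedelta(days=30)):
        # A domain is only committed once min_distinct_ips different clients have asked
        # about it, so pre-seeding from one spammer address never gets it listed. The
        # spammer's own address counts as one source, so keep the threshold well above 1.
        self.min_distinct_ips = min_distinct_ips
        self.expire_after = expire_after
        self._db: Dict[str, Entry] = {}

    @staticmethod
    def _norm(domain: str) -> str:
        return domain.lower().strip(".")

    def seed(self, domain: str, first_seen: datetime, now: datetime) -> None:
        """Import an already-trusted creation date (e.g. from a registry feed) as confirmed."""
        self._db[self._norm(domain)] = Entry(first_seen=first_seen, last_queried=now)

    def lookup(self, domain: str, client_ip: str, now: datetime) -> Optional[str]:
        """Return the TXT value (first-seen timestamp), or None, which maps to NXDOMAIN."""
        entry = self._db.setdefault(self._norm(domain), Entry())
        entry.last_queried = now
        if entry.first_seen is None:
            entry.querier_ips.add(client_ip)
            if len(entry.querier_ips) < self.min_distinct_ips:
                return None                  # still pending: not in the zone yet
            entry.first_seen = now           # confirmed: the age clock starts now
            entry.querier_ips.clear()
        return entry.first_seen.strftime(TXT_FORMAT)

    @staticmethod
    def age(txt: str, now: datetime) -> timedelta:
        """Age implied by a TXT answer, as the querying MTA would compute it."""
        return now - datetime.strptime(txt, TXT_FORMAT).replace(tzinfo=UTC)

    def expire(self, now: datetime) -> int:
        """The background job: drop domains nobody has asked about for expire_after."""
        stale = [d for d, e in self._db.items() if now - e.last_queried > self.expire_after]
        for d in stale:
            del self._db[d]
        return len(stale)


def demo():
    """Constructed scenario: one spammer pre-seeds, then a real spam run hits three MX hosts."""
    zone = FirstSeenZone(min_distinct_ips=4)
    t0 = datetime(2014, 6, 7, 12, 0, tzinfo=UTC)
    # 50 lookups from a single (TEST-NET) address: never enough distinct sources.
    pre = [zone.lookup("fresh-offer.example", "198.51.100.7", t0 + timedelta(minutes=i))
           for i in range(50)]
    # Two days later three unrelated MX hosts see the spam and ask; the third confirms it.
    t1 = t0 + timedelta(days=2)
    run = [zone.lookup("fresh-offer.example", ip, t1)
           for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30")]
    # An hour into the run the answer is stable and reports an age of one hour.
    t2 = t1 + timedelta(hours=1)
    later = zone.lookup("fresh-offer.example", "192.0.2.40", t2)
    return pre, run, later, zone.age(later, t2)


if __name__ == "__main__":
    print(demo())
```

The point of committing only on the Nth distinct source is that the timestamp reflects when the world started seeing the domain, not when one party chose to prime the cache; the cost is that the first few sites to receive a new domain's spam get NXDOMAIN and no age signal.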


Re: Domain ages (was Re: SPAM from a registrar)

2014-06-09 Thread Kevin A. McGrail

On 6/9/2014 2:51 PM, John Hardin wrote:

On Mon, 9 Jun 2014, Kevin A. McGrail wrote:


So there is merit in building a distributed look-up system using SA.


Distributed lookup of *what*, though? Can you clarify that part of 
your idea? Are you referring to distributed whois queries for a domain 
name, to determine its age?

Yes.  Because whois data is hard to get and many whois servers limit 
lookups, distributing and sharing the lookup load to determine age of 
domains IMO has merit.




Re: Domain ages (was Re: SPAM from a registrar)

2014-06-09 Thread Kevin A. McGrail

On 6/9/2014 3:02 PM, Rob McEwen wrote:

Domain age is a good metric to factor in. But I'm always fascinated with
some people's desire to block all messages with extremely new domains.
(NOT saying that this applies to everyone who posted on this thread!)

Keep in mind that many large and famous businesses... who have fairly
good mail sending practices... sometimes launch new products complete
with links to very newly registered domains. Same is often true for
advertisements for things like rock concerts, etc. Or web sites that deal
with specific events or hot-topic political issues that appeared out of
nowhere. Yes, some of these are UBE. But many are NOT!

These examples provide one of the largest sources of FPs for all the major
domain/URI blacklists. But the better domain/URI blacklists have good
mechanisms in place to (a) PREVENT... MANY of these from ever becoming
FPs in the first place, and (b) where those mechanisms failed, they
have good triggers/feedback to remove and whitelist such FPs VERY QUICKLY
if/when they do occur.

In contrast, many who might go overboard by outright blocking on
newness... and/or scoring too aggressively on newness... may find
too-high FP problems kicking their butts in the long run. And when such
a FP starts happening, they may not have the proper telemetry to
catch/fix it until AFTER much FP damage has happened.

Personally, I think that the real problem here is that some of the most
famous URI/domain blacklists are NOT catching everything and/or NOT
catching everything fast enough... combined with many sys admins failing
to make use of ALL the good and low-FP URI/domain blacklists... where
they'd see MUCH better results if they were using ALL of the good URI
blacklists! ...but I'm a little biased on this point! :)

A great point.  My goal is simply to build a system to identify the age 
of domains and use it as YAIOS or yet another indicator of spamminess 
not as a poison pill.


Re: Domain ages (was Re: SPAM from a registrar)

2014-06-09 Thread Patrick Domack

Quoting David F. Skoll d...@roaringpenguin.com:


On Mon, 9 Jun 2014 11:51:21 -0700 (PDT)
John Hardin jhar...@impsec.org wrote:


 So there is merit in building a distributed look-up system using SA.



Distributed lookup of *what*, though? Can you clarify that part of
your idea? Are you referring to distributed whois queries for a
domain name, to determine its age?


Well, here's how it could be done.  Imagine someone runs a DNS zone
for newdomain.example.net.  You want to see if example.org is a new
domain, so you look up a TXT record for example.org.newdomain.example.net.

The DNS software that serves the zone newdomain.example.net runs
the following pseudo-code when example.org is looked up:

IF example.org is in my database
THEN
   return the TXT record associated with example.org
   update the last-looked-up time for example.org
ELSE
   generate a TXT record of the form MMDDHHMMSS corresponding to current time (UTC)
   insert it in the database
   return it
ENDIF

A background job will periodically clean out domains that haven't been
queried in a long time.

The clever part is that once lots of sites begin using this in their
SA setups, we'll very quickly build up quite an accurate database of
newly-seen domains that's completely independent of any registrar for
a data source.

Yes, spammers can poison it by specifically looking up a domain,
waiting a couple of days, and then spamming.  But I think most won't bother
(witness how effective greylisting still is.)

Furthermore, you can ignore all but the first few hundred lookups before you
enter the TXT record in the database; this will make it more expensive
for spammers to poison the data.  Or you could not enter a record in the
database until it has been looked up from 100 different IP addresses... I
can think of a few other countermeasures.

So who's volunteering to do this? :)

Regards,

David.


The point was, I have already done this, and have it in production. I  
did this because this subject keeps coming up from time to time, and I  
was personally interested to see the results of it.


And I do agree with Rob McEwen on many points. And I would be  
hesitant to outright block. But so far I haven't found any issues with  
blocking 1 day outright, and I doubt there would be many in real usage.


But then the only way to be completely sure of that, will be time.





Re: Domain ages (was Re: SPAM from a registrar)

2014-06-09 Thread John Hardin

On Mon, 9 Jun 2014, David F. Skoll wrote:


On Mon, 9 Jun 2014 11:51:21 -0700 (PDT)
John Hardin jhar...@impsec.org wrote:


So there is merit in building a distributed look-up system using SA.



Distributed lookup of *what*, though? Can you clarify that part of
your idea? Are you referring to distributed whois queries for a
domain name, to determine its age?


The clever part is that once lots of sites begin using this in their
SA setups, we'll very quickly build up quite an accurate database of
newly-seen domains that's completely independent of any registrar for
a data source.


Ah, ok, that's where I was confused. The proposal is for a distributed 
network gathering newly-SEEN domain names, rather than newly-REGISTERED 
domain names.


Thanks for the clarification. I was focusing on the latter.

--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  You can't reason a person out of a position if he didn't use
  reason to get there in the first place.   -- Kristopher, at Marko's
---
 739 days since the first successful private support mission to ISS (SpaceX)


Re: Domain ages (was Re: SPAM from a registrar)

2014-06-09 Thread David F. Skoll
On Mon, 09 Jun 2014 15:24:29 -0400
Patrick Domack patric...@patrickdk.com wrote:

 The point was, I have already done this, and have it in production.
 I did this because this subject keeps coming up from time to time, and
 I was personally interested to see the results of it.

Interesting.  If you don't mind my asking... how much data do you
collect?  How many lookups/day?

I was thinking a system that gets lookups from thousands or more SA
installations would get a pretty good overview of new domains.  A local
installation would necessarily see a limited subset.

 And I do agree with Rob McEwen on many points. And I would be  
 hesitant to outright block. But so far I haven't found any issues with  
 blocking 1 day outright, and I doubt there would be many in real usage.

Or even just holding the mail for a day or so and then re-analyzing it.

Regards,

David.


Re: Domain ages (was Re: SPAM from a registrar)

2014-06-09 Thread Kevin A. McGrail

On 6/9/2014 3:24 PM, Patrick Domack wrote:
The point was, I have already done this, and have it in production. I 
did this because this subject keeps coming up from time to time, and I 
was personally interested to see the results of it.


And I do agree with Rob McEwen on many points. And I would be 
hesitant to outright block. But so far I haven't found any issues with 
blocking 1 day outright, and I doubt there would be many in real usage.


But then the only way to be completely sure of that, will be time.


My conjecture is that many people have built this for lower volume. But 
you can't be doing much volume or your IP gets blocked from whois 
servers.  The twist I want to do is bring more data back centralized 
from SA installations such as whois data where it can only be done in a 
distributed manner.


regards,
KAM


RE: Domain ages (was Re: SPAM from a registrar)

2014-06-09 Thread David Jones
If SEM was able to detect newly registered domains more quickly then that would 
solve the problem.

From: John Hardin jhar...@impsec.org
Sent: Monday, June 09, 2014 2:24 PM
To: users@spamassassin.apache.org
Subject: Re: Domain ages (was Re: SPAM from a registrar)

On Mon, 9 Jun 2014, David F. Skoll wrote:

 On Mon, 9 Jun 2014 11:51:21 -0700 (PDT)
 John Hardin jhar...@impsec.org wrote:

 So there is merit in building a distributed look-up system using SA.

 Distributed lookup of *what*, though? Can you clarify that part of
 your idea? Are you referring to distributed whois queries for a
 domain name, to determine its age?

 The clever part is that once lots of sites begin using this in their
 SA setups, we'll very quickly build up quite an accurate database of
 newly-seen domains that's completely independent of any registrar for
 a data source.

Ah, ok, that's where I was confused. The proposal is for a distributed
network gathering newly-SEEN domain names, rather than newly-REGISTERED
domain names.

Thanks for the clarification. I was focusing on the latter.

--
  John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
  jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
   You can't reason a person out of a position if he didn't use
   reason to get there in the first place.   -- Kristopher, at Marko's
---
  739 days since the first successful private support mission to ISS (SpaceX)


Re: Domain ages (was Re: SPAM from a registrar)

2014-06-09 Thread John Hardin

On Mon, 9 Jun 2014, Kevin A. McGrail wrote:


On 6/9/2014 2:51 PM, John Hardin wrote:

 On Mon, 9 Jun 2014, Kevin A. McGrail wrote:

  So there is merit in building a distributed look-up system using SA.

 Distributed lookup of *what*, though? Can you clarify that part of your
 idea? Are you referring to distributed whois queries for a domain name, to
 determine its age?


Yes.  Because whois data is hard to get and many whois servers limit lookups, 
distributing and sharing the lookup load to determine age of domains IMO has 
merit.


Ah, I think there's still two different assumptions occurring in this 
discussion: newly-seen (David and Patrick) vs. newly-registered (me and 
Kevin)...


Maybe we need to clarify that first.

--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  You can't reason a person out of a position if he didn't use
  reason to get there in the first place.   -- Kristopher, at Marko's
---
 739 days since the first successful private support mission to ISS (SpaceX)


Re: Domain ages (was Re: SPAM from a registrar)

2014-06-09 Thread Kevin A. McGrail

On 6/9/2014 3:33 PM, John Hardin wrote:

On Mon, 9 Jun 2014, Kevin A. McGrail wrote:


On 6/9/2014 2:51 PM, John Hardin wrote:

 On Mon, 9 Jun 2014, Kevin A. McGrail wrote:

  So there is merit in building a distributed look-up system using SA.

 Distributed lookup of *what*, though? Can you clarify that part of your
 idea? Are you referring to distributed whois queries for a domain name, to
 determine its age?


Yes.  Because whois data is hard to get and many whois servers limit 
lookups, distributing and sharing the lookup load to determine age of 
domains IMO has merit.


Ah, I think there's still two different assumptions occurring in this 
discussion: newly-seen (David and Patrick) vs. newly-registered (me 
and Kevin)...


Maybe we need to clarify that first. 


Good clarification.  The spam I envision stopping is spammers using 
things like stolen credit cards or trial accounts to register domains 
that they then spam and then disappear quite quickly.


So this builds a database of domain whois data (initial discussions 
focused on the creation date) using distributed SA nodes to build the data.


And I chose to discuss it here because I get more ideas than I have time 
and resources to implement.


Regards,
KAM


Re: Domain ages (was Re: SPAM from a registrar)

2014-06-09 Thread Kevin A. McGrail

On 6/9/2014 3:31 PM, David Jones wrote:

If SEM was able to detect newly registered domains more quickly then that would 
solve the problem.

That is the crux of the issue, yes.  So how do you identify new domains 
if the registrars/registries won't give you the data? That's the problem 
my idea solves by monitoring newly seen domains with the idea being that 
spammers are not going to buy domains and sit on them before using them.


Regards,
KAM


RE: Domain ages (was Re: SPAM from a registrar)

2014-06-09 Thread John Hardin

On Mon, 9 Jun 2014, David Jones wrote:

If SEM was able to detect newly registered domains more quickly then 
that would solve the problem.


Oh, agreed.

The problem is, a registrar feed of registration changes costs a lot, and 
this is a free project.


That's why I suggested trying to develop relationships with registrars, 
to maybe get them onboard with providing this data for free for this 
purpose.


It's possible that the Apache name could provide cachet to get registrars 
onboard to provide rsync'able data feeds of domain names registered in the 
last N days. It might be possible/better to get them to provide the data 
to URIBL.org (to act as an aggregator) with a license to provide the data 
free via DNS (i.e. non-bulk access) and at a nominal fee for rsync access 
(which URIBL already charges for the data they collect).


--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  You can't reason a person out of a position if he didn't use
  reason to get there in the first place.   -- Kristopher, at Marko's
---
 739 days since the first successful private support mission to ISS (SpaceX)


Re: Domain ages (was Re: SPAM from a registrar)

2014-06-09 Thread Axb

On 06/09/2014 09:38 PM, Kevin A. McGrail wrote:

That is the crux of the issue, yes.  So how do you identify new domains
if the registrars/registries won't give you the data? That's the problem
my idea solves by monitoring newly seen domains with the idea being that
spammers are not going to buy domains and sit on them before using them.


You get the TLD zone files... and depending on your budget you get them 
once/24hrs or hourly diffs (if you can afford a house in The Hamptons, 
you can afford the diffs .-)


Some TLDs won't handout zone, period.



Re: Domain ages (was Re: SPAM from a registrar)

2014-06-09 Thread Matthias Leisi
On Mon, Jun 9, 2014 at 8:43 PM, Kevin A. McGrail kmcgr...@pccc.com wrote:


 I think the core issue is that age of domains is a good indicator of spam.
  So there is merit in building a distributed look-up system using SA.

 I have more ideas than resources, of course...


I repeat my question: which domain? HELO, MAIL FROM, From:, ...?

-- Matthias


Re: Domain ages (was Re: SPAM from a registrar)

2014-06-09 Thread Kevin A. McGrail

On 6/9/2014 4:25 PM, Matthias Leisi wrote:



On Mon, Jun 9, 2014 at 8:43 PM, Kevin A. McGrail kmcgr...@pccc.com 
mailto:kmcgr...@pccc.com wrote:


I think the core issue is that age of domains is a good indicator
of spam.  So there is merit in building a distributed look-up
system using SA.

I have more ideas than resources, of course...


I repeat my question: which domain? HELO, MAIL FROM, From:, ...?


I envision it for potentially any and all domains in the email.


Re: Domain ages (was Re: SPAM from a registrar)

2014-06-09 Thread Matthias Leisi
On Mon, Jun 9, 2014 at 9:11 PM, David F. Skoll d...@roaringpenguin.com
wrote:


 The clever part is that once lots of sites begin using this in their
 SA setups, we'll very quickly build up quite an accurate database of
 newly-seen domains that's completely independent of any registrar for
 a data source.


dnswl.org (and many other DNSxLs) already have some of that data as part of
their parsing/handling of DNS logs.  For

Furthermore, you can ignore all but the first few hundred lookups before you
 enter the TXT record in the database; this will make it more expensive
 for spammers to poison the data.  Or you could not enter a record in the
 database until it has been looked up from 100 different IP addresses... I
 can think of a few other countermeasures.

 So who's volunteering to do this? :)


We had some plans to publish such data. However since it is not really
clear what domains to look for, we did not pursue that a lot further. We
have at least a primary domain for each DNSWL record, but at least
historically we were not strict in what type of domain to put there (we
like to use the domain name that most closely links the IPs to the
administratively responsible owner, which is admittedly somewhat vague).

Based on the usage data we gather, we can pretty accurately extract a
last seen date for a particular domain (or, its associated IPs to be
exact).

*But*, again: which domains would be queried for such a list?

-- Matthias


Re: Domain ages (was Re: SPAM from a registrar)

2014-06-09 Thread Patrick Domack


Quoting Matthias Leisi matth...@leisi.net:


On Mon, Jun 9, 2014 at 8:43 PM, Kevin A. McGrail kmcgr...@pccc.com wrote:



I think the core issue is that age of domains is a good indicator of spam.
 So there is merit in building a distributed look-up system using SA.

I have more ideas than resources, of course...



I repeat my question: which domain? HELO, MAIL FROM, From:, ...?

-- Matthias


HELO hasn't matched anything in my tests.

MAIL FROM has matched many, though the helo's are always a different domain

From I have only started doing yesterday, and not sure exactly how I  
will track them. Likely just wait a few days, and check my ham/spam  
folders and compare what rules were hit.






Re: Domain ages (was Re: SPAM from a registrar)

2014-06-09 Thread Axb

On 06/09/2014 10:32 PM, Patrick Domack wrote:


Quoting Matthias Leisi matth...@leisi.net:


On Mon, Jun 9, 2014 at 8:43 PM, Kevin A. McGrail kmcgr...@pccc.com
wrote:



I think the core issue is that age of domains is a good indicator of
spam.
 So there is merit in building a distributed look-up system using SA.

I have more ideas than resources, of course...



I repeat my question: which domain? HELO, MAIL FROM, From:, ...?

-- Matthias


HELO hasn't matched anything in my tests.

MAIL FROM has matched many, though the helo's are always a different domain

 From I have only started doing yesterday, and not sure exactly how I
will track them. Likely just wait a few days, and check my ham/spam
folders and compare what rules were hit.


LOTS of the recent .us & .me will match sender/ptr/A/HELO



Re: Domain ages (was Re: SPAM from a registrar)

2014-06-09 Thread David F. Skoll
On Mon, 9 Jun 2014 22:31:55 +0200
Matthias Leisi matth...@leisi.net wrote:

 *But*, again: which domains would be queried for such a list?

I think MAIL FROM domain.

Regards,

David.


Re: Domain ages (was Re: SPAM from a registrar)

2014-06-09 Thread James B. Byrne

On Mon, June 9, 2014 15:35, Patrick Domack wrote:

 I guess what would need to be hammered out, is, the exact info wanted.
 We know age, and registrar. Though doing the registrar isn't so
 simple, as the same for just ENOM changes between tld, and even within
 a single tld (likely from the mergers they had).

My investigations of the domains used against us revealed that all of the
handful checked were between 4 and 20 hours old when first encountered by our
servers.

It would suffice I think to have a negative lookup RTBL service where if a
domain is not listed therein then may be considered as new, at least insofar
as mailing traffic is concerned.  The registrar and the age of the domain need
not concern us overmuch at the outset of a spam attack. What is more important
to know is whether the domain has been seen by others before and how long
before so that the information in DOB and SEM can be considered in that light.

Lookup domains may be added as and when they are encountered albeit after some
delay and only if some threshold of volume and distinct number of enquiring
hosts is passed.  A graded approach is probably called for with one listing a
previously unseen domain only after 24 hours from the first enquiry, one only
after 48, and so on.  Of course, the domains in question need to be verified
before being added.  And other precautions are no doubt necessary to avoid
poisoning or advance loading subversion attempts.

Comments?


-- 
***  E-Mail is NOT a SECURE channel  ***
James B. Byrne                mailto:byrn...@harte-lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive  vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada  L8E 3C3
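The registry sketched in the two messages above (David Skoll's countermeasures: do not enter a domain until enough lookups, or enough distinct IP addresses, have asked for it; and the graded listing only 24h, 48h, ... after the first enquiry), as an added example that is not code from this thread, from dnswl.org or from SpamAssassin. Thresholds, bucket edges and every name in it are assumptions chosen for illustration.

```python
"""Newly-seen-domain registry (added example; not the thread's own code).

Sites report every domain they see.  A domain is admitted only after
MIN_LOOKUPS enquiries from at least MIN_DISTINCT_IPS different hosts (the
poisoning countermeasure), and lookups answer with a graded age bucket
counted from the *first enquiry*.  Anything absent or not yet admitted
answers "unlisted", which the negative-lookup idea treats as "new".
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set

# Illustrative thresholds (the thread suggests "a few hundred lookups" or
# "100 different IP addresses"); small values keep the demo short.
MIN_LOOKUPS = 5
MIN_DISTINCT_IPS = 3
# Graded bucket edges in hours from first enquiry: <24h, <48h, <1 week.
BUCKET_EDGES_HOURS = (24, 48, 168)


@dataclass
class DomainRecord:
    first_seen: datetime                            # first enquiry, not registration
    lookups: int = 0
    clients: Set[str] = field(default_factory=set)  # distinct querying hosts
    admitted: bool = False                          # both thresholds met


class SeenDomainRegistry:
    def __init__(self) -> None:
        self._records: Dict[str, DomainRecord] = {}

    @staticmethod
    def normalize(domain: str) -> str:
        # DNS names are case-insensitive; drop a trailing root dot and whitespace.
        return domain.strip().rstrip(".").lower()

    def record_query(self, domain: str, client_ip: str, now: datetime) -> bool:
        """Record one enquiry from client_ip; return whether the domain is admitted."""
        name = self.normalize(domain)
        rec = self._records.get(name)
        if rec is None:
            rec = DomainRecord(first_seen=now)
            self._records[name] = rec
        rec.lookups += 1
        rec.clients.add(client_ip)
        # One host hammering the registry (random names, or pre-loading a domain
        # it plans to use later) never satisfies the distinct-client threshold.
        if rec.lookups >= MIN_LOOKUPS and len(rec.clients) >= MIN_DISTINCT_IPS:
            rec.admitted = True
        return rec.admitted

    def age(self, domain: str, now: datetime) -> Optional[timedelta]:
        """Age since first enquiry, or None if unknown or not yet admitted."""
        rec = self._records.get(self.normalize(domain))
        if rec is None or not rec.admitted:
            return None
        return now - rec.first_seen

    def bucket(self, domain: str, now: datetime) -> str:
        """Graded answer a DNS front end could map onto 127.0.0.x codes."""
        age = self.age(domain, now)
        if age is None:
            return "unlisted"   # not seen by enough sites yet: treat as new
        hours = age.total_seconds() / 3600
        for edge in BUCKET_EDGES_HOURS:
            if hours < edge:
                return f"lt{edge}h"
        return "established"


def run_demo() -> dict:
    """Constructed timeline: one host hammers one domain (never admitted);
    three hosts ask about another (admitted, then aged through the buckets)."""
    t0 = datetime(2014, 6, 9, 12, 0, tzinfo=timezone.utc)
    reg = SeenDomainRegistry()
    for i in range(10):
        reg.record_query("poison.example", "192.0.2.1", t0 + timedelta(minutes=i))
    hosts = ["192.0.2.1", "192.0.2.2", "198.51.100.7"]
    admitted: List[bool] = [
        reg.record_query("Fresh.Example.", hosts[i % 3], t0 + timedelta(minutes=10 * i))
        for i in range(5)
    ]
    results: dict = {"admitted_sequence": admitted}
    for hours in (5, 30, 240):
        now = t0 + timedelta(hours=hours)
        results[f"poison@{hours}h"] = reg.bucket("poison.example", now)
        results[f"fresh@{hours}h"] = reg.bucket("fresh.example", now)
    age = reg.age("fresh.example", t0 + timedelta(hours=5))
    results["fresh_age_hours@5h"] = age.total_seconds() / 3600
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

A legitimate brand-new domain also answers "unlisted" until enough sites have seen it, which is exactly the false-positive concern raised earlier in the thread; the answer is a scoring input, not a block decision.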



Re: Domain ages (was Re: SPAM from a registrar)

2014-06-09 Thread Matthias Leisi
On Mon, Jun 9, 2014 at 9:11 PM, David F. Skoll d...@roaringpenguin.com
wrote:


 The DNS software that serves the zone newdomain.example.net runs
 the following pseudo-code when example.org is looked up:
 [..]

So who's volunteering to do this? :)


*raises hand*

I still have an experimental DNS server (written in Perl) lying around that
does more-or-less what is described here. The overall system would need a
bit more thought, though.

* Distributed over n nodes. Given that data can have pretty long TTL, it
does not need a lot of nodes, but still the distributed nature brings some
challenges.
* Definition of the granularity of data - should a first seen date be
returned, or an age (in days?)
* Querying whois servers is not practical at that scale.
* How would the queries be sent to the nodes? Domain-based BL-type queries?
* Would the SA project take on some operational responsibilities?
* The dnswl.org project can sponsor resources and take on some operational
aspects, but we would welcome some support.

-- Matthias


Re: Domain ages (was Re: SPAM from a registrar)

2014-06-09 Thread Axb

On 06/09/2014 10:43 PM, James B. Byrne wrote:


On Mon, June 9, 2014 15:35, Patrick Domack wrote:


I guess what would need to be hammered out, is, the exact info wanted.
We know age, and registrar. Though doing the registrar isn't so
simple, as the same for just ENOM changes between tld, and even within
a single tld (likely from the mergers they had).


My investigations of the domains used against us revealed that all of the
handful checked were between 4 and 20 hours old when first encountered by our
servers.

It would suffice I think to have a negative lookup RTBL service where if a
domain is not listed therein then may be considered as new, at least insofar
as mailing traffic is concerned.  The registrar and the age of the domain need
not concern us overmuch at the outset of a spam attack. What is more important
to know is whether the domain has been seen by others before and how long
before so that the information in DOB and SEM can be considered in that light.

Lookup domains may be added as and when they are encountered albeit after some
delay and only if some threshold of volume and distinct number of enquiring
hosts is passed.  A graded approach is probably called for with one listing a
previously unseen domain only after 24 hours from the first enquiry, one only
after 48, and so on.  Of course, the domains in question need to be verified
before being added.  And other precautions are no doubt necessary to avoid
poisoning or advance loading subversion attempts.

Comments?


You have a domain reputation method on your drawing board and imo it has 
some flaws:


- Delayed data is good for research, not to efficiently stop spam.

- Verifying anything that large needs 40k indians in the basement or 
huge clusters of cycles doing something - neither is trivial or cheap.


- There's a bunch of Passive DNS projects which do what you're 
describing and none will work as the FUSSP - they're datapoints which can 
be combined with other stuff to achieve something (aka research)







Re: Domain ages (was Re: SPAM from a registrar)

2014-06-09 Thread Richard Doyle
On 06/09/2014 12:29 PM, Kevin A. McGrail wrote:
 On 6/9/2014 3:24 PM, Patrick Domack wrote:
 The point was, I have already done this, and have it in production. I
 did this cause this subject keeps coming up from time to time, and I
 was personally interested to see the results of it.

 And I do agree with Rob McEwen on many points. And I would be
 hesitant to outright block. But so far, and I doubt much in real
 usage, and haven't found any yet, any issues with blocking 1day
 outright.

 But then the only way to be completely sure of that, will be time.

 My conjecture is that many people have built this for lower volume.
 But you can't be doing much volume or your IP gets blocked from whois
 servers.  The twist I want to do is bring more data back centralized
 from SA installations such as whois data where it can only be done in
 a distributed manner.

 regards,
 KAM


A caching whois client (jwhois, for example) can significantly reduce
the volume of queries.



Re: Domain ages (was Re: SPAM from a registrar)

2014-06-09 Thread Matthias Leisi
On Mon, Jun 9, 2014 at 11:31 PM, Richard Doyle lists...@islandnetworks.com
wrote:


 A caching whois client (jwhois, for example) can significantly reduce
 the volume of queries.


You will need to query potentially hundreds or thousands of domains *per
day* - mostly throw away domains from spammers.

1) What are the typical rate limits on public whois servers?
2) How to protect against attackers sending random non-existent domain
names your way, thus ensuring you hit rate limits early?
3) How to parse the myriads of formats sent by whois servers?
4) How do you handle TLDs which do not publish registration dates, like eg
.de? (At least they did not last time I checked.)

Whois is not a feasible data source.

-- Matthias


Re: Domain ages (was Re: SPAM from a registrar)

2014-06-09 Thread Patrick Domack

Quoting Matthias Leisi matth...@leisi.net:


On Mon, Jun 9, 2014 at 11:31 PM, Richard Doyle lists...@islandnetworks.com
wrote:



A caching whois client (jwhois, for example) can significantly reduce
the volume of queries.



You will need to query potentially hundreds or thousands of domains *per
day* - mostly throw away domains from spammers.

1) What are the typical rate limits on public whois servers?
2) How to protect against attackers sending random non-existent domain
names your way, thus ensuring you hit rate limits early?
3) How to parse the myriads of formats sent by whois servers?
4) How do you handle TLDs which do not publish registration dates, like eg
.de? (At least they did not last time I checked.)

Whois is not a feasible data source.

-- Matthias


1) I dunno, but I am doing around 15k lookups a day, from a single ip,  
without getting limited/blocked
2) This is hard, and I don't know, currently the postfix reject  
unknown sender helps solve this for me, but won't for dns based lookups

3) This, while annoying, is solved in my code, not too hard
4) These I just don't bother doing lookups for, there is no solution,  
other than to let them bypass this system, or rate them via seen  
before method.





Re: Domain ages (was Re: SPAM from a registrar)

2014-06-09 Thread Richard Doyle
On 06/09/2014 02:42 PM, Matthias Leisi wrote:

 On Mon, Jun 9, 2014 at 11:31 PM, Richard Doyle
 lists...@islandnetworks.com mailto:lists...@islandnetworks.com wrote:
  

 A caching whois client (jwhois, for example) can significantly reduce
 the volume of queries.


 You will need to query potentially hundreds or thousands of domains
 *per day* - mostly throw away domains from spammers. 

 1) What are the typical rate limits on public whois servers?
Apparently higher than my usage (cached names aren't rechecked)

 2) How to protect against attackers sending random non-existent domain
 names your way, thus ensuring you hit rate limits early?
Sender verification

 3) How to parse the myriads of formats sent by whois servers?
Don't try (see 4)

 4) How do you handle TLDs which do not publish registration dates,
 like eg .de? (At least they did not last time I checked.)
I only check .com, .net and .org


 Whois is not a feasible data source.
Whois certainly has limited usefulness, but is a feasible data source
within those limits


 -- Matthias

-Richard



Re: SPAM from a registrar

2014-06-07 Thread Tom Hendrikx

On 05-06-14 20:54, Andreas Schulze wrote:
 Tom Hendrikx:
 but postfix has a feature that can check the MX and NS records of
 the envelope sender or hostname of the connecting ip.
 I know and use that.
 
 
 If these are all the same, you could block connections based on
 those.
  that's interesting, no idea how to compare something in
 postfix. Could you post an example?
 

It's a manual process: you'll need to check the whois data of the
domains that pass your spam controls, and block the NS hosts if you
find consistency, as the OP saw with Enom.

Checking whois data could be automated, but is discouraged by whois
services (and applying a blanket block based on NS records should not
be done without operator review, imho, given the possible huge impact).

Postfix cannot compare since it has no concept of multiple messages
arriving at the same time: it happens, but the smtpd processes
handling them have no knowledge of each other (or their data structures).

Tom
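What the operator-reviewed NS/MX block described above looks like in Postfix, as an added example (not Tom's own configuration): the access tables are consulted per message by check_sender_ns_access / check_sender_mx_access, and the hostnames in them are placeholders to be replaced by whatever the manual whois review found in common.

```conf
# main.cf excerpt (added example). Order matters: trusted networks first,
# then reject senders whose domain does not resolve, then the NS/MX tables.
smtpd_sender_restrictions =
    permit_mynetworks,
    reject_unknown_sender_domain,
    check_sender_ns_access hash:/etc/postfix/sender_ns_access,
    check_sender_mx_access hash:/etc/postfix/sender_mx_access,
    permit

# /etc/postfix/sender_ns_access  (run "postmap /etc/postfix/sender_ns_access"
# after editing). Placeholder hostnames; each entry should come from an
# operator's whois review, not from an automated feed.
ns1.throwaway-dns.example    REJECT nameserver seen only on disposable spam domains
ns2.throwaway-dns.example    REJECT nameserver seen only on disposable spam domains

# /etc/postfix/sender_mx_access  (same handling)
mx.bulk-relay.example        REJECT MX shared by this campaign's domains
```

Postfix looks up the sender domain's NS (or MX) hostnames in the table for each message, so this is a per-message policy check, not the cross-message comparison Andreas asked about.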


Re: SPAM from a registrar

2014-06-05 Thread Andreas Schulze
Tom Hendrikx:
 but postfix has a feature that can check the MX and NS
 records of the envelope sender or hostname of the connecting ip.
I know and use that.


 If these are all the same, you could block connections based on those.
   
that's interesting, no idea how to compare something in postfix.
Could you post an example?

Andreas


RE: SPAM from a registrar

2014-05-23 Thread James B. Byrne
While the number of messages getting through has dropped off to near zero this
morning I nonetheless took the time to look into registrars with respect to
SPAM and found this interesting web site:  http://rss.uribl.com/nic/

As of this morning the top domain registrars with respect to spam origin are
these:

Top 100 Registrars with Blacklisted Domains for last 5 days

Rank  Registrar                                                    Listed  Active  Percent
1     ENOM, INC.                                                     3335    7403   45.05%
2     GO DADDY SOFTWARE, INC.                                        1326   12718   10.43%
3     GMO INTERNET, INC. D/B/A ONAMAE.COM AND DISCOUNT-DOMAIN.COM    1080    1692   63.83%
4     REGRU-REG-RIPN                                                  592    1515   39.08%
5     PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM                         456    1660   27.47%
6     OVH                                                             321    1710   18.77%
7     MONIKER ONLINE SERVICES, INC.                                   233     488   47.75%
. . .

If I read this correctly then one out of every two recently active Enom
registered domains is engaged in SPAM activities.  What I cannot tell is
whether the total number of active domains refers to recent registrations (5
days old) or number of domains registered with Enom that have evidenced some
Internet activity as measured by some indeterminate means.

I also note that the 'Privacy' service for the spam site owner contact
registered at Enom is Moniker. Who also has a one out of two ratio of spam
domains to total active domains.

If this information is accurate then it seems to me on the basis of the
evidence that it is entirely reasonable to block email from domains registered
with either Enom or Moniker; and GMO Internet looks like a good candidate as
well.

Comments?

-- 
***  E-Mail is NOT a SECURE channel  ***
James B. Byrne                mailto:byrn...@harte-lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive  vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada  L8E 3C3



Re: SPAM from a registrar

2014-05-23 Thread Neil Schwartzman
that’s nice, but useless unless you also take into account the size of the 
registrar, IOW the number of domains they registered in the same period.


Neil Schwartzman
Executive Director
Coalition Against Unsolicited Commercial Email
http://cauce.org
Tel : (303) 800-6345
Twitter : @cauce




On May 23, 2014, at 12:22 PM, James B. Byrne byrn...@harte-lyne.ca wrote:

 While the number of messages getting through has dropped off to near zero this
 morning I nonetheless took the time to look into registrars with respect to
 SPAM and found this interesting web site:  http://rss.uribl.com/nic/
 
 As of this morning the top domain registrars with respect to spam origin are
 these:
 
 Top 100 Registrars with Blacklisted Domains for last 5 days
 
 Rank  Registrar                                                    Listed  Active  Percent
 1     ENOM, INC.                                                     3335    7403   45.05%
 2     GO DADDY SOFTWARE, INC.                                        1326   12718   10.43%
 3     GMO INTERNET, INC. D/B/A ONAMAE.COM AND DISCOUNT-DOMAIN.COM    1080    1692   63.83%
 4     REGRU-REG-RIPN                                                  592    1515   39.08%
 5     PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM                         456    1660   27.47%
 6     OVH                                                             321    1710   18.77%
 7     MONIKER ONLINE SERVICES, INC.                                   233     488   47.75%
 . . .
 
 If I read this correctly then one out of every two recently active Enom
 registered domains is engaged in SPAM activities.  What I cannot tell is
 whether the total number of active domains refers to recent registrations (5
 days old) or number of domains registered with Enom that have evidenced some
 Internet activity as measured by some indeterminate means.
 
 I also note that the 'Privacy' service for the spam site owner contact
 registered at Enom is Moniker. Who also has a one out of two ratio of spam
 domains to total active domains.
 
 If this information is accurate then it seems to me on the basis of the
 evidence that it is entirely reasonable to block email from domains registered
 with either Enom or Moniker; and GMO Internet looks like a good candidate as
 well.
 
 Comments?
 
 -- 
 ***  E-Mail is NOT a SECURE channel  ***
 James B. Byrne                mailto:byrn...@harte-lyne.ca
 Harte & Lyne Limited          http://www.harte-lyne.ca
 9 Brockley Drive  vox: +1 905 561 1241
 Hamilton, Ontario fax: +1 905 561 0757
 Canada  L8E 3C3
 



Re: SPAM from a registrar

2014-05-23 Thread Axb

On 05/23/2014 06:22 PM, James B. Byrne wrote:

While the number of messages getting through has dropped off to near zero this
morning I nonetheless took the time to look into registrars with respect to
SPAM and found this interesting web site:  http://rss.uribl.com/nic/

As of this morning the top domain registrars with respect to spam origin are
these:

Top 100 Registrars with Blacklisted Domains for last 5 days

Rank  Registrar                                                    Listed  Active  Percent
1     ENOM, INC.                                                     3335    7403   45.05%
2     GO DADDY SOFTWARE, INC.                                        1326   12718   10.43%
3     GMO INTERNET, INC. D/B/A ONAMAE.COM AND DISCOUNT-DOMAIN.COM    1080    1692   63.83%
4     REGRU-REG-RIPN                                                  592    1515   39.08%
5     PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM                         456    1660   27.47%
6     OVH                                                             321    1710   18.77%
7     MONIKER ONLINE SERVICES, INC.                                   233     488   47.75%
. . .

If I read this correctly then one out of every two recently active Enom
registered domains is engaged in SPAM activities.  What I cannot tell is
whether the total number of active domains refers to recent registrations (5
days old) or number of domains registered with Enom that have evidenced some
Internet activity as measured by some indeterminate means.

I also note that the 'Privacy' service for the spam site owner contact
registered at Enom is Moniker. Who also has a one out of two ratio of spam
domains to total active domains.

If this information is accurate then it seems to me on the basis of the
evidence that it is entirely reasonable to block email from domains registered
with either Enom or Moniker; and GMO Internet looks like a good candidate as
well.

Comments?


Obviously active domains is what they're seeing in mailflow

Don't let such stats misguide you - they're just a snapshot taken off 
mailflow, but they don't tell you the ratio between spammy:nonspammy 
outside that snapshot.


If you expect that by detecting new means less spam, you'll be 
disappointed.

(been there... .-)









Re: SPAM from a registrar

2014-05-20 Thread Matus UHLAR - fantomas

On 2014-05-19 19:39, Ian Zimmerman wrote:

Ok, I installed a local bind instance on Saturday.  But it is not
helping: out of about 100 spams I got today (counting both those that
got flagged and those that didn't, but not counting the horrible spams
with score > 15 that go directly to /dev/null), _none_ scored on
URIBL_RHS_DOB.  And I know for a fact that most of them contain fresh
domains :-(  Btw, all those domains are registered with enom.  Wth?


On 19.05.14 20:17, Dave Warren wrote:
Did you leave your local BIND instance acting as a full resolver, or 
did you set forwarders? If so, removing the forwarder configuration 
should help.


because forwarding defeats the main reason we recommended you have your own
nameserver for doing lookups from your own IP that won't get blacklisted
(with forwarding, the lookups come from your forwarders that may be blocked)

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Atheism is a non-prophet organization. 


RE: SPAM from a registrar

2014-05-19 Thread Kevin Miller
That's a bad thing to do.  A caching name server is pretty easy to implement 
(all the distros that I've played with do it automatically just installing 
bind).  Many (most?/all?) RBLs require a subscription (read money) if you 
exceed a certain number of queries.  A public dns server can hammer them quite 
quickly, and thus get filtered out.  A local caching server is definitely 
recommended.  I've never read any posts suggesting reasons not to use one...

 ...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4500
Registered Linux User No: 307357
-Original Message-
From: Ian Zimmerman [mailto:i...@buug.org] 
Sent: Friday, May 16, 2014 6:38 PM
To: users@spamassassin.apache.org
Subject: Re: SPAM from a registrar

On Sat, 17 May 2014 01:34:58 +0200
Karsten Bräckelmann guent...@rudersport.de wrote:

 I don't know whether DOB limits DNS queries of a single host.

 However, if you *never* get that rule firing, the NXDOMAIN result may 
 indicate exceeding a query limit. Do you use a local caching DNS 
 resolver, or does SA use your upstream ISP's one, along with a million 
 other SA instances?

Excellent point.  I _used to_ run a local DNS cache, but got rid of it a few 
months ago, in the name of simplicity.  Was that a good or bad thing to do in 
the current context?

--
Please *no* private copies of mailing list or newsgroup messages.


RE: SPAM from a registrar

2014-05-19 Thread John Hardin

On Mon, 19 May 2014, Kevin Miller wrote:

That's a bad thing to do.  A caching name server is pretty easy to 
implement (all the distros that I've played with do it automatically 
just installing bind).  Many (most?/all?) RBLs require a subscription 
(read money) if you exceed a certain number of queries.  A public dns 
server can hammer them quite quickly, and thus get filtered out.  A 
local caching server is definitely recommended.  I've never read any 
posts suggesting reasons not to use one...


...just don't let world+dog on internet query it. It should only be 
visible to internal hosts.


--
 John Hardin KA7OHZ                     http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Maxim XXIX: The enemy of my enemy is my enemy's enemy. No more.
  No less.
---
 718 days since the first successful private support mission to ISS (SpaceX)


Re: SPAM from a registrar

2014-05-19 Thread Ian Zimmerman
On Mon, 19 May 2014 10:46:25 -0800
Kevin Miller kevin_mil...@ci.juneau.ak.us wrote:

Ian> Excellent point.  I _used to_ run a local DNS cache, but got rid of
Ian> it a few months ago, in the name of simplicity.  Was that a good or
Ian> bad thing to do in the current context?

Kevin> That's a bad thing to do.  A caching name server is pretty easy
Kevin> to implement (all the distros that I've played with do it
Kevin> automatically just installing bind).  Many (most?/all?) RBLs
Kevin> require a subscription (read money) if you exceed a certain
Kevin> number of queries.  A public dns server can hammer them quite
Kevin> quickly, and thus get filtered out.  A local caching server is
Kevin> definitely recommended.  I've never read any posts suggesting
Kevin> reasons not to use one...

Ok, I installed a local bind instance on Saturday.  But it is not
helping: out of about 100 spams I got today (counting both those that
got flagged and those that didn't, but not counting the horrible spams
with score > 15 that go directly to /dev/null), _none_ scored on
URIBL_RHS_DOB.  And I know for a fact that most of them contain fresh
domains :-(  Btw, all those domains are registered with enom.  Wth?

-- 
Please *no* private copies of mailing list or newsgroup messages.


Re: SPAM from a registrar

2014-05-19 Thread Dave Warren

On 2014-05-19 19:39, Ian Zimmerman wrote:

Ok, I installed a local bind instance on Saturday.  But it is not
helping: out of about 100 spams I got today (counting both those that
got flagged and those that didn't, but not counting the horrible spams
with score > 15 that go directly to /dev/null), _none_ scored on
URIBL_RHS_DOB.  And I know for a fact that most of them contain fresh
domains :-(  Btw, all those domains are registered with enom.  Wth?



Have you checked the domains to see if they're listed on DOB? Or can you 
at least verify that test domains can be queried on DOB?


Did you leave your local BIND instance acting as a full resolver, or did 
you set forwarders? If so, removing the forwarder configuration should help.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren




Re: SPAM from a registrar

2014-05-17 Thread jdebert
On Fri, 16 May 2014 16:30:30 -0400
James B. Byrne byrn...@harte-lyne.ca wrote:

[snip]

 Admin Country: US
 Admin Phone: +1.1115463768
  ^^^ Illegal NPA code in North America.
  They never start with 1 or 0. So far.
  However, the network allows one to set
  their caller ID to anything.


 
 The domain VVSDATABASEREL.COM is hosted in Denver Co but the contact
 and mail service are hidden by:
 
 Moniker Privacy Services vvsdatabaserel@monikerprivacy.net
 Moniker Privacy Services
 1800 SW 1st Avenue
 Suite 440
 Portland
 OR
 97201
 US
 
A word to Moniker making particular note about the phone number should
get their private status voided, making their registration public.

Privacy services generally take a dim view of being used to hide
spammers. I had occasion to contact another privacy service about a
customer hiding behind their service to spam confidentially. It was a
violation of the service's TOS. Within an hour they had dumped the
customer and changed the domain reg records from confidential to public
and sent me a copy of the records, which turned out to be of a major
spam kingpin in Florida.


jd




RE: SPAM from a registrar

2014-05-16 Thread Kevin Miller
Have you looked into Day old bread?  
http://wiki.apache.org/spamassassin/Rules/URIBL_RHS_DOB

 ...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4500
Registered Linux User No: 307357
-Original Message-
From: James B. Byrne [mailto:byrn...@harte-lyne.ca] 
Sent: Wednesday, May 14, 2014 8:52 AM
To: users@spamassassin.apache.org
Subject: SPAM from a registrar

This AM we received (and are continuing to receive) numerous spam messages from 
multiple domains that were all registered today (2014-05-14) with a company 
called enom, inc.  This firm is also the registrar for the mail server 
domain BOSJAW.com that is sending some if not all of the UCEM.  That server is 
hosted in CZ.

It seems likely that this is a planned UCEM campaign designed to use disposable 
domains, probably registered with stolen credit cards or some other form of 
fraud, in order to escape blacklisting services.  No doubt by tomorrow they 
will be abandoned.

Is there any test to check how long a domain name has been in existence and set 
a spam score with that information?

Along the same lines, is there any test to determine the country of origin of 
the IP address in the last hop before it connects to our servers?


-- 
***  E-Mail is NOT a SECURE channel  ***
James B. Byrne                mailto:byrn...@harte-lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive  vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada  L8E 3C3



Re: SPAM from a registrar

2014-05-16 Thread Axb

On 05/15/2014 04:31 PM, James B. Byrne wrote:


On Thu, May 15, 2014 09:08, David Jones wrote:

We use the fresh15.spameatingmonkey.net RBL.

http://spameatingmonkey.com/lists.html




I checked three domain names used by the spam messages received yesterday.
All of the domains were registered yesterday as well.  None of them report as
being in any of the fresh lists at spameatingmonkey.com.   Nor are they listed
in DOB at support-intelligence.net.  I have to wonder how soon after creation
new domains are added to the fresh lists.  Over 20% of the coverage period is
already over for fresh.spameatingmonkey.net and I suspect that the domain used
yesterday has already been abandoned.  At least we are getting the exact same
messages today from a bunch of different domains all registered with the same
registrar: enom.com.

At this point I would be willing to implement a rule to block all domains
registered with that registrar and be done with it.  Is there a spamassassin
whois plug-in that can parse and check the registrar and the domain creation
date?



Unless spameatingmonkey.com pays a LOT for hourly zone diffs, they sync 
zone data once/day so fresh is +- 24h.
Doing regular whois lookups on every URL domain in mail will get you 
rated very fast and you'll see your queue grow fast.

There are paid services which allow you fast bulk whois lookups.





RE: SPAM from a registrar

2014-05-16 Thread Chip M.
James, are these botnet or snowshoe spam?

When you get a chance, please provide some spamples (pastebin or 
elsewhere), as Kevin recommended.  Please mung JUST the email
addresses (e.g. change all email domains to example.com, and
change the victim account name to victim).  If the victim
accounts are NOT spamtraps/honeypots, don't worry about the other
headers, since you _DO_ want spammers to listwash you. :)

There's a high probability that others are seeing the same
campaign and can provide much better advice if we can see
exactly what you are seeing.
You ARE asking good questions, we just need a bit more data.

> Along the same lines, is there any test to determine the country
> of origin of the IP address in the last hop before it connects
> to our servers?

http://wiki.apache.org/spamassassin/RelayCountryPlugin

I've been using a homebrew equivalent for more than nine years,
and it's VERY helpful.

The downside is that it can also crank up your FP rate.

I only recommend using it if you have a decent quarantine and
retesting tool.

For example, I score VERY aggressively on IP-to-Nation and on
TLD-to-Nation tests, then retest (with a different balance of
scores) typically about 1 to 48 hours after initial arrival, at
which point more than 99% are on multiple reliable blocklists.
I briefly hand check the rest.  That takes much of the stress and
uncertainty out of filtering. :)
- Chip



RE: SPAM from a registrar

2014-05-16 Thread John Hardin

On Thu, 15 May 2014, James B. Byrne wrote:

> I have to wonder how soon after creation new domains are added to the 
> fresh lists.


That's a good question. The only way I can see to maintain such a list is 
if you have a registrar data feed, and I don't know what the latency in 
that is. I would *assume* it's pretty prompt, otherwise you'd see a lot of 
instances of two people registering the same domain name at the same 
time.


Of course, if they aren't registrars they may not be able to get a feed 
like that and may have to use some other means to get notified of new 
domain registrations, which would increase the latency. Also, a registrar 
data feed like that probably costs, to the point that a totally-free RBL 
would *have* to use higher-latency alternate means.



> At this point I would be willing to implement a rule to block all domains
> registered with that registrar and be done with it.  Is there a spamassassin
> whois plug-in that can parse and check the registrar and the domain creation
> date?


There is, but it's only experimental and its use for more than testing is 
NOT recommended.


Absent a registrar data feed the only way to get that data is via whois, 
and whois query traffic like that would likely be considered abusive and 
get you blocked.


If you're interested, look here: 
http://www.impsec.org/~jhardin/antispam/registrar_scoring/


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Liberals love sex ed because it teaches kids to be safe around their
  sex organs. Conservatives love gun education because it teaches kids
  to be safe around guns. However, both believe that the other's
  education goals lead to dangers too terrible to contemplate.
---
 715 days since the first successful private support mission to ISS (SpaceX)


RE: SPAM from a registrar

2014-05-16 Thread James B. Byrne

On Thu, May 15, 2014 09:08, David Jones wrote:
> We use the fresh15.spameatingmonkey.net RBL.
>
> http://spameatingmonkey.com/lists.html



I checked three domain names used by the spam messages received yesterday. 
All of the domains were registered yesterday as well.  None of them report as
being in any of the fresh lists at spameatingmonkey.com.   Nor are they listed
in DOB at support-intelligence.net.  I have to wonder how soon after creation
new domains are added to the fresh lists.  Over 20% of the coverage period is
already over for fresh.spameatingmonkey.net and I suspect that the domain used
yesterday has already been abandoned.  At least we are getting the exact same
messages today from a bunch of different domains all registered with the same
registrar: enom.com.

At this point I would be willing to implement a rule to block all domains
registered with that registrar and be done with it.  Is there a spamassassin
whois plug-in that can parse and check the registrar and the domain creation
date?




Re: SPAM from a registrar

2014-05-16 Thread Ian Zimmerman
On Thu, 15 May 2014 09:45:21 -0800
Kevin Miller kevin_mil...@ci.juneau.ak.us wrote:

> Have you looked into Day old bread?
> http://wiki.apache.org/spamassassin/Rules/URIBL_RHS_DOB

Just for the fun of it, I did a manual whois on the domain of one random
spam I got today which was not killed by SA.

Sure enough, the domain was a day old.

Running SA --debug on the spam I can see that the URIBL_RHS_DOB lookup is
attempted but comes back with NXDOMAIN.  So I have to question how
effective that rule really is ... I don't know how often the 
underlying RBL [1] refreshes - could that be the reason?

[1]
http://www.support-intelligence.com/dob/

-- 
Please *no* private copies of mailing list or newsgroup messages.


Re: SPAM from a registrar

2014-05-16 Thread Kevin A. McGrail

On 5/15/2014 10:31 AM, James B. Byrne wrote:
>
> On Thu, May 15, 2014 09:08, David Jones wrote:
>> We use the fresh15.spameatingmonkey.net RBL.
>>
>> http://spameatingmonkey.com/lists.html
>
> I checked three domain names used by the spam messages received yesterday.
> All of the domains were registered yesterday as well.  None of them report as
> being in any of the fresh lists at spameatingmonkey.com.   Nor are they listed
> in DOB at support-intelligence.net.  I have to wonder how soon after creation
> new domains are added to the fresh lists.  Over 20% of the coverage period is
> already over for fresh.spameatingmonkey.net and I suspect that the domain used
> yesterday has already been abandoned.  At least we are getting the exact same
> messages today from a bunch of different domains all registered with the same
> registrar: enom.com.
>
> At this point I would be willing to implement a rule to block all domains
> registered with that registrar and be done with it.  Is there a spamassassin
> whois plug-in that can parse and check the registrar and the domain creation
> date?

Enom is a big registrar and in fact owns the registrar I use 
(BulkRegister).  I'm surprised they are having an issue.  I'll try and 
reach out to them if you can give me a list of some of the domains you 
are seeing spam problems with.


Regards,
KAM


RE: SPAM from a registrar

2014-05-16 Thread David Jones
We use the fresh15.spameatingmonkey.net RBL.

http://spameatingmonkey.com/lists.html


From: James B. Byrne byrn...@harte-lyne.ca
Sent: Wednesday, May 14, 2014 11:51 AM
To: users@spamassassin.apache.org
Subject: SPAM from a registrar

This AM we received (and are continuing to receive) numerous spam messages
from multiple domains that were all registered today (2014-05-14) with a
company called enom, inc.  This firm is also the registrar for the mail
server domain BOSJAW.com that is sending some if not all of the UCEM.  That
server is hosted in CZ.

It seems likely that this is a planned UCEM campaign designed to use
disposable domains, probably registered with stolen credit cards or some other
form of fraud, in order to escape blacklisting services.  No doubt by tomorrow
they will be abandoned.

Is there any test to check how long a domain name has been in existence and
set a spam score with that information?

Along the same lines, is there any test to determine the country of origin of
the IP address in the last hop before it connects to our servers?




RE: SPAM from a registrar

2014-05-16 Thread David Jones

> On Thu, May 15, 2014 09:08, David Jones wrote:
>> We use the fresh15.spameatingmonkey.net RBL.
>>
>> http://spameatingmonkey.com/lists.html
>
> I checked three domain names used by the spam messages received yesterday.
> All of the domains were registered yesterday as well.  None of them report as
> being in any of the fresh lists at spameatingmonkey.com.   Nor are they listed
> in DOB at support-intelligence.net.  I have to wonder how soon after creation
> new domains are added to the fresh lists.  Over 20% of the coverage period is
> already over for fresh.spameatingmonkey.net and I suspect that the domain used
> yesterday has already been abandoned.  At least we are getting the exact same
> messages today from a bunch of different domains all registered with the same
> registrar: enom.com.

SEM does provide value even if it's not completely up to date.  That being 
said, I guess I have the same problem you do and need to do some more research.

> At this point I would be willing to implement a rule to block all domains
> registered with that registrar and be done with it.  Is there a spamassassin
> whois plug-in that can parse and check the registrar and the domain creation
> date?

Enom is a very large registrar that has sub-registrars so this could be risky.


Re: SPAM from a registrar

2014-05-16 Thread Tom Hendrikx
On 15-05-14 16:31, James B. Byrne wrote:
>
> On Thu, May 15, 2014 09:08, David Jones wrote:
>> We use the fresh15.spameatingmonkey.net RBL.
>>
>> http://spameatingmonkey.com/lists.html
>
> I checked three domain names used by the spam messages received
> yesterday. All of the domains were registered yesterday as well.
> None of them report as being in any of the fresh lists at
> spameatingmonkey.com.   Nor are they listed in DOB at
> support-intelligence.net.  I have to wonder how soon after
> creation new domains are added to the fresh lists.  Over 20% of the
> coverage period is already over for fresh.spameatingmonkey.net and
> I suspect that the domain used yesterday has already been
> abandoned.  At least we are getting the exact same messages today
> from a bunch of different domains all registered with the same 
> registrar: enom.com.
>
> At this point I would be willing to implement a rule to block all
> domains registered with that registrar and be done with it.  Is
> there a spamassassin whois plug-in that can parse and check the
> registrar and the domain creation date?
>

This depends on the actual domains you're seeing, and your setup
of course, but postfix has a feature that can check the MX and NS
records of the envelope sender or the hostname of the connecting IP. If
these are all the same, you could block connections based on those.

See http://www.postfix.org/postconf.5.html#smtpd_client_restrictions
and www.postfix.org/postconf.5.html#smtpd_client_restrictions,
especially the check_*_mx_access and check_*_ns_access directives.

Tom


Re: SPAM from a registrar

2014-05-16 Thread James B. Byrne

On Fri, May 16, 2014 15:50, Kevin A. McGrail wrote:

> Enom is a big registrar and in fact owns the registrar I use
> (BulkRegister).  I'm surprised they are having an issue.  I'll try and
> reach out to them if you can give me a list of some of the domains you
> are seeing problems with spam.
>
> Regards,
> KAM


Other than the domain names and the registration date they are all identical
to this and there are dozens registered every day.

Domain Name: EYESUBELL.COM
Registry Domain ID: NA
Registrar WHOIS Server: whois.enom.com
Registrar URL: www.enom.com
Updated Date: 2014-05-16 12:41:15Z
Creation Date: 2014-05-16 19:41:00Z
Registrar Registration Expiration Date: 2015-05-16 19:41:00Z
Registrar: ENOM, INC.
Registrar IANA ID: 48
Registrar Abuse Contact Email: ab...@enom.com
Registrar Abuse Contact Phone: +1.4252744500
Domain Status: clientTransferProhibited
Registry Registrant ID:
Registrant Name: ADMIN NOC
Registrant Organization: -
Registrant Street: 515 OAKLANE
Registrant City: MCPHERSON
Registrant State/Province: KS
Registrant Postal Code: 67460
Registrant Country: US
Registrant Phone: +1.1115463768
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: ad...@vvsdatabaserel.com
Registry Admin ID:
Admin Name: ADMIN NOC
Admin Organization: -
Admin Street: 515 OAKLANE
Admin City: MCPHERSON
Admin State/Province: KS
Admin Postal Code: 67460
Admin Country: US
Admin Phone: +1.1115463768
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: ad...@vvsdatabaserel.com
Registry Tech ID:
Tech Name: ADMIN NOC
Tech Organization: -
Tech Street: 515 OAKLANE
Tech City: MCPHERSON
Tech State/Province: KS
Tech Postal Code: 67460
Tech Country: US
Tech Phone: +1.1115463768
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: ad...@vvsdatabaserel.com
Name Server: DNS1.NAME-SERVICES.COM
Name Server: DNS2.NAME-SERVICES.COM
Name Server: DNS3.NAME-SERVICES.COM
Name Server: DNS4.NAME-SERVICES.COM
Name Server: DNS5.NAME-SERVICES.COM
DNSSEC: unSigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
Last update of WHOIS database: 2014-05-16 12:41:15Z


Whoever this is, they have been doing this using the same address since at
least 2014.  I found this one by googling the address:


Domain Name: ELMVETSHEEP.COM
Registry Domain ID: 1847263901_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.enom.com
Registrar URL: www.enom.com
Updated Date: 2014-04-23 08:30:14Z
Creation Date: 2014-02-19 16:41:00Z
Registrar Registration Expiration Date: 2015-02-19 16:41:00Z
Registrar: ENOM, INC.
Registrar IANA ID: 48
Registrar Abuse Contact Email: ab...@enom.com
Registrar Abuse Contact Phone: +1.4252744500
Domain Status: clientTransferProhibited
Registry Registrant ID:
Registrant Name: ADMIN NOC
Registrant Organization: -
Registrant Street: 515 OAKLANE
Registrant City: MCPHERSON
Registrant State/Province: KS
Registrant Postal Code: 67460
Registrant Country: US
Registrant Phone: +1.1115463768
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: ad...@vvsdatabaserel.com


The domain VVSDATABASEREL.COM is hosted in Denver, CO but the contact and mail
service are hidden by:

Moniker Privacy Services vvsdatabaserel@monikerprivacy.net
Moniker Privacy Services
1800 SW 1st Avenue
Suite 440
Portland
OR
97201
US



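A scorer built on records like the two above, as an added example that is not part of the thread or of SpamAssassin: it parses a captured WHOIS record (sample fields copied from the two records quoted here, constructed inline), computes the domain age for the kind of "fresh domain" score James asked about, and fingerprints the registrant contact fields so records from one identity cluster together, as James did by hand. The 15-day window, the 3.0 weight and the arrival time are assumptions, and the code deliberately does no live whois, given the rate-limiting warning earlier in the thread.

```python
import re
from datetime import datetime, timezone
# Constructed samples: the fields this example reads, copied from the two WHOIS records in the thread.
WHOIS_EYESUBELL = """\
Domain Name: EYESUBELL.COM
Creation Date: 2014-05-16 19:41:00Z
Registrar: ENOM, INC.
Registrant Street: 515 OAKLANE
Registrant Phone: +1.1115463768
Registrant Phone Ext:
Registrant Email: ad...@vvsdatabaserel.com
"""
WHOIS_ELMVETSHEEP = """\
Domain Name: ELMVETSHEEP.COM
Creation Date: 2014-02-19 16:41:00Z
Registrar: ENOM, INC.
Registrant Street: 515 OAKLANE
Registrant Phone: +1.1115463768
Registrant Email: ad...@vvsdatabaserel.com
"""
SEEN_AT = datetime(2014, 5, 16, 22, 0, tzinfo=timezone.utc)  # constructed arrival time of the mail
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z /]*?):\s*(.*?)\s*$")

def parse_whois(text):
    """'Key: value' lines -> dict; empty values (e.g. 'Registrant Phone Ext:') are dropped."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m and m.group(2):
            fields.setdefault(m.group(1), m.group(2))
    return fields

def domain_age_days(fields, observed_at):
    """Whole days from creation to observation; None if unparseable. Clamped at 0 because
    registrar clocks skew: the quoted record's 'Updated Date' precedes its 'Creation Date'."""
    raw = fields.get("Creation Date")
    if not raw:
        return None
    try:
        created = datetime.strptime(raw, "%Y-%m-%d %H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    return max((observed_at - created).days, 0)

def age_score(days, window_days=15, max_score=3.0):
    """Score increment tapering from max_score on day 0 to 0 at the window's end.
    The 15-day window echoes the fresh15 list name; the weights are assumptions."""
    if days is None or days >= window_days:
        return 0.0
    return round(max_score * (window_days - days) / window_days, 2)

def registrant_fingerprint(fields):
    """Normalised registrant contacts, so records under one identity cluster together."""
    keys = ("Registrant Street", "Registrant Phone", "Registrant Email")
    return tuple(" ".join(fields.get(k, "").lower().split()) for k in keys)

if __name__ == "__main__":
    for f in map(parse_whois, (WHOIS_EYESUBELL, WHOIS_ELMVETSHEEP)):
        print(f["Domain Name"], domain_age_days(f, SEEN_AT), registrant_fingerprint(f))
```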



Re: SPAM from a registrar

2014-05-16 Thread Karsten Bräckelmann
On Fri, 2014-05-16 at 12:14 -0700, Ian Zimmerman wrote:
> Just for the fun of it, I did a manual whois on the domain of one random
> spam I got today which was not killed by SA.
>
> Sure enough, the domain was a day old.
>
> Running SA --debug on the spam I can see that the URIBL_RHS_DOB lookup is
> attempted but comes back with NXDOMAIN.  So I have to question how
> effective that rule really is ... I don't know how often the
> underlying RBL [1] refreshes - could that be the reason?

Yes, it might be the reason. In which case a subsequent SA debug re-run
should eventually hit the DOB rule.

I don't know whether DOB limits DNS queries of a single host.

However, if you *never* get that rule firing, the NXDOMAIN result may
indicate exceeding a query limit. Do you use a local caching DNS
resolver, or does SA use your upstream ISP's one, along with a million
other SA instances?


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}



Re: SPAM from a registrar

2014-05-16 Thread Ian Zimmerman
On Sat, 17 May 2014 01:34:58 +0200
Karsten Bräckelmann guent...@rudersport.de wrote:

> I don't know whether DOB limits DNS queries of a single host.
>
> However, if you *never* get that rule firing, the NXDOMAIN result may
> indicate exceeding a query limit. Do you use a local caching DNS
> resolver, or does SA use your upstream ISP's one, along with a million
> other SA instances?

Excellent point.  I _used to_ run a local DNS cache, but got rid of it a
few months ago, in the name of simplicity.  Was that a good or bad thing
to do in the current context?



RE: SPAM from a registrar

2014-05-15 Thread Philippe Ratté
This is probably what you are looking for: 

http://wiki.apache.org/spamassassin/Rules/URIBL_RHS_DOB

> -----Original Message-----
> From: James B. Byrne [mailto:byrn...@harte-lyne.ca]
> Sent: Wednesday, May 14, 2014 12:52 PM
> To: users@spamassassin.apache.org
> Subject: SPAM from a registrar
>
> This AM we received (and are continuing to receive) numerous spam messages
> from multiple domains that were all registered today (2014-05-14) with a
> company called enom, inc.  This firm is also the registrar for the mail
> server domain BOSJAW.com that is sending some if not all of the UCEM.  That
> server is hosted in CZ.
>
> It seems likely that this is a planned UCEM campaign designed to use
> disposable domains, probably registered with stolen credit cards or some other
> form of fraud, in order to escape blacklisting services.  No doubt by tomorrow
> they will be abandoned.
>
> Is there any test to check how long a domain name has been in existence and
> set a spam score with that information?
>
> Along the same lines, is there any test to determine the country of origin of
> the IP address in the last hop before it connects to our servers?
>