Since last winter I've been using a variation on Gordon Messmer's
ratelimit pythonfilter module to bump up rate limiting params on emails
for which the helo DN could be identified as using one of a rather
limited number of name servers. This has worked quite well until
recently. I've begun to see a new trend. Spammers are using DNs with a
much larger variety of domain name servers with DNs such as
"pinkpiglethousing.com" and "superhappycatshowl.co". This could be an
inevitable result of the proliferation of new TLDs.

What seems to be characteristic of these new name servers is that if one
applies a NS lookup recursively to these names one comes back to name
servers on the "short list".

i.e. (ddig is my CLI script which looks up name servers for a DN):

# ddig babybubbly.faith [this is a helo DN from a multi-IP spam]
ns1.pinkpiglethousing.com.

# ddig pinkpiglethousing.com
dns2.registrar-servers.com.
dns5.registrar-servers.com.
dns3.registrar-servers.com.
dns4.registrar-servers.com.
dns1.registrar-servers.com.

# ddig registrar-servers.com
dns1.name-services.com.
dns2.name-services.com.
dns5.name-services.com.
dns4.name-services.com.
dns3.name-services.com.

# ddig name-services.com
dns4.name-services.com.
dns5.name-services.com.
dns2.name-services.com.
dns3.name-services.com.
dns1.name-services.com.

Both name-services.com and registrar-servers.com are on my short list of
suspect spammer name servers, and have been for some time.

What's needed now, apparently, is a _recursive_ analysis of the helo
host DN, or as Gordon suggests, the envelope from address DN. Recursion
should continue until one reaches a name server that's self-referencing,
as is name-services.com in this example.

One of my colleagues here in Austin is Brad Knowles, one of the Mailman
mailing list developers who worked for AOL for some time, some years
ago, helping them develop algorithms for identifying spam. He's the one
who pointed out to me that looking at the name servers used to resolve
spam DNs is an excellent tool for identifying spam, since this seems to
be a rather limited pool of servers, probably associated with the
practice of domain name tasting.

Gordon, your thoughts?

-- 
Lindsay Haisley       | "UNIX is user-friendly, it just
FMP Computer Services |       chooses its friends."
512-259-1190          |          -- Andreas Bogk
http://www.fmp.com    |
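The recursive walk described in the post, written out as an added example (this is not Lindsay's ddig script nor Gordon Messmer's ratelimit module). It assumes an in-memory NS table, `FAKE_NS`, in place of real DNS queries: the entries for babybubbly.faith and its delegations reproduce the ddig output quoted above, while the `*.test` entries are constructed to exercise a delegation loop, a zone split across two providers, and a name that does not resolve. The short list is the two providers the post names. The `parent_domain()` heuristic (last two labels) is a simplification that would need a public suffix list for ccTLD second-level domains.

```python
"""Recursive NS analysis: walk a domain's name-server delegations until they
become self-referencing, then check everything reached against a short list.
Added example; not code from the post or from pythonfilter."""
from typing import Callable, Dict, List, Tuple

# Constructed stand-in for DNS. The first four entries reproduce the ddig
# output quoted in the post; the *.test entries are invented for edge cases.
# A real filter would swap fake_lookup() for an actual NS query.
FAKE_NS: Dict[str, List[str]] = {
    "babybubbly.faith": ["ns1.pinkpiglethousing.com."],
    "pinkpiglethousing.com": [
        "dns2.registrar-servers.com.", "dns5.registrar-servers.com.",
        "dns3.registrar-servers.com.", "dns4.registrar-servers.com.",
        "dns1.registrar-servers.com.",
    ],
    "registrar-servers.com": [
        "dns1.name-services.com.", "dns2.name-services.com.",
        "dns5.name-services.com.", "dns4.name-services.com.",
        "dns3.name-services.com.",
    ],
    "name-services.com": [
        "dns4.name-services.com.", "dns5.name-services.com.",
        "dns2.name-services.com.", "dns3.name-services.com.",
        "dns1.name-services.com.",
    ],
    # constructed: two zones that delegate to each other and never become
    # self-referencing, so the walk must terminate on its own
    "loop-a.test": ["ns.loop-b.test."],
    "loop-b.test": ["ns.loop-a.test."],
    # constructed: a zone served by a suspect provider and a clean one
    "mixed.test": ["ns1.name-services.com.", "ns1.cleanhost.test."],
    "cleanhost.test": ["ns1.cleanhost.test."],
}

# The two providers the post names as being on its short list.
SHORT_LIST = frozenset({"name-services.com", "registrar-servers.com"})

Lookup = Callable[[str], List[str]]


def fake_lookup(name: str) -> List[str]:
    """Return NS hostnames for `name`, or [] when nothing resolves."""
    return FAKE_NS.get(name, [])


def parent_domain(host: str) -> str:
    """Registrable domain of an NS host, e.g. ns1.foo.com. -> foo.com.
    Simplification: keeps the last two labels, which is wrong under
    two-level public suffixes such as co.uk."""
    labels = host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def ns_domains(domain: str, lookup: Lookup) -> List[str]:
    """Distinct domains hosting `domain`'s name servers, sorted."""
    return sorted({parent_domain(h) for h in lookup(domain)})


def walk_ns_chain(domain: str, lookup: Lookup,
                  max_nodes: int = 50) -> Tuple[List[str], List[str]]:
    """Breadth-first walk of NS delegations starting at `domain`.

    Returns (reached, roots): every NS domain reached, in discovery order,
    and the subset that is self-referencing (serves its own zone), which is
    where the post says recursion should stop. Domains already seen are
    never re-queued, so delegation loops terminate; max_nodes bounds the
    walk on pathological graphs."""
    start = domain.rstrip(".").lower()
    reached: List[str] = []
    roots: List[str] = []
    seen = {start}
    queue = [start]
    while queue and len(reached) < max_nodes:
        current = queue.pop(0)
        for parent in ns_domains(current, lookup):
            if parent == current:
                if current not in roots:
                    roots.append(current)
            elif parent not in seen:
                seen.add(parent)
                reached.append(parent)
                queue.append(parent)
    return reached, roots


def analyze(domain: str, lookup: Lookup = fake_lookup,
            short_list=SHORT_LIST) -> dict:
    """Summarize a walk: NS chain, self-referencing roots, short-list hits."""
    reached, roots = walk_ns_chain(domain, lookup)
    return {
        "domain": domain,
        "ns_domains": reached,
        "roots": roots,
        "suspect": sorted((set(reached) | set(roots)) & set(short_list)),
    }


if __name__ == "__main__":
    for name in ("babybubbly.faith", "mixed.test", "loop-a.test", "nowhere.test"):
        print(analyze(name))
```

The walk is breadth-first rather than a single chain because a zone may spread its NS hosts across several providers (the constructed `mixed.test` case); every provider reached is checked, so one suspect provider among several is still flagged. The `seen` set is what keeps a loop between two non-self-referencing zones from recursing forever.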


_______________________________________________
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users