At 02:20 24-5-2005, you wrote:

        A similar idea, without the "back-channel" flaw is to test the
domain for either 'CNAME' or 'A' record `wildcards' (as in the command
"dig '*.spammer_domain.tld' a" and "dig '*.spammer_domain.tld' cname").
This is an excellent spam sign (the host portion of the name is often
mapped back into a database to determine the actual recipient).  Legitimate
domains will use wildcards for 'NS', 'MX' and even occasionally for some
more obscure records, but an 'A' or 'CNAME' record is nearly always a
spammer.

I don't agree.
I know of a few popular hosting solutions that create wildcard A entries. H-Sphere (www.hsphere.com) for example is a very popular one used by many large webhosts. There is currently NO way for an end user to remove the wildcard A entry pointing back to their webserver IP.

Basically this means that many smaller companies (not yet using dedicated webservers) would be victims of this scanning method.



Marcel Veldhuizen
The Netherlands
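
The wildcard test from the quoted message, adjusted for the hosting-panel case raised in the reply, as an added example that is not code from this thread. The function names, the result labels, and the rule of comparing the wildcard 'A' target against the domain's own `www` address are assumptions; the records are constructed samples in `dig +noall +answer` format.

```python
# Added example: classify wildcard A/CNAME answers instead of treating
# every wildcard as spam. All sample records are constructed.
HOSTED_WILD = "*.smallco.test.\t3600\tIN\tA\t192.0.2.10\n"
HOSTED_WWW = "www.smallco.test.\t3600\tIN\tA\t192.0.2.10\n"
OTHER_WILD = "*.bulk.test.\t300\tIN\tA\t198.51.100.7\n"
OTHER_WWW = "www.bulk.test.\t300\tIN\tA\t203.0.113.5\n"


def parse_answers(text):
    """Return (owner, rtype, rdata) tuples from dig answer-section lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # skip blanks and dig comment lines
        fields = line.split()
        # Expected layout: owner TTL class type rdata...
        if len(fields) < 5 or fields[2].upper() != "IN":
            continue
        owner = fields[0].lower().rstrip(".")
        records.append((owner, fields[3].upper(), " ".join(fields[4:])))
    return records


def classify(domain, wildcard_text, www_text):
    """Label the result of querying '*.domain' for A and CNAME records.

    wildcard_text: answers to dig '*.domain' a / cname
    www_text:      answers to dig 'www.domain' a
    """
    domain = domain.lower().rstrip(".")
    wild = [r for r in parse_answers(wildcard_text) if r[0] == "*." + domain]
    wild_a = {r[2] for r in wild if r[1] == "A"}
    wild_cname = {r[2] for r in wild if r[1] == "CNAME"}
    www_a = {r[2] for r in parse_answers(www_text) if r[1] == "A"}

    if not wild_a and not wild_cname:
        return "no-wildcard"
    # Assumed rule: a wildcard A that only points back at the site's own
    # web server matches the hosting-panel behaviour described in the reply.
    if wild_a and not wild_cname and wild_a <= www_a:
        return "wildcard-to-own-webserver"
    return "wildcard-other"


if __name__ == "__main__":
    print(classify("smallco.test", HOSTED_WILD, HOSTED_WWW))
    print(classify("bulk.test", OTHER_WILD, OTHER_WWW))
```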
