Jim Maul wrote:
Stream Service || Mark Scholten wrote:
As far as I know it isn't possible to have a TTL that is too low (if I may believe the RFC files). It is also impossible to have too many A-records. With both facts in mind I would suggest that you find another method of detecting SPAM.


Most SA rules look for spam signs, not RFC violations. Now whether or not these are good spam signs I do not know...

-Jim


They are good spam signs. Not always spam though, because sometimes a domain that is changing IP addresses has turned down a TTL temporarily, so you'd want to combine such a test with other factors, but SA is good at that! I've noticed some ISPs ignore small TTLs, presumably with an intended (or unintended) side-effect that they actually fail to resolve a lot of these fast-flux spam domains. For some interesting reading on this, see: http://www.honeynet.org/papers/ff/index.html

Ken


--
Ken Anderson
Pacific.Net
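
The point made in the thread, that a low TTL or many A records is a sign to be weighed with others rather than a verdict, is sketched here as an added example; it is not code from the thread or from SpamAssassin. The thresholds, the weights and the extra "scattered across /24 networks" check are assumptions, and the DNS answers are constructed from documentation address ranges.

```python
import ipaddress

# Constructed dig-style answer sections (documentation address ranges only).
FLUXY = """\
flux.example. 120 IN A 192.0.2.10
flux.example. 120 IN A 198.51.100.23
flux.example. 120 IN A 203.0.113.77
flux.example. 120 IN A 192.0.2.200
flux.example. 120 IN A 198.51.100.9
"""
MIGRATING = """\
www.example. 60 IN A 192.0.2.80
"""
STABLE = """\
www.example. 86400 IN A 192.0.2.80
www.example. 86400 IN A 192.0.2.81
"""

# Assumed thresholds and weights; tune against your own mail flow.
LOW_TTL = 300    # seconds
MANY_A = 5       # distinct A records
MANY_NETS = 3    # distinct /24 networks

def parse_a_records(answer):
    """Return [(ttl, IPv4Address)] for the A records in a dig-style answer."""
    records = []
    for line in answer.splitlines():
        fields = line.split()
        if len(fields) == 5 and fields[2] == "IN" and fields[3] == "A":
            records.append((int(fields[1]), ipaddress.IPv4Address(fields[4])))
    return records

def flux_signals(answer):
    """Report each sign separately so a scorer can weigh it with other tests."""
    records = parse_a_records(answer)
    if not records:
        return {"low_ttl": False, "many_a": False, "scattered": False, "score": 0.0}
    min_ttl = min(ttl for ttl, _ in records)
    addrs = {ip for _, ip in records}
    nets = {ipaddress.ip_network(f"{ip}/24", strict=False) for ip in addrs}
    signals = {
        "low_ttl": min_ttl < LOW_TTL,
        "many_a": len(addrs) >= MANY_A,
        "scattered": len(nets) >= MANY_NETS,
    }
    # A low TTL alone (a domain mid-migration) earns little; the combination earns more.
    signals["score"] = 0.5 * signals["low_ttl"] + 1.0 * signals["many_a"] + 1.0 * signals["scattered"]
    return signals
```
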
