On Aug 27, 2007, at 11:39 AM, Kelson wrote:
Jason Bertoch wrote:
Is it wise to blacklist both, or is this yet another case where
SPF has failed
to meet projections?
It's a case where the spammer has just handed you useful
information: You know for sure that the domain name is, indeed, the
spammer's domain name, and not an innocent third-party's.
Blacklist it without hesitation!
Yes, that usage was exactly the design intent of SPF.
Once you move from IP to domain reputation, you can do many
interesting things.
For example, you can go from the known-bad domain to its nameservers.
You can then go from those nameservers to detect other bad domains.
The URIBL plugin associates URL -> domain -> IP -> reputation lookup.
I am writing a similar plugin that associates domain -> NS ->
reputation lookup.
