Quoting Jonas Eckerman <[EMAIL PROTECTED]>:

> (The idea below is not mine, someone else (I'm sorry, but I
> forgot who) wrote about it here (I think) before.)
>
> Giampaolo Tomassoni wrote:
>
> > brand-new domains,
>
> Something that could work for this without the problems inherent
> in using whois or registry databases is to simply check how long
> ago a domain was first seen being used for sending mail or in
> URIs in mail. (People might already be doing this locally, but
> doing it centralized could work better.)
>
> A specialized DNS server could be done for this. It'd work
> something like this:
>
> 1: It receives a query.
>
> 2: It checks in its database.
>
> 3.a, found in database:
> * Return result indicating how long ago domain was added.
>
> 3.b: not found:
> * Adds the domain to the database.
> * Return result indicating new domain.
This is a very good idea, and could be used as a partial substitute for the Day
Old Bread list.  I particularly like that it could be relatively lightweight
and automatic.

Naturally there are some complications:

1.  What happens if the domain is re-registered before it's delisted?

2.  What happens with tasting (kited) domains that get used for 5 days, then
unregistered, re-registered, etc.

3.  It wouldn't distinguish good domains from bad (but nor does DOB).

As Giampaolo points out, it could be fairly trivially poisoned by the bad guys
submitting misleading queries.  Remember that many spam URI domains appear
before they exist in the whois data or are even delegated from the TLD zones.
(The former is a problem for URIWhois too, it would seem.)

The quick answer to these issues is that whois is only partially useful.

1.  The contact information on spam domains is often false, misleading or stolen
as part of identity theft, so it's not always useful.  (That said, there are
sometimes useful patterns in the contact info.)

2.  As mentioned above the whois data is sometimes populated *after* the domains
start appearing in spams.  Remember that the whois data is still mostly batch
processed once or twice a day.  Many of the TLD zone files (where the DNS
delegations actually come from) are updated in near real time.  IOW the whois
data can significantly lag usable domains.

3.  Nameserver information in whois can be misleading:

  A.  The nameservers and/or their IPs are sometimes changed after the domain is
initially registered, either before or after the domain appears in messages.

  B.  The nameservers in the whois are not always the ones that finally resolve
a domain.  There can be long chains of delegations before getting a final
answer.  Sometimes only 1 of the whois-listed nameservers actually works.
Sometimes none of them work or exist only in DNS caches.

  C.  Spam nameservers have been known to give misleading responses or block
access to anti-spammers, malware researchers, etc.

There are many other factors besides domain age that can be used to help
identify spam domains, and SURBL does use many of them, though we expect to use
them more effectively going forward.  This is largely without reference to the
whois data which for some of the reasons mentioned above are not always
reliable or useful.

Domain age is only one factor, and considering other factors can make for a
significantly more useful blacklist.

Cheers,

Jeff C.
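Jonas's three-step lookup, written out as an added example (not code from this thread or from SURBL); the in-memory dictionary, the five-day "young" window and the domain normalisation are my assumptions:

```python
from datetime import datetime, timedelta, timezone


class FirstSeenRegistry:
    """In-memory stand-in for the proposed 'first seen' DNS server.

    query() follows the proposal: look the domain up, return its age if it
    is known, otherwise record it now and report it as a new domain.
    """

    def __init__(self, young_days=5):
        self.first_seen = {}                       # domain -> UTC time of first query
        self.young = timedelta(days=young_days)    # assumed 'recently seen' window

    @staticmethod
    def normalise(domain):
        # Lower-case and drop the trailing dot so 'Example.COM.' matches 'example.com'.
        return domain.strip().lower().rstrip(".")

    def query(self, domain, now=None):
        now = now or datetime.now(timezone.utc)    # step 1: a query arrives
        name = self.normalise(domain)
        seen = self.first_seen.get(name)           # step 2: check the database
        if seen is None:                           # step 3.b: not found
            # Any query seeds the entry, which is exactly why the list can be
            # poisoned by misleading queries, as the thread notes.
            self.first_seen[name] = now
            return {"domain": name, "new": True, "age_days": 0.0, "young": True}
        age = now - seen                           # step 3.a: found, report the age
        return {"domain": name, "new": False,
                "age_days": age.total_seconds() / 86400,
                "young": age < self.young}


if __name__ == "__main__":
    # Constructed sample: the same domain queried three times over ten days.
    registry = FirstSeenRegistry()
    t0 = datetime(2007, 1, 1, tzinfo=timezone.utc)
    for offset in (0, 2, 10):
        print(registry.query("Example.COM.", now=t0 + timedelta(days=offset)))
```

A mail filter would treat a "young" answer as one scoring factor, alongside the others Jeff lists, rather than as a verdict on its own.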
