On Fri, 7 Nov 2008, FractalBob wrote:

> Thanks, Mouss, for the pointers, but I still don't understand where the
> addresses and phone numbers in 70_sare_evilnum come from. Can SpamAssassin
> be configured to scan a message, pick up a domain and then do a WHOIS
> search, or did someone go through a few e-mails by hand, query WHOIS using
> the domain names found and add the phone #/address info to 70_sare_evilnum?
> I kind of doubt the second possibility, but had to ask ;-)

Those rules have nothing to do with WHOIS or the domain registration data of the sender. From the rules page:

  70_sare_evilnum*.cf
  Description:  Addresses and phone numbers harvested from spam

Somebody went through a spam corpus and pulled out addresses and phone numbers that were common. How often do you see a phone number or contact address in a spam any more? That is information that can be used to identify and prosecute the spammer. That's why they use hacked or fast-flux DNS websites these days.

(Is anybody willing to do a hit analysis of the evilnum rules to see if they indeed do have any value any more?)

A much better way to do that sort of thing now is to subscribe to the SOUGHT ruleset, which is dynamically generated from recent spam traffic.

A SA plugin can certainly be written to perform WHOIS lookups on information derived from a message - as an experiment I wrote one that would look up the sending domain's registrar and compare it to a list of registrars known to be spam-friendly. However, this is likely to be considered abusive of the whois system and if put into production will likely not work for long - the whois providers will likely block your MTA's IP address fairly soon.

So in other words, SA WHOIS lookups = bad idea.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174     pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  ...to announce there must be no criticism of the President or to
  stand by the President right or wrong is not only unpatriotic and
  servile, but is morally treasonous to the American public.
                                          -- Theodore Roosevelt, 1918
-----------------------------------------------------------------------
 4 days until Veterans Day
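
The hit analysis asked about in the message above, sketched as an added example (not part of the original message and not SpamAssassin's own tooling): it tallies rule hits from the X-Spam-Status header of a hand-labelled corpus and reports, per rule, how often it fires on spam versus ham. The corpus is constructed, and the rule prefix `EVILNUM_PLACEHOLDER_` is a hypothetical stand-in for whatever names the evilnum rules actually carry.

```python
import re
from collections import Counter
from email import message_from_string

PREFIX = "EVILNUM_PLACEHOLDER_"  # hypothetical prefix, not a real rule name

def _msg(label, tests):
    # Build one constructed message; tests=None means it was never tagged.
    if tests is None:
        return "Subject: constructed sample\n\nbody\n"
    status = "Yes" if label == "spam" else "No"
    return ("Subject: constructed sample\n"
            "X-Spam-Status: %s, score=0.0 required=5.0\n\ttests=%s\n"
            "\tautolearn=no version=3.2.5\n\nbody\n" % (status, tests))

# Constructed, hand-labelled corpus. The first entry folds the tests list
# across two header lines, as long headers are folded in real mail.
CORPUS = [(label, _msg(label, tests)) for label, tests in [
    ("spam", "BAYES_99,EVILNUM_PLACEHOLDER_A,\n\tURIBL_BLACK"),
    ("spam", "BAYES_99,URIBL_BLACK"),
    ("spam", "EVILNUM_PLACEHOLDER_A,EVILNUM_PLACEHOLDER_B"),
    ("spam", "BAYES_99"),
    ("ham", "none"),
    ("ham", "BAYES_00"),
    ("ham", "BAYES_00,EVILNUM_PLACEHOLDER_B"),
    ("ham", None),
]]

def rules_hit(raw):
    """Return the set of rule names in a message's X-Spam-Status header."""
    header = message_from_string(raw).get("X-Spam-Status", "")
    unfolded = re.sub(r",\s+", ",", header)  # rejoin a folded tests= list
    match = re.search(r"tests=(\S*)", unfolded)
    if not match or match.group(1) in ("", "none"):
        return set()
    return {name for name in match.group(1).split(",") if name}

def hit_analysis(corpus, prefix=PREFIX):
    """Per-rule spam %, ham % and spam share for rules starting with prefix."""
    totals, hits = Counter(), {"spam": Counter(), "ham": Counter()}
    for label, raw in corpus:
        totals[label] += 1
        hits[label].update(r for r in rules_hit(raw) if r.startswith(prefix))
    report = {}
    for rule in sorted(set(hits["spam"]) | set(hits["ham"])):
        s = hits["spam"][rule] / totals["spam"] if totals["spam"] else 0.0
        h = hits["ham"][rule] / totals["ham"] if totals["ham"] else 0.0
        # s_o: spam rate over the sum of both rates; 1.0 = fires on spam only
        report[rule] = {"spam_pct": 100 * s, "ham_pct": 100 * h, "s_o": s / (s + h)}
    return report

if __name__ == "__main__":
    for rule, row in hit_analysis(CORPUS).items():
        print("%-24s spam %5.1f%%  ham %5.1f%%  s/o %.2f" % (
            rule, row["spam_pct"], row["ham_pct"], row["s_o"]))
```

A rule that hits a small share of current spam, or whose `s_o` sits near 0.5, adds little to scoring; rules that never fire do not appear in the report at all.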
