On Thu, 2016-09-08 at 13:44 +0000, Chip M. wrote:
> On Thu, 8 Sep 2016, "lists [at] rhsoft.net" wrote:
> >
> > i get a diff-output per mail each time the mailserver configs
> > are changing
> That's a completely valid approach, and I am a big fan of
> pre-emptive first strike (only as applied to potentially evil
> email).
>
> However, the vast majority of those TLDs will never
> "go rogue", so I prefer to block on actual abuse
> (Jason's approach), or likelihood of abuse, specifically, very
> low cost. Jason appears to have much higher volume than I do,
> so he'd be a good source of data for me and others.
The issue is much more nuanced. There are registrars who offer what's called "domain name tasting" on newly created TLDs. Under this policy, a name may be registered and put into service _before_ payment is made for the registration. At one time Network Solutions had this policy even for the common TLDs, .com, .org, etc. Spammers pay nothing for the use of such a name, and discard it for a new one before payment for the name is required.

One of the choke-points for commercial spammers is the provision of an authoritative name server for their domain names, and I've found it very effective to do a recursive sequence of server look-ups on the DN in the HELO or EHLO addresses until a name server is found with a DN for which the authoritative name server has the same DN. This boils down to a list of less than 10 domain names. I apply a rather strict form of rate limiting to messages originating from the same /24 IP address group if the HELO DN gets resolved to a name on this list. This has so far been 100% effective with no evidence of false positives.

This may be out of the realm of SA. I apply this test using a python program written to work with Gordon Messmer's courier-pythonfilter for Courier-MTA.

--
Lindsay Haisley       | "We have met the enemy and he is us."
FMP Computer Services |
512-259-1190          |              -- Pogo
http://www.fmp.com    |
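The NS-walk plus per-/24 rate limiting that Lindsay describes above, as an added example; this is not his courier-pythonfilter program and is not taken from the original message. The DNS data is a constructed in-memory table standing in for live NS queries, the choke-point list is hypothetical, and the "last two labels" approximation of the registrable domain is an assumption (a real deployment would use the Public Suffix List); the 4xx "defer" outcome on rate-limit hits is likewise an assumed action.

```python
import ipaddress
import time
from collections import defaultdict, deque

# Constructed stand-in for live DNS NS lookups (a real filter would query a
# resolver): registrable domain -> authoritative name server hostnames.
STUB_NS_RECORDS = {
    "promo-tasting.example": ["ns1.bulkdns.example"],
    "bulkdns.example": ["ns1.spamhost.example", "ns2.spamhost.example"],
    "spamhost.example": ["ns1.spamhost.example", "ns2.spamhost.example"],
    "legit.example": ["ns1.legit.example", "ns2.legit.example"],
}

# Hypothetical choke-point list: terminal name-server domains that have only
# ever been seen serving spam domains.  Curated by hand, kept short.
CHOKEPOINT_DOMAINS = {"spamhost.example"}


def stub_lookup_ns(domain):
    """Return NS hostnames for DOMAIN from the constructed table ([] if unknown)."""
    return STUB_NS_RECORDS.get(domain.lower().rstrip("."), [])


def registrable_domain(hostname):
    """Crude 'last two labels' approximation of the registrable domain.

    Assumption made for this example only: production code should consult the
    Public Suffix List so that e.g. foo.example.co.uk is not cut down to co.uk.
    """
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    return ".".join(labels[-2:])


def terminal_ns_domain(helo, lookup_ns=stub_lookup_ns, max_hops=10):
    """Follow NS delegation from the HELO name until reaching a domain whose
    authoritative name servers live under that same domain.

    Returns that self-hosted domain, or None if the chain breaks (no NS data),
    loops, or runs past max_hops.
    """
    domain = registrable_domain(helo)
    seen = set()
    while domain and domain not in seen and len(seen) < max_hops:
        seen.add(domain)
        servers = lookup_ns(domain)
        if not servers:
            return None
        # Self-hosted: at least one NS sits under the domain it serves.
        if any(registrable_domain(s) == domain for s in servers):
            return domain
        domain = registrable_domain(servers[0])  # hop to the provider's domain
    return None


class NetblockRateLimiter:
    """Sliding-window limiter keyed on the sender's /24 (IPv4) or /64 (IPv6)."""

    def __init__(self, max_messages, window_seconds):
        self.max_messages = max_messages
        self.window = window_seconds
        self.history = defaultdict(deque)  # netblock -> recent timestamps

    @staticmethod
    def netblock(ip):
        addr = ipaddress.ip_address(ip)
        prefix = 24 if addr.version == 4 else 64  # /64 for v6 is an assumption
        return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

    def allow(self, ip, now=None):
        """Record one message from IP's netblock; False if the block is over limit."""
        now = time.time() if now is None else now
        q = self.history[self.netblock(ip)]
        while q and now - q[0] > self.window:
            q.popleft()                      # drop timestamps outside the window
        if len(q) >= self.max_messages:
            return False
        q.append(now)
        return True


def filter_decision(helo, client_ip, limiter, now=None, lookup_ns=stub_lookup_ns):
    """Return 'accept' or 'defer' for one inbound SMTP session.

    Only sessions whose HELO resolves (via the NS walk) to a choke-point domain
    are rate limited; everything else passes untouched.
    """
    terminal = terminal_ns_domain(helo, lookup_ns)
    if terminal in CHOKEPOINT_DOMAINS and not limiter.allow(client_ip, now):
        return "defer"
    return "accept"


if __name__ == "__main__":
    lim = NetblockRateLimiter(max_messages=2, window_seconds=600)
    for ip in ("203.0.113.5", "203.0.113.77", "203.0.113.200"):
        print(ip, filter_decision("mail.promo-tasting.example", ip, lim, now=1000))
```

To run this against real DNS, replace `stub_lookup_ns` with a function that returns the target hostnames of a dnspython `dns.resolver.resolve(domain, "NS")` answer; keep the hop cap and the loop check, since a spammer controls the delegation chain you are walking. Note that being self-hosted is also what well-run organisations do, so the list of terminal domains must stay curated, and the action is rate limiting rather than rejection.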