From raymond@prolocation.net Fri Sep 10 00:11:25 2004
From: Raymond Dijkxhoorn
To: discuss@lists.surbl.org
Subject: [SURBL-Discuss] Re: Start an IP list to block?
Date: Fri, 10 Sep 2004 00:11:25 +0200
In-Reply-To: <20040909214957.EE7C5590019@radish.jmason.org>

Hi!

>> 1) Spammers can set up multiple ip addresses to an A record. Whatever
>> does the reporting should check all A records, from the top down. i.e.
>> query each NS multiple times to make sure it's not being round-robined or
>> reported differently from multiple DNS servers.
>>
>> 2) I can easily foresee spammers doing a wildcard subdomain as an effort to
>> thwart this, if we're doing nslookups.

> they already do. this also opens a list-washing hole, as a hidden link
> to will be
> resolved, indicating to the spammer that some software at the remote end
> is resolving all links in the message.

SURBL only takes the domain, so that's fine, it's only a little freaky for
your nameserver, but then again, SA does rely on DNS a lot, so that's no
news :)

> If OTOH you choose not to use the exact hostname parts of hrefs to avoid
> this, instead just resolving "www.spammer.com", they can then ensure that
> spammer.com and www.spammer.com do not resolve to hostnames and spam using
> links to notwww.spammer.com/payload.html instead.

Very true.

Bye,
Raymond.
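
The point that SURBL only takes the domain, shown as an added example that is not part of the original message or SURBL's own code: every href host is reduced to its base domain before the blocklist name is built, so per-recipient or wildcard subdomains collapse to one query and the spammer's nameserver is never asked anything. The function names, the small two-level TLD table, the use of the `multi.surbl.org` zone, and the sample hostnames are assumptions made for the illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumption: a tiny stand-in for the two-level TLD table a real client ships.
TWO_LEVEL_TLDS = {"co.uk", "org.uk", "com.au", "co.jp", "com.br"}
SURBL_ZONE = "multi.surbl.org"  # assumed query zone for this example
HREF_RE = re.compile(r'''href\s*=\s*["']?([^"'\s>]+)''', re.I)

def base_domain(host):
    """Reduce a URI host to its base domain; None if it cannot be checked."""
    host = host.strip(".").lower()
    try:
        ipaddress.ip_address(host)
        return None  # IP literals are out of scope for this example
    except ValueError:
        pass
    labels = host.split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_LEVEL_TLDS else 2
    if len(labels) < keep:
        return None  # bare TLD or bare two-level suffix such as "co.uk"
    return ".".join(labels[-keep:])

def surbl_queries(message_body):
    """Return the sorted, de-duplicated DNS names to look up for a body."""
    names = set()
    for url in HREF_RE.findall(message_body):
        try:
            host = urlsplit(url).hostname
        except ValueError:
            continue  # malformed URL, nothing to check
        dom = base_domain(host) if host else None
        if dom:
            names.add(f"{dom}.{SURBL_ZONE}")
    return sorted(names)

# Constructed sample: a tracking-style unique subdomain, the "notwww" case
# from the thread, and a host under a two-level TLD.
SAMPLE = '''
<a href="http://notwww.spammer.example/payload.html">offer</a>
<a href="http://u-7f3a9c.spammer.example/">.</a>
<a href="http://www.shop.example.co.uk/x">shop</a>
'''

if __name__ == "__main__":
    for name in surbl_queries(SAMPLE):
        print(name)
```
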