From jm@jmason.org Fri Sep 10 00:20:05 2004
From: jm@jmason.org
To: discuss@lists.surbl.org
Subject: [SURBL-Discuss] Re: Start an IP list to block?
Date: Thu, 09 Sep 2004 15:19:49 -0700
Message-ID: <20040909221949.761C65902BC@radish.jmason.org>
In-Reply-To:

Raymond Dijkxhoorn writes:
> >> 1) Spammers can set up multiple ip addresses to an A record. Whatever
> >> does the reporting should check all A records, from the top down. i.e.
> >> query each NS multiple times to make sure it's not being round-robined or
> >> reported differently from multiple DNS servers.
> >>
> >> 2) I can easily foresee spammers doing a wildcard subdomain as an effort to
> >> thwart this, if we're doing nslookups.
>
> > they already do. this also opens a list-washing hole, as a hidden link
> > to will be
> > resolved, indicating to the spammer that some software at the remote end
> > is resolving all links in the message.
>
> SURBL only takes the domain, so that's fine, it's only a little freaky for
> your nameserver, but then again, SA does rely on DNS a lot, so that's now
> news :)

Yeah. I was referring to the proposal to look up IP addresses for href
hostnames directly (instead of looking up the NS'es.)

--j.

> > If OTOH you choose not to use the exact hostname parts of hrefs to avoid
> > this, instead just resolving "www.spammer.com", they can then ensure that
> > spammer.com and www.spammer.com do not resolve to hostnames and spam using
> > links to notwww.spammer.com/payload.html instead.
>
> Very true.
>
> Bye,
> Raymond.
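
An added example, not part of the original message or of any SURBL or SpamAssassin code: it contrasts the DNS names a filter would emit when resolving exact href hostnames with the names it emits when only the registered domain is checked against a list, the two approaches weighed in the thread above. The zone name, the small two-level suffix set, the helper names and the sample message are assumptions constructed for illustration; the code only builds query names and performs no lookups.

```python
import re
from urllib.parse import urlsplit

# Constructed, deliberately tiny stand-in for a public-suffix list (assumption).
TWO_LEVEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}
SURBL_ZONE = "multi.surbl.org"  # list zone assumed for illustration

HREF_RE = re.compile(r'href\s*=\s*["\']?([^"\'\s>]+)', re.I)


def href_hosts(html):
    """Return the lowercased hostnames of all http(s) hrefs in a message body."""
    hosts = []
    for url in HREF_RE.findall(html):
        parts = urlsplit(url)
        if parts.scheme in ("http", "https") and parts.hostname:
            hosts.append(parts.hostname.rstrip("."))
    return hosts


def registered_domain(host):
    """Reduce a hostname to its registrable domain, dropping all subdomain labels."""
    labels = host.split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def exact_host_queries(html):
    """Names resolved if every href hostname is looked up directly."""
    return sorted(set(href_hosts(html)))


def domain_only_queries(html):
    """Names queried if only the registered domain is checked against the list."""
    return sorted({f"{registered_domain(h)}.{SURBL_ZONE}" for h in href_hosts(html)})


def leaks_token(queries, token):
    """True if a query name carries the per-recipient label to a remote nameserver."""
    return any(token in q.split(".") for q in queries)


# Constructed sample: a visible link plus a hidden link with a per-recipient label.
SAMPLE = ('<a href="http://notwww.spammer.com/payload.html">click</a>'
          '<a href="http://u8841.spammer.com/"></a>')

if __name__ == "__main__":
    print(exact_host_queries(SAMPLE))
    print(domain_only_queries(SAMPLE))
```

Both hrefs collapse to a single list query for spammer.com, so the wildcard label never leaves the filter and the notwww. hostname is still covered.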