On Saturday, September 25, 2004, 7:52:13 AM, Joe Wein wrote:
I would say, domains older than 90 days probably should not be added *unless* they use a blacklisted nameserver.
You really have to look at both the name servers and the date, in that order.
I want to give you some data on domain age for my recent blacklistings (last two weeks):
year     count
2004     4165
2003      582
2002       30
2001        6
2000        3
<=1999     12
total:   4830
There is a significant percentage of domains registered in 2003, but most of these still fall within one year of the listing. There are extremely few blacklistings for domains registered before 2003, about 1% of the total.
[...]
About 11% of blacklisted domains were registered within 3 days of detection, 18% within 7 days, 34% within 2 weeks.
Then it gets interesting: I have no records in the set for 13-24 days, then a whole bunch of pill spam domains registered at least 25 days ago. These guys seem to wait a little before they strike.
50% of all blacklisted domains are registered no more than 35 days before listing, 60% within two months, 66% within three months, 70% within four months. As you see, the incremental gain per extra month gets smaller and smaller. Six months cover 80%, 12 months 90%, 24 months 97%.
A few comments in addition to those numbers:
- There's a very small set of hardcore spammer NSs for which I list *all* domains that use them, regardless of age.
- For other domains with SBL-listed NS, I routinely list them *if* they are recently registered.
- For domains with SBL-listed NS older than a few months, I list them if they fit a pattern. Most of these will be porn and gambling sites from usual suspects, i.e. I'll see lots and lots of domains all sharing the same NS, advertised in similar spam mails.
[...]
- I also list sites without SBL records on the NS if they are very recently registered (usually < 6 weeks) and they fit a pattern with regard to naming or what kind of spam subject lines / sender names are used. That takes care of discardable spam domains registered with Joker.com such as these:
Hi Joe,

All your observations and policies seem quite reasonable to me. :-)
There can be some lag in SBL detecting new domains and new spam gang name servers, so it's definitely true that non-inclusion in SBL should not give new domains a "free pass". New domains not matching SBL can be real spammers.
Thanks also for sharing your research into the age of spam domains! It's very useful data, though it might also be interesting to know how long a domain is used after it appears in the first spams we detect. Many are only used for a few days according to a well-placed spam statistician I spoke with before. It's also interesting that some domains don't get used immediately after registration. (Note that I said many spam domains only get used for a few days, not that they only get used for a few days after registration.)
I've updated the domain age guidelines, taking into account your research:
"The older a domain is the less likely it should be listed. Most spam domains are used for 3 days then abandoned. Domains older than 90 days probably should not be added. Domains more than 1 year old usually should not be added. However, domains that use name servers listed in SBL as belonging to known spam operators can be included, regardless of age. (See below.)"
How does that sound?
Jeff C. -- "If it appears in hams, then don't list it."