On Sat, Sep 04, 2004 at 10:05:20PM -0600, Ryan Thompson wrote:
What's the deal with nonexistent domains? I've been seeing more of these in my corpora. They don't look like typos. Are spammers making up names, or are they registering domains and having them deleted later (either by their choice, or the registrars'?) Should we even consider listing them, or is poisoning not-yet-registered domains too much of a risk?
They're making them up to add noise and unnecessary overhead to systems that check spam message bodies. Clearly, SURBL and others like it are having an impact on the response rates of this crud.
There's a cialis/levitra spammer who litters his message bodies with bogus URLs made of the localpart of the target address:
<html><body ><b> davet: <br> V1l|*AGRA fina||y found a to<sup></sup>ugh compet<em></em>itor -- ClA1||IS & lEV|ITTRA! </b><br><br> 1: 8O+% sa<font></font>vings 0r<a href=http://davet.com>derin</a>g ! <br> 2: no pres<a href=http://davet.org>cription</a> required . <br> 3: doctor & F.<b></b>D.A appr<big></big>oved ! <br> 4: Ove<b></b>rnight sh<a href=http://davet.net>ipping</a> ! <p><b> <a href=http://tactful.alton.sssmendbs.com/as>N0W V1SlT 0UR WE<i></i>BS|TE : CI|CK H<u></u>ERE</a></b> </P> </BODY></HTML>
I strip these out into quarantine before subjecting them to SURBL.
Here's one with one valid domain and seven bogus ones:
<html><body ><font color="#0000FF"> X<a href="http://m0367.net">an</a>ax, /alium ,Cia|is, /iagra many more...!! <br> We stand behi<a href="http://92415qe.net">nd</a> 0ur products and ser<a href="http://tuo5a.net">vi</a>ce. <br> |n fact, we're the first comp<a href="http://dgj8l.net">any</a> to ever back a <br>phar<a href="http://xvnwry.net">mac</a>eutica| pr0duct with a 10O% mo<a href="http://i1ps4.biz">ney</a> back gua<a href="http://fhk7z.biz">rant</a>tee <br><br><a href=http://www.reversemeds.biz/>Cl|CK HE<b></b>RE KN0W M0RE</a></font><br><br><br><br><br> PxjEjnNDhaf </BODY></HTML>
Seems pretty obvious that their goal is to render SURBLs uselessly inundated by lookups, no?
That's one reason why I recently started doing a normal NS record lookup of the hostname before I look it up at multi.surbl.org.
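As an added example (not code from the SURBL project or from either poster), the following Python pre-screen implements the two checks this message describes: extract the URL hostnames from a message body, throw away the ones built from the recipient's localpart, drop whatever has no NS record in DNS, and only then form the multi.surbl.org query name. The two sample bodies are the ones quoted above; the recipient address, the stub resolver used in the offline run, and the simplified registrable-domain rule are assumptions for illustration, and the optional live lookup assumes the third-party dnspython package is installed.

```python
"""Pre-screen URL hostnames from a spam body before querying multi.surbl.org.

Added example, not code from the SURBL list or the posters.  Two cheap filters
run first: drop hostnames made from the recipient's localpart (the decoys in the
cialis/levitra spam), then drop names that do not exist in DNS at all, so only
plausible domains ever reach the SURBL lookup.
"""
import re
from typing import Callable, List

# Constructed sample input: the two spam bodies quoted in the thread.
SPAM_A = ("<html><body ><b> davet: <br> V1l|*AGRA fina||y found a to<sup></sup>ugh "
          "compet<em></em>itor -- ClA1||IS & lEV|ITTRA! </b><br><br> 1: 8O+% "
          "sa<font></font>vings 0r<a href=http://davet.com>derin</a>g ! <br> 2: no "
          "pres<a href=http://davet.org>cription</a> required . <br> 3: doctor & "
          "F.<b></b>D.A appr<big></big>oved ! <br> 4: Ove<b></b>rnight "
          "sh<a href=http://davet.net>ipping</a> ! <p><b> "
          "<a href=http://tactful.alton.sssmendbs.com/as>N0W V1SlT 0UR WE<i></i>BS|TE : "
          "CI|CK H<u></u>ERE</a></b> </P> </BODY></HTML>")
SPAM_B = ('<html><body ><font color="#0000FF"> X<a href="http://m0367.net">an</a>ax, '
          '/alium ,Cia|is, /iagra many more...!! <br> We stand '
          'behi<a href="http://92415qe.net">nd</a> 0ur products and '
          'ser<a href="http://tuo5a.net">vi</a>ce. <br> |n fact, we\'re the first '
          'comp<a href="http://dgj8l.net">any</a> to ever back a <br>'
          'phar<a href="http://xvnwry.net">mac</a>eutica| pr0duct with a 10O% '
          'mo<a href="http://i1ps4.biz">ney</a> back gua<a href="http://fhk7z.biz">rant</a>tee '
          '<br><br><a href=http://www.reversemeds.biz/>Cl|CK HE<b></b>RE KN0W M0RE</a></font>'
          '<br><br><br><br><br> PxjEjnNDhaf </BODY></HTML>')

# href values may be quoted or bare (both forms occur in the samples).
HREF_RE = re.compile(r'''href\s*=\s*["']?(https?://[^"'\s>]+)''', re.IGNORECASE)
HOST_RE = re.compile(r'^https?://([^/:?#]+)', re.IGNORECASE)

def extract_hosts(html: str) -> List[str]:
    """Return every http(s) hostname linked from the body, in document order."""
    hosts = []
    for url in HREF_RE.findall(html):
        m = HOST_RE.match(url)
        if m:
            hosts.append(m.group(1).lower())
    return hosts

def base_domain(host: str) -> str:
    """Reduce a hostname to the registrable domain that SURBL lists.

    Assumption: a simplified rule (last two labels, or three under common
    two-level ccTLD suffixes such as co.uk).  Production code should use the
    Public Suffix List instead.
    """
    labels = host.strip(".").split(".")
    second_level = {"co", "com", "net", "org", "ac", "gov"}
    if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in second_level:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def drop_localpart_decoys(domains: List[str], recipient: str) -> List[str]:
    """Drop domains whose first label is the recipient's localpart (davet.com etc.)."""
    localpart = recipient.split("@", 1)[0].lower()
    return [d for d in domains if d.split(".")[0] != localpart]

def filter_nonexistent(domains: List[str], resolve_ns: Callable[[str], bool]) -> List[str]:
    """Keep only domains for which the supplied NS lookup succeeds."""
    return [d for d in domains if resolve_ns(d)]

def surbl_query_name(domain: str) -> str:
    """Name to look up at multi.surbl.org for a registrable domain."""
    return f"{domain}.multi.surbl.org"

def candidates(html: str, recipient: str, resolve_ns: Callable[[str], bool]) -> List[str]:
    """Full pipeline: hosts -> registrable domains -> decoy filter -> NS filter."""
    domains: List[str] = []
    for host in extract_hosts(html):
        d = base_domain(host)
        if d not in domains:          # dedupe, preserving order
            domains.append(d)
    domains = drop_localpart_decoys(domains, recipient)
    return filter_nonexistent(domains, resolve_ns)

def dns_ns_exists(domain: str) -> bool:
    """Live NS lookup.  Assumption: dnspython is installed; needs network access."""
    import dns.exception  # type: ignore
    import dns.resolver   # type: ignore
    try:
        dns.resolver.resolve(domain, "NS")
        return True
    except dns.exception.DNSException:
        return False

if __name__ == "__main__":
    # Offline stub standing in for dns_ns_exists: constructed, pretends only the
    # two "click here" domains exist.
    stub = lambda d: d in {"sssmendbs.com", "reversemeds.biz"}
    for body, rcpt in ((SPAM_A, "davet@example.com"), (SPAM_B, "someone@example.com")):
        for d in candidates(body, rcpt, stub):
            print(surbl_query_name(d))
```

With the stub resolver, the first body yields a single SURBL query (sssmendbs.com) instead of four, and the second yields one (reversemeds.biz) instead of eight; swap `stub` for `dns_ns_exists` to run the real NS check.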