On Thursday, September 9, 2004, 2:48:51 PM, System Dan Mahoney wrote:
On Thu, 9 Sep 2004, Matt Kettler wrote:
If it's blacklisting based on resolved ip, it should probably be noted that there are a couple of caveats:
- Spammers can set up multiple ip addresses to an A record. Whatever does the reporting should check all A records, from the top down. i.e. query each NS multiple times to make sure it's not being round-robined or reported differently from multiple DNS servers.
Good point.
- I can easily foresee spammers doing a wildcard subdomain as an effort to thwart this, if we're doing nslookups.
Code using SURBLs attempts to reduce domains to the base (registrar) domains before comparing to SURBLs. In other words we ignore the subdomains, host portion, etc.
http://www.surbl.org/faq.html#random
- It's a common case that spammers use disposable landing sites, such as the forwarding services offered by tinyurl, zoneedit, and the like, or will put an HTTP redirect on a hotmail or geocities page. Should those be exempt from this, since they have a fair number of legitimate domains as well?
Please see:
http://www.surbl.org/faq.html#redirect
and the rest of the FAQ. :-)
Jeff C.
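
The base-domain reduction described in the reply above, as an added example that is not part of the original thread and is not SURBL's or any client's own code. The function names, the small two-level suffix set and the `multi.surbl.org` zone name are assumptions made for illustration; it shows why randomized or wildcard subdomains all collapse to a single lookup.

```python
from urllib.parse import urlsplit

# Constructed sample; a real checker needs a complete list of two-level suffixes.
TWO_LEVEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp", "com.br"}
SURBL_ZONE = "multi.surbl.org"  # assumed zone name, not given in the thread


def base_domain(url_or_host):
    """Return the registrar-level domain of a URL or hostname, or None."""
    target = url_or_host if "//" in url_or_host else "//" + url_or_host
    host = urlsplit(target).hostname  # lowercased, userinfo and port stripped
    if not host:
        return None
    labels = host.rstrip(".").split(".")
    if len(labels) < 2 or all(label.isdigit() for label in labels):
        return None  # single label or IPv4 literal: no base domain to extract
    # Keep three labels under a two-level suffix (example.co.uk), else two.
    keep = 3 if ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES else 2
    if len(labels) < keep:
        return None  # the bare suffix itself, e.g. "co.uk"
    return ".".join(labels[-keep:])


def surbl_query_names(urls):
    """Map URLs to de-duplicated DNS names to look up, preserving order."""
    bases = []
    for url in urls:
        base = base_domain(url)
        if base and base not in bases:
            bases.append(base)
    return [f"{base}.{SURBL_ZONE}" for base in bases]


if __name__ == "__main__":
    # Constructed message URLs: two random subdomains of one domain, one ccTLD host.
    constructed_urls = [
        "http://a1b2c3.example.com/offer",
        "http://zz9.mail.example.com:8080/offer?id=7",
        "http://www.shop.example.co.uk/",
    ]
    for name in surbl_query_names(constructed_urls):
        print(name)
```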