On Thursday, September 9, 2004, 3:57:46 PM, Ryan Thompson wrote:
> Jeff Chan wrote to Justin Mason:
>> Yeah. I was referring to the proposal to lookup IP addresses for href hostnames directly (instead of looking up the NS'es.)
> Yep. Resolving domain names found in spam URIs is slow
Aha. Key word = "domain names".
All the world's a host. Spammers are already using random subdomains in their emails, and there is absolutely *no* guarantee whatsoever that these subdomains resolve to the same IP(s) as the registrar domain (or even as the rest of the subdomains). It's basic DNS, and, in this case, it means we're basically screwed before we start. :-)
There *may* be some benefit to the idea, but I'm betting it would be extremely short-term, because spammers would too easily thwart it by pointing their TLD's A record to somewhere else.
Unless we started keeping more host information...but then we're effectively DoSsed by the sheer number of subdomains in use. There are a few ways I could think to greatly optimize that, but, so far, I don't see a big win.
On the other hand, we can resolve FQDNs on the data side (not the client side) and see if any IPs consistently emerge. If so we can certainly use them. If not, they're noise and get ignored automatically.
Given that hosting and redirection are not zombied (yet), the pool of hosting IPs available to bad guys is probably sufficiently small and concentrated to be potentially useful. (It's not the same as the pool of *sending* IPs, which is as large as can be zombied.)
Yeah, yeah, I know it sounds like I'm arguing against my prior position against IPs, but I'm not. I'm just putting a finer point on it.
Jeff C.
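As an added illustration of the two points made above (random subdomains need not resolve to the same IPs as the registrar domain, and data-side resolution can still surface IPs that "consistently emerge"), here is a small aggregation script. It is not code from this thread or from SpamAssassin; all hostnames, message ids and addresses are constructed (IETF documentation ranges), and the FAKE_A_RECORDS table stands in for DNS so that it runs offline. The thresholds in consistent_ips() and the naive two-label registrar_domain() are assumptions chosen for the example.

```python
# Added example (not from the thread or SpamAssassin): data-side aggregation of
# the A records behind spam URI hostnames, to see which hosting IPs are backed
# by many distinct hosts across more than one registrar domain.
from collections import defaultdict

# Constructed: hostnames pulled from URIs in a batch of spam, as (message_id, host).
SPAM_URI_HOSTS = [
    ("m001", "example-pharma.test"),
    ("m002", "a9x2.example-pharma.test"),
    ("m003", "q7rk.example-pharma.test"),
    ("m004", "zz01.example-pharma.test"),
    ("m005", "cheap-meds.test"),
    ("m006", "k3j.cheap-meds.test"),
    ("m007", "www.cheap-meds.test"),
    ("m008", "rolex-deals.test"),
    ("m009", "n4.rolex-deals.test"),      # deliberately unresolvable: noise
    ("m010", "legit-newsletter.test"),
]

# Constructed stand-in for DNS A-record answers (host -> list of IPv4 strings).
# Note the random subdomains do NOT share the apex's address.
FAKE_A_RECORDS = {
    "example-pharma.test":      ["192.0.2.10"],
    "a9x2.example-pharma.test": ["198.51.100.7"],
    "q7rk.example-pharma.test": ["198.51.100.7"],
    "zz01.example-pharma.test": ["198.51.100.7"],
    "cheap-meds.test":          ["192.0.2.20"],
    "k3j.cheap-meds.test":      ["198.51.100.7"],
    "www.cheap-meds.test":      ["192.0.2.20"],
    "rolex-deals.test":         ["203.0.113.5"],
    "legit-newsletter.test":    ["192.0.2.99"],
}


def registrar_domain(host):
    """Naive 'registrar domain': the last two labels (an assumption for this
    example).  A real deployment would consult a public-suffix list so that
    e.g. foo.co.uk is not cut down to co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def resolve(host, records):
    """Look a host up in the supplied answer table; NXDOMAIN/timeout -> []."""
    return sorted(records.get(host.lower(), []))


def ip_support(uri_hosts, records):
    """For every IP seen, collect the distinct hosts and registrar domains that
    resolved to it.  Hosts that resolve to nothing contribute nothing."""
    support = defaultdict(lambda: {"hosts": set(), "domains": set()})
    for _msg, host in uri_hosts:
        for ip in resolve(host, records):
            support[ip]["hosts"].add(host)
            support[ip]["domains"].add(registrar_domain(host))
    return dict(support)


def consistent_ips(uri_hosts, records, min_hosts=3, min_domains=2):
    """IPs that 'consistently emerge': at least min_hosts distinct hostnames
    AND at least min_domains registrar domains point at them (thresholds are
    assumptions).  Everything else is treated as noise and ignored."""
    return {
        ip for ip, s in ip_support(uri_hosts, records).items()
        if len(s["hosts"]) >= min_hosts and len(s["domains"]) >= min_domains
    }


def subdomain_mismatches(uri_hosts, records):
    """Subdomains whose A records differ from their registrar domain's, i.e.
    exactly the cases where resolving the apex instead of the real host would
    mislead a lookup."""
    out = []
    for _msg, host in uri_hosts:
        apex = registrar_domain(host)
        if host == apex:
            continue
        ips = resolve(host, records)
        if ips and ips != resolve(apex, records):
            out.append(host)
    return sorted(out)


if __name__ == "__main__":
    for ip, s in sorted(ip_support(SPAM_URI_HOSTS, FAKE_A_RECORDS).items()):
        print(f"{ip:15} hosts={len(s['hosts'])} domains={sorted(s['domains'])}")
    print("consistent:", sorted(consistent_ips(SPAM_URI_HOSTS, FAKE_A_RECORDS)))
    print("subdomains not matching apex:",
          subdomain_mismatches(SPAM_URI_HOSTS, FAKE_A_RECORDS))
```

Run as a script it lists, per IP, how many hosts and which registrar domains back it; only the address shared by the random subdomains of two different domains clears the thresholds, while the apex addresses, the one-off hosting IP and the unresolvable host all drop out as noise. The subdomain_mismatches() list is the concrete form of the warning above: for four of the nine resolvable hosts, the apex's A record says nothing about where the spam URI actually points.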