On Thursday, September 9, 2004, 3:19:49 PM, Justin Mason wrote:
Raymond Dijkxhoorn writes:
- Spammers can set up multiple IP addresses to an A record. Whatever
does the reporting should check all A records, from the top down, i.e. query each NS multiple times to make sure it's not being round-robined or reported differently from multiple DNS servers.
- I can easily foresee spammers doing a wildcard subdomain as an effort to
thwart this, if we're doing nslookups.
They already do. This also opens a list-washing hole, as a hidden link to <a href=http://myaddress-rot13-encoded.spammer.com/> will be resolved, indicating to the spammer that some software at the remote end is resolving all links in the message.
SURBL only takes the domain, so that's fine, it's only a little freaky for your nameserver, but then again, SA does rely on DNS a lot, so that's no news :)
Yeah. I was referring to the proposal to look up IP addresses for href hostnames directly (instead of looking up the NS'es.)
Yep. Resolving domain names found in spam URIs is slow (especially if timeouts are hit, which can take like what, 20 seconds per domain) and it opens the door to confirming for the spammers which recipient addresses got through. It's a good way for spammers to build a confirmed recipient list.
That's another reason we don't do it with SURBLs.
Jeff C.
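
The difference discussed in this thread, as an added example that is not part of the original messages: resolving href hostnames directly sends the recipient-encoded label to the sender's nameserver, while a SURBL-style check reduces each hostname to its registered domain and queries only the blocklist zone. The zone name `multi.surbl.org`, the abbreviated two-level suffix list, the function names and the sample message are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

SURBL_ZONE = "multi.surbl.org"  # assumption: zone name is not given in the thread
# Constructed, abbreviated suffix list; a real checker needs a complete one.
TWO_LEVEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp", "com.br"}

HREF_RE = re.compile(r"""href\s*=\s*["']?([^"'\s>]+)""", re.I)
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def href_hosts(message):
    """Hostnames found in href attributes, quoted or unquoted."""
    hosts = set()
    for url in HREF_RE.findall(message):
        host = urlsplit(url).hostname  # None when the URL has no scheme/authority
        if host:
            hosts.add(host.lower().rstrip("."))
    return hosts

def direct_lookup_names(message):
    """Names an A-record lookup of every link would send out (the leaky approach)."""
    return sorted(href_hosts(message))

def registered_domain(host):
    """Strip subdomain labels; IPv4 literals become reversed-octet form."""
    if IPV4_RE.match(host):
        return ".".join(reversed(host.split(".")))
    labels = host.split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES else 2
    if len(labels) < keep:
        return None  # bare suffix or single label: nothing to check
    return ".".join(labels[-keep:])

def surbl_queries(message):
    """Names queried against the blocklist zone; per-recipient labels never appear."""
    domains = {registered_domain(h) for h in href_hosts(message)}
    return sorted(f"{d}.{SURBL_ZONE}" for d in domains if d)

# Constructed sample message; the first link is the one quoted in the thread.
SAMPLE = "\n".join([
    "<a href=http://myaddress-rot13-encoded.spammer.com/>x</a>",
    '<a href="http://wbr.shop.example.co.uk/buy">y</a>',
    "<a href='http://192.0.2.10/img.gif'>z</a>",
])

if __name__ == "__main__":
    print("direct:", direct_lookup_names(SAMPLE))
    print("surbl: ", surbl_queries(SAMPLE))
```

Because every query name ends in the blocklist zone, a wildcard subdomain under the sender's domain sees no traffic from the check.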