ya.com is listed in WS.
I can't find any recent NANAS reports where the domain is used in URIs. They seem to be an ISP, with the domain showing up in footers in legit mail when their webmail service is used.
Patrik
On Friday, August 6, 2004, 4:36:33 AM, Patrik Nilsson wrote:
> ya.com is listed in WS.
> I can't find any recent NANAS reports where the domain is used in URIs. They seem to be an ISP, with the domain showing up in footers in legit mail when their webmail service is used.
Thanks for the heads up. Looks like a legitimate, old (1995) ISP. I've whitelisted it.
WS folks, please find a way to keep ones like this off the list.
Thanks,
Jeff C.
"Jeff Chan" jeffc@surbl.org
> Thanks for the heads up. Looks like a legitimate, old (1995) ISP. I've whitelisted it.
> WS folks, please find a way to keep ones like this off the list.
Hi guys,
here's an outline of the procedures I've been following for identifying spam domains since last December:
1) My spam filter analyzes mails for suspicious facts (e.g. blacklisted IPs in received history, bulk mailer software in X-Mailer, direct-to-MX delivery, referencing known spam domains). Only unknown domains mentioned in mails that have a sufficient spam score or match specific fingerprints are analyzed any further. I try to keep unlikely candidates out of the line of fire.
2) My software performs WHOIS queries and parses the results, looking at registrar, registration date, name servers, registering email address, etc. The vast majority of spam domains are very recently registered using a cheap registrar and resolved via a dodgy name server. From these parameters the software derives the preliminary "spammyness" of the domain.
3) Before I publish the data, I look at the three most interesting sublists (somewhat suspicious, very suspicious, certainly spam) using a tool I wrote, which shows me the suspect categories on their own.
For every domain I can then click on the entry and get to see the most important WHOIS parameters, the From- and Subject-lines of the triggering email (which I can manually call up from my archive too), etc. and can toss it either way.
Age is a critical factor, so is the name server.
There are some sites that make it into the blacklist that were registered before 2003, but they are quite rare. OTOH, most spam domains are two weeks old or less. Most name servers used show up with many / show up only with spam sites.
A Google search for
domain.com spam
tends to yield interesting data too, if the site is not brand new.
The older the site, the more evidence it takes to convince me to list it:
- older sites that do spam should have had time to accumulate evidence on the web
- older sites have more to lose by spamming
For the most part I advise against publishing any domain blacklist data from purely automated processes: Too many things can go wrong.
I would make an exception though for specific, well identified high volume spam operations, e.g. with a name server domain of airmaramba.biz or guper.com -- these are shoot on sight as far as I'm concerned :-)
Hope this helps.
Joe Wein
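The triage described in the message above, sketched as an added example (not part of the original post and not Joe Wein's software). It assumes WHOIS fields are already parsed into a dict; the field names, weights, thresholds and `.example` records are constructed for illustration.

```python
from datetime import date

SHOOT_ON_SIGHT_NS = {"airmaramba.biz", "guper.com"}  # named in the post

def ns_domain(host):
    """Naive registered domain of a name server host: its last two labels."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def triage(rec, today, ns_stats, min_mail_score=5.0):
    """Return (category, needs_manual_review) for one candidate domain.

    rec: parsed WHOIS fields plus the spam score of the triggering mail.
    ns_stats: name server domain -> (spam domains seen, all domains seen).
    Every weight and threshold below is an assumption, not Joe Wein's value.
    """
    if rec["mail_score"] < min_mail_score:      # step 1: unlikely candidates
        return ("not analysed", False)          # never reach the WHOIS stage
    nsd = ns_domain(rec["ns"])
    if nsd in SHOOT_ON_SIGHT_NS:                # the one automated exception
        return ("certainly spam", False)
    age_days = (today - rec["created"]).days
    points = 3 if age_days <= 14 else 1 if age_days <= 180 else 0
    spam, total = ns_stats.get(nsd, (0, 0))
    if total >= 5 and spam / total >= 0.9:      # NS seen almost only with spam
        points += 3
    elif total and spam / total >= 0.5:
        points += 1
    if age_days > 365:                          # older domain: more evidence needed
        points -= 2
    for floor, category in ((5, "certainly spam"), (3, "very suspicious"),
                            (1, "somewhat suspicious")):
        if points >= floor:
            return (category, True)             # a human confirms before listing
    return ("unlisted", False)

# Constructed sample data (not real WHOIS output).
TODAY = date(2004, 8, 9)
NS_STATS = {"bulk-dns.example": (40, 41)}
SAMPLES = {
    "fresh-pills.example": {"created": date(2004, 8, 1), "ns": "ns1.bulk-dns.example", "mail_score": 9.0},
    "old-shop.example": {"created": date(1999, 7, 9), "ns": "ns2.bulk-dns.example", "mail_score": 7.5},
    "old-isp.example": {"created": date(1995, 6, 1), "ns": "ns1.old-isp.example", "mail_score": 6.0},
    "burst.example": {"created": date(2004, 7, 1), "ns": "ns2.guper.com", "mail_score": 8.0},
}

if __name__ == "__main__":
    for name, rec in SAMPLES.items():
        print(name, triage(rec, TODAY, NS_STATS))
```

The same name server evidence that makes the week-old domain "certainly spam" leaves the 1999 domain at "somewhat suspicious", and the 1995 ISP on its own name server is not listed at all.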
On Monday, August 9, 2004, 1:14:04 AM, Joe Wein wrote:
> "Jeff Chan" jeffc@surbl.org
> > Thanks for the heads up. Looks like a legitimate, old (1995) ISP. I've whitelisted it.
> > WS folks, please find a way to keep ones like this off the list.
> here's an outline of the procedures I've been following for identifying spam domains since last December:
Thanks for sharing your procedures with us Joe. It sounds very good and a methodology I could recommend widely.
Was ya.com in your data? If so can you explain how it got on? :-)
Jeff C.
"Jeff Chan" jeffc@surbl.org
> Was ya.com in your data? If so can you explain how it got on? :-)
No, it wasn't me who let it slip in :-)
Occasionally I do add quite old domains:
cardvend.com (bl=2004-08-08, whois=whois.moniker.com, ns=ns1.mpgfree.net, created=1996-07-20)
lovingzoo.com (bl=2004-07-19, whois=whois.bulkregister.com, ns=ns1.ehostinginc.com, created=1999-07-09)
realtimevideos.com (bl=2004-07-19, rogue-ns=ns1.rackhosters.com, created=1997-04-24)
to name but a few, but in such cases I always confirm the content of the page is the type of content you would find advertised via spam, to exclude Joe Jobs, fake sender addresses, webmailers, etc.
Joe
ya.com is a legit Spanish portal.
On Mon, 9 Aug 2004 18:50:08 +0900, Joe Wein joewein@pobox.com wrote:
> "Jeff Chan" jeffc@surbl.org
> > Was ya.com in your data? If so can you explain how it got on? :-)
> No, it wasn't me who let it slip in :-)
> Occasionally I do add quite old domains:
> cardvend.com (bl=2004-08-08, whois=whois.moniker.com, ns=ns1.mpgfree.net, created=1996-07-20)
> lovingzoo.com (bl=2004-07-19, whois=whois.bulkregister.com, ns=ns1.ehostinginc.com, created=1999-07-09)
> realtimevideos.com (bl=2004-07-19, rogue-ns=ns1.rackhosters.com, created=1997-04-24)
> to name but a few, but in such cases I always confirm the content of the page is the type of content you would find advertised via spam, to exclude Joe Jobs, fake sender addresses, webmailers, etc.
> Joe
Discuss mailing list Discuss@lists.surbl.org http://lists.surbl.org/mailman/listinfo/discuss