What's the deal with nonexistent domains? I've been seeing more of these in my corpora. They don't look like typos. Are spammers making up names, or are they registering domains and having them deleted later (either by their choice, or the registrars'?) Should we even consider listing them, or is poisoning not-yet-registered domains too much of a risk?
Here's an example mail. In this case, the other domain in the email, "netdreamwatches.com", is already in many SURBLs, but "netdreamwatches4.com" does not exist.
My thought is *not* to list the NX'ers if there's another existing domain in the mail fit for SURBL.
-------------------------------------------------------------------------
Received: from 250.93.180.0 by 82.181.73.98; Sat, 04 Sep 2004 21:06:45 -0500
Message-ID: <COYELLCYZAXZCUMLBQUNZDMH@hotmail.com>
From: "Everett Dooley" <sexdw@yahoo.com>
Reply-To: "Everett Dooley" <sexdw@yahoo.com>
To: <private@email.com>
Subject: Order now for free shipping on all watches!
Date: Sat, 04 Sep 2004 20:09:45 -0600
X-Mailer: AOL 9.0 for Windows US sub 022
MIME-Version: 1.0
Content-Type: text/plain; boundary="--80228313128822712"
X-Priority: 3
X-MSMail-Priority: Normal
X-IP: 99.152.240.119
hey there!,
Great deals on imitation rolex and etc....
go to http://www.netdreamwatches.com for more info
kind regards Everett Dooley
get out of this sessions http://dreamwatches4.com/beout.asp
--------------------------------------------------------------------------
- Ryan
Hi!
> What's the deal with nonexistent domains? I've been seeing more of these in my corpora. They don't look like typos. Are spammers making up names, or are they registering domains and having them deleted later (either by their choice, or the registrars'?) Should we even consider listing them, or is poisoning not-yet-registered domains too much of a risk?
> Here's an example mail. In this case, the other domain in the email, "netdreamwatches.com", is already in many SURBLs, but "netdreamwatches4.com" does not exist.
> My thought is *not* to list the NX'ers if there's another existing domain in the mail fit for SURBL.
Could be, but it could also be that the registrar terminated the domain. More and more registrars don't tolerate massive abuse, but indeed it's a trend. We also noticed this. Perhaps it's in advance; we have also seen that. They assume some part will read the mail later. Would be nice to watch whether those domains come alive later on this week or so?
Bye, Raymond.
On Sat, Sep 04, 2004 at 10:05:20PM -0600, Ryan Thompson wrote:
> What's the deal with nonexistent domains? I've been seeing more of these in my corpora. They don't look like typos. Are spammers making up names, or are they registering domains and having them deleted later (either by their choice, or the registrars'?) Should we even consider listing them, or is poisoning not-yet-registered domains too much of a risk?
They're making them up to add noise and unnecessary overhead to systems that check spam message bodies. Clearly, SURBL and others like it are having an impact on the response rates of this crud.
There's a cialis/levitra spammer who litters his message bodies with bogus URLs made of the localpart of the target address:
<html><body ><b> davet: <br> V1l|*AGRA fina||y found a to<sup></sup>ugh compet<em></em>itor -- ClA1||IS & lEV|ITTRA! </b><br><br> 1: 8O+% sa<font></font>vings 0r<a href=http://davet.com>derin</a>g ! <br> 2: no pres<a href=http://davet.org>cription</a> required . <br> 3: doctor & F.<b></b>D.A appr<big></big>oved ! <br> 4: Ove<b></b>rnight sh<a href=http://davet.net>ipping</a> ! <p><b> <a href=http://tactful.alton.sssmendbs.com/as>N0W V1SlT 0UR WE<i></i>BS|TE : CI|CK H<u></u>ERE</a></b> </P> </BODY></HTML>
I strip these out into quarantine before subjecting them to SURBL.
Here's one with one valid domain and seven bogus ones:
<html><body ><font color="#0000FF"> X<a href="http://m0367.net">an</a>ax, /alium ,Cia|is, /iagra many more...!! <br> We stand behi<a href="http://92415qe.net">nd</a> 0ur products and ser<a href="http://tuo5a.net">vi</a>ce. <br> |n fact, we're the first comp<a href="http://dgj8l.net">any</a> to ever back a <br>phar<a href="http://xvnwry.net">mac</a>eutica| pr0duct with a 10O% mo<a href="http://i1ps4.biz">ney</a> back gua<a href="http://fhk7z.biz">rant</a>tee <br><br><a href=http://www.reversemeds.biz/>Cl|CK HE<b></b>RE KN0W M0RE</a></font><br><br><br><br><br> PxjEjnNDhaf </BODY></HTML>
Seems pretty obvious that their goal is to render SURBLs uselessly inundated by lookups, no?
That's one reason why I recently started doing a normal NS record lookup of the hostname before I look it up at multi.surbl.org.
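Putting the two ideas in this thread together (Ryan's rule of not proposing NX'ers when a real domain in the mail already fits SURBL, and the NS-lookup-before-SURBL filter and localpart-junk quarantine described in the post above), here is an added Python example. It is not code from anyone on this list or from the SURBL project. It assumes a pluggable resolver function; the DNS answers, SURBL replies and message bodies embedded in it are constructed for illustration, and the two-level TLD set is a short stand-in for the real list. SURBL lookups are formed as <domain>.multi.surbl.org (dotted-quad IPs are octet-reversed), and any 127.0.0.x answer is treated as "listed" without decoding the bitmask.

```python
import re
from typing import Callable, Dict, List

# Constructed, hypothetical DNS data standing in for live lookups.
# [] plays the role of NXDOMAIN / NODATA.
FAKE_DNS: Dict[tuple, List[str]] = {
    ("netdreamwatches.com", "NS"): ["ns1.example.net.", "ns2.example.net."],
    ("sssmendbs.com", "NS"): ["ns1.example.org."],
    ("reversemeds.biz", "NS"): ["ns1.example.org."],
    # SURBL is queried as <domain>.multi.surbl.org; 127.0.0.x means "listed".
    ("netdreamwatches.com.multi.surbl.org", "A"): ["127.0.0.2"],
    ("reversemeds.biz.multi.surbl.org", "A"): ["127.0.0.2"],
}

Resolver = Callable[[str, str], List[str]]

def fake_resolve(name: str, rtype: str) -> List[str]:
    """Stand-in DNS client (constructed data). A real one would wrap a DNS library."""
    return FAKE_DNS.get((name.lower().rstrip("."), rtype), [])

URL_RE = re.compile(r"https?://([a-z0-9.-]+)", re.IGNORECASE)
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
# Short constructed set of two-level TLDs; SURBL maintains a much longer one.
TWO_LEVEL_TLDS = {"co.uk", "org.uk", "com.au", "co.jp", "com.br"}

def extract_hosts(body: str) -> List[str]:
    """Hostnames from http(s) URLs in a body, lowercased, first occurrence kept."""
    seen, hosts = set(), []
    for h in URL_RE.findall(body):
        h = h.lower().rstrip(".")
        if h not in seen:
            seen.add(h)
            hosts.append(h)
    return hosts

def registrable_domain(host: str) -> str:
    """Reduce a hostname to the level SURBL lists; IP literals are kept whole."""
    if IPV4_RE.match(host):
        return host
    labels = host.split(".")
    n = 3 if ".".join(labels[-2:]) in TWO_LEVEL_TLDS else 2
    return ".".join(labels[-n:])

def surbl_query_name(domain: str, zone: str = "multi.surbl.org") -> str:
    """Domains are appended to the zone as-is; a dotted-quad IP is reversed first."""
    if IPV4_RE.match(domain):
        domain = ".".join(reversed(domain.split(".")))
    return f"{domain}.{zone}"

def classify(body: str, recipient_localpart: str, resolve: Resolver) -> Dict[str, str]:
    """
    Verdict per registrable domain:
      localpart-junk  hostname built from the recipient's localpart (quarantine, no lookup)
      nxdomain        no NS records, so no SURBL query is spent on it
      listed          SURBL answered 127.0.0.x
      clean           resolvable and not listed
    """
    verdicts: Dict[str, str] = {}
    local = recipient_localpart.lower()
    for host in extract_hosts(body):
        dom = registrable_domain(host)
        if dom in verdicts:
            continue
        is_ip = bool(IPV4_RE.match(dom))
        if not is_ip and dom.split(".")[0] == local:
            verdicts[dom] = "localpart-junk"
            continue
        if not is_ip and not resolve(dom, "NS"):
            verdicts[dom] = "nxdomain"
            continue
        answers = resolve(surbl_query_name(dom), "A")
        verdicts[dom] = "listed" if any(a.startswith("127.0.0.") for a in answers) else "clean"
    return verdicts

def nx_candidates(verdicts: Dict[str, str]) -> List[str]:
    """Ryan's rule: only propose NX'ers when no existing domain in the mail fits SURBL."""
    if any(v in ("listed", "clean") for v in verdicts.values()):
        return []
    return sorted(d for d, v in verdicts.items() if v == "nxdomain")

# Constructed sample bodies modelled on the messages quoted in this thread.
WATCH_BODY = ("go to http://www.netdreamwatches.com for more info\n"
              "get out of this sessions http://dreamwatches4.com/beout.asp\n")
PILL_BODY = ('<a href=http://davet.com>derin</a> <a href=http://davet.org>cription</a> '
             '<a href=http://davet.net>ipping</a> '
             '<a href=http://tactful.alton.sssmendbs.com/as>N0W</a>')
BOGUS_ONLY_BODY = "<a href=http://xvnwry.net>x</a> <a href=http://i1ps4.biz>y</a>"

if __name__ == "__main__":
    for label, body, local in (("watch", WATCH_BODY, "private"),
                               ("pill", PILL_BODY, "davet"),
                               ("bogus", BOGUS_ONLY_BODY, "private")):
        v = classify(body, local, fake_resolve)
        print(label, v, "nx candidates:", nx_candidates(v))
```

To run this against real DNS, replace fake_resolve with a thin wrapper around a DNS client (for example dnspython's dns.resolver.resolve(name, rtype), an assumption about the library rather than something the thread prescribes); the rest of the logic, including skipping the SURBL query for anything without NS records, is unchanged.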