-----Original Message-----
From: Matthew Wilson [mailto:matthew@boomer.com]
Sent: Sunday, May 08, 2005 9:29 PM
To: Jeff Chan; SURBL Discussion list
Subject: [SURBL-Discuss] newly registered domains
Does anyone know of a SA rule to check how recently a domain name has been registered?
The various uri lookups catch the vast majority of spammy urls during the day, but from 2-5 a.m. CST, my servers get hit with tons of spam with urls that aren't in SURBL yet. All of the domains are newly registered domains (registered in the past week or so).
I know that the SARE ninjas have some private tools to do this kind of lookup for their feeds and manual lookups, but I'm wondering if this kind of thing could be worked directly into a SA rule.
Well this has been brought up before. It is a very good idea, however difficult to implement. Unfortunately the date returned by a whois query comes in a wide variety of flavors. We (SARE) thought we had all of the returned date codes figured out. Nope. New ones still keep coming.
uribl.com has some ideas on how to attack this very issue, but not sure it is worth it yet.
In short, it would be wonderful to start doing whois lookups for every domain in an email. Lots of things could be flagged off of it. Think of a sort of Bayesian whois DB. But the traffic would be pretty damn big.
--Chris
Perhaps a centralized system could provide a whois date check, allowing the client side of the implementation to not need constant updating.
John Delisle, CISA
Senior Network Analyst, Network and Security Team
Information Systems & Technology Management Dept.
Ceridian Canada Ltd
600 - 125 Garry St
Winnipeg, MB R3C 3P2
204-975-5909
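The two replies above turn on how varied whois date output is and on where the parsing should live. The following is an added example, not code from the thread, SARE, or SpamAssassin: a sketch that normalises several creation-date layouts and reports "unknown" instead of guessing. The field labels, date layouts, function names and WHOIS fragments are all constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Labels and layouts below are a constructed sample, not an exhaustive list.
LABEL = re.compile(
    r"^\s*(?:creation date|record created on|created on|created|"
    r"registered on|domain registration date)\s*[:.]*\s*(.+?)\s*$",
    re.IGNORECASE | re.MULTILINE)
FORMATS = [
    "%Y-%m-%dT%H:%M:%SZ",         # 2005-05-03T14:22:10Z
    "%Y-%m-%d",                   # 2005-05-03
    "%Y/%m/%d",                   # 2005/05/03
    "%d-%b-%Y",                   # 03-May-2005
    "%d-%b-%Y %H:%M:%S UTC",      # 03-May-2005 14:22:10 UTC
    "%a %b %d %H:%M:%S GMT %Y",   # Tue May 03 14:22:10 GMT 2005
]
# Deliberately absent: NN/NN/YYYY, ambiguous between day-first and month-first.

def parse_creation_date(whois_text):
    """Return the registration date as a datetime, or None if no layout matches."""
    for match in LABEL.finditer(whois_text):
        value = match.group(1).rstrip(".")
        for fmt in FORMATS:
            try:
                return datetime.strptime(value, fmt)
            except ValueError:
                continue
    return None

def is_newly_registered(whois_text, now, max_age_days=7):
    """True/False if the date parses; None if not, so the caller can log it."""
    created = parse_creation_date(whois_text)
    if created is None:
        return None
    return timedelta(0) <= now - created <= timedelta(days=max_age_days)

# Constructed WHOIS fragments (not real registry output).
SAMPLES = {
    "iso":       "Domain Name: EXAMPLE.COM\nCreation Date: 2005-05-03T14:22:10Z\n",
    "netsol":    "   Record created on 03-May-2005.\n   Record expires on 03-May-2006.\n",
    "unix":      "Created On: Tue May 03 14:22:10 GMT 2005\n",
    "old":       "created:      1998/11/20\n",
    "ambiguous": "Registered on: 05/03/2005\n",
}

if __name__ == "__main__":
    now = datetime(2005, 5, 8, 21, 29)  # constructed "current time" for the demo
    for name, text in SAMPLES.items():
        print(name, parse_creation_date(text), is_newly_registered(text, now))
```

The three-way result matters for scoring: a record that returns None is an unrecognised layout to add to the table, not evidence that the domain is old.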
Chris Santerre csanterre@MerchantsOverseas.com
Sent by: discuss-bounces@lists.surbl.org
05/09/2005 08:34 AM
Please respond to SURBL Discussion list discuss@lists.surbl.org
To: "'SURBL Discussion list'" discuss@lists.surbl.org
cc:
Subject: RE: [SURBL-Discuss] newly registered domains