Because they don't take too kindly to anyone doing tons of whois lookups an hour. Trust me ;)
--Chris
-----Original Message-----
From: Matthew Wilson [mailto:matthew@boomer.com]
Sent: Monday, May 09, 2005 9:44 AM
To: SURBL Discussion list
Subject: RE: [SURBL-Discuss] newly registered domains
Why not integrate a whois date lookup directly into SURBL or URIBL? Design an encoding system whereby suspectedspammydomain.spammertld.dr.surbl.org (or uribl.com) would return the date somehow regex encoded in the IP address. Then write a nice SA rule that decodes it, also using regex. Are there any regex geniuses out there that could encode a date in an IP address?
-Matthew
Well this has been brought up before. It is a very good idea, however difficult to implement. Unfortunately the date returned by a whois query comes in a wide variety of flavors. We (SARE) thought we had all of the returned date codes figured out. Nope. New ones still keep coming.
uribl.com has some ideas on how to attack this very issue, but not sure it is worth it yet.
In short, it would be wonderful to start doing whois lookups for every domain in an email. Lots of things could be flagged off of it. Think of a sort of Bayesian whois DB. But the traffic would be pretty damn big.
--Chris
_______________________________________________
Discuss mailing list
Discuss@lists.surbl.org
http://lists.surbl.org/mailman/listinfo/discuss
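The date-in-an-address encoding Matthew proposes, together with the varying whois date formats Chris describes, sketched as an added example that is not code from any poster in this thread or from SURBL/URIBL. It assumes a hypothetical answer layout 127.Y.M.D (Y = year minus 1985), a short constructed list of whois date formats, and hypothetical function names.

```python
import re
from datetime import date, datetime

BASE_YEAR = 1985  # assumed offset so the year fits in one octet (1985-2240)

# Constructed sample of whois date layouts; real registries return more.
WHOIS_FORMATS = ("%Y-%m-%d", "%d-%b-%Y", "%Y/%m/%d", "%Y.%m.%d",
                 "%Y-%m-%dT%H:%M:%SZ")

def parse_whois_date(raw):
    """Return a date for a whois creation-date string, or None if unknown."""
    text = raw.strip()
    for fmt in WHOIS_FORMATS:
        try:
            return datetime.strptime(text, fmt).date()
        except ValueError:
            continue
    return None  # unknown flavor: publish no record rather than guess

def encode_date(d):
    """Server side: pack a registration date into a 127.Y.M.D answer."""
    offset = d.year - BASE_YEAR
    if not 0 <= offset <= 255:
        raise ValueError("year outside encodable range")
    return "127.%d.%d.%d" % (offset, d.month, d.day)

ANSWER_RE = re.compile(r"^127\.(\d{1,3})\.(\d{1,2})\.(\d{1,2})$")

def decode_answer(ip):
    """Client side: recover the date from the A record, or None if malformed."""
    m = ANSWER_RE.match(ip)
    if not m:
        return None
    year_off, month, day = (int(g) for g in m.groups())
    if year_off > 255:
        return None
    try:
        return date(BASE_YEAR + year_off, month, day)
    except ValueError:  # e.g. month 13 or 31 February
        return None

def is_newly_registered(ip, today, max_age_days=30):
    """True when the encoded registration date is within max_age_days of today."""
    reg = decode_answer(ip)
    return reg is not None and 0 <= (today - reg).days <= max_age_days
```

Because the server normalizes every whois flavor to one fixed layout before publishing, the mail-filter side only ever needs the single regex in `ANSWER_RE`.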
Assuming a centralized system was doing this, it could cache the results and reduce the lookups/hr.
John Delisle, CISA Senior Network Analyst, Network and Security Team Information Systems & Technology Management Dept. Ceridian Canada Ltd 600 - 125 Garry St Winnipeg, MB R3C 3P2 204-975-5909
Chris Santerre csanterre@MerchantsOverseas.com Sent by: discuss-bounces@lists.surbl.org 05/09/2005 09:20 AM Please respond to SURBL Discussion list discuss@lists.surbl.org
To "'SURBL Discussion list'" discuss@lists.surbl.org cc
Subject RE: [SURBL-Discuss] newly registered domains
Because they don't take too kindly to anyone doing tons of whois lookups an hour. Trust me ;)
--Chris
-----Original Message-----
From: Matthew Wilson [mailto:matthew@boomer.com]
Sent: Monday, May 09, 2005 9:44 AM
To: SURBL Discussion list
Subject: RE: [SURBL-Discuss] newly registered domains
Why not integrate a whois date lookup directly into SURBL or URIBL? Design an encoding system whereby suspectedspammydomain.spammertld.dr.surbl.org (or uribl.com) would return the date somehow regex encoded in the IP address. Then write a nice SA rule that decodes it, also using regex. Are there any regex geniuses out there that could encode a date in an IP address?
-Matthew
Well this has been brought up before. It is a very good idea, however difficult to implement. Unfortunately the date returned by a whois query comes in a wide variety of flavors. We (SARE) thought we had all of the returned date codes figured out. Nope. New ones still keep coming.
uribl.com has some ideas on how to attack this very issue, but not sure it is worth it yet.
In short, it would be wonderful to start doing whois lookups for every domain in an email. Lots of things could be flagged off of it. Think of a sort of Bayesian whois DB. But the traffic would be pretty damn big.
--Chris
On Monday, May 9, 2005, 11:18:51 AM, John Delisle wrote:
Assuming a centralized system was doing this, it could cache the results and reduce the lookups/hr.
John Delisle, CISA Senior Network Analyst, Network and Security Team Information Systems & Technology Management Dept. Ceridian Canada Ltd 600 - 125 Garry St Winnipeg, MB R3C 3P2 204-975-5909
If you build a centralized database of whois data, then I'm sure Chris and I (and others) would like to use it. :-)
Jeff C. -- Don't harm innocent bystanders.