jeffc at surbl.org
Sun Apr 11 09:47:44 CEST 2004
On Sunday, April 11, 2004, 6:52:56 AM, William Stearns wrote:
> On Sat, 10 Apr 2004, Jeff Chan wrote:
>> It's so simple that I might be tempted to call it elegant:
>> 1. Resolve the incoming spam domains from SC into A and
>> perhaps NS records.
> NS is a little tougher. I could see us hurting people who left
> their name service with their registrar, or large ISPs that simply host a
> lot of domains. It would also be possible for a spammer to simply claim
> that ns1.earthlink.net and ns2.aol.com are their secondary and tertiary
> when they aren't. It's not possible - or at least tougher - to fake A records.
Indeed, that's a strong argument for using A records only.
I really appreciate your feedback!
>> 2. Keep a persistent tally counting those IPs. (a history)
>> 3. For As or NSes of incoming domains that match many identical
>> or nearby IP tallies (i.e., the new domains use known bad old IPs),
>> drop their inclusion thresholds in some statistically cool and
>> relevant way.
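The three steps above could be sketched roughly like this (all names
and the threshold policy here are hypothetical, just to make the idea
concrete; the real statistics would need more thought):

```python
# Sketch of steps 1-3: resolve A records, tally IPs, adjust thresholds.
# The threshold formula is a placeholder, not a proposed final policy.
import socket
from collections import Counter

ip_tally = Counter()   # persistent tally of IPs seen hosting reported domains
BASE_THRESHOLD = 10    # hypothetical default inclusion threshold

def record_domain(domain):
    """Steps 1-2: resolve a reported domain's A records and tally its IPs."""
    try:
        ips = {info[4][0]
               for info in socket.getaddrinfo(domain, None, socket.AF_INET)}
    except socket.gaierror:
        return set()
    for ip in ips:
        ip_tally[ip] += 1
    return ips

def inclusion_threshold(ips):
    """Step 3: lower the listing threshold for domains on known-bad IPs."""
    history = max((ip_tally[ip] for ip in ips), default=0)
    # The more often these IPs have hosted reported domains,
    # the fewer new reports we require before listing the domain.
    return max(1, BASE_THRESHOLD - history)
```

So a brand-new domain parked on an IP that has already hosted many
reported domains would be listed after far fewer reports than a
domain on a clean IP.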
Update: I'm thinking of storing class-C-sized (/24) bins for the
tallies. That's very quick and gets "nearness" automatically.
(In other words, any IPs in the same /24 could be counted
together initially.) How does that sound? Do I lose much
by that deliberate imprecision? How much do the spammers move
IPs? Would numerical nearness matter/help in detecting them?
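To illustrate what I mean by the binning (function names are made up,
and real code should handle IPv6 and malformed input):

```python
# Sketch of /24 binning: the tally key is the address's class-C network,
# so any IPs in the same /24 are counted together automatically.
from collections import Counter

bin_tally = Counter()

def bin24(ip):
    """Map a dotted-quad IPv4 address to its /24 (class C sized) bin."""
    return ".".join(ip.split(".")[:3]) + ".0/24"

def tally(ip):
    bin_tally[bin24(ip)] += 1

tally("203.0.113.5")
tally("203.0.113.77")   # same /24 as above: lands in the same bin
tally("198.51.100.9")
```

A dict keyed on the /24 prefix is a single lookup per IP, versus
having to do some kind of range or distance search to find "nearby"
addresses, which is where the speed win comes from.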
> The approach made sense to me as well.
> http://www.stearns.org/sa-blacklist/spamip.current.txt is the report
> created from the A record harvesting.
> I'd be glad to provide the raw data collected over the past 5
> months. I also have SOA and whois data for the entire sa-blacklist.
Thanks for the reference! Checking the list of IPs will probably
answer some of my questions about the numbers above, though I'm
somewhat inclined to be not-invented-here :-) about the engine itself,
so I can prove the merits of using the SC data alone.
That said, I will check out the IPs!