[SURBL-Discuss] Need help checking FP list from Theo

Jeff Chan jeffc at surbl.org
Tue Sep 7 07:43:54 CEST 2004


Looks good.  Did not see the heuristic details documented,
but one thing I would definitely suggest adding is spamhaus
lookups on the resolved www and base domain and on the
domain NS records.  I find that a strong correlator of
spam, though of course no source is perfect.  For example:

> antispam: [198]% ns savingzplus.biz
> Server:  localhost.freeapp.net
> Address:  127.0.0.1
> 
> Name:    savingzplus.biz
> Address:  219.147.198.131
> 
> antispam: [199]% ns www.savingzplus.biz
> Server:  localhost.freeapp.net
> Address:  127.0.0.1
> 
> Name:    www.savingzplus.biz
> Address:  219.147.198.131

(where ns is nslookup)

> antispam: [202]% dig 131.198.147.219.sbl-xbl.spamhaus.org a
> 
> ; <<>> DiG 8.3 <<>> 131.198.147.219.sbl-xbl.spamhaus.org a
> ;; res options: init recurs defnam dnsrch
> ;; got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20797
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 14
> ;; QUERY SECTION:
> ;;      131.198.147.219.sbl-xbl.spamhaus.org, type = A, class = IN
> 
> ;; ANSWER SECTION:
> 131.198.147.219.sbl-xbl.spamhaus.org.  1h59m53s IN A  127.0.0.2

Bingo!  Probably a bad guy.

Jeff C.
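The lookup sequence described above (resolve the base domain, the www host and the NS hosts, then query each reversed IP under sbl-xbl.spamhaus.org and treat a 127.0.0.x answer as a listing), as an added example in Python that is not part of the post or of SURBL. The resolver is injected so the code runs offline; the NS name and its 192.0.2.10 address in the stub data are constructed, since the post only shows the A and DNSBL lookups.

```python
import ipaddress
from typing import Callable, Dict, List

DNSBL_ZONE = "sbl-xbl.spamhaus.org"
# Resolver: (name, rrtype) -> rdata strings, [] when there is no record (NXDOMAIN/NODATA)
Resolver = Callable[[str, str], List[str]]

def dnsbl_query_name(ip: str, zone: str = DNSBL_ZONE) -> str:
    """Reverse the dotted quad and append the DNSBL zone (219.147.198.131 -> 131.198.147.219.<zone>)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")  # raises ValueError on junk input
    return ".".join(reversed(octets)) + "." + zone

def is_listed(answer: str) -> bool:
    """A DNSBL answers a listed IP with an address in 127.0.0.0/8 (127.0.0.2 in the post); no answer means unlisted."""
    return bool(answer) and ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8")

def check_domain(domain: str, resolve: Resolver, zone: str = DNSBL_ZONE) -> Dict[str, str]:
    """Resolve the base domain, its www host and every NS host to IPv4 addresses,
    then query each address in the DNSBL. Returns {ip: dnsbl answer or ""}."""
    hosts = {domain, "www." + domain}
    hosts.update(ns.rstrip(".") for ns in resolve(domain, "NS"))
    ips = set()
    for host in hosts:
        ips.update(resolve(host, "A"))
    results: Dict[str, str] = {}
    for ip in sorted(ips):
        answers = resolve(dnsbl_query_name(ip, zone), "A")
        results[ip] = answers[0] if answers else ""
    return results

def listed_ips(results: Dict[str, str]) -> List[str]:
    """IPs whose DNSBL answer indicates a listing."""
    return [ip for ip, ans in results.items() if is_listed(ans)]

# Constructed offline zone data modelled on the lookups in the post; the NS name and
# 192.0.2.10 (an RFC 5737 documentation address) are invented, the rest mirrors the post.
CONSTRUCTED_RECORDS = {
    ("savingzplus.biz", "A"): ["219.147.198.131"],
    ("www.savingzplus.biz", "A"): ["219.147.198.131"],
    ("savingzplus.biz", "NS"): ["ns1.example.invalid."],
    ("ns1.example.invalid", "A"): ["192.0.2.10"],
    ("131.198.147.219.sbl-xbl.spamhaus.org", "A"): ["127.0.0.2"],
}

def offline_resolver(name: str, rrtype: str) -> List[str]:
    return CONSTRUCTED_RECORDS.get((name, rrtype), [])

if __name__ == "__main__":
    report = check_domain("savingzplus.biz", offline_resolver)
    print(report, "listed:", listed_ips(report))
```

For live checks, pass a resolver that wraps a real DNS client (for example dnspython's dns.resolver.resolve) and returns [] on NXDOMAIN or NoAnswer.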


