[SURBL-Discuss] Nonexistent domains

Steven Champeon schampeo at hesketh.com
Wed Sep 8 00:50:50 CEST 2004


on Sat, Sep 04, 2004 at 10:05:20PM -0600, Ryan Thompson wrote:
> 
> What's the deal with nonexistent domains? I've been seeing more of these
> in my corpora. They don't look like typos. Are spammers making up names,
> or are they registering domains and having them deleted later (either by
> their choice, or the registrars'?) Should we even consider listing them,
> or is poisoning not-yet-registered domains too much of a risk?

They're making them up to add noise and unnecessary overhead to systems
that check spam message bodies. Clearly, SURBL and others like it are
having an impact on the response rates of this crud.
 
There's a cialis/levitra spammer who litters his message bodies with
bogus URLs made of the localpart of the target address:

<html><body ><b>
davet: <br> V1l|*AGRA fina||y found a to<sup></sup>ugh compet<em></em>itor --
ClA1||IS & lEV|ITTRA! </b><br><br>
1: 8O+% sa<font></font>vings 0r<a href=http://davet.com>derin</a>g ! <br> 2: no
pres<a href=http://davet.org>cription</a> required . <br> 3: doctor &
F.<b></b>D.A appr<big></big>oved ! <br> 4: Ove<b></b>rnight sh<a
href=http://davet.net>ipping</a> !
<p><b>
 <a href=http://tactful.alton.sssmendbs.com/as>N0W  V1SlT  0UR  WE<i></i>BS|TE :
CI|CK  H<u></u>ERE</a></b>
</P>
</BODY></HTML>

I strip these out into quarantine before subjecting them to surbl.

Here's one with one valid domain and seven bogus ones:

 <html><body ><font color="#0000FF">
X<a href="http://m0367.net">an</a>ax, \/alium ,Cia|is, \/iagra many more...!!
<br> We stand behi<a href="http://92415qe.net">nd</a> 0ur products and ser<a
href="http://tuo5a.net">vi</a>ce. <br> |n fact, we're the first comp<a
href="http://dgj8l.net">any</a> to ever back a <br>phar<a
href="http://xvnwry.net">mac</a>eutica| pr0duct with a 10O% mo<a
href="http://i1ps4.biz">ney</a> back gua<a href="http://fhk7z.biz">rant</a>tee
  <br><br><a href=http://www.reversemeds.biz/>Cl|CK  HE<b></b>RE KN0W
M0RE</a></font><br><br><br><br><br>
PxjEjnNDhaf
 </BODY></HTML>

Seems pretty obvious that their goal is to render SURBLs uselessly
inundated by lookups, no?

That's one reason why I recently started doing a normal NS record lookup
of the hostname before I look it up at multi.surbl.org.

-- 
hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2554 w: http://hesketh.com
Buy "Cascading Style Sheets: Separating Content from Presentation, 2/e" today!
http://www.amazon.com/exec/obidos/ASIN/159059231X/heskecominc-20/ref=nosim/
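The two habits the post describes, quarantining URLs built from the recipient's localpart and doing an NS lookup before spending a lookup on multi.surbl.org, as an added worked example in Python. This is not code from the SURBL project or from the post's author; the function names, the hand-rolled UDP NS query, the 8.8.8.8 default resolver, the constructed SAMPLE body and the stub lookups in the demo are all this example's own assumptions.

```python
"""Pre-filter message-body URLs before asking multi.surbl.org about them.
Added example following the post above (not SURBL's or the author's code):
localpart noise is quarantined first, then only domains with NS records are
sent to SURBL.  All names, addresses and sample data are assumptions."""
import os
import re
import socket
from urllib.parse import urlsplit

# href values in the samples are quoted or bare and the <a> tag may be split
# across lines, so match the attribute rather than parsing the HTML.
HREF_RE = re.compile(r'href\s*=\s*"?\s*(https?://[^"\s>]+)', re.IGNORECASE)

# Constructed body mirroring both samples in the post: three davet.* noise
# URLs, one real-looking hostname, two made-up .net domains, one live site.
SAMPLE = """<html><body><b>davet: <br>
1: sa<font></font>vings 0r<a href=http://davet.com>derin</a>g !
2: pres<a href=http://davet.org>cription</a> required . 4: sh<a
href=http://davet.net>ipping</a> !
<a href=http://tactful.alton.sssmendbs.com/as>N0W V1SlT</a>
X<a href="http://m0367.net">an</a>ax ... behi<a href="http://92415qe.net">nd</a>
<a href=http://www.reversemeds.biz/>Cl|CK HE<b></b>RE</a></b></body></html>"""

def registrable(hostname: str) -> str:
    """Assumption: the two rightmost labels are the registrable domain (a real
    client also handles two-level ccTLDs such as co.uk; omitted here)."""
    return ".".join(hostname.lower().strip(".").split(".")[-2:])

def extract_domains(html: str) -> list[str]:
    """Unique registrable domains from every href, in the order first seen."""
    seen: list[str] = []
    for url in HREF_RE.findall(html):
        host = urlsplit(url).hostname
        if host and (dom := registrable(host)) not in seen:
            seen.append(dom)
    return seen

def split_localpart_noise(domains: list[str], recipient_localpart: str):
    """Domains whose first label is the recipient's localpart (davet.com, ...)
    are quarantined and never looked up; returns (to_check, quarantined)."""
    lp = recipient_localpart.lower()
    noise = [d for d in domains if d.split(".")[0] == lp]
    return [d for d in domains if d not in noise], noise

def build_ns_query(domain: str, qid: bytes) -> bytes:
    """Wire-format DNS query: 12-byte header (RD set, 1 question), QNAME, NS/IN."""
    header = qid + b"\x01\x00" + b"\x00\x01" + b"\x00\x00" * 3
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in domain.strip(".").split(".")) + b"\x00"
    return header + qname + b"\x00\x02\x00\x01"

def ns_reply_has_answer(resp: bytes, qid: bytes) -> bool:
    """True when the reply matches our ID, has RCODE 0 and at least one answer RR."""
    if len(resp) < 12 or resp[:2] != qid:
        return False
    return (resp[3] & 0x0F) == 0 and int.from_bytes(resp[6:8], "big") > 0

def ns_exists(domain: str, resolver: str = "8.8.8.8", timeout: float = 3.0) -> bool:
    """NS lookup over plain UDP, no third-party DNS library.  The resolver
    address is an assumption; point it at your own recursive server."""
    qid = os.urandom(2)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_ns_query(domain, qid), (resolver, 53))
        try:
            resp, _ = s.recvfrom(512)
        except OSError:  # timeout or unreachable resolver: treat as absent
            return False
    return ns_reply_has_answer(resp, qid)

def surbl_listed(domain: str) -> bool:
    """multi.surbl.org answers 127.0.0.x for a listed domain, NXDOMAIN otherwise."""
    try:
        return socket.gethostbyname(f"{domain}.multi.surbl.org").startswith("127.")
    except socket.gaierror:
        return False

def check_domains(domains, has_ns=ns_exists, listed=surbl_listed) -> dict:
    """Classify domains; only those with NS records cost a SURBL lookup."""
    result = {"listed": [], "clean": [], "nonexistent": []}
    for d in domains:
        if not has_ns(d):
            result["nonexistent"].append(d)
        elif listed(d):
            result["listed"].append(d)
        else:
            result["clean"].append(d)
    return result

if __name__ == "__main__":
    keep, noise = split_localpart_noise(extract_domains(SAMPLE), "davet")
    print("quarantined:", noise)
    # Stub lookups so the demo runs offline; drop both keyword args to go live.
    registered = {"sssmendbs.com", "reversemeds.biz"}
    print(check_domains(keep, has_ns=registered.__contains__,
                        listed=lambda d: d == "reversemeds.biz"))
```

Two caveats worth keeping in mind. The NS check is done on the registrable domain, not the full hostname: a query for NS of `tactful.alton.sssmendbs.com` can come back with nothing in the answer section even though `sssmendbs.com` is perfectly real, so checking the hostname as written would wrongly skip live spam domains. And the pre-check does not make the made-up domains free, it just moves the cost from SURBL to your own recursive resolver, which at least caches the NXDOMAIN answers; a flood of bogus .net names still costs one DNS round trip each the first time they are seen.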

