[SURBL-Discuss] Re: Start an IP list to block?

Raymond Dijkxhoorn raymond at prolocation.net
Fri Sep 10 00:11:25 CEST 2004


>> 1) Spammers can set up multiple ip addresses to an A record.  Whatever
>> does the reporting should check all A records, from the top down.  i.e.
>> query each NS multiple times to make sure it's not being round-robined or
>> reported differently from multiple DNS servers.
>> 2) I can easily foresee spammers doing a wildcard subdomain as an effort to
>> thwart this, if we're doing nslookups.

> they already do.  this also opens a list-washing hole, as a hidden link 
> to <a href=http://myaddress-rot13-encoded.spammer.com/> will be 
> resolved, indicating to the spammer that some software at the remote end 
> is resolving all links in the message.

SURBL only takes the domain, so that's fine, it's only a little freaky for 
your nameserver, but then again, SA does rely on DNS a lot, so that's no 
news :)

> If OTOH you choose not to use the exact hostname parts of hrefs to avoid
> this, instead just resolving "www.spammer.com", they can then ensure that
> spammer.com and www.spammer.com do not resolve to hostnames and spam using
> links to notwww.spammer.com/payload.html instead.

Very true.
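
An added example, not part of the original post and not SURBL's or SpamAssassin's code: reducing each href to its base domain before building the list lookup means the per-recipient hostname label never appears in any DNS query. The zone name `uribl.example`, the short two-level-TLD set and the sample body are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumption: small constructed stand-in for a full two-level-TLD list.
TWO_LEVEL_TLDS = {"co.uk", "com.au", "co.jp"}
# Assumption: placeholder list zone, not taken from the post.
LIST_ZONE = "uribl.example"

# Matches quoted and unquoted href values, as in the post's <a href=...> case.
HREF_RE = re.compile(r"""href\s*=\s*["']?([^"'\s>]+)""", re.I)

def base_domain(host):
    """Reduce a hostname to its base domain; None for IPs or single labels."""
    labels = host.rstrip(".").lower().split(".")
    if len(labels) < 2 or labels[-1].isdigit():
        return None
    keep = 3 if ".".join(labels[-2:]) in TWO_LEVEL_TLDS else 2
    if len(labels) < keep:
        return None
    return ".".join(labels[-keep:])

def list_queries(html):
    """Return the sorted DNS names a filter would look up for this body.

    Only <base domain>.<list zone> is queried; the hostnames in the
    message are never resolved, so the sender's nameserver sees nothing.
    """
    names = set()
    for url in HREF_RE.findall(html):
        host = urlsplit(url).hostname
        dom = base_domain(host) if host else None
        if dom:
            names.add(f"{dom}.{LIST_ZONE}")
    return sorted(names)

# Constructed sample body: a per-recipient label, a non-www host, and a
# two-level-TLD host with extra subdomain labels.
SAMPLE = (
    '<a href=http://zlnqqerff-ebg13.spammer.example/>x</a> '
    '<a href="http://notwww.spammer.example/payload.html">y</a> '
    '<a href="http://a1b2c3.shop.spammer.co.uk/">z</a>'
)

if __name__ == "__main__":
    for name in list_queries(SAMPLE):
        print(name)
```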


