[SURBL-Discuss] Re: Start an IP list to block?

Justin Mason jm at jmason.org
Fri Sep 10 00:19:49 CEST 2004


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Raymond Dijkxhoorn writes:
> >> 1) Spammers can set up multiple ip addresses to an A record.  Whatever
> >> does the reporting should check all A records, from the top down.  i.e.
> >> query each NS multiple times to make sure it's not being round-robined or
> >> reported differently from multiple DNS servers.
> >>
> >> 2) I can easily foresee spammers doing a wildcard subdomain as an effort to
> >> thwart this, if we're doing nslookups.
> 
> > they already do.  this also opens a list-washing hole, as a hidden link 
> > to <a href=http://myaddress-rot13-encoded.spammer.com/> will be 
> > resolved, indicating to the spammer that some software at the remote end 
> > is resolving all links in the message.
> 
> SURBL only takes the domain, so that's fine, it's only a little freaky for 
> your nameserver, but then again, SA does rely on DNS a lot, so that's now 
> news :)

Yeah.  I was referring to the proposal to look up IP addresses for
href hostnames directly (instead of looking up the NS'es.)

- --j.

> > If OTOH you choose not to use the exact hostname parts of hrefs to avoid
> > this, instead just resolving "www.spammer.com", they can then ensure that
> > spammer.com and www.spammer.com do not resolve to hostnames and spam using
> > links to notwww.spammer.com/payload.html instead.
> 
> Very true.
> 
> Bye,
> Raymond.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Exmh CVS

iD8DBQFBQNcEQTcbUG5Y7woRAtbTAJ9L6hI4sWLwiLA1mk2yfFdL7NE9UACggt3T
SxYg3JIBYRicQuiWhMORQMY=
=jgSy
-----END PGP SIGNATURE-----
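
An added example, not from this thread or from SURBL or SpamAssassin code: building blocklist query names from the registered domain only, as described above, so a per-recipient hostname label in an href is never sent to DNS as written. The two-level TLD set, the function names and the sample hrefs are constructed assumptions; `multi.surbl.org` is SURBL's combined zone.

```python
import re
from urllib.parse import urlsplit

SURBL_ZONE = "multi.surbl.org"
# Assumption: tiny stand-in for a full two-level-TLD (public suffix) list.
TWO_LEVEL_TLDS = {"co.uk", "com.au", "com.br"}
HREF_RE = re.compile(r"""href\s*=\s*["']?(https?://[^"'\s>]+)""", re.IGNORECASE)

# Constructed sample body; all hostnames are placeholders.
SAMPLE = """<a href=http://zlnqqerff-ebg13.spammer.example/>a</a>
<a href="http://notwww.spammer.example/payload.html">b</a>
<a href="HTTP://Shop.Example.co.uk/">c</a>
<a href="http://192.0.2.7/x">d</a>"""


def href_hosts(html):
    """Lower-cased hostnames of all http(s) hrefs in the body."""
    hosts = set()
    for url in HREF_RE.findall(html):
        host = urlsplit(url).hostname  # already lower-cased by urlsplit
        if host:
            hosts.add(host.rstrip("."))
    return hosts


def registered_domain(host):
    """Reduce a hostname to its registered domain.

    Returns None for IPv4 literals and bare names, which are not handled here.
    """
    labels = host.split(".")
    if len(labels) < 2 or all(label.isdigit() for label in labels):
        return None
    two_level = ".".join(labels[-2:]) in TWO_LEVEL_TLDS and len(labels) > 2
    return ".".join(labels[-(3 if two_level else 2):])


def surbl_queries(html):
    """DNS names that would be queried under the domain-only approach."""
    domains = {registered_domain(h) for h in href_hosts(html)}
    return sorted(f"{d}.{SURBL_ZONE}" for d in domains if d)


def hosts_not_resolved(html):
    """Full href hostnames that never reach DNS in the form the sender wrote."""
    return sorted(h for h in href_hosts(html)
                  if registered_domain(h) not in (None, h))
```
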