[SURBL-Discuss] Re: Start an IP list to block?

Jeff Chan jeffc at surbl.org
Fri Sep 10 00:27:29 CEST 2004


On Thursday, September 9, 2004, 3:19:49 PM, Justin Mason wrote:
> Raymond Dijkxhoorn writes:
>> >> 1) Spammers can set up multiple ip addresses to an A record.  Whatever
>> >> does the reporting should check all A records, from the top down.  i.e.
>> >> query each NS multiple times to make sure it's not being round-robined or
>> >> reported differently from multiple DNS servers.
>> >>
>> >> 2) I can easily foresee spammers doing a wildcard subdomain as an effort to
>> >> thwart this, if we're doing nslookups.
>> 
>> > they already do.  this also opens a list-washing hole, as a hidden link 
>> > to <a href=http://myaddress-rot13-encoded.spammer.com/> will be 
>> > resolved, indicating to the spammer that some software at the remote end 
>> > is resolving all links in the message.
>> 
>> SURBL only takes the domain, so that's fine, it's only a little freaky for 
>> your nameserver, but then again, SA does rely on DNS a lot, so that's now 
>> news :)

> Yeah.  I was referring to the proposal to look up IP addresses for
> href hostnames directly (instead of looking up the NS'es.)

Yep.  Resolving domain names found in spam URIs is slow
(especially if timeouts are hit, which can take like what,
20 seconds per domain) and it opens the door to confirming for
the spammers which recipient addresses got through.  It's a
good way for spammers to build a confirmed recipient list.

That's another reason we don't do it with SURBLs.

Jeff C.
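
The domain-only lookup discussed in this thread, as an added example that is not part of the original message or of SURBL's or SpamAssassin's code: it reduces each href hostname to its registered domain and builds the blocklist query name, so a per-recipient subdomain label is never resolved or sent anywhere. The zone name `multi.surbl.org`, the small two-level suffix set, and the function names are assumptions made for the illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: a tiny constructed sample of two-level suffixes; a real
# deployment would use a full two-level-TLD or public-suffix list.
TWO_LEVEL_SUFFIXES = {"co.uk", "com.au", "com.br"}
# Assumption: zone name of the combined SURBL list; not given in the thread.
SURBL_ZONE = "multi.surbl.org"

HREF_RE = re.compile(r"""href\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def registered_domain(host):
    """Reduce a hostname to its registered domain, dropping every
    sender-chosen subdomain label (where a recipient tag would hide)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def blocklist_queries(body):
    """Return the sorted set of blocklist query names for the URIs in body.
    Nothing is resolved here, and the names go to the list's zone only."""
    names = set()
    for uri in HREF_RE.findall(body):
        host = urlsplit(uri).hostname
        if not host or IPV4_RE.match(host):
            continue  # numeric hosts need separate handling; skipped here
        domain = registered_domain(host)
        if domain:
            names.add(f"{domain}.{SURBL_ZONE}")
    return sorted(names)


# Constructed sample message body (not taken from real mail).
SAMPLE = """
<a href=http://myaddress-rot13-encoded.spammer.example/>.</a>
<a href="http://wbr-hfre.shop.spammer.example/buy">offer</a>
<a href='https://www.pills.example.co.uk/x'>pills</a>
"""

if __name__ == "__main__":
    for name in blocklist_queries(SAMPLE):
        print(name)
```

Two differently tagged hostnames under the same domain collapse to one query name, which also keeps the lookup count per message small.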


