3rd level domains Re: [SURBL-Discuss] Re: Spam Honeypot identification through SURBL

Jeff Chan jeffc at surbl.org
Tue Mar 15 06:22:35 CET 2005


On Monday, March 14, 2005, 8:00:58 PM, George Georgalis wrote:
> but today, a spam came through with a low score, it had a domain in the
> form something.com.au but might as well have been notrandom.co.uk or
> similar.

> In these cases it would seem reasonable to check the 3rd level name in
> surbl.

> I don't know exactly how SA (which is what I use) modules send the query
> but it occurs to me that if "co.uk" is sent to surbl, the response
> might should be a code ip for "give me another level" which would be
> cached locally and a subsequent "site.co.uk" surbl query sent, which
> would be evaluated like 2nd level domains normally are.

> Is this something that could or has been worked in?

> // George

Yep, we thought of that.  :-)

  http://www.surbl.org/faq.html#cctlds
  http://www.surbl.org/implementation.html

Cctld domains are processed at either 2 or 3 levels depending on
whether registrars for that country allow second or third level
registrations or some combination of those levels.  The easiest
way to do this seemed to be a table lookup, so applications using
SURBLs and the SURBL data engine have a list of reserved second
level cctlds that will get checked at the third level:

  http://spamcheck.freeapp.net/two-level-tlds

Since the two level cctld list has "co.uk", it means that any
domain ending in .co.uk is checked at the third level foo.co.uk.
But any second level cctld that's not in the list will be checked
at the second level.  IIRC .uk doesn't allow direct registrations
under their top level, but if they did, this table lookup would
still work as long as that second level wasn't listed.  So if
they changed their policy and allowed foo.uk, foo.uk would
still get checked and could be listed.  Therefore this also
works with countries that do allow second level registrations
like .fr .  "com.fr" is in the list but "somedomain.fr" isn't,
so otherdomain.com.fr and somedomain.fr would both get checked
and either or both could be blacklisted.

It's possible that we should have a more generalized way to
handle cctlds, but so far spammers have not seemed to use
geographic domains very often, other than .us.

Jeff C.
--
"If it appears in hams, then don't list it."

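The table lookup described in the message above, as an added example that is not part of the original post and is not SURBL's or SpamAssassin's own code. The table here is a small constructed subset of a two-level list, and the function names `surbl_check_domain` and `domains_to_check` are hypothetical.

```python
# Constructed subset of a reserved two-level ccTLD table (not the real list).
TWO_LEVEL_TLDS = {"co.uk", "com.au", "com.fr"}


def surbl_check_domain(hostname, two_level=TWO_LEVEL_TLDS):
    """Reduce a URI hostname to the domain that would be looked up.

    If the last two labels are in the reserved table, the check happens
    at the third level; otherwise it happens at the second level.
    Returns None when there is no registrable name to check.
    """
    labels = [p for p in hostname.strip().lower().rstrip(".").split(".") if p]
    if len(labels) < 2:
        return None  # empty string or a bare TLD
    last_two = ".".join(labels[-2:])
    if last_two in two_level:
        if len(labels) < 3:
            return None  # "co.uk" alone is a reserved suffix, not a registration
        return ".".join(labels[-3:])
    return last_two


def domains_to_check(hostnames, two_level=TWO_LEVEL_TLDS):
    """Map hostnames from a message to unique lookup domains, in first-seen order."""
    seen, out = set(), []
    for host in hostnames:
        domain = surbl_check_domain(host, two_level)
        if domain is not None and domain not in seen:
            seen.add(domain)
            out.append(domain)
    return out


if __name__ == "__main__":
    # Constructed hostnames mirroring the cases discussed in the message.
    sample = ["www.foo.co.uk", "somedomain.fr", "shop.otherdomain.com.fr",
              "foo.uk", "co.uk", "mail.foo.co.uk"]
    for d in domains_to_check(sample):
        print(d)
```

No DNS query is needed to decide the level: the table is consulted locally, and a name that is not in the table (such as `foo.uk`) is simply checked at the second level.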

