Posted to users@spamassassin.apache.org by ram <ra...@netcore.co.in> on 2007/09/05 08:33:52 UTC

Is there a test on blacklisted nameservers

I am using SA 3.2.3 and very few spam get through.
But I can still see some spam with urls because the urls are not yet
listed in uribls.

I tried to do some analysis on my quarantine, and I found at least some
spammer domains have the same NS records.

Now in my spamassassin can I do a DNS check (on all domains in body-urls
or mail-from, reply-to etc) to find their NS records and score them on
bad NS servers?
What is the risk of FPs because innocent DNS providers may see
themselves getting listed?


Thanks
Ram






Re: Is there a test on blacklisted nameservers

Posted by mouss <mo...@netoyen.net>.
ram wrote:
> On Wed, 2007-09-05 at 10:50 +0200, mouss wrote:
>   
>
> But if his DNS points to your server and you don't host DNS for him, his
> domain will not get resolved. I could easily check for such domains
> then.
>   

Well, they can also hack a machine and use its real hostname. Note that 
an owned machine is not necessarily under the administrative control of 
the DNS manager.

Re: Is there a test on blacklisted nameservers

Posted by ram <ra...@netcore.co.in>.
On Wed, 2007-09-05 at 10:50 +0200, mouss wrote:
> ram wrote:
> > I am using SA 3.2.3 and very few spam get through.
> > But I can still see some spam with urls because the urls are not yet
> > listed in uribls.
> >
> > I tried to do some analysis on my quarantine, and I found at least some
> > spammer domains have the same NS records.
> >
> > Now in my spamassassin can I do a DNS check (on all domains in body-urls
> > or mail-from, reply-to etc) to find their NS records and score them on
> > bad NS servers?
> > What is the risk of FPs because innocent DNS providers may see
> > themselves getting listed?
> >
> 
> 
> Better show an example so that we can see.
> If the NS belongs to a spam organization, then it's ok. Otherwise, just 
> because a spammer configures his dns to point to my domain doesn't mean 
> you can block me!
> 



But if his DNS points to your server and you don't host DNS for him, his
domain will not get resolved. I could easily check for such domains
then.





Re: Is there a test on blacklisted nameservers

Posted by Steve Freegard <st...@fsl.com>.
Hi,

Yet Another Ninja wrote:
> On 9/5/2007 5:27 PM, Marc Perkel wrote:
>>
>>
>> mouss wrote:
>>> ram wrote:
>>>> I am using SA 3.2.3 and very few spam get through.
>>>> But I can still see some spam with urls because the urls are not 
>>>> yet
>>>> listed in uribls.
>>>> I tried to do some analysis on my quarantine, and I found at least some
>>>> spammer domains have the same NS records.
>>>> Now in my spamassassin can I do a DNS check (on all domains in 
>>>> body-urls
>>>> or mail-from, reply-to etc) to find their NS records and score them on
>>>> bad NS servers? What is the risk of FPs because innocent DNS 
>>>> providers may see
>>>> themselves getting listed?
>>>
>>>
>>> Better show an example so that we can see.
>>> If the NS belongs to a spam organization, then it's ok. Otherwise, 
>>> just because a spammer configures his dns to point to my domain 
>>> doesn't mean you can block me!
>>>
>>>
>>
>> I have to say that the idea of having a blacklist of name servers used 
>> by spammers is interesting. Something to investigate.
>>
> One, and it's a good one, is already in use :-)
> 
> uridnsbl        URIBL_SBL       sbl.spamhaus.org.       TXT
> 

Yes - true, but the SBL lists the IP of the nameservers.

I think Ram has seen the same thing as me in the past. I've had stuff 
that has slipped past the URIBL_* tests, and upon investigation of the 
FNs, the *domain name* of the nameservers for the referenced domain is 
already listed in either SURBL or URIBL. So if the URIBL_* tests were 
expanded to look up the nameservers' hostnames, strip off the domains 
and test those against the URIBL_* lists, then it might yield some good 
results.

Cheers,
Steve.
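
The lookup Steve proposes above (resolve the NS records of each URI domain, reduce the nameserver hostnames to their domains, and test those against a URI blocklist), written out as an added example that is not part of the original thread or of SpamAssassin. The NS data, the listed set, the short suffix table and all function names are constructed for illustration; the resolver and the list lookup are passed in as functions so the code runs offline.

```python
import re
from urllib.parse import urlsplit

# Constructed sample data (not real listings): NS records per domain and a
# stand-in for the domains a SURBL/URIBL-style list would report as listed.
SAMPLE_NS = {
    "new-pills.example": ["ns1.bad-dns.example.", "ns2.bad-dns.example."],
    "example.co.uk": ["ns1.hoster.example.net."],
}
SAMPLE_LISTED = {"bad-dns.example"}

# Simplification: a production check would use the full Public Suffix List.
TWO_LABEL_SUFFIXES = {"co.uk", "co.in", "com.au"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def registered_domain(host):
    """Reduce a hostname to the domain a URI blocklist would be keyed on."""
    labels = host.rstrip(".").lower().split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def uri_domains(body):
    """Registered domains of every http(s) URL found in a message body."""
    hosts = (urlsplit(u).hostname for u in URL_RE.findall(body))
    return sorted({registered_domain(h) for h in hosts if h})


def ns_domain_hits(body, lookup_ns, is_listed):
    """Map each URI domain to the listed domains of its nameservers.
    lookup_ns(domain) -> NS hostnames; is_listed(domain) -> bool."""
    hits = {}
    for dom in uri_domains(body):
        ns_doms = {registered_domain(ns) for ns in lookup_ns(dom)}
        listed = sorted(d for d in ns_doms if is_listed(d))
        if listed:
            hits[dom] = listed
    return hits


def demo():
    body = ("Cheap meds at http://www.new-pills.example/buy now!\n"
            "Unsubscribe: https://mail.shop.example.co.uk/u?id=1\n")
    return ns_domain_hits(body, lambda d: SAMPLE_NS.get(d, []),
                          SAMPLE_LISTED.__contains__)
```

A hit on a nameserver domain that unrelated customers also use is the false-positive case raised earlier in the thread, so a result like this is better fed into a score than used as an outright block.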

Re: Is there a test on blacklisted nameservers

Posted by Yet Another Ninja <sa...@alexb.ch>.
On 9/5/2007 5:27 PM, Marc Perkel wrote:
> 
> 
> mouss wrote:
>> ram wrote:
>>> I am using SA 3.2.3 and very few spam get through.
>>> But I can still see some spam with urls because the urls are not yet
>>> listed in uribls.
>>> I tried to do some analysis on my quarantine, and I found at least some
>>> spammer domains have the same NS records.
>>> Now in my spamassassin can I do a DNS check (on all domains in body-urls
>>> or mail-from, reply-to etc) to find their NS records and score them on
>>> bad NS servers? What is the risk of FPs because innocent DNS 
>>> providers may see
>>> themselves getting listed?
>>
>>
>> Better show an example so that we can see.
>> If the NS belongs to a spam organization, then it's ok. Otherwise, 
>> just because a spammer configures his dns to point to my domain 
>> doesn't mean you can block me!
>>
>>
> 
> I have to say that the idea of having a blacklist of name servers used 
> by spammers is interesting. Something to investigate.
> 
One, and it's a good one, is already in use :-)

uridnsbl        URIBL_SBL       sbl.spamhaus.org.       TXT




Re: Is there a test on blacklisted nameservers

Posted by Marc Perkel <ma...@perkel.com>.

mouss wrote:
> ram wrote:
>> I am using SA 3.2.3 and very few spam get through.
>> But I can still see some spam with urls because the urls are not yet
>> listed in uribls.
>> I tried to do some analysis on my quarantine, and I found at least some
>> spammer domains have the same NS records.
>> Now in my spamassassin can I do a DNS check (on all domains in body-urls
>> or mail-from, reply-to etc) to find their NS records and score them on
>> bad NS servers? What is the risk of FPs because innocent DNS 
>> providers may see
>> themselves getting listed?
>
>
> Better show an example so that we can see.
> If the NS belongs to a spam organization, then it's ok. Otherwise, 
> just because a spammer configures his dns to point to my domain 
> doesn't mean you can block me!
>
>

I have to say that the idea of having a blacklist of name servers used 
by spammers is interesting. Something to investigate.


Re: Is there a test on blacklisted nameservers

Posted by mouss <mo...@netoyen.net>.
ram wrote:
> I am using SA 3.2.3 and very few spam get through.
> But I can still see some spam with urls because the urls are not yet
> listed in uribls.
>
> I tried to do some analysis on my quarantine, and I found at least some
> spammer domains have the same NS records.
>
> Now in my spamassassin can I do a DNS check (on all domains in body-urls
> or mail-from, reply-to etc) to find their NS records and score them on
> bad NS servers?
> What is the risk of FPs because innocent DNS providers may see
> themselves getting listed?
>   


Better show an example so that we can see.
If the NS belongs to a spam organization, then it's ok. Otherwise, just 
because a spammer configures his dns to point to my domain doesn't mean 
you can block me!