Posted to users@spamassassin.apache.org by ram <ra...@netcore.co.in> on 2007/09/05 08:33:52 UTC
Is there a test on blacklisted nameservers
I am using SA 3.2.3 and very few spam get thru
But I can still see some spam with urls because the urls are not yet
listed in uribls
I tried to do some analysis on my quarantine, I found at least some
spammer domains have the same NS records.
Now in my spamassassin can I do a DNS check (on all domains in body-urls
or mail-from, reply-to etc) to find their NS records and score them on
bad NS servers.
What is the risk of FP's because innocent DNS providers may see
themselves getting listed
Thanks
Ram
Re: Is there a test on blacklisted nameservers
Posted by mouss <mo...@netoyen.net>.
ram wrote:
> On Wed, 2007-09-05 at 10:50 +0200, mouss wrote:
>
>
> But if his DNS points to your server and you don't host DNS for him, his
> domain will not get resolved. I could easily check for such domains
> then.
>
well. they can also hack a machine and use its real hostname. Note that
an owned machine is not necessarily under administrative control of the DNS
manager.
Re: Is there a test on blacklisted nameservers
Posted by ram <ra...@netcore.co.in>.
On Wed, 2007-09-05 at 10:50 +0200, mouss wrote:
> ram wrote:
> > I am using SA 3.2.3 and very few spam get thru
> > But I can still see some spam with urls because the urls are not yet
> > listed in uribls
> >
> > I tried to do some analysis on my quarantine, I found at least some
> > spammer domains have the same NS records.
> >
> > Now in my spamassassin can I do a DNS check (on all domains in body-urls
> > or mail-from, reply-to etc) to find their NS records and score them on
> > bad NS servers.
> > What is the risk of FP's because innocent DNS providers may see
> > themselves getting listed
> >
>
>
> better show an example so that we can see.
> if the NS belongs to a spam organization, then it's ok. otherwise, just
> because a spammer configures his dns to point to my domain doesn't mean
> you can block me!
>
But if his DNS points to your server and you don't host DNS for him, his
domain will not get resolved. I could easily check for such domains
then.
Re: Is there a test on blacklisted nameservers
Posted by Steve Freegard <st...@fsl.com>.
Hi,
Yet Another Ninja wrote:
> On 9/5/2007 5:27 PM, Marc Perkel wrote:
>>
>>
>> mouss wrote:
>>> ram wrote:
>>>> I am using SA 3.2.3 and very few spam get thru
>>>> But I can still see some spam with urls because the urls are not
>>>> yet
>>>> listed in uribls
>>>> I tried to do some analysis on my quarantine, I found at least some
>>>> spammer domains have the same NS records.
>>>> Now in my spamassassin can I do a DNS check (on all domains in
>>>> body-urls
>>>> or mail-from, reply-to etc) to find their NS records and score them on
>>>> bad NS servers. What is the risk of FP's because innocent DNS
>>>> providers may see
>>>> themselves getting listed
>>>
>>>
>>> better show an example so that we can see.
>>> if the NS belongs to a spam organization, then it's ok. otherwise,
>>> just because a spammer configures his dns to point to my domain
>>> doesn't mean you can block me!
>>>
>>>
>>
>> I have to say that the idea of having a blacklist of name servers used
>> by spammers is interesting. Something to investigate.
>>
> one, and it's a good one, is already in use :-)
>
> uridnsbl URIBL_SBL sbl.spamhaus.org. TXT
>
Yes - true, but the SBL lists the IP of the nameservers.
I think Ram has seen the same thing as me in the past, I've had stuff
that has slipped past the URIBL_* tests and upon investigation of the
FNs - the *domain name* of the nameservers for the referenced domain is
already listed in either SURBL or URIBL, so therefore if the URIBL_*
tests were expanded to look up the nameservers' hostnames, strip off the
domains and test those against the URIBL_* lists, then it might yield
some good results.
Cheers,
Steve.
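
An added example, not part of the original thread and not SpamAssassin code, of the check described in the message above: take the NS hostnames of a URI's domain, strip them to their domains, and test those against a domain blocklist. The function names, the `.test` domains, the NS table, the blocklist contents and the short suffix set are all constructed for illustration.

```python
# Added illustration; all names and data are constructed, no DNS traffic is sent.
SAMPLE_NS = {  # constructed stand-in for NS lookups: URI domain -> NS hostnames
    "fresh-example.test": ["ns1.badhost-example.test.", "NS2.badhost-example.test"],
    "shop-example.test": ["ns1.dnsprovider-example.test"],
    "selfhosted-example.test": ["ns1.selfhosted-example.test"],
}
SAMPLE_LISTED = {"badhost-example.test"}  # constructed stand-in for a domain blocklist
# Tiny illustrative subset; a real deployment needs a full public-suffix list.
TWO_LEVEL_SUFFIXES = {"co.uk", "co.in", "com.au"}

def registered_domain(hostname):
    """Strip a hostname down to the domain that a domain blocklist would list."""
    labels = hostname.rstrip(".").lower().split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES else 2
    return ".".join(labels[-keep:])

def rhsbl_query_name(domain, zone):
    """Name to query for a domain-based (RHSBL-style) list: <domain>.<zone>."""
    return f"{domain}.{zone.strip('.')}"

def check_uri_host(uri_host, ns_lookup, is_listed):
    """Test the URI's domain and, separately, the domains of its nameservers."""
    domain = registered_domain(uri_host)
    ns_hits = []
    for ns_host in ns_lookup(domain):
        ns_domain = registered_domain(ns_host)
        # An in-domain nameserver adds nothing beyond the direct lookup.
        if ns_domain != domain and ns_domain not in ns_hits and is_listed(ns_domain):
            ns_hits.append(ns_domain)
    return {"domain": domain, "direct_hit": is_listed(domain), "ns_hits": ns_hits}

def demo(uri_host):
    """Run the check against the constructed tables above."""
    return check_uri_host(uri_host,
                          lambda d: SAMPLE_NS.get(d, []),
                          lambda d: d in SAMPLE_LISTED)

if __name__ == "__main__":
    for host in ("www.fresh-example.test", "shop-example.test"):
        print(host, demo(host))
```

A hit here requires the nameserver's own domain to be on the list already, so an unlisted DNS provider that spammers happen to use produces no hit.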
Re: Is there a test on blacklisted nameservers
Posted by Yet Another Ninja <sa...@alexb.ch>.
On 9/5/2007 5:27 PM, Marc Perkel wrote:
>
>
> mouss wrote:
>> ram wrote:
>>> I am using SA 3.2.3 and very few spam get thru
>>> But I can still see some spam with urls because the urls are not yet
>>> listed in uribls
>>> I tried to do some analysis on my quarantine, I found at least some
>>> spammer domains have the same NS records.
>>> Now in my spamassassin can I do a DNS check (on all domains in body-urls
>>> or mail-from, reply-to etc) to find their NS records and score them on
>>> bad NS servers. What is the risk of FP's because innocent DNS
>>> providers may see
>>> themselves getting listed
>>
>>
>> better show an example so that we can see.
>> if the NS belongs to a spam organization, then it's ok. otherwise,
>> just because a spammer configures his dns to point to my domain
>> doesn't mean you can block me!
>>
>>
>
> I have to say that the idea of having a blacklist of name servers used
> by spammers is interesting. Something to investigate.
>
one, and it's a good one, is already in use :-)
uridnsbl URIBL_SBL sbl.spamhaus.org. TXT
Re: Is there a test on blacklisted nameservers
Posted by Marc Perkel <ma...@perkel.com>.
mouss wrote:
> ram wrote:
>> I am using SA 3.2.3 and very few spam get thru
>> But I can still see some spam with urls because the urls are not yet
>> listed in uribls
>> I tried to do some analysis on my quarantine, I found at least some
>> spammer domains have the same NS records.
>> Now in my spamassassin can I do a DNS check (on all domains in body-urls
>> or mail-from, reply-to etc) to find their NS records and score them on
>> bad NS servers. What is the risk of FP's because innocent DNS
>> providers may see
>> themselves getting listed
>
>
> better show an example so that we can see.
> if the NS belongs to a spam organization, then it's ok. otherwise,
> just because a spammer configures his dns to point to my domain
> doesn't mean you can block me!
>
>
I have to say that the idea of having a blacklist of name servers used
by spammers is interesting. Something to investigate.
Re: Is there a test on blacklisted nameservers
Posted by mouss <mo...@netoyen.net>.
ram wrote:
> I am using SA 3.2.3 and very few spam get thru
> But I can still see some spam with urls because the urls are not yet
> listed in uribls
>
> I tried to do some analysis on my quarantine, I found at least some
> spammer domains have the same NS records.
>
> Now in my spamassassin can I do a DNS check (on all domains in body-urls
> or mail-from, reply-to etc) to find their NS records and score them on
> bad NS servers.
> What is the risk of FP's because innocent DNS providers may see
> themselves getting listed
>
better show an example so that we can see.
if the NS belongs to a spam organization, then it's ok. otherwise, just
because a spammer configures his dns to point to my domain doesn't mean
you can block me!