Posted to users@spamassassin.apache.org by Marc Perkel <ma...@perkel.com> on 2008/07/02 18:05:41 UTC

Detecting the Registrar of the sending host?

Is there an easy way to detect the registrar of a domain through DNS? 
For example - can I easily figure out if an email I'm processing is 
hosted by GoDaddy or Tucows?

Here's what I'm thinking. I think there's some expensive and highly 
secure registrars out there who are the registrar of expensive domains 
and probably have no spam domains at all. This could be used to create 
white rules.

Can this be done?




Re: Detecting the Registrar of the sending host?

Posted by Ken A <ka...@pacific.net>.
Marc Perkel wrote:
> 
> 
> Yet Another Ninja wrote:
>> On 7/2/2008 6:05 PM, Marc Perkel wrote:
>>> Is there an easy way to detect the registrar of a domain through DNS? 
>>> For example - can I easily figure out if an email I'm processing is 
>>> hosted by GoDaddy or Tucows?
>>>
>>> Here's what I'm thinking. I think there's some expensive and highly 
>>> secure registrars out there who are the registrar of expensive 
>>> domains and probably have no spam domains at all. This could be used 
>>> to create white rules.
>>>
>>> Can this be done?
>>
>> you sure there are major registrars you can whitelist?
>>
>> http://rss.uribl.com/nic/
>>
>> Even EUrid is happily supporting pillz spammers on .eu
>>
>>
> 
> Not major registrars, minor ones. There's one called markmonitor.com 
> that seems to have clients like banks and major corporations. My guess 
> is that this is an extremely expensive registrar where security means 
> everything and no one is going to accidentally mess with anything. The 
> idea here is that if the registrar is this expensive and restrictive 
> then only the good guys will be using them. At least that was what I 
> would test if there were a way to test it. Apparently there is not.
> 

Not reliably & securely. Parsing whois data is messy, there's no 
standard format, clients are blocked frequently, and data can be quite 
stale (dns servers ips are often old). The best you can do is a static 
list that is part of an SA rule to add a point or so if you are also 
happy with the dns....if you really think it's worth it. DKIM does a 
better job with most of these domains anyway, imo.

fwiw, markmonitor 'monitors' 'marks' - they are in the intellectual 
property protection business. Too bad ICANN wasn't using them.
http://www.icann.org/en/announcements/announcement-03jul08-en.htm
ooops!

Ken

-- 
Ken Anderson
Pacific.Net
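Ken's point that whois output has no common format is easy to see in code. What follows is an added example, not code from this thread or from SpamAssassin: it pulls the registrar field out of a few constructed whois responses written in the differing layouts registries actually use (a plain "Registrar:" line, the "Registrar Name:" form quoted later in this thread for gmail.com, the "Sponsoring Registrar:" form with a trailing registry ID, and a no-match reply), normalises the value, and applies the static-list "add a point or so" scoring he describes. The sample responses, the domain names other than gmail.com, the trusted-registrar list and the -1.0 score are assumptions for the example.

```python
import re
from typing import Callable, Optional

# Constructed sample whois responses (not captured from any whois server).
# Each one labels the registrar differently, in different case and
# punctuation, and the last one carries no registrar line at all.
SAMPLE_WHOIS = {
    "bigbank.example": (
        "   Domain Name: BIGBANK.EXAMPLE\n"
        "   Registrar: MARKMONITOR INC.\n"
        "   Whois Server: whois.markmonitor.com\n"
    ),
    "gmail.com": (
        "Domain Name: gmail.com\n"
        "\n"
        "         Registrar Name: Markmonitor.com\n"
        "         Registrar Whois: whois.markmonitor.com\n"
    ),
    "shop.example": (
        "Domain ID:D12345-EXAMPLE\n"
        "Sponsoring Registrar:eNom, Inc. (R39-EXAMPLE)\n"
        "Status:clientTransferProhibited\n"
    ),
    "nowhere.example": 'No match for "NOWHERE.EXAMPLE".\n',
}

# Matches "Registrar:", "Registrar Name:" and "Sponsoring Registrar:" but
# deliberately not "Registrar Whois:" or "Registrar URL:".
REGISTRAR_LINE = re.compile(
    r"^\s*(?:sponsoring\s+)?registrar(?:\s+name)?\s*:\s*(?P<value>.+?)\s*$",
    re.IGNORECASE | re.MULTILINE,
)

# Corporate suffixes and TLD fragments that vary between registries.
NOISE_TOKENS = {"inc", "llc", "ltd", "corp", "corporation", "com"}

# Static allowlist maintained by the operator; the entry is an assumption
# for the example, not a recommendation.
TRUSTED_REGISTRARS = {"markmonitor"}
TRUSTED_SCORE = -1.0


def normalize_registrar(raw: str) -> str:
    """Reduce 'MARKMONITOR INC.', 'Markmonitor.com' and similar to one key."""
    raw = re.sub(r"\(.*?\)", "", raw)            # drop registry IDs like "(R39-EXAMPLE)"
    tokens = re.split(r"[\s.,]+", raw.lower())   # split on whitespace and punctuation
    return " ".join(t for t in tokens if t and t not in NOISE_TOKENS)


def extract_registrar(whois_text: str) -> Optional[str]:
    """Return the normalised registrar name, or None if no field was found."""
    match = REGISTRAR_LINE.search(whois_text)
    if match is None:
        return None
    return normalize_registrar(match.group("value"))


def registrar_score(domain: str, lookup: Callable[[str], Optional[str]]) -> float:
    """Score adjustment for a domain. `lookup` returns whois text or None.

    Per-message whois queries get clients blocked (see the thread), so in
    practice `lookup` should read a cached or static table, not the network.
    A failed or unparsable lookup stays neutral rather than guessing.
    """
    text = lookup(domain)
    if text is None:
        return 0.0
    registrar = extract_registrar(text)
    if registrar is None:
        return 0.0
    return TRUSTED_SCORE if registrar in TRUSTED_REGISTRARS else 0.0


if __name__ == "__main__":
    for name in SAMPLE_WHOIS:
        print(f"{name:<18} registrar={extract_registrar(SAMPLE_WHOIS[name])!r:<16} "
              f"score={registrar_score(name, SAMPLE_WHOIS.get):+.1f}")
```

The regex is anchored on the label so that "Registrar Whois:" and "Registrar URL:" lines, which appear in the same responses, are never mistaken for the registrar name; any format the pattern does not recognise yields no score rather than a wrong one.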


Re: Detecting the Registrar of the sending host?

Posted by Marc Perkel <ma...@perkel.com>.

Yet Another Ninja wrote:
> On 7/2/2008 6:05 PM, Marc Perkel wrote:
>> Is there an easy way to detect the registrar of a domain through DNS? 
>> For example - can I easily figure out if an email I'm processing is 
>> hosted by GoDaddy or Tucows?
>>
>> Here's what I'm thinking. I think there's some expensive and highly 
>> secure registrars out there who are the registrar of expensive 
>> domains and probably have no spam domains at all. This could be used 
>> to create white rules.
>>
>> Can this be done?
>
> you sure there are major registrars you can whitelist?
>
> http://rss.uribl.com/nic/
>
> Even EUrid is happily supporting pillz spammers on .eu
>
>

Not major registrars, minor ones. There's one called markmonitor.com 
that seems to have clients like banks and major corporations. My guess 
is that this is an extremely expensive registrar where security means 
everything and no one is going to accidentally mess with anything. The 
idea here is that if the registrar is this expensive and restrictive 
then only the good guys will be using them. At least that was what I 
would test if there were a way to test it. Apparently there is not.


Re: Detecting the Registrar of the sending host?

Posted by "Michele Neylon :: Blacknight" <mi...@blacknight.ie>.
On 2 Jul 2008, at 17:30, Yet Another Ninja wrote:
>
>
> Even EUrid is happily supporting pillz spammers on .eu

Eurid is a registry NOT a registrar


Mr Michele Neylon
Blacknight Solutions
Hosting & Colocation, Brand Protection
http://www.blacknight.com/
http://blog.blacknight.com/
Intl. +353 (0) 59  9183072
US: 213-233-1612
UK: 0844 484 9361
Locall: 1850 929 929
Direct Dial: +353 (0)59 9183090
Fax. +353 (0) 1 4811 763
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business  
Park,Sleaty
Road,Graiguecullen,Carlow,Ireland  Company No.: 370845


Re: Detecting the Registrar of the sending host?

Posted by Yet Another Ninja <sa...@alexb.ch>.
On 7/2/2008 6:05 PM, Marc Perkel wrote:
> Is there an easy way to detect the registrar of a domain through DNS? 
> For example - can I easily figure out if an email I'm processing is 
> hosted by GoDaddy or Tucows?
> 
> Here's what I'm thinking. I think there's some expensive and highly 
> secure registrars out there who are the registrar of expensive domains 
> and probably have no spam domains at all. This could be used to create 
> white rules.
> 
> Can this be done?

you sure there are major registrars you can whitelist?

http://rss.uribl.com/nic/

Even EUrid is happily supporting pillz spammers on .eu


Re: Detecting the Registrar of the sending host?

Posted by John Hardin <jh...@impsec.org>.
On Wed, 2 Jul 2008, Marc Perkel wrote:

> John Hardin wrote:
>>  On Wed, 2 Jul 2008, Marc Perkel wrote:
>> 
>> >  Is there an easy way to detect the registrar of a domain through DNS? 
>> >  For example - can I easily figure out if an email I'm processing is 
>> >  hosted by GoDaddy or Tucows?
>>
>>  Registrar != hosted by.
>> 
>> >  Here's what I'm thinking. I think there's some expensive and highly 
>> >  secure registrars out there who are the registrar of expensive domains 
>> >  and probably have no spam domains at all. This could be used to create 
>> >  white rules.
>> > 
>> >  Can this be done?
>>
>>  This has been discussed before, at least from the POV of identifying *bad*
>>  domains, and it sounds like a fairly good idea if someone is willing and
>>  able to get a realtime ICANN feed of domain/registrar data and create a
>>  URIBL from it.
>
> Actually I'm not looking for spam friendly registrars. I'm looking for 
> registrars that banks use that are really expensive and spammers never use. 
> This is for white listing - not black listing.

The URIBL-based-on-registrar solution doesn't change, just (1) which 
registrars you choose to use to populate your URIBL, and (2) the score is 
negative rather than positive.

The data can be useful in either direction - reputation works both ways.

> For example, I noticed that Wells Fargo Bank and Bank of America both 
> use a registrar called markmonitor.com. I'm guessing that this is a 
> highly secure and expensive registrar that only banks and really big 
> customers use. So if the FCrDNS of the sending host resolves to a domain 
> that is registered with markmonitor.com then it's not spam. (Less of 
> course ISPs and Freemail providers)

Does SA support checking the FCrDNS domain of the sending host against a 
URIBL?

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Men by their constitutions are naturally divided in to two parties:
   1. Those who fear and distrust the people and wish to draw all
   powers from them into the hands of the higher classes. 2. Those who
   identify themselves with the people, have confidence in them,
   cherish and consider them as the most honest and safe, although not
   the most wise, depository of the public interests.
 					          -- Thomas Jefferson
-----------------------------------------------------------------------
  2 days until the 232nd anniversary of the Declaration of Independence

Re: Detecting the Registrar of the sending host?

Posted by Marc Perkel <ma...@perkel.com>.

John Hardin wrote:
> On Wed, 2 Jul 2008, Marc Perkel wrote:
>
>> Is there an easy way to detect the registrar of a domain through DNS? 
>> For example - can I easily figure out if an email I'm processing is 
>> hosted by GoDaddy or Tucows?
>
> Registrar != hosted by.
>
>> Here's what I'm thinking. I think there's some expensive and highly 
>> secure registrars out there who are the registrar of expensive 
>> domains and probably have no spam domains at all. This could be used 
>> to create white rules.
>>
>> Can this be done?
>
> This has been discussed before, at least from the POV of identifying 
> *bad* domains, and it sounds like a fairly good idea if someone is 
> willing and able to get a realtime ICANN feed of domain/registrar data 
> and create a URIBL from it.
>
> There's also the problem of determining which registrars are "spam 
> friendly". Here might be a good start:
>
>    http://www.knujon.com/registrars/
>
> I wrote a plugin that does this check against whois, but that's likely 
> to be considered abusive. Look under here:
>
>    http://www.impsec.org/~jhardin/antispam/
>
> I'm not currently maintaining it, and the "evil registrar" list is 
> stale and certainly not comprehensive.
>

Actually I'm not looking for spam friendly registrars. I'm looking for 
registrars that banks use that are really expensive and spammers never 
use. This is for white listing - not black listing.

For example, I noticed that Wells Fargo Bank and Bank of America both 
use a registrar called markmonitor.com. I'm guessing that this is a 
highly secure and expensive registrar that only banks and really big 
customers use. So if the FCrDNS of the sending host resolves to a domain 
that is registered with markmonitor.com then it's not spam. (Less of 
course ISPs and Freemail providers)


Re: Detecting the Registrar of the sending host?

Posted by John Hardin <jh...@impsec.org>.
On Wed, 2 Jul 2008, Marc Perkel wrote:

> Is there an easy way to detect the registrar of a domain through DNS? For 
> example - can I easily figure out if an email I'm processing is hosted by 
> GoDaddy or Tucows?

Registrar != hosted by.

> Here's what I'm thinking. I think there's some expensive and highly secure 
> registrars out there who are the registrar of expensive domains and probably 
> have no spam domains at all. This could be used to create white rules.
>
> Can this be done?

This has been discussed before, at least from the POV of identifying *bad* 
domains, and it sounds like a fairly good idea if someone is willing and 
able to get a realtime ICANN feed of domain/registrar data and create a 
URIBL from it.

There's also the problem of determining which registrars are "spam 
friendly". Here might be a good start:

    http://www.knujon.com/registrars/

I wrote a plugin that does this check against whois, but that's likely to 
be considered abusive. Look under here:

    http://www.impsec.org/~jhardin/antispam/

I'm not currently maintaining it, and the "evil registrar" list is stale 
and certainly not comprehensive.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Taking my gun away because I *might* shoot someone is like cutting
   my tongue out because I *might* yell "Fire!" in a crowded theater.
                                                   -- Peter Venetoklis
-----------------------------------------------------------------------
  2 days until the 232nd anniversary of the Declaration of Independence

Re: Detecting the Registrar of the sending host?

Posted by John Hardin <jh...@impsec.org>.
On Wed, 2 Jul 2008, Martin Gregorie wrote:

> OK, but it still won't work. A lot of spam comes from botnets: hence my
> comment about PC users. There's certainly no correlation between the
> location of infected PCs and the reputation of the domain registrar of
> the domain the infected PC is posting from.

But it may tell you something useful about URIs within the message.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   USMC Rules of Gunfighting #20: The faster you finish the fight,
   the less shot you will get.
-----------------------------------------------------------------------
  2 days until the 232nd anniversary of the Declaration of Independence

Re: Detecting the Registrar of the sending host?

Posted by Martin Gregorie <ma...@gregorie.org>.
On Thu, 2008-07-03 at 06:32, Henrik K wrote:
> On Wed, Jul 02, 2008 at 09:18:41PM -0700, John Hardin wrote:
> > 
> > On Thu, 2008-07-03 at 05:59 +0300, Henrik K wrote:
> > > On Wed, Jul 02, 2008 at 12:08:43PM -0700, John Hardin wrote:
> > > > On Wed, 2 Jul 2008, Marc Perkel wrote:
> > > >
> > > >> Again - it's not to figure out where spam comes from. It's figuring out 
> > > >> where non-spam comes from. I think there are registrars out there that  
> > > >> don't have any spam domains registered.
> > > >
> > > > Right, but how do you guarantee a host with a whitelisted RDNS domain 
> > > > name doesn't get infected with a spambot?
> > > 
> > > What's that got to do with anything? If there's a 0.5% chance, who cares.
> > > You should always scan for viruses, but it's trivial to skip SA for such
> > > cases. Are you saying that we shouldn't take advantage of DNSWL data either,
> > > since it's possible that some spam may come?
> > 
> > No, I was simply responding to Marc's apparent contention that a host
> > with an RDNS domain name from a trustworthy registrar won't be a source
> > of spam.
> 
> I doubt you have any statistics about this, so why speculate? No one has to
> _guarantee_ anything. If Marc is able to find some good correlation for
> (almost) spamless sources, it will help everyone.
> 
I really don't see how it will help. Here's my reason for saying that.

If there's even a small chance that somebody behind a corporate firewall
got complacent and didn't keep the AV software up to date and/or got
caught by an infected website, then we still have to scan mail from them
regardless of who registered their domain. This makes checking the
registrar an extra and needless task since, like white/black listing,
it's something we need to do for every piece of mail we receive.

I'd be happy to know I'm wrong about this, but so far none of the domain
lookup advocates have produced hard evidence of its benefits. Also,
nobody has explained how to automate the job apart from the possibly
abusive use of whois lookups. A manually maintained list doesn't cut it
for me: it's far too easy for list maintenance to get out of date, which
is why I won't use a personal white list until I can automate its
maintenance. 

Martin



Re: Detecting the Registrar of the sending host?

Posted by Henrik K <he...@hege.li>.
On Wed, Jul 02, 2008 at 09:18:41PM -0700, John Hardin wrote:
> 
> On Thu, 2008-07-03 at 05:59 +0300, Henrik K wrote:
> > On Wed, Jul 02, 2008 at 12:08:43PM -0700, John Hardin wrote:
> > > On Wed, 2 Jul 2008, Marc Perkel wrote:
> > >
> > >> Again - it's not to figure out where spam comes from. It's figuring out 
> > >> where non-spam comes from. I think there are registrars out there that  
> > >> don't have any spam domains registered.
> > >
> > > Right, but how do you guarantee a host with a whitelisted RDNS domain 
> > > name doesn't get infected with a spambot?
> > 
> > What's that got to do with anything? If there's a 0.5% chance, who cares.
> > You should always scan for viruses, but it's trivial to skip SA for such
> > cases. Are you saying that we shouldn't take advantage of DNSWL data either,
> > since it's possible that some spam may come?
> 
> No, I was simply responding to Marc's apparent contention that a host
> with an RDNS domain name from a trustworthy registrar won't be a source
> of spam.

I doubt you have any statistics about this, so why speculate? No one has to
_guarantee_ anything. If Marc is able to find some good correlation for
(almost) spamless sources, it will help everyone.


Re: Detecting the Registrar of the sending host?

Posted by John Hardin <jh...@impsec.org>.
On Thu, 2008-07-03 at 05:59 +0300, Henrik K wrote:
> On Wed, Jul 02, 2008 at 12:08:43PM -0700, John Hardin wrote:
> > On Wed, 2 Jul 2008, Marc Perkel wrote:
> >
> >> Again - it's not to figure out where spam comes from. It's figuring out 
> >> where non-spam comes from. I think there are registrars out there that  
> >> don't have any spam domains registered.
> >
> > Right, but how do you guarantee a host with a whitelisted RDNS domain 
> > name doesn't get infected with a spambot?
> 
> What's that got to do with anything? If there's a 0.5% chance, who cares.
> You should always scan for viruses, but it's trivial to skip SA for such
> cases. Are you saying that we shouldn't take advantage of DNSWL data either,
> since it's possible that some spam may come?

No, I was simply responding to Marc's apparent contention that a host
with an RDNS domain name from a trustworthy registrar won't be a source
of spam.

-- 
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  Phobias should not be the basis for laws.
-----------------------------------------------------------------------
 2 days until the 232nd anniversary of the Declaration of Independence


Re: Detecting the Registrar of the sending host?

Posted by Henrik K <he...@hege.li>.
On Wed, Jul 02, 2008 at 12:08:43PM -0700, John Hardin wrote:
> On Wed, 2 Jul 2008, Marc Perkel wrote:
>
>> Again - it's not to figure out where spam comes from. It's figuring out 
>> where non-spam comes from. I think there are registrars out there that  
>> don't have any spam domains registered.
>
> Right, but how do you guarantee a host with a whitelisted RDNS domain 
> name doesn't get infected with a spambot?

What's that got to do with anything? If there's a 0.5% chance, who cares.
You should always scan for viruses, but it's trivial to skip SA for such
cases. Are you saying that we shouldn't take advantage of DNSWL data either,
since it's possible that some spam may come?


Re: Detecting the Registrar of the sending host?

Posted by John Hardin <jh...@impsec.org>.
On Wed, 2 Jul 2008, Marc Perkel wrote:

> Again - it's not to figure out where spam comes from. It's figuring out 
> where non-spam comes from. I think there are registrars out there that 
> don't have any spam domains registered.

Right, but how do you guarantee a host with a whitelisted RDNS domain name 
doesn't get infected with a spambot?

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Men by their constitutions are naturally divided in to two parties:
   1. Those who fear and distrust the people and wish to draw all
   powers from them into the hands of the higher classes. 2. Those who
   identify themselves with the people, have confidence in them,
   cherish and consider them as the most honest and safe, although not
   the most wise, depository of the public interests.
 					          -- Thomas Jefferson
-----------------------------------------------------------------------
  2 days until the 232nd anniversary of the Declaration of Independence

Re: Detecting the Registrar of the sending host?

Posted by Michele Neylon <mi...@blacknight.ie>.
On 3 Jul 2008, at 11:22, Henrik K wrote:
>>
>> Your logic completely escapes me
>
> So does yours.

Diddums


Mr Michele Neylon
Blacknight Solutions
Hosting & Colocation, Brand Protection
http://www.blacknight.com/
http://blog.blacknight.com/
Intl. +353 (0) 59  9183072
Locall: 1850 929 929
Direct Dial: +353 (0)59 9183090
Fax. +353 (0) 1 4811 763
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business  
Park,Sleaty
Road,Graiguecullen,Carlow,Ireland  Company No.: 370845


RE: Detecting the Registrar of the sending host?

Posted by Robert - elists <li...@abbacomm.net>.
> The registrars I'm talking about are extremely expensive and very exclusive.
> Spammers couldn't afford it.

Hmmmmmm, check out markmonitor.com

The really interesting point is this.

Since so much spam is about getting brand recognition in people's faces
and not necessarily getting them to click on anything, this is an
interesting concept.

Protect your brand.

Makes you wonder if some, or many, big brands are two-faced.

Wanna look good on one side, protect the brand, look good to the public, yet
have back-room deals with spammers to get the brand name out there at almost
any cost.

Doesn't everyone see tons of spam from "big brands" that is just totally
tasteless emails from scum you know you wouldn't touch based upon our
technological view of email and its content?

hmmmmmmmm

 - rh


Re: Detecting the Registrar of the sending host?

Posted by Richard Frovarp <ri...@sendit.nodak.edu>.
Marc Perkel wrote:
>
>
> Matus UHLAR - fantomas wrote:
>> On 03.07.08 13:22, Henrik K wrote:
>>   
>>> If lesser registrar means that it's probably ham, why couldn't someone use
>>> that to add some negative scores or use it as a part of whitelist
>>> trustworthiness? Even if it's handful of domains, it's useful. If you could
>>> get the registrar data without expensive lookups..
>>>     
>> what if spammers start registering domains using those registrars?
>>   
> The registrars I'm talking about are extremely expensive and very 
> exclusive. Spammers couldn't afford it.
>
What if they just use the domains of those that do it? Or what if they 
compromise the accounts of those that use these exclusive registrars 
(like .edu)? I don't see any performance gain as it would have to be 
handled at MTA, which can suffer from spoofing.

Re: Detecting the Registrar of the sending host?

Posted by Andrzej Adam Filip <an...@onet.eu>.
Marc Perkel <ma...@perkel.com> wrote:

> Matus UHLAR - fantomas wrote:
>> On 03.07.08 13:22, Henrik K wrote:
>>> If lesser registrar means that it's probably ham, why couldn't someone use
>>> that to add some negative scores or use it as a part of whitelist
>>> trustworthiness? Even if it's handful of domains, it's useful. If you could
>>> get the registrar data without expensive lookups..
>>
>> what if spammers start registering domains using those registrars?
>
> The registrars I'm talking about are extremely expensive and very exclusive.
> Spammers couldn't afford it.

Big sloppy/lousy corporation can afford it.

-- 
[pl>en: Andrew] Andrzej Adam Filip : anfi@priv.onet.pl : anfi@xl.wp.pl
Most people can't understand how others can blow their noses differently
than they do.
  -- Turgenev

Re: Detecting the Registrar of the sending host?

Posted by Marc Perkel <ma...@perkel.com>.

Matus UHLAR - fantomas wrote:
> On 03.07.08 13:22, Henrik K wrote:
>   
>> If lesser registrar means that it's probably ham, why couldn't someone use
>> that to add some negative scores or use it as a part of whitelist
>> trustworthiness? Even if it's handful of domains, it's useful. If you could
>> get the registrar data without expensive lookups..
>>     
>
> what if spammers start registering domains using those registrars?
>   
The registrars I'm talking about are extremely expensive and very 
exclusive. Spammers couldn't afford it.


Re: Detecting the Registrar of the sending host?

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
On 03.07.08 13:22, Henrik K wrote:
> If lesser registrar means that it's probably ham, why couldn't someone use
> that to add some negative scores or use it as a part of whitelist
> trustworthiness? Even if it's handful of domains, it's useful. If you could
> get the registrar data without expensive lookups..

what if spammers start registering domains using those registrars?

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
The early bird may get the worm, but the second mouse gets the cheese. 

Re: Detecting the Registrar of the sending host?

Posted by Henrik K <he...@hege.li>.
On Thu, Jul 03, 2008 at 11:09:15AM +0100, Michele Neylon wrote:
>
> On 2 Jul 2008, at 19:56, Marc Perkel wrote:
>>>
>>
>> Again - it's not to figure out where spam comes from. It's figuring  
>> out where non-spam comes from. I think there are registrars out there 
>> that don't have any spam domains registered.
>>
>
>
> What are you trying to prove?
>
> Your logic completely escapes me

So does yours.

> I also fail to see how the registrar is of much importance
>
> There are over 900 ICANN accredited registrars
>
> Of those about 200 odd are active
>
> Of the 200 a handful account for the bulk of all domains registered /  
> managed
>
> Statistically this means you're going to see spam from domains  
> registered with enom, godaddy, directi, tucows and a few others. It  
> doesn't mean anything
>
> In fact it's totally meaningless

If lesser registrar means that it's probably ham, why couldn't someone use
that to add some negative scores or use it as a part of whitelist
trustworthiness? Even if it's handful of domains, it's useful. If you could
get the registrar data without expensive lookups..


Re: Detecting the Registrar of the sending host?

Posted by Michele Neylon <mi...@blacknight.ie>.
On 3 Jul 2008, at 16:26, Marc Perkel wrote:

>>
>
> It's interesting how the concept of white rules seems to be beyond
> comprehension here. There is a registrar called markmonitor.com that
> looks like a very high end and expensive registrar that only services
> big companies like banks and such. So domains who are registered  
> through
> Markmonitor would not be spammers and would likely be all ham. This
> isn't about spam detection - it's about ham detection.

Markmonitor is used by big brands - yes

Big brands don't send spam?? -= Dangerous assumption

gmail.com is owned by a big brand, is registered with Mark Monitor and  
is a source of spam

Domain Name: gmail.com

         Registrar Name: Markmonitor.com
         Registrar Whois: whois.markmonitor.com
         Registrar Homepage: http://www.markmonitor.com


Mr Michele Neylon
Blacknight Solutions
Hosting & Colocation, Brand Protection
http://www.blacknight.com/
http://blog.blacknight.com/
Intl. +353 (0) 59  9183072
Locall: 1850 929 929
Direct Dial: +353 (0)59 9183090
Fax. +353 (0) 1 4811 763
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business  
Park,Sleaty
Road,Graiguecullen,Carlow,Ireland  Company No.: 370845


Re: Detecting the Registrar of the sending host?

Posted by Magnus Holmgren <ho...@lysator.liu.se>.
On fredagen den 4 juli 2008, Michele Neylon wrote:
> On 3 Jul 2008, at 22:06, Marc Perkel wrote:
> > You can't spoof Forward Confirmed rDNS.
>
> But you can't stop $bigcorporations PCs getting compromised either

You don't have to. As long as there is a non-zero correlation coefficient 
between some property of a mail message and its spamminess, you can assign a 
score. The correlation coefficient doesn't have to be 1 or -1 - in other 
words, the property, in this example the registrar of the domain of the 
remote host, doesn't have to be a perfect indicator of spam or ham. It's 
enough that mail from domains registered with some registrars are less likely 
to emit spam than others.

> And I really love the way you completely ignored my example of
> gmail.com ....

Exceptions are possible to handle. After all, SpamAssassin is all about 
combining and adding many various rules.

-- 
Magnus Holmgren        holmgren@lysator.liu.se
                       (No Cc of list mail needed, thanks)

Re: Detecting the Registrar of the sending host?

Posted by ram <ra...@netcore.co.in>.
> You can't spoof Forward Confirmed rDNS.

If we could find registrar of domain then I can write a rule 

  if( Expensive_registrar && Not_spoofed && Not_freemail )  we can give
a negative score. I would not like to whitelist the entire stuff though.

  That means I would have to maintain a list of Expensive_registrars as
well as a list of Freemail domains. I wonder if such lists are available
though.


But you could have big corporates, with weak password policies and
accounts getting compromised. So spam does come from these accounts.

Thanks
Ram
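Ram's rule and Marc's claim about Forward Confirmed rDNS, as an added example that is not part of the thread and not SpamAssassin code. The FCrDNS check accepts a PTR name only when one of that name's A records points back at the connecting IP, which is what stops anyone who controls a reverse zone from simply claiming a bank's hostname. The rule then fires a negative score only when the registered domain's registrar is on the operator's list and the domain is not a freemail provider; gmail.com, which Michele's whois excerpt shows registered with MarkMonitor, is therefore excluded. The DNS records, the bigbank.example domain, the registrar table, the freemail list and the -2.0 score are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed DNS data standing in for a resolver (no live lookups).
PTR: Dict[str, List[str]] = {
    "192.0.2.10": ["mail.bigbank.example"],   # PTR and A agree: forward-confirmed
    "192.0.2.20": ["mail.bigbank.example"],   # PTR claims bigbank, A record disagrees
    "192.0.2.30": ["mail-out.gmail.com"],     # freemail host (constructed name)
    "192.0.2.40": [],                         # no reverse DNS at all
}
A: Dict[str, List[str]] = {
    "mail.bigbank.example": ["192.0.2.10"],
    "mail-out.gmail.com": ["192.0.2.30"],
}

# Operator-maintained lists (assumptions for the example). gmail.com's
# registrar is taken from the whois excerpt quoted in this thread.
REGISTRAR_OF: Dict[str, str] = {
    "bigbank.example": "markmonitor",
    "gmail.com": "markmonitor",
}
EXPENSIVE_REGISTRARS = {"markmonitor"}
FREEMAIL_DOMAINS = {"gmail.com"}
HAM_SCORE = -2.0  # a nudge, not a whitelist: every other rule still applies


def fcrdns_hostname(ip: str) -> Optional[str]:
    """Forward-confirmed reverse DNS.

    Whoever controls the reverse zone for an IP can publish any PTR they
    like, so a name is accepted only when one of its A records points
    back at the connecting IP.
    """
    ipaddress.ip_address(ip)  # reject garbage before it reaches the tables
    for name in PTR.get(ip, []):
        name = name.lower().rstrip(".")
        if ip in A.get(name, []):
            return name
    return None


def registered_domain(hostname: str) -> str:
    # Simplification: last two labels. Production code should consult the
    # public suffix list so that e.g. "bank.co.uk" is not reduced to "co.uk".
    return ".".join(hostname.split(".")[-2:])


@dataclass
class Verdict:
    score: float
    reason: str


def expensive_registrar_rule(ip: str) -> Verdict:
    """Ram's rule: Expensive_registrar && Not_spoofed && Not_freemail."""
    host = fcrdns_hostname(ip)
    if host is None:
        return Verdict(0.0, "no forward-confirmed rDNS: rule cannot fire")
    domain = registered_domain(host)
    if domain in FREEMAIL_DOMAINS:
        return Verdict(0.0, f"{domain} is a freemail provider: excluded")
    registrar = REGISTRAR_OF.get(domain)
    if registrar not in EXPENSIVE_REGISTRARS:
        return Verdict(0.0, f"{domain}: registrar {registrar!r} not on the list")
    return Verdict(HAM_SCORE, f"{domain} via {registrar}, FCrDNS confirmed, not freemail")


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40"):
        v = expensive_registrar_rule(ip)
        print(f"{ip:<12} {v.score:+.1f}  {v.reason}")
```

The 192.0.2.20 case is the spoofing attempt Richard raises: the PTR says mail.bigbank.example, but the forward lookup does not return that IP, so the name is discarded and no score is given. The compromised-host case the thread keeps returning to is not something this rule can detect, which is why the score is a small negative adjustment rather than a skip of the remaining checks.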






Re: Detecting the Registrar of the sending host?

Posted by Henrik K <he...@hege.li>.
On Fri, Jul 04, 2008 at 12:38:49PM +0100, Michele Neylon wrote:
>
> On 3 Jul 2008, at 22:06, Marc Perkel wrote:
>>>
>>
>> You can't spoof Forward Confirmed rDNS.
>
> But you can't stop $bigcorporations PCs getting compromised either
>
> And I really love the way you completely ignored my example of gmail.com 
> ....
>
>
> You may have good intentions, but your idea is seriously flawed
>
>
>
> Mr Michele Neylon
> Blacknight Solutions
> Hosting & Colocation, Brand Protection
> http://www.blacknight.com/
> http://blog.blacknight.com/
> Intl. +353 (0) 59  9183072
> Locall: 1850 929 929
> Direct Dial: +353 (0)59 9183090
> Fax. +353 (0) 1 4811 763
> -------------------------------
> Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business  
> Park,Sleaty
> Road,Graiguecullen,Carlow,Ireland  Company No.: 370845

Re: Detecting the Registrar of the sending host?

Posted by Michele Neylon <mi...@blacknight.ie>.
On 3 Jul 2008, at 22:06, Marc Perkel wrote:
>>
>
> You can't spoof Forward Confirmed rDNS.

But you can't stop $bigcorporations PCs getting compromised either

And I really love the way you completely ignored my example of  
gmail.com ....


You may have good intentions, but your idea is seriously flawed



Mr Michele Neylon
Blacknight Solutions
Hosting & Colocation, Brand Protection
http://www.blacknight.com/
http://blog.blacknight.com/
Intl. +353 (0) 59  9183072
Locall: 1850 929 929
Direct Dial: +353 (0)59 9183090
Fax. +353 (0) 1 4811 763
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business  
Park,Sleaty
Road,Graiguecullen,Carlow,Ireland  Company No.: 370845


Re: Detecting the Registrar of the sending host?

Posted by Marc Perkel <ma...@perkel.com>.

Richard Frovarp wrote:
> Marc Perkel wrote:
>>
>>
>> Michele Neylon wrote:
>>>
>>> On 2 Jul 2008, at 19:56, Marc Perkel wrote:
>>>>>
>>>>
>>>> Again - it's not to figure out where spam comes from. It's figuring 
>>>> out where non-spam comes from. I think there are registrars out 
>>>> there that don't have any spam domains registered.
>>>>
>>>
>>>
>>> What are you trying to prove?
>>>
>>> Your logic completely escapes me
>>>
>>> I also fail to see how the registrar is of much importance
>>>
>>> There are over 900 ICANN accredited registrars
>>>
>>> Of those about 200 odd are active
>>>
>>> Of the 200 a handful account for the bulk of all domains registered 
>>> / managed
>>>
>>> Statistically this means you're going to see spam from domains 
>>> registered with enom, godaddy, directi, tucows and a few others. It 
>>> doesn't mean anything
>>>
>>> In fact it's totally meaningless
>>>
>>
>> It's interesting how the concept of white rules seems to be beyond 
>> comprehension here. There is a registrar called markmonitor.com that 
>> looks like a very high end and expensive registrar that only services 
>> big companies like banks and such. So domains that are registered 
>> through Markmonitor would not be spammers and would likely be all 
>> ham. This isn't about spam detection - it's about ham detection.
>>
>>
> The question is, how do you reliably tell that the mail actually came 
> from the company in question? It can be spoofed, or they can end 
> up with compromised systems.
>

You can't spoof Forward Confirmed rDNS.
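
The check this message relies on, written out as an added example (not code from the thread, from SpamAssassin, or from any of the posters): a forward-confirmed rDNS (FCrDNS) lookup in Python, plus the alignment test Richard's question calls for, i.e. whether the confirmed hostname actually falls under the domain the mail claims to come from. It runs offline against a small constructed DNS table; the addresses (TEST-NET-1 and the documentation IPv6 prefix), hostnames and the injectable lookup callables are all assumptions. To use it on live traffic, pass real PTR and A/AAAA resolvers (for example built on dnspython) in place of the table lookups, and feed it the IP of the host that connected to your MTA, not anything taken from the message headers.

```python
import ipaddress

# Constructed DNS data for an offline demonstration (assumed, not from the thread).
# 192.0.2.0/24 and 2001:db8::/32 are reserved for documentation, so these
# records cannot collide with real hosts.
PTR_RECORDS = {
    "192.0.2.10": ["mail.example.com."],   # genuine: forward record points back here
    "192.0.2.20": ["mail.example.com."],   # forged PTR: forward record does NOT point back
    "192.0.2.30": [],                      # no reverse DNS at all
    "2001:db8::25": ["mx.example.org."],   # IPv6 host, genuine
}
A_AAAA_RECORDS = {
    "mail.example.com.": ["192.0.2.10"],
    "mx.example.org.": ["2001:DB8::25"],   # same address as above, different spelling
}


def _canon_name(name):
    """Lower-case a DNS name and drop the trailing dot."""
    return name.rstrip(".").lower()


def fcrdns(ip, ptr_lookup=None, addr_lookup=None):
    """Return the hostnames for ``ip`` that pass forward-confirmed rDNS.

    A name is confirmed only if PTR(ip) yields it *and* that name's A/AAAA
    records contain ``ip`` again.  Both lookups are injectable so the function
    can run offline; by default they read the constructed tables above.
    """
    ptr_lookup = ptr_lookup or (lambda a: PTR_RECORDS.get(a, []))
    addr_lookup = addr_lookup or (lambda n: A_AAAA_RECORDS.get(n, []))

    target = ipaddress.ip_address(ip)           # normalises v4/v6 spelling
    confirmed = []
    for name in ptr_lookup(str(target)):
        forward = {ipaddress.ip_address(a) for a in addr_lookup(name)}
        if target in forward:                   # the forward zone agrees
            confirmed.append(_canon_name(name))
    return confirmed


def host_in_domain(host, domain):
    """True if ``host`` equals ``domain`` or is a label-aligned subdomain of it."""
    host, domain = _canon_name(host), _canon_name(domain)
    return host == domain or host.endswith("." + domain)


def sender_host_matches(ip, from_domain, **lookups):
    """Does any FCrDNS-confirmed name for ``ip`` fall under ``from_domain``?"""
    return any(host_in_domain(h, from_domain) for h in fcrdns(ip, **lookups))


if __name__ == "__main__":
    for addr in PTR_RECORDS:
        print(addr, "->", fcrdns(addr) or "FAIL")
    print(sender_host_matches("192.0.2.10", "example.com"))   # True
    print(sender_host_matches("192.0.2.20", "example.com"))   # False: PTR is forged
    print(sender_host_matches("192.0.2.10", "bank.example"))  # False: wrong domain
```

What a pass proves, and what it does not: a confirmed name shows that whoever controls the reverse zone for the connecting address also controls the forward zone for that name, so it pins the connecting host to a hostname that cannot be forged by the sender alone. It says nothing about whether that host has been compromised, and by itself it says nothing about the From: domain either; the `sender_host_matches` alignment step is what ties the two together, and even then a bot on a machine inside the right domain would pass both.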

Re: Detecting the Registrar of the sending host?

Posted by Richard Frovarp <ri...@sendit.nodak.edu>.
Marc Perkel wrote:
>
>
> Michele Neylon wrote:
>>
>> On 2 Jul 2008, at 19:56, Marc Perkel wrote:
>>>>
>>>
>>> Again - it's not to figure out where spam comes from. It's figuring 
>>> out where non-spam comes from. I think there are registrars out 
>>> there that don't have any spam domains registered.
>>>
>>
>>
>> What are you trying to prove?
>>
>> Your logic completely escapes me
>>
>> I also fail to see how the registrar is of much importance
>>
>> There are over 900 ICANN accredited registrars
>>
>> Of those about 200 odd are active
>>
>> Of the 200 a handful account for the bulk of all domains registered / 
>> managed
>>
>> Statistically this means you're going to see spam from domains 
>> registered with enom, godaddy, directi, tucows and a few others. It 
>> doesn't mean anything
>>
>> In fact it's totally meaningless
>>
>
> It's interesting how the concept of white rules seems to be beyond 
> comprehension here. There is a registrar called markmonitor.com that 
> looks like a very high end and expensive registrar that only services 
> big companies like banks and such. So domains that are registered 
> through Markmonitor would not be spammers and would likely be all ham. 
> This isn't about spam detection - it's about ham detection.
>
>
The question is, how do you reliably tell that the mail actually came 
from the company in question? It can be spoofed, or they can end up 
with compromised systems.

Re: Detecting the Registrar of the sending host?

Posted by Marc Perkel <ma...@perkel.com>.

Michele Neylon wrote:
>
> On 2 Jul 2008, at 19:56, Marc Perkel wrote:
>>>
>>
>> Again - it's not to figure out where spam comes from. It's figuring 
>> out where non-spam comes from. I think there are registrars out there 
>> that don't have any spam domains registered.
>>
>
>
> What are you trying to prove?
>
> Your logic completely escapes me
>
> I also fail to see how the registrar is of much importance
>
> There are over 900 ICANN accredited registrars
>
> Of those about 200 odd are active
>
> Of the 200 a handful account for the bulk of all domains registered / 
> managed
>
> Statistically this means you're going to see spam from domains 
> registered with enom, godaddy, directi, tucows and a few others. It 
> doesn't mean anything
>
> In fact it's totally meaningless
>

It's interesting how the concept of white rules seems to be beyond 
comprehension here. There is a registrar called markmonitor.com that 
looks like a very high end and expensive registrar that only services 
big companies like banks and such. So domains that are registered through 
Markmonitor would not be spammers and would likely be all ham. This 
isn't about spam detection - it's about ham detection.


Re: Detecting the Registrar of the sending host?

Posted by Michele Neylon <mi...@blacknight.ie>.
On 2 Jul 2008, at 19:56, Marc Perkel wrote:
>>
>
> Again - it's not to figure out where spam comes from. It's figuring  
> out where non-spam comes from. I think there are registrars out  
> there that don't have any spam domains registered.
>


What are you trying to prove?

Your logic completely escapes me

I also fail to see how the registrar is of much importance

There are over 900 ICANN accredited registrars

Of those about 200 odd are active

Of the 200 a handful account for the bulk of all domains registered /  
managed

Statistically this means you're going to see spam from domains  
registered with enom, godaddy, directi, tucows and a few others. It  
doesn't mean anything

In fact it's totally meaningless




Re: Detecting the Registrar of the sending host?

Posted by Marc Perkel <ma...@perkel.com>.

Martin Gregorie wrote:
> On Wed, 2008-07-02 at 18:46, Marc Perkel wrote:
>   
>> Martin Gregorie wrote: 
>>     
>>> On Wed, 2008-07-02 at 17:05, Marc Perkel wrote:
>>>   
>>>       
>>>> Is there an easy way to detect the registrar of a domain through DNS?
>>>> For example - can I easily figure out if an email I'm processing is
>>>> hosted by GoDaddy or Tucows?
>>>>
>>>>     
>>>>         
>>> Even if it was possible I don't think it would be at all useful.
>>> Spammers don't generally register domains to send spam from. They're not
>>> that stupid. 
>>>
>>> Unfortunately some PC users ARE that stupid. If a PC can receive mail
>>> there's a sporting chance it may be infected no matter who the domain
>>> registrar might be.
>>>
>>> Martin
>>>
>>>
>>>   
>>>       
>> Again - this is not something to find spammers. It's to find
>> non-spammers. It's a white rule.
>>
>>     
> OK, but it still won't work. A lot of spam comes from botnets: hence my
> comment about PC users. There's certainly no correlation between the
> location of infected PCs and the reputation of the domain registrar of
> the domain the infected PC is posting from.
>
> Martin
>  
>
>   

Again - it's not to figure out where spam comes from. It's figuring out 
where non-spam comes from. I think there are registrars out there that 
don't have any spam domains registered.


Re: Detecting the Registrar of the sending host?

Posted by Martin Gregorie <ma...@gregorie.org>.
On Wed, 2008-07-02 at 18:46, Marc Perkel wrote:
> 
> Martin Gregorie wrote: 
> > On Wed, 2008-07-02 at 17:05, Marc Perkel wrote:
> >   
> > > Is there an easy way to detect the registrar of a domain through DNS?
> > > For example - can I easily figure out if an email I'm processing is
> > > hosted by GoDaddy or Tucows?
> > > 
> > >     
> > Even if it was possible I don't think it would be at all useful.
> > Spammers don't generally register domains to send spam from. They're not
> > that stupid. 
> > 
> > Unfortunately some PC users ARE that stupid. If a PC can receive mail
> > there's a sporting chance it may be infected no matter who the domain
> > registrar might be.
> > 
> > Martin
> > 
> > 
> >   
> 
> Again - this is not something to find spammers. It's to find
> non-spammers. It's a white rule.
>
OK, but it still won't work. A lot of spam comes from botnets: hence my
comment about PC users. There's certainly no correlation between the
location of infected PCs and the reputation of the domain registrar of
the domain the infected PC is posting from.

Martin
 


Re: Detecting the Registrar of the sending host?

Posted by Marc Perkel <ma...@perkel.com>.

Martin Gregorie wrote:
> On Wed, 2008-07-02 at 17:05, Marc Perkel wrote:
>   
>> Is there an easy way to detect the registrar of a domain through DNS?
>> For example - can I easily figure out if an email I'm processing is
>> hosted by GoDaddy or Tucows?
>>
>>     
> Even if it was possible I don't think it would be at all useful.
> Spammers don't generally register domains to send spam from. They're not
> that stupid. 
>
> Unfortunately some PC users ARE that stupid. If a PC can receive mail
> there's a sporting chance it may be infected no matter who the domain
> registrar might be.
>
> Martin
>
>
>   

Again - this is not something to find spammers. It's to find 
non-spammers. It's a white rule.

Re: Detecting the Registrar of the sending host?

Posted by Martin Gregorie <ma...@gregorie.org>.
On Wed, 2008-07-02 at 17:05, Marc Perkel wrote:
> Is there an easy way to detect the registrar of a domain through DNS?
> For example - can I easily figure out if an email I'm processing is
> hosted by GoDaddy or Tucows?
> 
Even if it was possible I don't think it would be at all useful.
Spammers don't generally register domains to send spam from. They're not
that stupid. 

Unfortunately some PC users ARE that stupid. If a PC can receive mail
there's a sporting chance it may be infected no matter who the domain
registrar might be.

Martin



Re: Detecting the Registrar of the sending host?

Posted by "Michele Neylon :: Blacknight" <mi...@blacknight.ie>.
On 7 Jul 2008, at 14:40, Richard Frovarp wrote:
>>
>
> Fortune 500s suffer from botnet infections as well.

Exactly



Mr Michele Neylon
Blacknight Solutions
Hosting & Colocation, Brand Protection
http://www.blacknight.com/
http://blog.blacknight.com/
Intl. +353 (0) 59  9183072
US: 213-233-1612
UK: 0844 484 9361
Locall: 1850 929 929
Direct Dial: +353 (0)59 9183090
Fax. +353 (0) 1 4811 763
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business  
Park,Sleaty
Road,Graiguecullen,Carlow,Ireland  Company No.: 370845


Re: Detecting the Registrar of the sending host?

Posted by Richard Frovarp <ri...@sendit.nodak.edu>.
Yet Another Ninja wrote:
> On 7/2/2008 6:05 PM, Marc Perkel wrote:
>> Is there an easy way to detect the registrar of a domain through DNS? 
>> For example - can I easily figure out if an email I'm processing is 
>> hosted by GoDaddy or Tucows?
>>
>> Here's what I'm thinking. I think there's some expensive and highly 
>> secure registrars out there who are the registrar of expensive 
>> domains and probably have no spam domains at all. This could be used 
>> to create white rules.
>>
>> Can this be done?
>
> you sure there are major registrars you can whitelist?
>
> http://rss.uribl.com/nic/
>
> Even EUrid is happily supporting pill spammers on .eu
>
>
>

Fortune 500s suffer from botnet infections as well.

Re: Detecting the Registrar of the sending host?

Posted by Yet Another Ninja <sa...@alexb.ch>.
On 7/2/2008 6:05 PM, Marc Perkel wrote:
> Is there an easy way to detect the registrar of a domain through DNS? 
> For example - can I easily figure out if an email I'm processing is 
> hosted by GoDaddy or Tucows?
> 
> Here's what I'm thinking. I think there's some expensive and highly 
> secure registrars out there who are the registrar of expensive domains 
> and probably have no spam domains at all. This could be used to create 
> white rules.
> 
> Can this be done?

you sure there are major registrars you can whitelist?

http://rss.uribl.com/nic/

Even EUrid is happily supporting pill spammers on .eu