Posted to users@spamassassin.apache.org by Warren Togami <wt...@redhat.com> on 2009/09/14 19:29:56 UTC

.cn domain age query?

(resend, first attempted about 14 hours ago)

I noticed that many spam (in English) have links like <can't include in 
this post because of apache.org's spam filter>.cn where the domains are 
not triggering URIBL's.  It seems that they have thousands of 
<randomword>.cn domains (very cheap to register?), and I very rarely see 
them repeat from one spam to the next.

One thing they all have in common is their registration dates are very 
young according to whois lookups.  It seems in general if we had a 
reliable way to lookup domain age we might be able to differentiate spam.

Is there any good way to query for the age of a domain?  Unfortunately 
it seems whois is too slow and the text format is non-standard.

Warren Togami
wtogami@redhat.com
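
Added example, not part of the original post and not SpamAssassin code: a sketch of the whois approach described above, pulling a registration date out of differently formatted whois replies and applying an age threshold. The field labels, date layouts and sample records are constructed assumptions; the 5-day default mirrors the list window quoted later in the thread.

```python
import re
from datetime import datetime, timezone

# Labels registries use for the registration date (illustrative, not exhaustive).
CREATED = re.compile(
    r"^[ \t]*(?:creation date|created(?: on)?|registration (?:date|time)|"
    r"registered(?: on)?)[ \t]*[:.]+[ \t]*(.+?)[ \t]*$",
    re.IGNORECASE | re.MULTILINE,
)
# Date layouts tried in order; also illustrative.
FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d %H:%M:%S", "%Y-%m-%d %H:%M",
           "%Y-%m-%d", "%d-%b-%Y", "%Y/%m/%d", "%d.%m.%Y")

def parse_created(whois_text):
    """Return the registration date as a UTC datetime, or None if not found."""
    for value in CREATED.findall(whois_text):
        for fmt in FORMATS:
            try:
                return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
            except ValueError:
                continue
    return None

def domain_age_days(whois_text, now):
    """Whole days since registration, or None when the record has no usable date."""
    created = parse_created(whois_text)
    return None if created is None else (now - created).days

def is_young(whois_text, now, max_days=5):
    """True only for a known age within max_days; unknown age is never 'young'."""
    age = domain_age_days(whois_text, now)
    return age is not None and 0 <= age <= max_days

# Constructed whois replies (made-up domains, three different layouts).
SAMPLES = {
    "example-a.cn": "Domain Name: example-a.cn\nRegistration Date: 2009-09-10 12:00\n"
                    "Expiration Date: 2010-09-10 12:00\n",
    "example-b.com": "   Domain Name: EXAMPLE-B.COM\n   Updated Date: 11-sep-2009\n"
                     "   Creation Date: 01-jan-2001\n",
    "example-c.test": "domain: example-c.test\nchanged: 2009-09-12T08:00:00Z\n",
}
NOW = datetime(2009, 9, 14, 19, 29, tzinfo=timezone.utc)  # fixed so the result is stable

def classify(samples=SAMPLES, now=NOW):
    return {name: (domain_age_days(text, now), is_young(text, now))
            for name, text in samples.items()}

if __name__ == "__main__":
    for name, (age, young) in classify().items():
        print(f"{name}: age={age} days, young={young}")
```

The third record carries no registration date at all, so its age stays unknown and it is not scored as young.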

Re: .cn domain age query?

Posted by John Hardin <jh...@impsec.org>.
On Mon, 14 Sep 2009, Mike Cardwell wrote:

> Chris Owen wrote:
>
>>  http://spameatingmonkey.com/lists.html
>>
>>  They will tell you domains that are 5, 10 and 15 days old.
>
> That wouldn't help in this particular case:
>
> "All domains registered in the last 5 days under the .BIZ, .COM, .INFO, 
> .NAME, .NET and .US TLDs"
>
> Doesn't work for .cn's, or any other country level tld's (apart from .us)

Query sent about adding .cn TLD.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   One death is a tragedy; thirty is a media sensation;
   a million is a statistic.              -- Joseph Stalin, modernized
-----------------------------------------------------------------------
  3 days until the 222nd anniversary of the signing of the U.S. Constitution

Re: .cn domain age query?

Posted by Blaine Fleming <gr...@digital-z.com>.

Let's try this again with sending to the list.  Sorry Mike!

Mike Cardwell wrote:
> That wouldn't help in this particular case:
> 
> "All domains registered in the last 5 days under the .BIZ, .COM, .INFO,
> .NAME, .NET and .US TLDs"
> 
> Doesn't work for .cn's, or any other country level tld's (apart from .us)

Unfortunately, ccTLDs aren't very cooperative in matters such as this.
There are a few exceptions but most of them will ignore requests for
zone file access or outright tell you they can't for "security reasons".

The operators of the .cn TLD are unwilling to work with me at all.

If anyone has any contacts at various ccTLDs that are willing to grant
people access to zone files then please let the list know.  I'm sure
there are several others that would like to get access.

--Blaine

Re: .cn domain age query?

Posted by Mike Cardwell <sp...@lists.grepular.com>.
Chris Owen wrote:

>>> One thing they all have in common is their registration dates are 
>>> very young according to whois lookups.  It seems in general if we had 
>>> a reliable way to lookup domain age we might be able to differentiate 
>>> spam.
>>
>> What's the current status of the Day Old Bread BL? Has it moved to 
>> subscription-only?
> 
> I don't think it has but you can drill down a bit further with the SEM 
> lists:
> 
> http://spameatingmonkey.com/lists.html
> 
> They will tell you domains that are 5, 10 and 15 days old.

That wouldn't help in this particular case:

"All domains registered in the last 5 days under the .BIZ, .COM, .INFO, 
.NAME, .NET and .US TLDs"

Doesn't work for .cn's, or any other country level tld's (apart from .us)

-- 
Mike Cardwell - IT Consultant and LAMP developer
Cardwell IT Ltd. (UK Reg'd Company #06920226) http://cardwellit.com/

Re: .cn domain age query?

Posted by Chris Owen <ow...@hubris.net>.
On Sep 14, 2009, at 12:41 PM, John Hardin wrote:

> On Mon, 14 Sep 2009, Warren Togami wrote:
>
>> One thing they all have in common is their registration dates are  
>> very young according to whois lookups.  It seems in general if we  
>> had a reliable way to lookup domain age we might be able to  
>> differentiate spam.
>
> What's the current status of the Day Old Bread BL? Has it moved to  
> subscription-only?

I don't think it has but you can drill down a bit further with the  
SEM lists:

http://spameatingmonkey.com/lists.html

They will tell you domains that are 5, 10 and 15 days old.

Chris

-------------------------------------------------------------------------
Chris Owen         - Garden City (620) 275-1900 -  Lottery (noun):
President          - Wichita     (316) 858-3000 -    A stupidity tax
Hubris Communications Inc      www.hubris.net
-------------------------------------------------------------------------

Re: .cn domain age query?

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Mon, 2009-09-14 at 19:51 +0100, UxBoD wrote:
> ----- "Karsten Bräckelmann" wrote:

> | grep _DOB *.cf    # Part of the stock rule-set.
> 
> How dumb me be ;) Thanks Karsten :D

Heh, no problem. :)  Just figured I should spare you the time of adding
it, and prevent you from scoring twice.


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


Re: .cn domain age query?

Posted by "--[ UxBoD ]--" <ux...@splatnix.net>.
----- "Karsten Bräckelmann" <gu...@rudersport.de> wrote:

| On Mon, 2009-09-14 at 18:55 +0100, --[ UxBoD ]-- wrote:
| > | Still working fine for me here, 51 hits so far today against DOB.
| > 
| > Not come across that RBL before! Thanks :)
| 
| grep _DOB *.cf    # Part of the stock rule-set.
| 
| 
| -- 
| char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
| main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
| (c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
| 
How dumb me be ;) Thanks Karsten :D

Should have checked ... Been too busy defending a previous naughty OP ;)

Best Regards,



-- 
This message has been scanned for viruses and
dangerous content and is believed to be clean.

SplatNIX IT Services :: Innovation through collaboration


Re: .cn domain age query?

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Mon, 2009-09-14 at 18:55 +0100, --[ UxBoD ]-- wrote:
> | Still working fine for me here, 51 hits so far today against DOB.
> 
> Not come across that RBL before! Thanks :)

grep _DOB *.cf    # Part of the stock rule-set.


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


Re: .cn domain age query?

Posted by "--[ UxBoD ]--" <ux...@splatnix.net>.
----- "Bill Landry" <bi...@inetmsg.com> wrote:

| > On Mon, 14 Sep 2009, Warren Togami wrote:
| >
| >> One thing they all have in common is their registration dates are very
| >> young according to whois lookups.  It seems in general if we had a
| >> reliable way to lookup domain age we might be able to differentiate
| >> spam.
| >
| > What's the current status of the Day Old Bread BL? Has it moved to
| > subscription-only?
| 
| Still working fine for me here, 51 hits so far today against DOB.
| 
| Bill
| 
Not come across that RBL before! Thanks :)

Best Regards,



Re: .cn domain age query?

Posted by Bill Landry <bi...@inetmsg.com>.
> On Mon, 14 Sep 2009, Warren Togami wrote:
>
>> One thing they all have in common is their registration dates are very
>> young according to whois lookups.  It seems in general if we had a
>> reliable way to lookup domain age we might be able to differentiate
>> spam.
>
> What's the current status of the Day Old Bread BL? Has it moved to
> subscription-only?

Still working fine for me here, 51 hits so far today against DOB.

Bill


Re: .cn domain age query?

Posted by John Hardin <jh...@impsec.org>.
On Mon, 14 Sep 2009, Warren Togami wrote:

> One thing they all have in common is their registration dates are very 
> young according to whois lookups.  It seems in general if we had a 
> reliable way to lookup domain age we might be able to differentiate 
> spam.

What's the current status of the Day Old Bread BL? Has it moved to 
subscription-only?

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   USMC Rules of Gunfighting #12: Have a plan.
   USMC Rules of Gunfighting #13: Have a back-up plan, because the
   first one won't work.
-----------------------------------------------------------------------
  3 days until the 222nd anniversary of the signing of the U.S. Constitution