procmail

RE: Spammer-slammer algorithm

1997-10-23 20:48:17
On Thu, 23 Oct 1997, Walter Dnes wrote:

> The problem with your idea is that sleazy spammers will simply
> forge domain names.  Just ask the innocent people at "flowers.com"
> and "live.com", who got bombarded with hate mail and threatening

Tell me about it.  Two of the domains I host where I work are perv.com
(no, it's the initials of the company) and itsforyou.com.  Both of those
have been in forged spam return addresses lately, and I'm definitely
seeing the backlash.

Anyway, of course we can't go by the return address.  In _some_ cases they
use a real return address served by one of those servers, so we can, but
in most they don't.  But there are other addresses one can go on.

I wrote the following Perl regexp (note: still needs tweaking):
        # delimiter (. @ / space > < tab), then a label, then .com/.org/.net;
        # the leading .* means the last such domain on the line is the one kept
        s/.*[.\@\/\ ><\t](\S+)\.(com|org|net).*/$1.$2/;

The above regexp will extract a domain name (stripping off anything before
it, like a hostname, "http://", *@, etc.).  I don't claim to be a regexp
writer of any note, so I'm sure that's not the most stylish way to do it,
but it _does_ work (only for .net, .org, and .com domains, sorry - someone
else is welcome to rewrite the concept better).

For example (stuff from my own mail spool):  
Received: from server1.vonl.com (server1.vonl.com [209.94.224.3]) by
insync.net (8.8.7/8.7.1) with ESMTP id VAA06534 for <aos@insync.net>; Mon,
29 Sep 1997 21:31:29 -0500 (CDT)
Received: from galt-int ([209.94.227.12]) by server1.vonl.com (post.office
MTA v2.0 0813 ID# 28-12254) with SMTP id AAA312 for <aos@insync.net>; Mon,
29 Sep 1997 21:27:53 -0500

Feeding the above two lines to the regexp (then uniqing) yields:
insync.net
vonl.com

Voila... we have the two domain names in the header.  Now we ask our
nameserver for the NS records:
insync.net      nameserver = vellocet.insync.net
insync.net      nameserver = ns.uu.net
vonl.com        nameserver = NS3.vonl.com
vonl.com        nameserver = NS1.vonl.com

And *there* are the names we'll check against the known spam servers list.

Here's another example, this time from a real spam:

Received: from poboxer.pobox.com (poboxer.pobox.com [208.210.124.21]) by
insync.net (8.8.7/8.7.1) with ESMTP id NAA14120 for <aos@insync.net>;
Thu, 23 Oct 1997 13:43:14 -0500 (CDT)
From: bio@money-group.net
Received: from baghdad.savoynet.com (root@baghdad.savoynet.com
[204.157.255.21]) by poboxer.pobox.com (8.8.5/8.8.5) with ESMTP id
OAA05733; Thu, 23 Oct 1997 14:42:37 -0400

Feed those lines to the regexp, uniq, and get:
insync.net
money-group.net
savoynet.com
pobox.com

Again, query the nameservers:
insync.net      nameserver = vellocet.insync.net
insync.net      nameserver = ns.uu.net
money-group.net nameserver = MAIL.ICSINC.NET
money-group.net nameserver = NS1.ICSINC.NET
savoynet.com    nameserver = ns1.savoynet.com
pobox.com       nameserver = ICG.FDEMOCRACY.ORG
pobox.com       nameserver = NS2.ICGROUP.COM
pobox.com       nameserver = NS1.ICGROUP.COM

Now, of course, I already know savoynet.com is a spam source (that's why
this particular mail got trashed), but what if it was one of savoynet's
new domains?  infopax.com perhaps?  That one's probably missing from a lot
of lists.  BUT, if we query nameservers:

infopax.com     nameserver = NS2.SAVOYNET.COM
infopax.com     nameserver = NS1.SAVOYNET.COM

Voila.  Trashola.  Now, with my nameserver having no cached knowledge of
infopax.com, it took it about 0.2 seconds to get that answer.  Not bad.
But now it's got it cached, so it'll respond instantly on future queries
(from any user too, big bonus) for the same domain.

I've gotten a bit too verbose on this, but I think it's a damn good idea.
It's a lot easier than keeping up with all the domains when they register
them every day.  This way we automagically maintain our list without
having to ask the NIC.
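The whole procedure described above (extract the domains from the headers, uniq them, look up their NS records, match the nameservers' own domains against a list of known spam hosts) as an added example in Python; it is not the author's Perl and not part of the original post. The NS lookup is a constructed stub holding the nslookup answers quoted in the post, so the script runs offline; a real filter would replace `stub_ns_lookup` with `dig NS` or a resolver library. The blocklist entry `savoynet.com` and the local-domain set `insync.net` are assumptions taken from the post's own examples. It goes a little beyond the one-substitution-per-line regexp by collecting every hostname on a line, and it skips the receiving site's own domain, which would otherwise be checked on every message.

```python
"""Nameserver-based spam check, as described in the post: pull domains out of
Received/From headers, ask for their NS records, and flag domains whose
nameservers belong to a known spam-hosting domain.  Added example; the NS
lookup is a constructed stub so it runs offline."""
import re
from typing import Callable, Dict, List, Set

# A hostname ending in one of the three TLDs the post handles.  Unlike the
# one-substitution-per-line Perl regexp, findall() picks up every hostname on a line.
HOST_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]*\.(?:com|org|net)\b", re.IGNORECASE)

Lookup = Callable[[str], List[str]]


def registered_domain(host: str) -> str:
    """Last two labels of a hostname, lowercased: 'NS2.SAVOYNET.COM' -> 'savoynet.com'."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def extract_domains(headers: str) -> List[str]:
    """Registered domains mentioned in a header block, first-seen order, de-duplicated
    (the post's 'feed the lines to the regexp, then uniq')."""
    seen: Dict[str, None] = {}
    for host in HOST_RE.findall(headers):
        seen[registered_domain(host)] = None
    return list(seen)


# Constructed stand-in for a real NS query (dig NS / dnspython); the values are the
# nslookup answers shown in the post.
NS_RECORDS: Dict[str, List[str]] = {
    "insync.net": ["vellocet.insync.net", "ns.uu.net"],
    "vonl.com": ["NS3.vonl.com", "NS1.vonl.com"],
    "money-group.net": ["MAIL.ICSINC.NET", "NS1.ICSINC.NET"],
    "savoynet.com": ["ns1.savoynet.com"],
    "pobox.com": ["ICG.FDEMOCRACY.ORG", "NS2.ICGROUP.COM", "NS1.ICGROUP.COM"],
    "infopax.com": ["NS2.SAVOYNET.COM", "NS1.SAVOYNET.COM"],
}


def stub_ns_lookup(domain: str) -> List[str]:
    """Return the NS hostnames for a domain; unknown domains resolve to nothing."""
    return NS_RECORDS.get(domain.lower(), [])


def nameserver_hits(domain: str, lookup: Lookup, blocklist: Set[str]) -> Set[str]:
    """Nameservers of `domain` whose own registered domain is on the blocklist.
    The blocklist holds domains of known spam nameservers (e.g. 'savoynet.com'),
    which is what lets a never-seen domain such as infopax.com be caught."""
    return {ns.lower() for ns in lookup(domain) if registered_domain(ns) in blocklist}


def flag_headers(headers: str, lookup: Lookup, blocklist: Set[str],
                 local_domains: Set[str]) -> Dict[str, Set[str]]:
    """Map each flagged domain in the headers to the blocklisted nameservers serving it.
    Our own domains are skipped: they appear in every Received line we add ourselves."""
    hits: Dict[str, Set[str]] = {}
    for domain in extract_domains(headers):
        if domain in local_domains:
            continue
        bad = nameserver_hits(domain, lookup, blocklist)
        if bad:
            hits[domain] = bad
    return hits


# The spam example from the post (addresses written out), used as constructed sample input.
SPAM_HEADERS = """\
Received: from poboxer.pobox.com (poboxer.pobox.com [208.210.124.21]) by
insync.net (8.8.7/8.7.1) with ESMTP id NAA14120 for <aos@insync.net>;
Thu, 23 Oct 1997 13:43:14 -0500 (CDT)
From: bio@money-group.net
Received: from baghdad.savoynet.com (root@baghdad.savoynet.com
[204.157.255.21]) by poboxer.pobox.com (8.8.5/8.8.5) with ESMTP id
OAA05733; Thu, 23 Oct 1997 14:42:37 -0400
"""

BLOCKLIST = {"savoynet.com"}   # assumption: domains known to host spammers' nameservers
LOCAL = {"insync.net"}         # assumption: the receiving site's own domain

if __name__ == "__main__":
    print(extract_domains(SPAM_HEADERS))
    print(flag_headers(SPAM_HEADERS, stub_ns_lookup, BLOCKLIST, LOCAL))
    # A domain absent from every list is still caught through its nameservers.
    print(nameserver_hits("infopax.com", stub_ns_lookup, BLOCKLIST))
```

Because the match is on the nameserver's domain rather than the sender's, the forged-return-address problem the thread starts with does not enter into it: a forged `From:` domain still gets its real NS records looked up, and it is only flagged if those nameservers sit under a listed domain. The resolver caching the post mentions happens for free once the stub is swapped for a real lookup.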

-- 
Andrew O. Smith - aos@insync.net    | "Reality is that which, when you stop
Sysadmin, Insync Internet Services  |  believing in it, doesn't go away."
BOFH, Wielder of the sacred LART    |           -- Philip K. Dick