On Thu, Oct 09, 2003 at 09:15:56AM -0400, Mark Jeftovic wrote:
|
| With regard to whois, or using it to score throw-away domain detection,
| I advise against it. That's not what the whois database is designed
| for and they simply were not built with the performance considerations
| that this would require.
|
Suggestions that we use "whois" are on the right track but there are
better technical approaches; specifically, the RHSBL.

from http://www.securitysage.com/guides/postfix_uce_rhsbl.html

An RHSBL, like an RBL, is usually available via DNS, but contains a list
of domain names (as opposed to IP addresses) that can be checked against
the client domain of an email, as well as the domain portion (after the
@) of the sender and recipient addresses.

Here's how they work:

  20031009-12:22:17 mengwong@dumbo:~% dnsip amazingoffersdirect.net.spamdomains.blackholes.easynet.nl
  127.0.0.2
  20031009-12:22:24 mengwong@dumbo:~% dnsip yahoo.com.spamdomains.blackholes.easynet.nl
  20031009-12:22:33 mengwong@dumbo:~%

See the bottom of http://www.sdsc.edu/~jeff/spam/cbc.html for a number
of RHSBLs. They will gain in prominence as SPF is adopted.

To date, RHSBLs return either a DECLINE or NEGATIVE opinion. In the
future I predict we will see RHSBLs published by major ISPs that return
KNOWN, UNKNOWN, NEGATIVE, and DECLINE, constituting a weak reputation
scheme. Even finer grain is possible with "started sending mail N days
ago".
-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
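
The RHSBL lookup described in the message above, as an added example that is not part of the original post: it checks the client, sender and recipient domains against a zone and treats a 127.0.0.0/8 answer as a listing. The function names are hypothetical, and `SAMPLE_ZONE` is constructed from the two `dnsip` lookups in the post so the code runs offline.

```python
import ipaddress
import socket

ZONE = "spamdomains.blackholes.easynet.nl"  # zone queried in the post
LISTED_NET = ipaddress.ip_network("127.0.0.0/8")

def domain_of(value):
    """Domain part of an address (after the last @) or a bare hostname, normalised."""
    return value.strip().strip("<>").rsplit("@", 1)[-1].rstrip(".").lower()

def system_resolver(name):
    """A-record lookup via the system resolver; None on NXDOMAIN or resolution failure."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None

def rhsbl_lookup(domain, zone=ZONE, resolver=system_resolver):
    """Query <domain>.<zone>; return (listed, answer). No answer means not listed."""
    answer = resolver(f"{domain}.{zone}")
    if answer is None:
        return False, None
    return ipaddress.ip_address(answer) in LISTED_NET, answer

def check_message(client_host, sender, recipient, zone=ZONE, resolver=system_resolver):
    """Check the three domains an RHSBL applies to; return {domain: answer} for hits."""
    hits = {}
    for domain in {domain_of(client_host), domain_of(sender), domain_of(recipient)}:
        if not domain:  # null sender "<>" has no domain to check
            continue
        listed, answer = rhsbl_lookup(domain, zone, resolver)
        if listed:
            hits[domain] = answer
    return hits

# Constructed stand-in for the DNS zone, mirroring the two lookups in the post:
# amazingoffersdirect.net is listed (127.0.0.2), yahoo.com returns nothing.
SAMPLE_ZONE = {"amazingoffersdirect.net." + ZONE: "127.0.0.2"}

def sample_resolver(name):
    return SAMPLE_ZONE.get(name)

if __name__ == "__main__":
    # mail.example.org and the mailbox names are constructed sample input.
    print(check_message("mail.example.org", "Promo@AmazingOffersDirect.net",
                        "user@yahoo.com", resolver=sample_resolver))
```

Passing `resolver=system_resolver` (the default) sends the same queries over real DNS; a mail server would normally treat a resolver timeout separately from "not listed".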