
[spf-discuss] throwaway domains and whois

2008-10-10 13:57:28
My SPF based reputation system is working really well.  I just added a 
greylisting feature for domains with no reputation, and spam dropped so
much that several customers called complaining that something was wrong
with email since they weren't getting the steady trickle of spam they
were used to.  The other filters were already cutting the spam from about
2000 per day per user to less than 20 per day per user.  The greylisting
has dropped that to about 2 per day per user - but growing.

The surviving spammers have evolved.  They register dozens
of new domains every day, with names like "strangecosmos.com" or
"lacerun.org" - random words glued together by a script.  My system auto blocks
the domains after 20 spams - but those 20 annoy 20 users for each domain they
register.  Each freshly registered domain has a valid and reasonable SPF
record.  All identical - usually "v=spf1 a -all", and all such spam is SPF
pass.  Their spam software has a state machine which retries after greylisting,
just like a real sender.  There is a valid DomainKeys header for the 2822 From
field.  The IP address is from a different part of the world for each freshly
registered domain.  The message is presented as an image - making bayesian
filters rely on headers and meta-info for recognition.  As this new breed of
spam software gets adopted, the spam that makes it through grows.

If you do a whois on these throwaway domains, the registrant is always
a front company, like "Protected Domain Services" or "Domains by Proxy".
My idea is to start tracking reputation by domain registrant.
I would like to reject all mail from the above two registrants, for instance,
regardless of domain name du jour.  What are the restrictions on using
whois?  Can I simply script running it for every domain, with a cache
to remember results?  Or will registrars start blocking me for abuse?
What is the most efficient way to obtain whois info on a domain?

-- 
              Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flammis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
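
The registrant-keyed reputation and cached lookup idea from the message above, as an added example (not code from the post or from the poster's system). The function and class names, the one-day cache lifetime, the `.example` domains and the WHOIS text are constructed; the threshold of 20 is the per-domain figure the post gives, applied here per registrant.

```python
import re
import time

# Constructed WHOIS replies; real registrar output varies in layout and field names.
SAMPLE_WHOIS = {
    "throwaway1.example": "Domain Name: THROWAWAY1.EXAMPLE\nRegistrant Organization: Domains by Proxy\n",
    "throwaway2.example": "Domain Name: THROWAWAY2.EXAMPLE\nRegistrant:\n   Domains By Proxy\n   Some Street 1\n",
    "smallbiz.example": "Domain Name: SMALLBIZ.EXAMPLE\nRegistrant Name: Example Widgets Ltd\n",
}

def parse_registrant(text):
    """Return a normalized registrant string, or None if no registrant field is found."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"\s*Registrant(?: Organization| Name)?:\s*(.*)$", line, re.I)
        if not m:
            continue
        value = m.group(1).strip()
        if not value and i + 1 < len(lines):  # value sits on the following indented line
            value = lines[i + 1].strip()
        if value:
            return re.sub(r"[^a-z0-9]+", " ", value.lower()).strip()
    return None

class RegistrantReputation:
    def __init__(self, lookup, ttl=86400, threshold=20, clock=time.time):
        self.lookup, self.ttl, self.threshold, self.clock = lookup, ttl, threshold, clock
        self.cache = {}    # domain -> (expiry, reputation key)
        self.spam = {}     # reputation key -> spam count across all its domains
        self.lookups = 0   # WHOIS queries actually sent (cache misses only)

    def key_for(self, domain):
        domain = domain.lower().rstrip(".")
        hit = self.cache.get(domain)
        if hit and hit[0] > self.clock():
            return hit[1]
        self.lookups += 1
        registrant = parse_registrant(self.lookup(domain))
        # Fall back to the domain itself so unparsable records are not pooled together.
        key = "registrant:" + registrant if registrant else "domain:" + domain
        self.cache[domain] = (self.clock() + self.ttl, key)
        return key

    def report_spam(self, domain):
        key = self.key_for(domain)
        self.spam[key] = self.spam.get(key, 0) + 1

    def verdict(self, domain):
        return "reject" if self.spam.get(self.key_for(domain), 0) >= self.threshold else "continue"
```

Here `lookup` is any callable that returns WHOIS text for a domain; a `"continue"` verdict means the message goes on to the remaining checks such as greylisting.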


-------------------------------------------
Sender Policy Framework: http://www.openspf.org