[dns-operations] negative caching of throwaway spam domains
Paul Vixie
paul at vix.com
Thu Jul 6 20:09:34 UTC 2006
> I've created a DNSRBL called day-old-bread (ok you think of a good name for
> it) that contains a running list of domains registered in the last 5 days.
> It lives at dob.sibl.support-intelligence.net.
i've been running with this for a few weeks. here's the last 7 days, noting
that my mta stops after the first reputation-server hit (rather than trying
them all; i know there's a postfix patch out there to OR them all together
but i don't know where it is and i'm not running it.) my config is approx:

    reject_unknown_sender_domain,
    reject_non_fqdn_sender,
    reject_unknown_recipient_domain,
    reject_non_fqdn_recipient,
    reject_unauth_destination,
    check_policy_service inet:204.152.187.1:2501,	# greylister
    reject_rhsbl_client dob.sibl.support-intelligence.net,
    reject_rhsbl_sender dob.sibl.support-intelligence.net,
    reject_rbl_client rbl-plus.mail-abuse.org,
    reject_rbl_client sbl-xbl.spamhaus.org,
    reject_rbl_client dnsbl.sorbs.net,
    reject_rbl_client nonconfirm.mail-abuse.org,
    reject_unknown_client,
    reject_invalid_hostname,
    reject_non_fqdn_hostname,
    reject_unknown_hostname,
    reject_rbl_client reject-all.vix.com

so, it's first-one-wins, and wessorh's new d-o-b services get first whack.
in the first display, SIBL shows respectable results, on par with SORBS in
most cases. in the second display, i'll include a detailed report of just
the SIBL hits across the full timespan. (and before anyone asks, reject-all
is private, and won't be exported to anyone under any circumstances.)
as far as i'm concerned, the early results from rejecting all e-mail from
domains under 5 days old are quite good, and i encourage wessorh to take it
forward (out of dns-operations and into the anti-spam community somewhere.)
--------
rejects  #/host  #/from    #/to  #/helo  (Jul 6 00:00:00 - Jul 6 19:57:18)
    516     257     338     218     259  dnsbl.sorbs.net
    335     123      62      61     268  dob.sibl.support-intelligence.net
   4181    2368    3128    1257    1481  rbl-plus.mail-abuse.org
    961     693     582     369     674  reject-all.vix.com
   1388     741     916     496     560  sbl-xbl.spamhaus.org

rejects  #/host  #/from    #/to  #/helo  (Jul 5 00:00:00 - Jul 6 00:00:00)
    638     339     427     279     325  dnsbl.sorbs.net
    330     117      55      67     280  dob.sibl.support-intelligence.net
      3       2       3       3       2  nonconfirm.mail-abuse.org
   6429    3578    4691    1499    2370  rbl-plus.mail-abuse.org
    983     692     628     393     680  reject-all.vix.com
   2811     786    1090     500     664  sbl-xbl.spamhaus.org

rejects  #/host  #/from    #/to  #/helo  (Jul 4 00:00:00 - Jul 5 00:00:00)
    563     380     421     298     337  dnsbl.sorbs.net
    301     109      57      51     251  dob.sibl.support-intelligence.net
      3       2       3       3       2  nonconfirm.mail-abuse.org
   4973    3160    3903    1376    2018  rbl-plus.mail-abuse.org
    905     617     572     412     625  reject-all.vix.com
   2280     520     737     429     513  sbl-xbl.spamhaus.org

rejects  #/host  #/from    #/to  #/helo  (Jul 3 00:00:00 - Jul 4 00:00:00)
    506     258     349     198     282  dnsbl.sorbs.net
    417     204      71      70     336  dob.sibl.support-intelligence.net
      1       1       1       1       1  nonconfirm.mail-abuse.org
   4420    3017    3729    1229    1840  rbl-plus.mail-abuse.org
    849     607     618     397     600  reject-all.vix.com
   1178     509     794     404     533  sbl-xbl.spamhaus.org

rejects  #/host  #/from    #/to  #/helo  (Jul 2 00:00:00 - Jul 3 00:00:00)
    329     213     231     194     183  dnsbl.sorbs.net
    382     101      61      64     310  dob.sibl.support-intelligence.net
   3999    2506    3057    1175    1395  rbl-plus.mail-abuse.org
    859     604     550     360     599  reject-all.vix.com
    928     486     671     339     455  sbl-xbl.spamhaus.org

rejects  #/host  #/from    #/to  #/helo  (Jul 1 00:00:00 - Jul 2 00:00:00)
    410     140     160     132     120  dnsbl.sorbs.net
     93      56      24      40      82  dob.sibl.support-intelligence.net
   2933    2073    2495    1051     897  rbl-plus.mail-abuse.org
    895     428     422     305     421  reject-all.vix.com
    727     447     584     357     325  sbl-xbl.spamhaus.org

rejects  #/host  #/from    #/to  #/helo  (Jun 30 00:00:00 - Jul 1 00:00:00)
    317     214     250     170     181  dnsbl.sorbs.net
    382     148      72      71     318  dob.sibl.support-intelligence.net
   3949    2773    3259    1182    1469  rbl-plus.mail-abuse.org
    894     610     616     372     604  reject-all.vix.com
   1208     803     916     452     573  sbl-xbl.spamhaus.org

rejects  #/host  #/from    #/to  #/helo  (Jun 29 00:00:00 - Jun 30 00:00:00)
    334     229     257     192     194  dnsbl.sorbs.net
    335     102      65      62     270  dob.sibl.support-intelligence.net
   4109    2877    3641    1251    1271  rbl-plus.mail-abuse.org
    875     612     684     420     601  reject-all.vix.com
   2119     730    1244     555     824  sbl-xbl.spamhaus.org

rejects  #/host  #/from    #/to  #/helo  (Jun 28 00:00:00 - Jun 29 00:00:00)
    400     216     279     188     220  dnsbl.sorbs.net
    320     125      97      60     205  dob.sibl.support-intelligence.net
      1       1       1       1       1  nonconfirm.mail-abuse.org
   5349    3633    4628    1367    1767  rbl-plus.mail-abuse.org
    884     628     638     401     612  reject-all.vix.com
   1277     842    1002     498     595  sbl-xbl.spamhaus.org
--------
rejects  #/host  #/from    #/to  #/helo  (Jun 28 00:25:44 - Jul 6 20:00:51)
   2896     922     557     124    1652  dob.sibl.support-intelligence.net

dob.sibl.support-intelligence.net (2896 total)
  hosts:
     57 dwltdrl at antidotaltreatment.com
     56 cle at chromosomal-environment.com
     56 shp at budgetary-calculator.com
     54 Eat4free at forwarder-hitman.com
     53 fgs at unstoppable-customer.com
     48 ptv at conceptual-nightmare.com
     41 agfc at undiscovered-greatness.com
     40 ntq at eternaltrickster.com
     40 LaptopVoucher at classical-pursuit.com
  senders:
     57 dwltdrl at antidotaltreatment.com
     56 cle at chromosomal-environment.com
     56 shp at budgetary-calculator.com
     54 Eat4free at forwarder-hitman.com
     53 fgs at unstoppable-customer.com
     48 ptv at conceptual-nightmare.com
     46 LaptopVoucher at eighties-floruit.com
     46 LaptopVoucher at successivehearing.com
     45 Eatfree at fraudulent-handwriting.com
  recips:
    119 curlymo at cix.net
    109 crodriguez5 at cix.net
    108 dee10609 at cix.net
    105 loser35 at cix.net
    104 mikeycool at cix.net
    103 anasia at cix.net
    103 bluebirdcjs at cix.net
     97 frogsintheusa at cix.net
     73 khajkshdjkas at cix.net
  hellos:
     16 playsecondfiddletofashionable.net
     14 patronglossary.net
     12 ruggedlinguistic.net
     11 mail.hostngrp.com
     10 perforatevigorous.net
      9 softsellfinancial.com
      8 pastsaid.net
      8 webmail01.musksplat.com
      7 mssql2.gallanthair-line.com
--------
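
Added example, not part of the original post and not Postfix code: a small model of the first-one-wins evaluation described above, showing which DNS name each restriction type queries and why a message listed on two services is credited only to the one placed earlier in the list. The function names, the client IP, the host and sender names, and the LISTED set (standing in for DNS answers) are all constructed for illustration.

```python
import ipaddress

# DNS-list restrictions in the order given in the post (other checks omitted).
RESTRICTIONS = [
    ("reject_rhsbl_client", "dob.sibl.support-intelligence.net"),
    ("reject_rhsbl_sender", "dob.sibl.support-intelligence.net"),
    ("reject_rbl_client", "rbl-plus.mail-abuse.org"),
    ("reject_rbl_client", "sbl-xbl.spamhaus.org"),
    ("reject_rbl_client", "dnsbl.sorbs.net"),
]

def query_name(kind, zone, client_ip, client_host, sender):
    """Build the DNS name a restriction of this kind looks up in `zone`."""
    if kind == "reject_rbl_client":
        # IP-based list: IPv4 octets reversed, then the list zone.
        octets = str(ipaddress.IPv4Address(client_ip)).split(".")
        return ".".join(reversed(octets)) + "." + zone
    if kind == "reject_rhsbl_client":
        # Name-based list keyed on the client's hostname.
        return client_host.rstrip(".").lower() + "." + zone
    if kind == "reject_rhsbl_sender":
        # Name-based list keyed on the envelope sender's domain.
        domain = sender.rsplit("@", 1)[1]
        return domain.rstrip(".").lower() + "." + zone
    raise ValueError("unsupported restriction: " + kind)

def first_hit(restrictions, listed, client_ip, client_host, sender):
    """Return the zone of the first restriction whose query name is in
    `listed` (a stand-in for 'the lookup returned an A record'), else None."""
    for kind, zone in restrictions:
        if query_name(kind, zone, client_ip, client_host, sender) in listed:
            return zone  # evaluation stops here; later lists are never asked
    return None

# Constructed sample data: one sender domain on the day-old list,
# and the same client's IP on an IP-based list.
LISTED = {
    "new-example.test.dob.sibl.support-intelligence.net",
    "7.2.0.192.dnsbl.sorbs.net",
}
```

With this order the sample message is counted against dob.sibl.support-intelligence.net even though dnsbl.sorbs.net would also have rejected it, so the per-list totals in the tables depend on list order as well as list coverage.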