[dns-operations] negative caching of throwaway spam domains

william(at)elan.net william at elan.net
Thu Jul 6 21:13:34 UTC 2006

On Thu, 6 Jul 2006, Rick Jones wrote:

> Rick Jones wrote:
>> Rick Wesson wrote:
>>> I've created a DNSRBL called day-old-bread (ok you think of a good name
>>> for it) that contains a running list of domains registered in the last 5
>>> days.
>> Some ideas :)
> Seeing Paul's message repeating the 5 days old bit got me to thinking
> about nursery rhymes, so another idea:
> *) peas-porridge  because some like it hot, some like it cold and some
> like it in the pot, five (ok, nine) days old.

I actually not exactly sure what you mean above. But in the same space
for complex email filtering systems (that don't just do pass/fail), the 
total domain time of registration of the domain (i.e. creation date from 
whois) is a good input, i.e. while < 1 day old might be viewed as -2 
negative score, > 3 years old  might be viewed as +2 positive input score.

DNS zone parsing is not a good parameter for this, but as I mentioned on
nanog long ago internic whois is (although its not really designed for
high-rate tests with caching it works).

William Leibzon
Elan Networks
william at elan.net

More information about the dns-operations mailing list