[dns-operations] negative caching of throwaway spam domains
william(at)elan.net
william at elan.net
Thu Jul 6 21:13:34 UTC 2006
On Thu, 6 Jul 2006, Rick Jones wrote:
> Rick Jones wrote:
>> Rick Wesson wrote:
>>
>>> I've created a DNSRBL called day-old-bread (ok you think of a good name
>>> for it) that contains a running list of domains registered in the last 5
>>> days.
>>
>>
>> Some ideas :)
>
> Seeing Paul's message repeating the 5 days old bit got me to thinking
> about nursery rhymes, so another idea:
>
> *) peas-porridge because some like it hot, some like it cold and some
> like it in the pot, five (ok, nine) days old.
I actually not exactly sure what you mean above. But in the same space
for complex email filtering systems (that don't just do pass/fail), the
total domain time of registration of the domain (i.e. creation date from
whois) is a good input, i.e. while < 1 day old might be viewed as -2
negative score, > 3 years old might be viewed as +2 positive input score.
DNS zone parsing is not a good parameter for this, but as I mentioned on
nanog long ago internic whois is (although its not really designed for
high-rate tests with caching it works).
--
William Leibzon
Elan Networks
william at elan.net
More information about the dns-operations
mailing list