[dns-operations] negative caching of throwaway spam domains

Rick Wesson wessorh at ar.com
Thu Jun 22 16:39:24 UTC 2006


I've created a DNSRBL called day-old-bread (ok you think of a good name 
for it) that contains a running list of domains registered in the last 5 
days. It lives at dob.sibl.support-intelligence.net.

A test point is at 
test.dob.sibl.support-intelligence.com.dob.sibl.support-intelligence.net.

The data set currently has just the last 2 days' worth of domain 
registrations.

The run rate will be around 5M domains for 5 days' worth of registrations.

I appreciate any thoughts on how useful this might be, and feel free to 
let others know the list exists.


-rick


paul at vix.com wrote:
> is there?
> 
> re:
> 
>> From: Ken A <ka at pacific.net>
>> Newsgroups: comp.protocols.dns.bind
>> Subject: negative caching of throwaway spam domains
>> Date: Wed, 21 Jun 2006 09:51:15 -0700
>> Organization: none
>> Sender: news at isc.org
>> X-Original-Message-ID: <44997903.9000402 at pacific.net>
>> User-Agent: Thunderbird 1.5.0.4 (Windows/20060516)
>>
>> Hi,
>>
>> We have 3 spam filtering machines that each run a bind caching 
>> nameserver to help with rbl lookups, etc.
>> After mail passes through these machines it goes to our mail hub.
>>
>> Every so often, a spam from a throwaway spam domain will get through the 
>> spam filtering machines to the mailserver hub. The caching nameserver on 
>> the spam filtering machine will be able to look up the sender's hostname, 
>> so sendmail accepts it.
>>
>> But, sendmail, on the mailserver hub will bounce it back to the spam 
>> filtering machine with an error.. 'Domain of sender address 
>> jthlhiyue at halosalbum.com does not exist'. (that one is from this am.. 
>> registered yesterday by a spammer).
>>
>> The question is, is there something I can do, other than telling the 
>> mail filter machines to all use the same instance of bind, to avoid this 
>> happening?
>>
>> Also, a bit off topic, but it occurs to me that this kind of information 
>> is useful in spam fighting. Are there any rbls out there that list all 
>> domains registered in the last 48 hrs?
>>
>> Thanks for any ideas!
>>
>> Ken A
>> Pacific.Net
>>
>>
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.oarci.net
> http://lists.oarci.net/mailman/listinfo/dns-operations
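
Added example, not part of the original message or the list operator's code: how a mail filter could check a sender's domain against a domain-based list such as the one announced above, by querying `<domain>.<zone>` and treating an answer in 127.0.0.0/8 as "listed". The function names, the 127.0.0.0/8 answer convention as applied to this list, and the stub answer data are assumptions; the stub stands in for the live zone so the code runs offline.

```python
import ipaddress
import socket

DOB_ZONE = "dob.sibl.support-intelligence.net"  # zone named in the message
LISTED_NET = ipaddress.ip_network("127.0.0.0/8")  # assumed DNSBL answer range

def dob_query_name(domain, zone=DOB_ZONE):
    """Build the lookup name for a domain-based list: <domain>.<zone>."""
    name = domain.strip().rstrip(".").lower()
    if not name or ".." in name or any(c.isspace() for c in name):
        raise ValueError(f"not a usable domain name: {domain!r}")
    return f"{name}.{zone}"

def system_resolver(name):
    """A records from the system resolver. Any failure returns [], so a
    resolver outage reads as 'not listed' (fail open)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def is_listed(domain, resolve=system_resolver, zone=DOB_ZONE):
    """True if the list answers for the domain with an address in 127/8."""
    answers = resolve(dob_query_name(domain, zone))
    return any(ipaddress.ip_address(a) in LISTED_NET for a in answers)

def sender_domain(address):
    """Domain part of an envelope sender such as user@example.org."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"no domain in sender address: {address!r}")
    return domain

# Constructed stand-in for the live zone so the example runs offline.
# The answer value is made up; the message does not say what is returned.
STUB_ZONE = {
    "test.dob.sibl.support-intelligence.com.dob.sibl.support-intelligence.net":
        ["127.0.0.2"],
}

def stub_resolver(name):
    return STUB_ZONE.get(name, [])

if __name__ == "__main__":
    for sender in ("a@test.dob.sibl.support-intelligence.com", "b@example.org"):
        print(sender, is_listed(sender_domain(sender), stub_resolver))
```

Because `system_resolver` cannot tell NXDOMAIN from a timeout, a filter that must not fail open should use a resolver library that exposes the response code.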



