no whois info?
william(at)elan.net
Fri Dec 10 11:48:07 UTC 2004
On Fri, 10 Dec 2004, Elmar K. Bins wrote:
> > william(at)elan.net <william at elan.net> wrote:
> > [...]
> > > Read NANOG archives - Verisign now allows immediate (well, within
> > > about 10 minutes) updates of .com/.net zones (also same for .biz)
> > > while whois data is still updated once or twice a day. That means if
> > > a spammer registers a new domain he'll be able to use it immediately and
> > > it'll not yet show up in whois (and so not be immediately
> > > identifiable to spam reporting tools) - and spammers are in fact
> > > using this "feature" more and more!
> >
> > This tempts me to hack something into Exim that does a whois on
> > previously-unseen sender domains, and give a deferral if the whois
> > denies existence of the domain. Is this likely to have any meaningful
> > effect?
>
> No. It depends too much on
>
> (a) the registry and registrar for the domain
> (b) overall whois availability to that TLD (not everybody uses whois)
> (c) your connectivity to the whois servers involved (possibly more
> than one)
I disagree, I think this may be ok, but it's specifically because it's
for .com/.net whois (not ok for general TLD). Reasons are:

1. Internic.net / CRSNIC whois has no limit set on the number of queries a
   client from a particular IP can make before queries are denied (or
   it may have a limit but it's set very high) and its data is almost
   always available and quite fast (but there were some outages).
2. Internic.net data is very brief, listing only when the domain was
   registered, which registrar, and status.
3. If there is a problem getting whois data at the moment, the SMTP
   connection would not be denied but only deferred.

I think what should be done based on the data is:

1. Check the creation date and if the domain is very new (not even in
   whois, or in whois but registration date is today or yesterday)
   then defer it for 48 hours but count the connection and report
   to some central system. If after one day from that new domain
   came way too many attempts to send email, then it may be assumed
   fairly safely the domain is being set up by a spammer. Additionally,
   if there are spam reports that came about the domain then a
   responsible registrar (like GoDaddy) would put it on hold and this
   would be reflected in the domain status. I'll also note that the
   registrar has 72 hours in which they can delete a newly registered
   domain if they believe the registration was fraudulent (i.e. stolen
   credit card) and not have to pay registrar for it - in fact that is
   quite often what happens to spammer-used domains.
2. You probably should not accept email from domains that have any kind
   of HOLD status (this is the same as the domain not delegated in DNS) but
   again this should not be outright denial but deferral (in case it's
   just that somebody forgot to pay the registration fee).
3. By checking Internic whois you get the name of the registrar (i.e.
   OpenSRS, eNom, etc.) and can decide that if the registrar is too
   "dirty" you do not want to accept email from the domain. If enough
   people do it, this may cause registrars to become more responsible
   towards who they let register domains.

It may be quite good if several of us come together and create a project
to create such a whois filtering library for SMTP. This library can then
be called from extensions for Sendmail, Postfix, Exim and other popular
mailers. I certainly will be willing to help with my whois programming
skills but I have no experience (yet) writing extensions for MTAs.
--
William Leibzon
Elan Networks
william at elan.net
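A sketch of the three-point whois check proposed in the message above, as an added example that is not part of the original post nor of any library the author or NANOG produced: it parses an Internic-style key/value whois reply and returns a defer/accept/reject decision that an MTA hook could act on. The sample replies, the `Creation Date`/`Status`/`Registrar` labels, the 48-hour "too new" window, the `DIRTY_REGISTRARS` policy list and the function names `parse_whois` and `decide` are all constructed assumptions; a real deployment would fetch the reply over port 43 and map "defer" to a 4xx SMTP response.

```python
import re
from datetime import datetime, timedelta

# Reference "now" for the worked samples (the date of the message; assumption).
NOW = datetime(2004, 12, 10, 11, 48)

# Hypothetical local policy list: registrars whose domains we refuse outright.
DIRTY_REGISTRARS = {"REGISTRAR-Z, LLC"}

# Constructed whois replies in an Internic-like "Label: value" layout (assumed format).
WHOIS_OLD = """\
   Domain Name: EXAMPLE.COM
   Registrar: REGISTRAR-A, INC.
   Status: ACTIVE
   Creation Date: 14-aug-1995
   Updated Date: 01-dec-2004
"""
WHOIS_NEW = """\
   Domain Name: FRESH-EXAMPLE.COM
   Registrar: REGISTRAR-A, INC.
   Status: ACTIVE
   Creation Date: 09-dec-2004
"""
WHOIS_HOLD = """\
   Domain Name: UNPAID-EXAMPLE.COM
   Registrar: REGISTRAR-A, INC.
   Status: REGISTRAR-HOLD
   Creation Date: 01-jan-2003
"""
WHOIS_DIRTY = """\
   Domain Name: SHADY-EXAMPLE.COM
   Registrar: REGISTRAR-Z, LLC
   Status: ACTIVE
   Creation Date: 01-jan-2003
"""
WHOIS_NOMATCH = 'No match for "NOTYET-EXAMPLE.COM".'


def parse_whois(text):
    """Turn 'Label: value' lines into a dict; Status may repeat, so it becomes a list."""
    fields, statuses = {}, []
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z ]+):\s*(.*\S)\s*$", line)
        if not m:
            continue
        key, val = m.group(1).strip().lower(), m.group(2)
        if key == "status":
            statuses.append(val.upper())
        else:
            fields[key] = val
    fields["status"] = statuses
    return fields


def decide(whois_text, now=NOW, dirty_registrars=DIRTY_REGISTRARS, new_domain_hours=48):
    """Return (action, reason) where action is 'accept', 'defer' or 'reject'.

    Mirrors the post: lookup trouble and brand-new or on-hold domains are only
    deferred (temporary failure); only a blocked registrar is a hard reject.
    """
    if whois_text is None:
        return "defer", "whois unavailable"           # rule 3: never deny on lookup failure
    if "no match" in whois_text.lower():
        return "defer", "domain not yet in whois"     # registered but not published yet
    info = parse_whois(whois_text)
    created = info.get("creation date")
    if created is None:
        return "defer", "no creation date in whois"
    created_dt = datetime.strptime(created, "%d-%b-%Y")
    if now - created_dt < timedelta(hours=new_domain_hours):
        return "defer", f"created {created}, younger than {new_domain_hours}h"
    if any("HOLD" in s for s in info["status"]):
        return "defer", "domain on hold: " + ",".join(info["status"])
    if info.get("registrar", "").upper() in dirty_registrars:
        return "reject", "registrar blocked by local policy"
    return "accept", "ok"


def run_samples():
    """Apply the policy to every constructed reply; returns {name: action}."""
    samples = {
        "old": WHOIS_OLD, "new": WHOIS_NEW, "hold": WHOIS_HOLD,
        "dirty": WHOIS_DIRTY, "nomatch": WHOIS_NOMATCH, "outage": None,
    }
    return {name: decide(text)[0] for name, text in samples.items()}


if __name__ == "__main__":
    for name, action in run_samples().items():
        print(f"{name:8s} -> {action}")
```

The deferral path deliberately dominates: a whois outage, a domain registered yesterday, or an unpaid renewal all produce a temporary failure so a legitimate sender's MTA simply retries later, while the counting and central reporting the post describes would sit on top of the "defer" branch.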