On Fri, 10 Dec 2004, Elmar K. Bins wrote:
william(at)elan.net <william@elan.net> wrote: [...]
Read NANOG archives - Verisign now allows immediate (well, within about 10 minutes) updates of .com/.net zones (also same for .biz) while whois data is still updated once or twice a day. That means if spammer registers new domain he'll be able to use it immediatly and it'll not yet show up in whois (and so not be immediatly identifiable to spam reporting tools) - and spammers are in fact using this "feature" more and more!
This tempts me to hack something into Exim that does a whois on previously-unseen sender domains, and give a deferral if the whois denies existence of the domain. Is this likely to have any meaningful effect?
No. It depends too much on
(a) the registry and registrar for the domain (b) overall whois availability to that TLD (not everybody uses whois) (c) your connectivity to the whois servers involved (possibly more than one)
I disagree, I think this may be ok, but its specifically because its for .com/.net whois (not ok for general TLD). Reasons are: 1. Internic.net / CRSNIC whois has no limit set on number of queries client from particular ip can make before queries are denied (or it may have limit but its set very high) and its data is almost always available and quite fast (but there were some outages). 2. Internic.net data is very brief listing only when domain was registered and which registrar and status 3. If there is a problem getting whois data at the moment, SMTP connection would not be denied but only deferred I think what should be done based on data is: 1. Check creation data and if the domain is very new (not even in whois or in whois but registration date is today or yesterday) then defer it for 48 hours but count the connection and report to some central system. If after one day from that new domain came way too many attempts to send email, then it maybe assumed fairly safely the domain is being setup by spammer. Additionally if there are spam reports that came about the domain then a responsible registrar (like godaddy) would put it on hold and this would be reflected in the domain status. I'll also note that registar has 72 hours in which they can delete newly registered domain if they believe the registration was fraudelent (i.e. stolen credit card) and not have to pay registrar for it - in fact that is quite often what happens to spammer used domains. 2. You probably should not accept email from domains that have any kind of HOLD status (this is the same as domain not deligated in dns) but again this should not be outright denial but deferral (in case its just that somebody forgot to pay registration feee). 3. By checking Internic whois you get a name of the registrar (i.e. opensrs, enom, etc) and can decide that if the registrar is too "dirty" you do not want to accept email from domain. If enough people do it, this may cause registrar to become more responsible towards who they let register domains. It maybe quite good if several of us come together and create a project to create such whois filtering library for SMTP. This library can then be called from extensions for Sendmail, Postfix, Exim and other popular mailers. I certainly will be willing to help with my whois programming skills but I have no experience (yet) writing extensions for MTAs. -- William Leibzon Elan Networks william@elan.net