negative caching of throwaway spam domains

Ken A ka at
Wed Jun 21 18:16:03 UTC 2006

Dan Mahoney, System Admin wrote:
> On Wed, 21 Jun 2006, Ken A wrote:
>> Hi,
>> We have 3 spam filtering machines that each run a bind caching
>> nameserver to help with rbl lookups, etc..
>> After mail passes through these machines it goes to our mail hub.
>> Every so often, a spam from a throwaway spam domain will get through the
>> spam filtering machines to the mailserver hub. The caching nameserver on
>> the spam filtering machine will be able to look up the sender's hostname,
>> so sendmail accepts it.
>> But, sendmail, on the mailserver hub will bounce it back to the spam
>> filtering machine with an error.. 'Domain of sender address
>> jthlhiyue at does not exist'. (that one is from this am..
>> registered yesterday by a spammer).
>> The question is, is there something I can do to, other than telling the
>> mail filter machines to all use the same instance of bind to avoid this
>> happening?

Any ideas on this DNS question?

>> Also, a bit off topic, but it occurs to me that this kind of information
>> is useful in spam fighting. Are there any rbls out there that list all
>> domains registered in the last 48 hrs?
> I would ask on the SpamAssassin mailing list, as those guys seem to be 
> most aware of what's available (even if it's not SpamAssassin you're 
> using, this is not a bad idea for a plugin and/or blacklist) -- however, 
> generically RBLs work on IP addresses, not domains.  Given an IP address 
> a.b.c.d, the domains is looked up, and if 
> it returns a certain value, it's considered listed.
> What you'd be more likely to look at is a SURBL -- which looks to block 
> URLs embedded in emails, and works on actual hostnames as opposed to IPs.

Yes, we use SURBL and uribl in S.A. to help score spam. rbldnsd uses 
these 'dnsets' to define hostnames in a rbl that are looked up via dns. 
DNS can be used for all sorts of things, not the least of which is 
spyware, which is why I worry when some newly installed software likes 
to do a DNS lookup for no apparent reason. Now we are way off topic..

> Also, I should note that parsing the information with regard to how long 
> ago a domain was registered is somewhat difficult, as at this point 
> we're out of the realm of DNS and into the realm of WHOIS.  And whoever 
> conceived WHOIS apparently did not feel that things like standardization 
> and formatting (or even date-field order) were things that needed to be 
> agreed upon.

I have a rather lengthy perl script that does this to check expiration 
dates for domains we host, but I agree, it's a parsing nightmare! :-\

Ken A.

> There is a long-out-of-date perl module which was written by the GANDI 
> registrar that was supposed to parse these things, and had a modular 
> plug-in architecture, however even that has broken majorly on .org since 
> that registry no longer uses referrals.
> -- 
> "There is no right and wrong, there is only fun and boring."
> -Fisher Stevens, "Hackers"
> --------Dan Mahoney--------
> Techie,  Sysadmin,  WebGeek
> Gushi on efnet/undernet IRC
> ICQ: 13735144   AIM: LarpGM
> Site:
> ---------------------------
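
The "registered in the last 48 hrs" check and the WHOIS date-parsing problem discussed in this thread, as an added example that is not from either poster and is not the perl script mentioned above. The label spellings, the date formats and the sample records are assumptions constructed for illustration; a date whose field order cannot be determined is reported as unknown rather than guessed.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumed label spellings; real registries use many more.
LABEL = re.compile(
    r"^\s*(?:creation date|created on|created|registered on)\s*[:.]*\s*(.+?)\s*$",
    re.I | re.M)
# Only formats whose field order is unambiguous.
FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d %H:%M:%S", "%Y-%m-%d",
           "%d-%b-%Y %H:%M:%S UTC", "%d-%b-%Y")

def parse_created(whois_text):
    """Return the registration time as an aware UTC datetime, or None."""
    for m in LABEL.finditer(whois_text):
        for fmt in FORMATS:
            try:
                parsed = datetime.strptime(m.group(1), fmt)
            except ValueError:
                continue
            return parsed.replace(tzinfo=timezone.utc)
    return None  # 06/05/2006 lands here: day/month order is unknowable

def registered_recently(whois_text, now, window=timedelta(hours=48)):
    """True or False when the age is known, None when it is not."""
    created = parse_created(whois_text)
    if created is None:
        return None
    return timedelta(0) <= now - created <= window

# Constructed WHOIS fragments (not real registry output).
SAMPLES = {
    "iso": "Domain Name: THROWAWAY.EXAMPLE\nCreation Date: 2006-06-20T14:03:11Z\n",
    "org_style": "Domain Name:THROWAWAY.EXAMPLE\nCreated On:20-Jun-2006 14:03:11 UTC\n",
    "old": "domain:   hosted.example\ncreated:  2001-03-09\n",
    "ambiguous": "Registered on: 06/05/2006\n",
    "missing": "No match for domain \"NOPE.EXAMPLE\".\n",
}

if __name__ == "__main__":
    now = datetime(2006, 6, 21, 18, 16, 3, tzinfo=timezone.utc)
    for name, text in SAMPLES.items():
        print(name, registered_recently(text, now))
```

A mail filter using this would treat None as "no signal" and score only on True, since an unparsed record says nothing about the domain's age.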
