antispam at khopis
Aug 22, 2011, 4:52 PM
Post #2 of 9
Re: blacklist based on authoritative nameservers of sender domain
On 08/22/2011 04:13 PM, Noah Meyerhans wrote:
> I've recently observed a fair amount of spam from domains that all
> share the same set of authoritative nameservers. It occurred to me
> that it might be nice to be able to blacklist mail from all domains
> sharing these nameservers, or maybe to simply have that trait count
> toward the spam score.
You can't do whois en masse (I'd love that, but ...), so this means an
NS host lookup. To determine if they are authoritative, that's another
lookup (which I don't believe is necessary). A blocklist would also be
another lookup (if using a BL, it could check the authoritativeness),
but I don't think that's completely necessary either.
Your plugin should create enough information for bayes and rules to
access the data, say through a pseudoheader that can be explicitly added
via template tags.
Thus, you'd be able to write a rule that checks the pseudoheader for a
problematic name server. Here's a mockup pseudoheader and matching rule
for an email that links spamassassin.org and example.net:

X-Spam-Uri-NS: [ dom=spamassassin.org ns=c.auth-ns.sonic.net
  ns=ns.hyperreal.org ns=b.auth-ns.sonic.net ns=a.auth-ns.sonic.net ] [
  dom=example.net ns=b.iana-servers.net. ns=a.iana-servers.net ]

header LOCAL_USES_DNS_EXAMPLE_NET X-Spam-Uri-NS =~ /

I left out NS server IPs because that's even more DNS lookups. URIs are
in order of appearance. NS order is not predictable (though I suppose
we could asciibetize).
> I don't believe there's currently a plugin to allow this sort of
> thing. Is that correct? If so, would anybody be interested in one
> if I was to write it? Or am I missing something obvious that makes
> this not worth doing? I realize that the potential for collateral
> damage is high, so I don't think it'd be wise to try and publish any
> sort of data for such a plugin, but it seems like the plugin itself
> might be occasionally useful...
It might be useful, but we'd have to test it to know.
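
The pseudoheader idea from the reply above, as an added example that is not part of the original post and is not SpamAssassin code: a standalone Python prototype that parses the mockup `X-Spam-Uri-NS` value, canonicalizes it (lowercase, root dot stripped, NS names sorted) and checks it against a local nameserver list. The function names and the list entry are hypothetical, and the sample is the post's mockup unfolded onto one line; no DNS lookups are performed.

```python
import re

# Constructed sample: the mockup header value from the post, unfolded.
SAMPLE = ("[ dom=spamassassin.org ns=c.auth-ns.sonic.net ns=ns.hyperreal.org "
          "ns=b.auth-ns.sonic.net ns=a.auth-ns.sonic.net ] "
          "[ dom=example.net ns=b.iana-servers.net. ns=a.iana-servers.net ]")

def norm(host):
    """Lowercase and drop the root dot so 'NS.Example.' equals 'ns.example'."""
    return host.strip().lower().rstrip(".")

def parse_uri_ns(value):
    """Return [(domain, [ns, ...]), ...]: domains in order of appearance,
    NS names de-duplicated and sorted so the output is predictable."""
    out = []
    for group in re.findall(r"\[([^\]]*)\]", value):
        dom, servers = None, []
        for token in group.split():
            key, _, val = token.partition("=")
            if key == "dom":
                dom = norm(val)
            elif key == "ns" and val:
                servers.append(norm(val))
        if dom:
            out.append((dom, sorted(set(servers))))
    return out

def format_uri_ns(parsed):
    """Re-emit the pseudoheader value in canonical form."""
    return " ".join(
        "[ dom=%s %s ]" % (dom, " ".join("ns=" + s for s in servers))
        for dom, servers in parsed)

def flagged(parsed, bad_zones):
    """(domain, ns) pairs whose NS is, or sits under, a listed zone."""
    bad = {norm(z) for z in bad_zones}
    hits = []
    for dom, servers in parsed:
        for s in servers:
            labels = s.split(".")
            # Compare suffixes on label boundaries, never raw substrings.
            if any(".".join(labels[i:]) in bad for i in range(len(labels))):
                hits.append((dom, s))
    return hits

if __name__ == "__main__":
    parsed = parse_uri_ns(SAMPLE)
    print(format_uri_ns(parsed))
    print(flagged(parsed, ["iana-servers.net"]))  # constructed list entry
```

Matching on label boundaries keeps an entry such as `servers.net` from hitting `iana-servers.net`, which an unanchored regex over the raw header would do.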