North American Network Operators Group
Re: no whois info ?
On Fri, 10 Dec 2004, Elmar K. Bins wrote:

> > william(at)elan.net <[email protected]> wrote:
> > [...]
> > > Read NANOG archives - Verisign now allows immediate (well, within
> > > about 10 minutes) updates of .com/.net zones (also same for .biz)
> > > while whois data is still updated once or twice a day. That means if
> > > a spammer registers a new domain he'll be able to use it immediately and
> > > it'll not yet show up in whois (and so not be immediately
> > > identifiable to spam reporting tools) - and spammers are in fact
> > > using this "feature" more and more!
> >
> > This tempts me to hack something into Exim that does a whois on
> > previously-unseen sender domains, and give a deferral if the whois
> > denies existence of the domain. Is this likely to have any meaningful
> > effect?
>
> No. It depends too much on
>
> (a) the registry and registrar for the domain
> (b) overall whois availability to that TLD (not everybody uses whois)
> (c) your connectivity to the whois servers involved (possibly more
> than one)

I disagree, I think this may be ok, but it's specifically because it's for .com/.net whois (not ok for general TLD). Reasons are:

1. Internic.net / CRSNIC whois has no limit set on the number of queries a client from a particular ip can make before queries are denied (or it may have a limit but it's set very high) and its data is almost always available and quite fast (but there were some outages).

2. Internic.net data is very brief, listing only when the domain was registered, which registrar, and status.

3. If there is a problem getting whois data at the moment, the SMTP connection would not be denied but only deferred.

I think what should be done based on the data is:

1. Check the creation date and if the domain is very new (not even in whois, or in whois but the registration date is today or yesterday) then defer it for 48 hours but count the connection and report to some central system. If after one day way too many attempts to send email came from that new domain, then it may be assumed fairly safely the domain is being set up by a spammer. Additionally if there are spam reports that came about the domain then a responsible registrar (like godaddy) would put it on hold and this would be reflected in the domain status. I'll also note that the registrar has 72 hours in which they can delete a newly registered domain if they believe the registration was fraudulent (i.e. stolen credit card) and not have to pay registrar for it - in fact that is quite often what happens to spammer used domains.

2. You probably should not accept email from domains that have any kind of HOLD status (this is the same as the domain not being delegated in dns) but again this should not be outright denial but deferral (in case it's just that somebody forgot to pay the registration fee).

3. By checking Internic whois you get the name of the registrar (i.e. opensrs, enom, etc) and can decide that if the registrar is too "dirty" you do not want to accept email from the domain. If enough people do it, this may cause registrars to become more responsible towards who they let register domains.

It may be quite good if several of us come together and create a project to create such a whois filtering library for SMTP. This library can then be called from extensions for Sendmail, Postfix, Exim and other popular mailers. I certainly will be willing to help with my whois programming skills but I have no experience (yet) writing extensions for MTAs.

--
William Leibzon
Elan Networks
[email protected]
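The decision logic proposed in the message above (defer brand-new domains for 48 hours, defer any HOLD status, defer rather than reject when whois is unreachable, optionally decline by registrar), as an added example that is not part of the original post or of any MTA extension; the whois replies are constructed samples, the lookup itself is assumed to happen elsewhere and only the parsed text is handed in:

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample thin-registry whois replies ("Key: Value" lines); all values made up.
SAMPLE_HOLD = "Domain Name: EXAMPLE-HOLD.COM\nRegistrar: EXAMPLE REGISTRAR, LLC\nStatus: clientHold\nCreation Date: 10-dec-2004\n"
SAMPLE_NEW = "Domain Name: EXAMPLE-NEW.COM\nRegistrar: EXAMPLE REGISTRAR, LLC\nStatus: ok\nCreation Date: 10-dec-2004\n"
SAMPLE_OLD = "Domain Name: EXAMPLE-OLD.COM\nRegistrar: EXAMPLE REGISTRAR, LLC\nStatus: ok\nCreation Date: 01-jan-2000\n"
NOT_FOUND = 'No match for "EXAMPLE-NOTYET.COM".\n'

NEW_DOMAIN_WINDOW = timedelta(hours=48)   # the 48-hour deferral window from the thread


def parse_whois(text):
    """Collect 'Key: Value' fields (lower-cased keys, repeated keys kept as a list)."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z ]+?):\s*(.+?)\s*$", line)
        if m:
            fields.setdefault(m.group(1).strip().lower(), []).append(m.group(2))
    return fields


def parse_date(s):
    """Parse the dd-mon-yyyy style used in the samples into an aware UTC datetime."""
    return datetime.strptime(s.strip(), "%d-%b-%Y").replace(tzinfo=timezone.utc)


def decide(whois_text, now, dirty_registrars=()):
    """Return (verdict, reason); verdict is 'accept', 'defer' or 'reject'.

    whois_text is None when the whois server could not be reached, which the
    thread says must lead to a deferral (4xx), never an outright rejection."""
    if whois_text is None:
        return "defer", "whois unavailable"
    f = parse_whois(whois_text)
    if "domain name" not in f:                     # registered so recently it is not in whois yet
        return "defer", "domain not yet in registry whois"
    if any("hold" in s.lower() for s in f.get("status", [])):
        return "defer", "domain has HOLD status"   # deferral, in case it is just an unpaid fee
    registrar = (f.get("registrar") or [""])[0]
    if registrar.upper() in {r.upper() for r in dirty_registrars}:
        return "reject", "registrar is on the local blocklist"
    if "creation date" in f and now - parse_date(f["creation date"][0]) < NEW_DOMAIN_WINDOW:
        return "defer", "domain registered within the last 48 hours"
    return "accept", "ok"
```

A real deployment would wrap the lookup in a timeout and cache verdicts per domain so a mail burst does not turn into a burst of whois queries.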