spamassassin-users mailing list archives

From Grant Taylor <gtay...@tnetconsulting.net>
Subject Re: Scoring by registrar?
Date Sun, 30 Jun 2019 18:40:27 GMT
On 6/30/19 12:05 PM, John Hardin wrote:
> There's really no infrastructure for it. Somebody would have to hook 
> into the registrar data feeds to collect it and publish it in a usable 
> form, and nobody has done so that I am aware of.

Whois Domain Search has some information.

Link - Whois Domain Search
  - http://whoisds.com/

They provide an API and an ability to download copies of their database.

I'm downloading their free newly registered domain list.  It's only a 
list of domains registered in the last day and they have 10 (?) days' 
worth available for download.

> A decade ago I wrote a plugin that used whois to try to do this as an 
> experiment. The big drawback is: actually doing this could easily be 
> considered abuse of the whois system and could easily get you 
> blacklisted. This is *not* recommended for production use.
> 
>    http://www.impsec.org/~jhardin/antispam/registrar_scoring/
> 
> This is just for illustration. I *strongly* discourage using this in 
> anything other than a limited test environment (assuming it even still 
> works).

Interesting.  I'll have to read and assimilate your work.  I'm sure I'll 
learn many things.  Thank you for sharing.  :-)

If I were ever to implement something like this, I would NOT blindly do 
the Whois query directly for each incoming email.  I would query a local 
service that cached information (as in committed to disk) and have that 
service fetch information about domains that it didn't have information on.

I might even make such a system periodically check to see if things like 
DNS servers had changed and then refresh the cache on demand as necessary.

I agree that blindly and directly doing a Whois query for each and every 
incoming email would cause some people to get upset.  Not to mention the 
performance and latency implications.

> If you had access to the registrar feeds you might be able to write 
> something that used that data which would not be considered abusive.

I think that's exactly the type of data that Whois Domain Search is 
selling, and why they are selling it.

> Is there anybody in the SA user community who does have access to the 
> raw registrar feeds?

I don't.  But I think Whois Domain Search offers trial options.

No, I'm not affiliated with Whois Domain Search.  I simply download 
their free list of domains registered yesterday each day.  }:-)  Not 
that I've actually done anything with that data yet.  But that's a 
different problem.



-- 
Grant. . . .
unix || die
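
The disk-backed lookup cache described in the message above, as an added sketch that is not code from the thread or from SpamAssassin. `fetch` is a hypothetical callable standing in for whatever upstream source is used, the 7-day TTL is an assumption, and the sample record is constructed.

```python
import os
import sqlite3
import tempfile
import time

def _norm_ns(ns):
    # Order- and case-insensitive form so NS sets compare reliably.
    return ",".join(sorted(n.lower().rstrip(".") for n in ns))

class RegistrarCache:
    """On-disk cache in front of a slow, rate-limited registration-data source."""
    def __init__(self, path, fetch, ttl=7 * 86400, clock=time.time):
        self.db = sqlite3.connect(path)
        self.db.execute(
            "CREATE TABLE IF NOT EXISTS reg (domain TEXT PRIMARY KEY,"
            " registrar TEXT, ns TEXT, fetched REAL)")
        self.fetch, self.ttl, self.clock = fetch, ttl, clock

    def lookup(self, domain, current_ns=None):
        domain = domain.lower().rstrip(".")
        row = self.db.execute(
            "SELECT registrar, ns, fetched FROM reg WHERE domain = ?",
            (domain,)).fetchone()
        if row:
            registrar, ns, fetched = row
            fresh = self.clock() - fetched < self.ttl
            # current_ns: name servers the caller already resolved via DNS.
            ns_same = current_ns is None or _norm_ns(current_ns) == ns
            if fresh and ns_same:
                return registrar  # served from disk, no upstream query
        registrar, ns = self.fetch(domain)  # the only upstream hit
        with self.db:  # commits, so the record survives a restart
            self.db.execute("INSERT OR REPLACE INTO reg VALUES (?, ?, ?, ?)",
                            (domain, registrar, _norm_ns(ns), self.clock()))
        return registrar

# Constructed sample record; a real fetcher would query the chosen data source.
SAMPLE = {"example.com": ("Example Registrar, Inc.", ["ns1.example.net"])}

def demo():
    calls = []
    def fetch(domain):
        calls.append(domain)
        return SAMPLE[domain]
    path = os.path.join(tempfile.mkdtemp(), "reg.db")
    for _ in range(3):  # new instance each time: only the first one fetches
        RegistrarCache(path, fetch).lookup("Example.COM.")
    RegistrarCache(path, fetch).lookup("example.com", ["ns1.changed.example"])
    return calls  # one initial fetch plus one refresh after the NS change
```
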

