spamassassin-users mailing list archives

From Sean Lynch <se...@literati.org>
Subject Re: Scoring by registrar?
Date Mon, 01 Jul 2019 22:32:02 GMT


On 7/1/19 3:13 PM, Grant Taylor wrote:
> On 7/1/19 6:44 AM, micah anderson wrote:
>> This sounds like Fast Flux
> 
> How is this fast flux?
> 
> I thought fast flux was rapidly updating A records on the DNS server 
> (for a given qname) or updating NS records with the registrar for a 
> single given domain.
> 
> It sounds to me like Sean was talking about wanting to identify which of 
> many domains had a common registrar.  This doesn't sound like fast 
> flux—as I understand it—to me.
> 
>> Having such a list would be very helpful for dealing with fast flux.
> 
> How is what the OP's talking about related to fast flux?

I think fast flux came up in reference to a speculation I'd made 
regarding why the spammers were using their own nameservers rather than 
Namecheap's. I don't think it's particularly off-base to refer to rapid 
registration of new domains as fast flux. In fact, I'm pretty sure 
support for this, and slowness in taking down domains (though they do 
often take them down eventually at least), are why Namecheap is so popular.

As I mentioned, filtering using fresh.fmb.la catches about 1/3 of the 
domains. Fortunately, since they're actually using their own servers and 
not a botnet, blocking their netblock catches the rest, though it's not 
my preference since it will cause collateral damage (even though 
registering with dnswl.org is an easy way around that), it's manual, and 
it only helps my 3 users. Incentivizing Namecheap to move faster on 
these would benefit a lot more people.
