[spambayes-dev] DNS TTL clues OK, but not very good

Matthew Dixon Cowles matt at mondoinfo.com
Wed Jul 28 20:27:30 CEST 2004


A few days ago, someone on the NANOG list mentioned that spammers
routinely use very low time-to-live values for their DNS records.
Once I'd heard that, it seemed obvious; a spammer would want to make
his spamvertized URL resolve to a new server quickly if the
original server was shut down.

Since I'm already using the IP address of the host part of a
spamvertized URL as a synthetic token, it was easy enough to generate
tokens for the TTL value. As an easy way of putting the values into
buckets, I used the log (I tried both base 10 and base e) of the
value, rounded to the nearest integer.

Alas, it didn't work all that well. Still, I thought I'd post the
results here in case someone else had the same idea.

On my mail, it was somewhat better than all-defaults and almost as
good as turning on mine_received_headers. But it wasn't as good as
using the IP address of the server (the address itself and the value
masked at /8, /16, /24). Using both the address and the TTL wasn't
any better than using the address alone.

Regards,
Matt
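The tokenization described in the post, written out as an added example (this is not SpamBayes code and not the author's patch): the resolved address of a URL's host, that address masked at /8, /16 and /24, and the DNS TTL bucketed by rounding its logarithm to the nearest integer. The token prefixes, the `resolve` callback and the constructed DNS answers are all assumptions made here so the example runs offline; a real version would plug in an actual DNS lookup that returns the answer's TTL.

```python
# Added example, not part of the original post or of SpamBayes.
# Synthetic tokens for the host part of a spamvertized URL:
#   - the resolved IPv4 address and its /8, /16 and /24 prefixes
#   - the DNS TTL, bucketed as round(log_base(ttl))
import ipaddress
import math
from urllib.parse import urlsplit


def ttl_token(ttl_seconds, base=10):
    """Bucket a TTL by rounding log_base(ttl) to the nearest integer.

    base=10 or base=math.e matches the two variants tried in the post.
    A zero or negative TTL (malformed answer) gets its own token rather
    than raising on log(0).
    """
    if ttl_seconds <= 0:
        return "url:ttl:bucket:none"
    bucket = int(round(math.log(ttl_seconds, base)))
    return "url:ttl:bucket:%d" % bucket


def ip_tokens(ip_text):
    """Tokens for a resolved address: the address itself plus, for IPv4,
    the network it falls in at /8, /16 and /24."""
    addr = ipaddress.ip_address(ip_text)
    toks = ["url:ip:%s" % addr]
    if addr.version == 4:
        for bits in (8, 16, 24):
            net = ipaddress.ip_network("%s/%d" % (addr, bits), strict=False)
            toks.append("url:ip:%s" % net)
    return toks


def url_host_tokens(url, resolve, log_base=10):
    """Generate all host-derived tokens for one URL.

    resolve(hostname) must return (ip_text, ttl_seconds) or None when the
    name does not resolve; it is injected so the function can be run
    offline and so the DNS layer can be cached or rate-limited separately.
    """
    host = urlsplit(url).hostname
    if not host:
        return []
    answer = resolve(host)
    if answer is None:
        return ["url:host:unresolvable"]
    ip_text, ttl = answer
    return ip_tokens(ip_text) + [ttl_token(ttl, log_base)]


# Constructed sample DNS answers (RFC 5737 documentation addresses and
# reserved .example names); a short TTL for the "spammy" host and a
# day-long TTL for the ordinary one.
SAMPLE_DNS = {
    "spamvertized.example": ("192.0.2.10", 60),
    "legit.example": ("198.51.100.7", 86400),
}


def sample_resolve(hostname):
    """Offline stand-in for a DNS lookup that also returns the TTL."""
    return SAMPLE_DNS.get(hostname)


if __name__ == "__main__":
    for u in ("http://spamvertized.example/buy",
              "https://legit.example/page",
              "http://unknown.example/"):
        print(u, "->", url_host_tokens(u, sample_resolve))
```

Feeding these tokens to the classifier alongside the usual word tokens lets the training data decide whether a given TTL bucket or /24 carries any signal; as the post reports, on the author's corpus the address tokens did most of the work and the TTL bucket added nothing on top of them.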
