Three signs that a URL points to a spammer’s domain

Published by rich on Thursday, December 27, 2007 - 08:08:51

At SpamButcher we’ve been focusing more and more on the domains that URLs in an email link to, in order to determine whether the email is spam.

There are plenty of ways to research how problematic a URL might be without going to the site. Simply doing a DNS lookup on the hostname yields the IP address. The IP can then be compared against a database of IP addresses and networks that might signify a problem. The SpamButcher spam blocking software currently does this much.

We’ve also turned up a bunch of other sure-fire indications that something smells like a link to a spam domain. Unfortunately, implementing some of them would require significant new code and testing. They aren’t in the product yet, but may be soon.

Here’s some of what we’ve noticed:

1. The URL is hosted in a “known problem” country, or on another network known to host spammers.

www.wehasbigfun47.com maps to 218.201.49.157
218.201.49.157 is located in China

2. The URL’s domain doesn’t have any MX records.

Sure, someone might set up a domain to host a website - but not bother setting it up to handle email. Realistically, this doesn’t happen that often.

	> set type=mx
	> yvojoxyzfff.com
	Server:  dns.sea1.speakeasy.net
	Address:  66.93.87.2
	
	*** No mail exchange (MX) records available for yvojoxyzfff.com
	

3. The domain’s whois data has name servers located in a problem country.

   Domain Name: YVOJOXYZff.COM
   Registrar: DIRECT INFORMATION PVT LTD D/B/A PUBLICDOMAINREGISTRY.COM
   Whois Server: whois.PublicDomainRegistry.com
   Referral URL: http://www.PublicDomainRegistry.com
   Name Server: NS1.TOPNS.RU
   Name Server: NS2.TOPNS.RU
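
The three signs above can be combined into a simple count. The following is an added example, not SpamButcher's code: it works offline on the sample tool output shown above, the function names are hypothetical, and `PROBLEM_NETWORKS` and `PROBLEM_NS_TLDS` are constructed placeholders rather than a real blocklist. It approximates name server location by country-code TLD, and it treats an inconclusive MX lookup as "unknown" instead of as a sign.

```python
import ipaddress
import re

# Constructed policy data for illustration only; not a real blocklist.
PROBLEM_NETWORKS = [ipaddress.ip_network("218.201.0.0/16")]
PROBLEM_NS_TLDS = {"ru"}

def ip_in_problem_network(ip, networks=PROBLEM_NETWORKS):
    """Sign 1: the host's IP falls inside a listed network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)

def lacks_mx(nslookup_output):
    """Sign 2: True if no MX, False if MX present, None if inconclusive."""
    if "No mail exchange (MX) records available" in nslookup_output:
        return True
    if "mail exchanger" in nslookup_output:
        return False
    return None  # timeout or other error: do not count it as a sign

def whois_name_servers(whois_text):
    """Extract the 'Name Server:' hostnames from whois output, lower-cased."""
    found = re.findall(r"^\s*Name Server:\s*(\S+)", whois_text, re.I | re.M)
    return [ns.lower().rstrip(".") for ns in found]

def ns_in_problem_tld(whois_text, tlds=PROBLEM_NS_TLDS):
    """Sign 3, approximated by the name server's country-code TLD."""
    servers = whois_name_servers(whois_text)
    return any(ns.rsplit(".", 1)[-1] in tlds for ns in servers)

def count_signs(ip, nslookup_output, whois_text):
    """Number of the three signs that are definitely present (0 to 3)."""
    signs = [ip_in_problem_network(ip), lacks_mx(nslookup_output),
             ns_in_problem_tld(whois_text)]
    return sum(1 for s in signs if s is True)

# Sample tool output copied from the examples above.
NSLOOKUP_SAMPLE = """Server:  dns.sea1.speakeasy.net
Address:  66.93.87.2

*** No mail exchange (MX) records available for yvojoxyzfff.com
"""
WHOIS_SAMPLE = """   Domain Name: YVOJOXYZff.COM
   Name Server: NS1.TOPNS.RU
   Name Server: NS2.TOPNS.RU
"""

if __name__ == "__main__":
    print(count_signs("218.201.49.157", NSLOOKUP_SAMPLE, WHOIS_SAMPLE))
```
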
