Three signs that a URL points to a spammer’s domain
Published by rich on Thursday, December 27, 2007 - 08:08:51
At SpamButcher we’ve increasingly been looking at the domains that URLs inside an email link to in order to determine whether the message is spam.
There are plenty of ways to research how problematic a URL might be without going to the site. Simply doing a DNS lookup on the hostname yields the IP address. The IP can then be compared against a database of IP addresses and networks that might signify a problem. The SpamButcher spam blocking software currently does this much.
We’ve also turned up a bunch of other sure-fire indications that something smells like a link to a spam domain. Unfortunately, implementing some of them would require significant new code and testing. They aren’t in the product yet, but may be soon.
Here’s some of what we’ve noticed:
1. The URL is hosted in a “known problem” country, or on another network known to host spammers.
    www.wehasbigfun47.com maps to 218.201.49.157
    218.201.49.157 is located in China
2. The URL doesn’t have any MX records.
Sure, someone might set up a domain to host a website but not bother setting it up to handle email. Realistically, this doesn’t happen that often.
    > set type=mx
    > yvojoxyzfff.com
    Server: dns.sea1.speakeasy.net
    Address: 66.93.87.2
    *** No mail exchange (MX) records available for yvojoxyzfff.com
3. The domain’s whois data has name servers located in a problem country.
    Domain Name: YVOJOXYZff.COM
    Registrar: DIRECT INFORMATION PVT LTD D/B/A PUBLICDOMAINREGISTRY.COM
    Whois Server: whois.PublicDomainRegistry.com
    Referral URL: http://www.PublicDomainRegistry.com
    Name Server: NS1.TOPNS.RU
    Name Server: NS2.TOPNS.RU
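The three checks above combined into one function, as an added example (not SpamButcher code). It assumes DNS and whois answers are supplied as lookup tables rather than queried live; every name, address and network in it is constructed from documentation ranges, and the "last two labels" domain rule is a simplification.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample data (documentation ranges and .example names), not real listings.
PROBLEM_NETS = [ipaddress.ip_network("203.0.113.0/24")]
DNS = {  # stand-in for live DNS answers: name -> record type -> values
    "www.spam.example": {"A": ["203.0.113.57"]},
    "spam.example": {"MX": []},
    "ns1.dns.example": {"A": ["203.0.113.2"]},
    "ns2.dns.example": {"A": ["198.51.100.3"]},
    "www.shop.example": {"A": ["192.0.2.10"]},
    "shop.example": {"MX": ["mail.shop.example"]},
    "ns1.host.example": {"A": ["192.0.2.53"]},
}
WHOIS = {  # stand-in for whois responses, same layout as the record above
    "spam.example": "Domain Name: SPAM.EXAMPLE\n"
                    "Name Server: NS1.DNS.EXAMPLE\nName Server: NS2.DNS.EXAMPLE\n",
    "shop.example": "Domain Name: SHOP.EXAMPLE\nName Server: NS1.HOST.EXAMPLE\n",
}

def in_problem_net(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PROBLEM_NETS)

def registered_domain(host):
    # Simplification: last two labels. Production code needs the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def whois_name_servers(text):
    found = re.findall(r"^\s*Name Server:\s*(\S+)", text, re.I | re.M)
    return [ns.lower() for ns in found]

def check_url(url, dns=DNS, whois=WHOIS):
    """Return the list of signs that fire for the URL's host and domain."""
    host = (urlsplit(url).hostname or "").lower()
    domain = registered_domain(host)
    signs = []
    # Sign 1: the web host resolves into a listed network.
    if any(in_problem_net(ip) for ip in dns.get(host, {}).get("A", [])):
        signs.append("host-in-problem-network")
    # Sign 2: the domain publishes no MX records (a failed lookup counts too).
    if not dns.get(domain, {}).get("MX"):
        signs.append("no-mx")
    # Sign 3: any name server from whois resolves into a listed network.
    ns_ips = [ip for ns in whois_name_servers(whois.get(domain, ""))
              for ip in dns.get(ns, {}).get("A", [])]
    if any(in_problem_net(ip) for ip in ns_ips):
        signs.append("nameserver-in-problem-network")
    return signs
```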

