Three signs that a URL points to a spammer’s domain

Published by rich on Thursday, December 27, 2007 - 08:08:51

At SpamButcher we’ve been focusing more and more on the domains that URLs in an email link to, as a way to determine whether the message is spam.

There are plenty of ways to research how problematic a URL might be without going to the site. Simply doing a DNS lookup on the hostname yields the IP address. The IP can then be compared against a database of IP addresses and networks that might signify a problem. The SpamButcher spam blocking software currently does this much.

We’ve also turned up a bunch of other sure-fire indications that something smells like a link to a spam domain. Unfortunately, implementing some of them would require significant new code and testing. They aren’t in the product yet, but may be soon.

Here’s some of what we’ve noticed:

1. The URL is hosted in a “known problem” country, or other network known to host spammers. maps to is located in China

2. The URL doesn’t have any MX records.

Sure, someone might set up a domain to host a website - but not bother setting it up to handle email. Realistically, this doesn’t happen that often.

	> set type=mx
	*** No mail exchange (MX) records available for

3. The domain’s whois data has name servers located in a problem country.

   Domain Name: YVOJOXYZff.COM
   Whois Server:
   Referral URL:
   Name Server: NS1.TOPNS.RU
   Name Server: NS2.TOPNS.RU
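
The three checks above combined into one function, as an added example that is not SpamButcher's code. The DNS and whois answers, the `.example` hostnames and the 203.0.113.0/24 network are constructed sample data, and treating a name server's TLD as a stand-in for its location is an assumption.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed lists (assumptions, not SpamButcher's data).
PROBLEM_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # TEST-NET-3 stand-in
PROBLEM_NS_TLDS = {"ru"}  # TLD of the name servers in the whois sample above

# Constructed DNS/whois answers standing in for live lookups.
SAMPLE_DNS = {
    "spammy-shop.example": {"A": ["203.0.113.45"], "MX": [],
                            "NS": ["NS1.TOPNS.RU", "NS2.TOPNS.RU"]},
    "quiet-site.example": {"A": ["198.51.100.7"], "MX": [],
                           "NS": ["ns1.quiet-site.example"]},
    "normal-co.example": {"A": ["198.51.100.20"], "MX": ["mail.normal-co.example"],
                          "NS": ["ns1.normal-co.example"]},
}

def url_host(url):
    """Hostname of a URL as a mail body might carry it (scheme optional)."""
    if "//" not in url:
        url = "//" + url  # let urlsplit see a network location
    host = urlsplit(url).hostname  # lowercased; drops any user@ prefix and port
    if not host:
        raise ValueError(f"no hostname in {url!r}")
    return host.rstrip(".")

def find_zone(host, dns):
    """Walk up the labels to the name that has records (www.x.example -> x.example)."""
    labels = host.split(".")
    for i in range(len(labels) - 1):  # never test the bare TLD
        name = ".".join(labels[i:])
        if name in dns:
            return name
    raise LookupError(f"no DNS data for {host}")

def spam_signs(url, dns=SAMPLE_DNS):
    """Return which of the article's three signs the URL trips, in article order."""
    rec = dns[find_zone(url_host(url), dns)]
    signs = []
    ips = [ipaddress.ip_address(a) for a in rec["A"]]
    if any(ip in net for ip in ips for net in PROBLEM_NETWORKS):
        signs.append("ip-in-problem-network")
    if not rec["MX"]:
        signs.append("no-mx")
    ns_tlds = {ns.rstrip(".").rsplit(".", 1)[-1].lower() for ns in rec["NS"]}
    if ns_tlds & PROBLEM_NS_TLDS:
        signs.append("ns-in-problem-tld")
    return signs
```

The `quiet-site.example` record trips only the MX check, which is the website-without-email case mentioned under sign 2, so a filter would want to weigh the signs together instead of acting on one.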
