Detecting the Registrar of the sending host?

Is there an easy way to detect the registrar of a domain through DNS?

For example - can I easily figure out if an email I'm processing is hosted by GoDaddy or Tucows?

Here's what I'm thinking. I think there's some expensive and highly secure registrars out there who are the registrar of expensive domains and probably have no spam domains at all. This could be used to create white rules.

Can this be done?

Re: Detecting the Registrar of the sending host?

On Wed, 2 Jul 2008, Marc Perkel wrote:

> Is there an easy way to detect the registrar of a domain through DNS? For
> example - can I easily figure out if an email I'm processing is hosted by
> GoDaddy or Tucows?

Registrar != hosted by.

> Here's what I'm thinking. I think there's some expensive and highly secure
> registrars out there who are the registrar of expensive domains and probably
> have no spam domains at all. This could be used to create white rules.
>
> Can this be done?

This has been discussed before, at least from the POV of identifying *bad* domains, and it sounds like a fairly good idea if someone is willing and able to get a realtime ICANN feed of domain/registrar data and create a URIBL from it.

There's also the problem of determining which registrars are "spam friendly". Here might be a good start:

http://www.knujon.com/registrars/

I wrote a plugin that does this check against whois, but that's likely to be considered abusive. Look under here:

http://www.impsec.org/~jhardin/antispam/

I'm not currently maintaining it, and the "evil registrar" list is stale and certainly not comprehensive.

-- 
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@... FALaholic #11174 pgpk -a jhardin@...
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Taking my gun away because I *might* shoot someone is like cutting my tongue out because I *might* yell "Fire!" in a crowded theater.
-- Peter Venetoklis
-----------------------------------------------------------------------
2 days until the 232nd anniversary of the Declaration of Independence

Re: Detecting the Registrar of the sending host?

On 7/2/2008 6:05 PM, Marc Perkel wrote:

> Is there an easy way to detect the registrar of a domain through DNS?
> For example - can I easily figure out if an email I'm processing is
> hosted by GoDaddy or Tucows?
>
> Here's what I'm thinking. I think there's some expensive and highly
> secure registrars out there who are the registrar of expensive domains
> and probably have no spam domains at all. This could be used to create
> white rules.
>
> Can this be done?

You sure there are major registrars you can whitelist?

http://rss.uribl.com/nic/

Even EUrid is happily supporting pillz spammers on .eu

Re: Detecting the Registrar of the sending host?

John Hardin wrote:

> On Wed, 2 Jul 2008, Marc Perkel wrote:
>
>> Is there an easy way to detect the registrar of a domain through DNS?
>> For example - can I easily figure out if an email I'm processing is
>> hosted by GoDaddy or Tucows?
>
> Registrar != hosted by.
>
>> Here's what I'm thinking. I think there's some expensive and highly
>> secure registrars out there who are the registrar of expensive
>> domains and probably have no spam domains at all. This could be used
>> to create white rules.
>>
>> Can this be done?
>
> This has been discussed before, at least from the POV of identifying
> *bad* domains, and it sounds like a fairly good idea if someone is
> willing and able to get a realtime ICANN feed of domain/registrar data
> and create a URIBL from it.
>
> There's also the problem of determining which registrars are "spam
> friendly". Here might be a good start:
>
> http://www.knujon.com/registrars/
>
> I wrote a plugin that does this check against whois, but that's likely
> to be considered abusive. Look under here:
>
> http://www.impsec.org/~jhardin/antispam/
>
> I'm not currently maintaining it, and the "evil registrar" list is
> stale and certainly not comprehensive.

Actually I'm not looking for spam friendly registrars. I'm looking for registrars that banks use that are really expensive and spammers never use. This is for white listing - not black listing.

For example, I noticed that Wells Fargo Bank and Bank of America both use a registrar called markmonitor.com. I'm guessing that this is a highly secure and expensive registrar that only banks and really big customers use. So if the FCrDNS of the sending host resolves to a domain that is registered with markmonitor.com then it's not spam. (Less of course ISPs and Freemail providers)

Re: Detecting the Registrar of the sending host?

On Wed, 2008-07-02 at 17:05, Marc Perkel wrote:

> Is there an easy way to detect the registrar of a domain through DNS?
> For example - can I easily figure out if an email I'm processing is
> hosted by GoDaddy or Tucows?

Even if it was possible I don't think it would be at all useful. Spammers don't generally register domains to send spam from. They're not that stupid.

Unfortunately some PC users ARE that stupid. If a PC can receive mail there's a sporting chance it may be infected no matter who the domain registrar might be.

Martin

Re: Detecting the Registrar of the sending host?

Martin Gregorie wrote:
> On Wed, 2008-07-02 at 17:05, Marc Perkel wrote:

Again - this is not something to find spammers. It's to find non-spammers. It's a white rule.

Re: Detecting the Registrar of the sending host?

On Wed, 2008-07-02 at 18:46, Marc Perkel wrote:

> Martin Gregorie wrote:
>> On Wed, 2008-07-02 at 17:05, Marc Perkel wrote:
>>
>>> Is there an easy way to detect the registrar of a domain through DNS?
>>> For example - can I easily figure out if an email I'm processing is
>>> hosted by GoDaddy or Tucows?
>>
>> Even if it was possible I don't think it would be at all useful.
>> Spammers don't generally register domains to send spam from. They're not
>> that stupid.
>>
>> Unfortunately some PC users ARE that stupid. If a PC can receive mail
>> there's a sporting chance it may be infected no matter who the domain
>> registrar might be.
>>
>> Martin
>
> Again - this is not something to find spammers. It's to find
> non-spammers. It's a white rule.

OK, but it still won't work. A lot of spam comes from botnets: hence my comment about PC users. There's certainly no correlation between the location of infected PCs and the reputation of the domain registrar of the domain the infected PC is posting from.

Martin

Re: Detecting the Registrar of the sending host?

Martin Gregorie wrote:
> On Wed, 2008-07-02 at 18:46, Marc Perkel wrote:

Again - it's not to figure out where spam comes from. It's figuring out where non-spam comes from. I think there are registrars out there that don't have any spam domains registered.

Re: Detecting the Registrar of the sending host?

On Wed, 2 Jul 2008, Martin Gregorie wrote:

> OK, but it still won't work. A lot of spam comes from botnets: hence my
> comment about PC users. There's certainly no correlation between the
> location of infected PCs and the reputation of the domain registrar of
> the domain the infected PC is posting from.

But it may tell you something useful about URIs within the message.

-- 
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@... FALaholic #11174 pgpk -a jhardin@...
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
USMC Rules of Gunfighting #20: The faster you finish the fight, the less shot you will get.
-----------------------------------------------------------------------
2 days until the 232nd anniversary of the Declaration of Independence

Re: Detecting the Registrar of the sending host?

On Wed, 2 Jul 2008, Marc Perkel wrote:

> John Hardin wrote:
>> On Wed, 2 Jul 2008, Marc Perkel wrote:
>>
>>> Is there an easy way to detect the registrar of a domain through DNS?
>>> For example - can I easily figure out if an email I'm processing is
>>> hosted by GoDaddy or Tucows?
>>
>> Registrar != hosted by.
>>
>>> Here's what I'm thinking. I think there's some expensive and highly
>>> secure registrars out there who are the registrar of expensive domains
>>> and probably have no spam domains at all. This could be used to create
>>> white rules.
>>>
>>> Can this be done?
>>
>> This has been discussed before, at least from the POV of identifying *bad*
>> domains, and it sounds like a fairly good idea if someone is willing and
>> able to get a realtime ICANN feed of domain/registrar data and create a
>> URIBL from it.
>
> Actually I'm not looking for spam friendly registrars. I'm looking for
> registrars that banks use that are really expensive and spammers never use.
> This is for white listing - not black listing.

The URIBL-based-on-registrar solution doesn't change, just (1) which registrars you choose to use to populate your URIBL, and (2) the score is negative rather than positive. The data can be useful in either direction - reputation works both ways.

> For example, I noticed that Wells Fargo Bank and Bank of America both
> use a registrar called markmonitor.com. I'm guessing that this is a
> highly secure and expensive registrar that only banks and really big
> customers use. So if the FCrDNS of the sending host resolves to a domain
> that is registered with markmonitor.com then it's not spam. (Less of
> course ISPs and Freemail providers)

Does SA support checking the FCrDNS domain of the sending host against a URIBL?

-- 
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@... FALaholic #11174 pgpk -a jhardin@...
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Men by their constitutions are naturally divided in to two parties: 1. Those who fear and distrust the people and wish to draw all powers from them into the hands of the higher classes. 2. Those who identify themselves with the people, have confidence in them, cherish and consider them as the most honest and safe, although not the most wise, depository of the public interests.
-- Thomas Jefferson
-----------------------------------------------------------------------
2 days until the 232nd anniversary of the Declaration of Independence

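An added illustration of the check discussed in Marc's and John's posts above (FCrDNS of the sending host, registered domain looked up in a URIBL-style zone populated from trusted registrars, negative score on a hit, with ISP/freemail domains exempted). This is example code, not from the thread or from SpamAssassin; all DNS records, the zone name regwl.test and the domains are constructed.

```python
# Added example: registrar-based whitelist check for a sending host.
# All DNS data is constructed; a real deployment queries the resolver
# (e.g. dnspython) and builds the zone from a registrar->domain feed.

# Constructed PTR and A records standing in for the DNS.
PTR = {
    "192.0.2.10": "mail1.example-bank.test.",
    "192.0.2.20": "smtp.freemail.test.",
    "192.0.2.30": "host.random.test.",
    "192.0.2.40": "forged.example-bank.test.",   # PTR claims a bank host...
}
A = {
    "mail1.example-bank.test.": ["192.0.2.10"],
    "smtp.freemail.test.": ["192.0.2.20"],
    "host.random.test.": ["192.0.2.30"],
    "forged.example-bank.test.": ["198.51.100.1"],  # ...forward lookup disagrees
}

# Constructed whitelist zone in URIBL style: <domain>.<zone> has an A record
# when the domain's registrar is on the trusted list; the 127.0.0.x value is
# a return code (here: which hypothetical registrar matched).
WL_ZONE = "regwl.test."
WL_ZONE_DATA = {
    "example-bank.test." + WL_ZONE: "127.0.0.2",
    "freemail.test." + WL_ZONE: "127.0.0.2",
}
# Trusted-registrar domains that relay mail for arbitrary users
# (Marc's "ISPs and Freemail providers" exception).
SHARED_SENDERS = {"freemail.test."}
WL_SCORE = -3.0   # negative score, as for a DNSWL rule


def registered_domain(fqdn):
    """Naive registered-domain extraction; real code uses the Public Suffix List."""
    labels = fqdn.rstrip(".").split(".")
    return ".".join(labels[-2:]) + "."


def fcrdns(ip):
    """Forward-confirmed reverse DNS: the PTR name must resolve back to ip."""
    name = PTR.get(ip)
    if name is None or ip not in A.get(name, []):
        return None
    return name


def registrar_whitelist_score(ip):
    """Return (score, reason) for the sending IP; 0.0 means no whitelist hit."""
    name = fcrdns(ip)
    if name is None:
        return 0.0, "no FCrDNS"          # unconfirmed PTR is never trusted
    domain = registered_domain(name)
    if domain in SHARED_SENDERS:
        return 0.0, "shared sender exempt"
    code = WL_ZONE_DATA.get(domain + WL_ZONE)
    if code is None:
        return 0.0, "not listed"
    return WL_SCORE, f"{domain} listed ({code})"
```

The whitelist only lowers the score; as Henrik notes later in the thread, virus scanning still runs on such mail.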
Re: Detecting the Registrar of the sending host?

On Wed, 2 Jul 2008, Marc Perkel wrote:

> Again - it's not to figure out where spam comes from. It's figuring out
> where non-spam comes from. I think there are registrars out there that
> don't have any spam domains registered.

Right, but how do you guarantee a host with a whitelisted RDNS domain name doesn't get infected with a spambot?

-- 
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@... FALaholic #11174 pgpk -a jhardin@...
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Men by their constitutions are naturally divided in to two parties: 1. Those who fear and distrust the people and wish to draw all powers from them into the hands of the higher classes. 2. Those who identify themselves with the people, have confidence in them, cherish and consider them as the most honest and safe, although not the most wise, depository of the public interests.
-- Thomas Jefferson
-----------------------------------------------------------------------
2 days until the 232nd anniversary of the Declaration of Independence

Re: Detecting the Registrar of the sending host?

On Wed, Jul 02, 2008 at 12:08:43PM -0700, John Hardin wrote:

> On Wed, 2 Jul 2008, Marc Perkel wrote:
>
>> Again - it's not to figure out where spam comes from. It's figuring out
>> where non-spam comes from. I think there are registrars out there that
>> don't have any spam domains registered.
>
> Right, but how do you guarantee a host with a whitelisted RDNS domain
> name doesn't get infected with a spambot?

What's that got to do with anything? If there's a 0.5% chance, who cares. You should always scan for viruses, but it's trivial to skip SA for such cases. Are you saying that we shouldn't take advantage of DNSWL data either, since it's possible that some spam may come?

Re: Detecting the Registrar of the sending host?

On Thu, 2008-07-03 at 05:59 +0300, Henrik K wrote:

> On Wed, Jul 02, 2008 at 12:08:43PM -0700, John Hardin wrote:
>> On Wed, 2 Jul 2008, Marc Perkel wrote:
>>
>>> Again - it's not to figure out where spam comes from. It's figuring out
>>> where non-spam comes from. I think there are registrars out there that
>>> don't have any spam domains registered.
>>
>> Right, but how do you guarantee a host with a whitelisted RDNS domain
>> name doesn't get infected with a spambot?
>
> What's that got to do with anything? If there's a 0.5% chance, who cares.
> You should always scan for viruses, but it's trivial to skip SA for such
> cases. Are you saying that we shouldn't take advantage of DNSWL data either,
> since it's possible that some spam may come?

No, I was simply responding to Marc's apparent contention that a host with an RDNS domain name from a trustworthy registrar won't be a source of spam.

-- 
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@... FALaholic #11174 pgpk -a jhardin@...
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Phobias should not be the basis for laws.
-----------------------------------------------------------------------
2 days until the 232nd anniversary of the Declaration of Independence

Re: Detecting the Registrar of the sending host?

On Wed, Jul 02, 2008 at 09:18:41PM -0700, John Hardin wrote:

> On Thu, 2008-07-03 at 05:59 +0300, Henrik K wrote:
>> On Wed, Jul 02, 2008 at 12:08:43PM -0700, John Hardin wrote:
>>> On Wed, 2 Jul 2008, Marc Perkel wrote:
>>>
>>>> Again - it's not to figure out where spam comes from. It's figuring out
>>>> where non-spam comes from. I think there are registrars out there that
>>>> don't have any spam domains registered.
>>>
>>> Right, but how do you guarantee a host with a whitelisted RDNS domain
>>> name doesn't get infected with a spambot?
>>
>> What's that got to do with anything? If there's a 0.5% chance, who cares.
>> You should always scan for viruses, but it's trivial to skip SA for such
>> cases. Are you saying that we shouldn't take advantage of DNSWL data either,
>> since it's possible that some spam may come?
>
> No, I was simply responding to Marc's apparent contention that a host
> with an RDNS domain name from a trustworthy registrar won't be a source
> of spam.

I doubt you have any statistics about this, so why speculate? No one has to _guarantee_ anything. If Marc is able to find some good correlation for (almost) spamless sources, it will help everyone.

Re: Detecting the Registrar of the sending host?

On Thu, 2008-07-03 at 06:32, Henrik K wrote:

> On Wed, Jul 02, 2008 at 09:18:41PM -0700, John Hardin wrote:
>> On Thu, 2008-07-03 at 05:59 +0300, Henrik K wrote:
>>> On Wed, Jul 02, 2008 at 12:08:43PM -0700, John Hardin wrote:
>>>> On Wed, 2 Jul 2008, Marc Perkel wrote:
>>>>
>>>>> Again - it's not to figure out where spam comes from. It's figuring out
>>>>> where non-spam comes from. I think there are registrars out there that
>>>>> don't have any spam domains registered.
>>>>
>>>> Right, but how do you guarantee a host with a whitelisted RDNS domain
>>>> name doesn't get infected with a spambot?
>>>
>>> What's that got to do with anything? If there's a 0.5% chance, who cares.
>>> You should always scan for viruses, but it's trivial to skip SA for such
>>> cases. Are you saying that we shouldn't take advantage of DNSWL data either,
>>> since it's possible that some spam may come?
>>
>> No, I was simply responding to Marc's apparent contention that a host
>> with an RDNS domain name from a trustworthy registrar won't be a source
>> of spam.
>
> I doubt you have any statistics about this, so why speculate? No one has to
> _guarantee_ anything. If Marc is able to find some good correlation for
> (almost) spamless sources, it will help everyone.

If there's even a small chance that somebody behind a corporate firewall got complacent and didn't keep the AV software up to date and/or got caught by an infected website, then we still have to scan mail from them regardless of who registered their domain. This makes checking the registrar an extra and needless task since, like white/black listing, it's something we need to do for every piece of mail we receive.

I'd be happy to know I'm wrong about this, but so far none of the domain lookup advocates have produced hard evidence of its benefits. Also, nobody has explained how to automate the job apart from the possibly abusive use of whois lookups.

A manually maintained list doesn't cut it for me: it's far too easy for list maintenance to get out of date, which is why I won't use a personal white list until I can automate its maintenance.

Martin

Re: Detecting the Registrar of the sending host?

On 2 Jul 2008, at 19:56, Marc Perkel wrote:

> Again - it's not to figure out where spam comes from. It's figuring
> out where non-spam comes from. I think there are registrars out
> there that don't have any spam domains registered.

What are you trying to prove?

Your logic completely escapes me

I also fail to see how the registrar is of much importance

There are over 900 ICANN accredited registrars

Of those about 200 odd are active

Of the 200 a handful account for the bulk of all domains registered / managed

Statistically this means you're going to see spam from domains registered with enom, godaddy, directi, tucows and a few others. It doesn't mean anything

In fact it's totally meaningless

Mr Michele Neylon
Blacknight Solutions
Hosting & Colocation, Brand Protection
http://www.blacknight.com/
http://blog.blacknight.com/
Intl. +353 (0) 59 9183072
Locall: 1850 929 929
Direct Dial: +353 (0)59 9183090
Fax. +353 (0) 1 4811 763
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,Ireland
Company No.: 370845

Re: Detecting the Registrar of the sending host?

On Thu, Jul 03, 2008 at 11:09:15AM +0100, Michele Neylon wrote:

> On 2 Jul 2008, at 19:56, Marc Perkel wrote:
>
>> Again - it's not to figure out where spam comes from. It's figuring
>> out where non-spam comes from. I think there are registrars out there
>> that don't have any spam domains registered.
>
> What are you trying to prove?
>
> Your logic completely escapes me

So does yours.

> I also fail to see how the registrar is of much importance
>
> There are over 900 ICANN accredited registrars
>
> Of those about 200 odd are active
>
> Of the 200 a handful account for the bulk of all domains registered /
> managed
>
> Statistically this means you're going to see spam from domains
> registered with enom, godaddy, directi, tucows and a few others. It
> doesn't mean anything
>
> In fact it's totally meaningless

If a lesser registrar means that it's probably ham, why couldn't someone use that to add some negative scores or use it as a part of whitelist trustworthiness? Even if it's a handful of domains, it's useful. If you could get the registrar data without expensive lookups..
