What is "Spammy Looking" rDNS?

Discussion in 'Mail Chat' started by DaMadHatter, May 20, 2011.

  1. DaMadHatter

    DaMadHatter Active Member

    Joined:
    Mar 1, 2011
    Messages:
    720
    Likes Received:
    51
    Trophy Points:
    28
    Location:
    In the Void
    I have seen others make reference to their rDNS being refused from some of their ISP's and this question comes up from time to time as to what is "spammy looking" and runs you the risk of getting Cloudmarked right out of the gate, versus solid rDNS. When I've seen that "spammy rDNS" remark made. It appears to be auto generated through some sort of program. However, I could be mistaken. ;) Feel free to give your 'best practices' or recommendation.

    Fire away ladies.
    :thrasher:
     
  2. mx10

    mx10 VIP

    Joined:
    Mar 30, 2011
    Messages:
    535
    Likes Received:
    18
    Trophy Points:
    18
    multiple things

    1) a bunch of "mx" or "mail" in a row

    mx1.blah.com
    mx2.blah.com
    mx3.blah.com

    2)

    dynamic reverse dns or place holder reverse dns assigned by an isp

    fe.e8.7aae.static.theplanet.com
    dyn-13847.dns.ma.blah.com

    3) gibberish domain names

    fishsorcery223.net
    grapesofcarpetxa.net

    4) call to action type of domains

    clickherforfreeipods.net
    fastcashinyourbank.net

    5) having reverse dns for every ip in the range is suspicious, especially if it's 1 domain for the entire range
     
  3. DKPMO

    DKPMO VIP

    Joined:
    Mar 31, 2011
    Messages:
    1,452
    Likes Received:
    68
    Trophy Points:
    48
    Location:
    Elaborate Underground Base
    Just don't be an idiot!

    Just put yourself in the shoes of a manual reviewer and ask yourself: "Does it look suspicious"? That would cover all cases mx10 mentioned plus a lot more you might think of.

    To fully appreciate what I am talking about watch this video: http://www.youtube.com/watch?v=bVVsDIv98TA

    So just ask yourself: "Would an idiot do that?".
     
  4. mx10

    mx10 VIP

    Joined:
    Mar 30, 2011
    Messages:
    535
    Likes Received:
    18
    Trophy Points:
    18
    fucking righteous.
     
  5. roundabout

    roundabout VIP

    Joined:
    Feb 17, 2011
    Messages:
    2,713
    Likes Received:
    154
    Trophy Points:
    63
    Does anybody have a tool which allows you to view the rdns on an entire /24 at once, or does everyone scan 1 ip at a time?
     
  6. mx10

    mx10 VIP

    Joined:
    Mar 30, 2011
    Messages:
    535
    Likes Received:
    18
    Trophy Points:
    18
    i'm sure there are more elegant ways to do this but off the top of my head heres a bash command line:

    for i in `seq 2 254` ; do host 174.122.232.$i ; done
     
  7. DaMadHatter

    DaMadHatter Active Member

    Joined:
    Mar 1, 2011
    Messages:
    720
    Likes Received:
    51
    Trophy Points:
    28
    Location:
    In the Void
    Excellente!
    :top:
     
  8. PushSend

    PushSend VIP

    Joined:
    Apr 12, 2011
    Messages:
    1,927
    Likes Received:
    141
    Trophy Points:
    63
    Location:
    Paradise
    I always seemed to have issues when I was running .info's too...I think in general those are looked at as spam extentions by everyone.

    :smokin:
     
  9. mx10

    mx10 VIP

    Joined:
    Mar 30, 2011
    Messages:
    535
    Likes Received:
    18
    Trophy Points:
    18
    Well, there's a few different concerns. One is raising suspicions with IT staff on a network you're being incognito on, a more serious one is spamhaus scanning the network because there are other mailers on it or nearby who drew their attention.

    They see the rdns entries, they look up the ips on senderbase, they see multiple ips have mail traffic on the range, they sbl with "suspected snoeshow spam range, we will consider removing this listing when we learn the identity of the owner of this ip space".

    I think hatter may have also been asking because he wanted to know what kind of rdns entries get you rejected by mail servers when you try and connect, which is caused by having rnds that looks like dynamic dns that a broadband connection would have, some isps block anything that looks similiar to that format to protect against bots/zombies.
     
  10. DKPMO

    DKPMO VIP

    Joined:
    Mar 31, 2011
    Messages:
    1,452
    Likes Received:
    68
    Trophy Points:
    48
    Location:
    Elaborate Underground Base
    Exactly.


    Senderbase, though it would only show you rDNS for IPs that mailed something within the last month.
    http://www.senderbase.org/senderbas...arch_string=208.85.16.246/24&which_others=/24

    You can review even bigger ranges than /24 if you like.
     
  11. roundabout

    roundabout VIP

    Joined:
    Feb 17, 2011
    Messages:
    2,713
    Likes Received:
    154
    Trophy Points:
    63
    Yeah I know, thats the problem...

    @mx10 - code looks cool will try it! thx.
     
  12. DaMadHatter

    DaMadHatter Active Member

    Joined:
    Mar 1, 2011
    Messages:
    720
    Likes Received:
    51
    Trophy Points:
    28
    Location:
    In the Void
    Looking good top notch.
    :439:
     
  13. DaMadHatter

    DaMadHatter Active Member

    Joined:
    Mar 1, 2011
    Messages:
    720
    Likes Received:
    51
    Trophy Points:
    28
    Location:
    In the Void
    Most of those I have seen (although I am sure there are more out there) generate pure junk easy to pick off.

    :sheep:
     

Share This Page