[Mimedefang] Enlisting registrars in fighting phishing and other scams

Jan-Pieter Cornet johnpc at xs4all.nl
Wed Aug 22 12:44:38 EDT 2007

On Wed, Aug 22, 2007 at 11:02:00AM -0500, Jim McCullars wrote:
> > During the body tests, find url like http :
> > //cheapdrugzhere.tld/something/somethingelse
> > whois cheapdrugzhere.tld -> parse for registrar
> > If registrar not listed, continue.  If listed, reject.
>    I've thought about doing something similar, like maybe seeing when the
> domain was registered and if it was within the past few days, refuse it.
> Problem is, not all registrars run a decent whois server (which itself
> might be a candidate for refusal).

Another point is, as someone (RfG) on another mailing list found out
the hard way... if you "whois" every new domain that you see in email,
even if you just run "whois" once for every domain, you are likely to
hit query thresholds for whois services, and you are blacklisted as
an abuser.

Having a large botnet available that can do the whois lookups for you
certainly helps here... :-/

(I suspect some registrars are actively blocking any attempt to have an
easily searchable domain->registrar lookup available, because I suspect
some registrars have drawers full of contracts that are so pink that
they can easily wallpaper Cinderella's dream castle with it, and they
don't want an easy way to tie them to the deluge of spam. But that's
just my speculation.)

Jan-Pieter Cornet <johnpc at xs4all.nl>
!! Disclaimer: The addressee of this email is not the intended recipient. !!
!! This is only a test of the echelon and data retention systems. Please  !!
!! archive this message indefinitely to allow verification of the logs.   !!
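
One way to keep per-domain lookups under a whois server's threshold, as an added example that is not part of the original post and not MIMEDefang code: cache each answer and spend a per-TLD query budget, sending no query (and letting the message continue) once the budget is spent. The class name, the queries-per-hour budget and the caller-supplied `lookup` function are assumptions.

```python
import time
from urllib.parse import urlsplit


class WhoisGate:
    """Cache WHOIS answers and cap queries per TLD so a filter stays under server limits."""

    def __init__(self, per_hour=30, cache_ttl=86400, clock=time.monotonic):
        self.per_hour = per_hour      # assumed budget; real thresholds are unpublished
        self.cache_ttl = cache_ttl    # seconds an answer (even None) is reused
        self.clock = clock
        self.cache = {}               # host -> (expires_at, registrar)
        self.buckets = {}             # tld -> (tokens, last_refill_time)

    def _take_token(self, tld):
        now = self.clock()
        tokens, last = self.buckets.get(tld, (float(self.per_hour), now))
        tokens = min(self.per_hour, tokens + (now - last) * self.per_hour / 3600.0)
        allowed = tokens >= 1
        self.buckets[tld] = (tokens - 1 if allowed else tokens, now)
        return allowed

    def registrar(self, url, lookup):
        """Return (registrar or None, 'cache' | 'whois' | 'skipped')."""
        # Keyed on the full host name; reducing it to the registered domain
        # needs the Public Suffix List and is left out here.
        host = (urlsplit(url).hostname or "").lower().rstrip(".")
        if "." not in host:
            return None, "skipped"
        hit = self.cache.get(host)
        if hit and hit[0] > self.clock():
            return hit[1], "cache"
        if not self._take_token(host.rsplit(".", 1)[1]):
            return None, "skipped"    # budget spent: send no query, let the caller continue
        value = lookup(host)          # caller-supplied WHOIS client (hypothetical)
        self.cache[host] = (self.clock() + self.cache_ttl, value)
        return value, "whois"


def demo():
    # Constructed input: fake clock, fake lookup, made-up URLs.
    now = [0.0]
    sent = []
    gate = WhoisGate(per_hour=2, clock=lambda: now[0])
    lookup = lambda host: sent.append(host) or "Example Registrar"
    urls = ["http://a.example/x", "http://a.example/y", "http://b.example/", "http://c.example/"]
    sources = [gate.registrar(u, lookup)[1] for u in urls]
    now[0] = 1800.0                   # half an hour later one token is back
    sources.append(gate.registrar("http://c.example/", lookup)[1])
    return sources, sent
```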
