[SURBL-Discuss] RE: Adding SpamBouncer phishing data to
ariel at spambouncer.org
Mon Aug 1 20:35:13 CEST 2005
> > I'm adding the IPs to SpamBouncer anyway; it isn't any more work to
> > add them to SURBL. Since I expire them by default in a month, unless
> > they still appear, and since Jeff is expiring anything he gets from
> > me on the same schedule I do, nobody needs to go back and clean up the
> > database -- in two years or any other time. So I don't see any disadvantage
> > here, especially since a number of decent AVs still aren't listing
> > phish URLs as viruses/dangerous content.
> Actually I'm not expiring them, so it's good that you are.
<nod> As I understood it, you were going to expire anything I
removed from the list.... Or are you just expiring anything
that's more than a certain number of days/weeks/months old,
and then just updating the list date based on when it last
appears in my list of data? Either way should work fine....
Based on a discussion with Paul, I think we shouldn't expire
actual "Phish domains" very fast because, apparently, some
phishers re-register these domains if they're deregistered
by the registrar. In other words, some of them reappear. :/
My first thoughts on this are that, since these domains are
generally typosquatted/deliberately similar to a legitimate
domain owned by a phish target, or deliberately mimic elements
in the URLs in a phish target's legitimate email, it's
unlikely that keeping them listed will hit an innocent
bystander. These domains don't seem to have any legitimate
But I'm open to persuasion otherwise. :)
> But the key thing is that as long as they keep appearing in live
> spams/phishes we can keep listing them. After they've been
> inactive for a while it makes sense to delist them. We can
> always add them back on if they start appearing again.
<nod> Makes sense.
> It is a valid concern that Greg makes about the sizes of lists.
> The same question comes up for any blacklist; they can't
> keep adding records indefinitely. Inactive ones need to
> get purged to keep the sizes reasonable.
> But in practical terms, RBL-type lists can grow to at least a few
> million records before they become impractical if the name
> servers are using rbldnsd. Right now multi.surbl.org, the
> combined SURBL list has about 150k records. sbl.spamhaus.org has
> about 5k records. xbl.spamhaus.org has about 2 million records.
> So SURBLs are not running up against size limits any time soon.
Thanks -- that is useful information. :)
Catherine Hampton <ariel at spambouncer.org>
The SpamBouncer * <http://www.spambouncer.org/>
Personal Home Page * <http://www.devsite.org/>
More information about the Discuss