[SURBL-Discuss] RE: Adding SpamBouncer phishing data to ph.surbl.org

Catherine Hampton ariel at spambouncer.org
Mon Aug 1 20:35:13 CEST 2005

> > I'm adding the IPs to SpamBouncer anyway; it isn't any more work to
> > add them to SURBL.  Since I expire them by default in a month, unless
> > they still appear, and since Jeff is expiring anything he gets from 
> > me on the same schedule I do, nobody needs to go back and clean up the
> > database -- in two years or any other time.  So I don't see any disadvantage
> > here, especially since a number of decent AVs still aren't listing 
> > phish URLs as viruses/dangerous content.  

> Actually I'm not expiring them, so it's good that you are.

<nod>  As I understood it, you were going to expire anything I
removed from the list....  Or are you just expiring anything
that's more than a certain number of days/weeks/months old,
and then just updating the list date based on when it last
appears in my list of data?  Either way should work fine....

Based on a discussion with Paul, I think we shouldn't expire
actual "Phish domains" very fast because, apparently, some 
phishers re-register these domains if they're deregistered
by the registrar.  In other words, some of them reappear. :/
My first thoughts on this are that, since these domains are
generally typosquatted/deliberately similar to a legitimate
domain owned by a phish target, or deliberately mimic elements
in the URLs in a phish target's legitimate email, it's 
unlikely that keeping them listed will hit an innocent
bystander.  These domains don't seem to have any legitimate

But I'm open to persuasion otherwise. :)

> But the key thing is that as long as they keep appearing in live
> spams/phishes we can keep listing them.  After they've been
> inactive for a while it makes sense to delist them.  We can
> always add them back on if they start appearing again.

<nod>  Makes sense.

> It is a valid concern that Greg makes about the sizes of lists.
> The same question comes up for any blacklist; they can't
> keep adding records indefinitely.  Inactive ones need to
> get purged to keep the sizes reasonable.

> But in practical terms, RBL-type lists can grow to at least a few
> million records before they become impractical if the name
> servers are using rbldnsd.  Right now multi.surbl.org, the
> combined SURBL list has about 150k records.  sbl.spamhaus.org has
> about 5k records.  xbl.spamhaus.org has about 2 million records.
> So SURBLs are not running up against size limits any time soon.

Thanks -- that is useful information. :)

Catherine Hampton <ariel at spambouncer.org>
The SpamBouncer         *     <http://www.spambouncer.org/>
Personal Home Page      *         <http://www.devsite.org/>

More information about the Discuss mailing list