[SURBL-Discuss] RE: Adding SpamBouncer phishing data to ph.surbl.org

Jeff Chan jeffc at surbl.org
Tue Aug 2 01:02:18 CEST 2005

On Monday, August 1, 2005, 11:35:13 AM, Catherine Hampton wrote:
>> > I'm adding the IPs to SpamBouncer anyway; it isn't any more work to
>> > add them to SURBL.  Since I expire them by default in a month, unless
>> > they still appear, and since Jeff is expiring anything he gets from 
>> > me on the same schedule I do, nobody needs to go back and clean up the
>> > database -- in two years or any other time.  So I don't see any disadvantage
>> > here, especially since a number of decent AVs still aren't listing 
>> > phish URLs as viruses/dangerous content.  

>> Actually I'm not expiring them, so it's good that you are.

> <nod>  As I understood it, you were going to expire anything I
> removed from the list....  Or are you just expiring anything
> that's more than a certain number of days/weeks/months old,
> and then just updating the list date based on when it last
> appears in my list of data?  Either way should work fine....

Actually I'm just using your list.  Whatever is in it gets added
to ph.surbl.org.  If it comes out of your list (and the other
sources) then it's no longer on ph.surbl.org.   There is no
formal expiration procedure.

I should ask the other data sources to expire their data on their
end also so that the list does not grow indefinitely with old

> Based on a discussion with Paul, I think we shouldn't expire
> actual "Phish domains" very fast because, apparently, some 
> phishers re-register these domains if they're deregistered
> by the registrar.  In other words, some of them reappear. :/
> My first thoughts on this are that, since these domains are
> generally typosquatted/deliberately similar to a legitimate
> domain owned by a phish target, or deliberately mimic elements
> in the URLs in a phish target's legitimate email, it's 
> unlikely that keeping them listed will hit an innocent
> bystander.  These domains don't seem to have any legitimate
> uses.


Consider expiring spam domains after 1 year perhaps, since
spammers often don't renew them.  Most spammers seem to only use
a domain for a few weeks.  The ones that get re-used just before
the registrations expire may be somewhat unusual.

Jeff C.
Don't harm innocent bystanders.
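
The arrangement discussed in this thread, sketched as an added example (not code from SURBL or SpamBouncer): sources expire entries by last-seen date, and the aggregator publishes only the union of what the sources currently list. The class and function names, the 30-day window standing in for "a month", and the `.example` entries are assumptions made for illustration.

```python
from datetime import date, timedelta

class SourceFeed:
    """A data source that tracks when each entry was last seen."""
    def __init__(self, name, max_age_days=None):
        self.name = name
        self.max_age = None if max_age_days is None else timedelta(days=max_age_days)
        self.last_seen = {}          # entry -> date last observed in phish mail

    def observe(self, entry, day):
        # A re-sighting refreshes the date, so active entries never age out.
        self.last_seen[entry] = day

    def export(self, today):
        """Entries the source publishes today, after source-side expiry."""
        if self.max_age is None:     # this source never expires anything
            return set(self.last_seen)
        return {e for e, seen in self.last_seen.items()
                if today - seen <= self.max_age}

def build_zone(feeds, today):
    """Aggregator: the union of what the sources list today, nothing more."""
    zone = set()
    for feed in feeds:
        zone |= feed.export(today)
    return zone

def demo():
    # Constructed sample data; the .example names are placeholders.
    start = date(2005, 8, 1)
    expiring = SourceFeed("expiring-source", max_age_days=30)
    static = SourceFeed("non-expiring-source")
    expiring.observe("one-off-phish.example", start)
    expiring.observe("recurring-phish.example", start)
    static.observe("stale-phish.example", start)
    # Only the recurring entry is seen again three weeks later.
    expiring.observe("recurring-phish.example", start + timedelta(days=21))
    return {
        "day0": build_zone([expiring, static], start),
        "day40": build_zone([expiring, static], start + timedelta(days=40)),
        "day60": build_zone([expiring, static], start + timedelta(days=60)),
    }

if __name__ == "__main__":
    for label, zone in demo().items():
        print(label, sorted(zone))
```

The entry from the non-expiring source is still published on day 60, which is the growth problem that asking every source to expire its own data is meant to avoid.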
