I'm adding the IPs to SpamBouncer anyway; it isn't any more work to add them to SURBL. Since I expire them by default in a month, unless they still appear, and since Jeff is expiring anything he gets from me on the same schedule I do, nobody needs to go back and clean up the database -- in two years or any other time. So I don't see any disadvantage here, especially since a number of decent AVs still aren't listing phish URLs as viruses/dangerous content.
Actually I'm not expiring them, so it's good that you are.
<nod> As I understood it, you were going to expire anything I removed from the list.... Or are you just expiring anything that's more than a certain number of days/weeks/months old, and then just updating the list date based on when it last appears in my list of data? Either way should work fine....
Based on a discussion with Paul, I think we shouldn't expire actual "Phish domains" very fast because, apparently, some phishers re-register these domains if they're deregistered by the registrar. In other words, some of them reappear. :/ My first thoughts on this are that, since these domains are generally typosquatted/deliberately similar to a legitimate domain owned by a phish target, or deliberately mimic elements in the URLs in a phish target's legitimate email, it's unlikely that keeping them listed will hit an innocent bystander. These domains don't seem to have any legitimate uses.
But I'm open to persuasion otherwise. :)
But the key thing is that as long as they keep appearing in live spams/phishes we can keep listing them. After they've been inactive for a while it makes sense to delist them. We can always add them back on if they start appearing again.
<nod> Makes sense.
It is a valid concern that Greg makes about the sizes of lists. The same question comes up for any blacklist; they can't keep adding records indefinitely. Inactive ones need to get purged to keep the sizes reasonable.
But in practical terms, RBL-type lists can grow to at least a few million records before they become impractical if the name servers are using rbldnsd. Right now multi.surbl.org, the combined SURBL list has about 150k records. sbl.spamhaus.org has about 5k records. xbl.spamhaus.org has about 2 million records. So SURBLs are not running up against size limits any time soon.
Thanks -- that is useful information. :)