On Saturday, April 23, 2005, 2:59:29 AM, Raymond Dijkxhoorn wrote:
Hi!
Yes, I agree too. :-) When I announced the list for testing I said we'd start conservative to get a feeling for the data.
Could we maybe, just for testing, have two or more lists to test with different percentiles? 97.xs.surbl.org 98.xs.surbl.org etc...
Patrik
Probably we'll try XS at the 98th percentile next, take out the SURBL hits, and try to list only domains that are less than a year old.
How toes this sound to folks?
It might be usefull info that if you allready block with DSBL on MTA level the XS is rather useless. We have been testing overnight, 400.000 spams passed, 2 were mentioned by XS and both would have been high spam allready without XS anyway.
So basicly if you block with DSBL i dont see a point using this.
The point is that DSBLs have delays in getting new IPs listed, but the same URIs may tend to get advertised from fresh zombies. Therefore if we get the URIs we will catch spams even before the fresh zombie IPs get listed.
The particular set of data currently in XS won't show much 0 hour spams because it's set so conservatively. It takes a lot of spams already seen to get included. What is more interesting to checking at this conservative setting is how spammy the URIs it detects are. When we crank down the settings and catch more URIs sooner, then we should catch more zero hour spams, including ones where the sender IPs don't show up on RBLs yet (because URIs likely change more slowly than sender IPs).
Jeff C. -- "If it appears in hams, then don't list it."