As postmaster, I see a lot of double-bounces for a user who forwards their mail to a server that implements the policy:
550 5.7.1 mail containing 8aa.tXokG4N.fagonyenomy.org rejected - sbl; see http://www.spamhaus.org/query/bl?ip=201.3.240.234
They appear to be using the milter mentioned in http://www.surbl.org/faq.html#numbered
Sure, fagonyenomy.org is in sc.surbl.org now, but these cretins register new domains pointing at the same IPs on an (at least) daily basis, and there is a time lag. The site they were spamming about this morning, thebest-search.com.sc.surbl.org, exists only on ob.surbl.org, not sc or ws.
For the reasons mentioned in the FAQ, I do not agree with uri-to-ip-based blacklisting as a blanket policy, but it does seem very effective in dealing with these rapidly morphing porn spammers. I would like to give such a rule a SA score of 4 or so.
In order to implement this nicely, I see a need for a *per surbl* switch in SpamCopURI telling it whether to look up the domain, or the domain as resolved to an IP. Configured something like
uri SPAMCOP_URI_RBL eval:check_spamcop_uri_rbl('sc.surbl.org','127.0.0.2')
uri SPAMHAUS_URI eval:check_spamcop_uri_rbl('sbl.spamhaus.org','127.0.0.2','ip')
Obviously there is no point in looking up fagonyenomy.org in spamhaus, nor do I want to look up all resolved IPs in all surbls needlessly. I could write completely separate code to do this, but I'd like to reuse the url and redirector parsing infrastructure. Unfortunately I don't see a clean way to do this without changing the internal hash structure.
Ideas?
Should I just wait for (or start experimenting with now) SA3's uridnsbl and urirhsbl, which were designed for this? Yeah, that's what I was afraid of...
I think I just answered my own question, but I'm curious what others think and how others are dealing with this spam gang. I can't wait for a big ISP to hit them with the big clue stick.
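The per-zone "domain or resolved IP" switch the poster asks for, sketched as an added Python example (not SpamCopURI's code, and not a patch to it). The rule table mirrors the two proposed config lines: sc.surbl.org is queried with the URI's domain, sbl.spamhaus.org with the reversed octets of whatever that domain resolves to. DNS is injected as a function so the example runs offline; the answers in FAKE_DNS are constructed for illustration, reusing only the domains and IP quoted in the post. Reducing a host to its last two labels is a simplifying assumption (SURBL's real rules use a public-suffix style list).

```python
import ipaddress
from urllib.parse import urlparse

# Rule table modelled on the per-SURBL switch proposed in the post.
# Each entry: (rule name, zone, expected return code, lookup mode).
#   'domain' looks up the URI's domain in the zone (SURBL style)
#   'ip'     resolves the domain first, then looks up the reversed IP (SBL style)
RULES = [
    ("SPAMCOP_URI_RBL", "sc.surbl.org", "127.0.0.2", "domain"),
    ("SPAMHAUS_URI", "sbl.spamhaus.org", "127.0.0.2", "ip"),
]

# Constructed DNS answers so the example runs without network access.
# fagonyenomy.org is listed in sc.surbl.org; thebest-search.com is not yet,
# but both resolve to the same SBL-listed IP, which is the poster's point.
FAKE_DNS = {
    "fagonyenomy.org": ["201.3.240.234"],
    "thebest-search.com": ["201.3.240.234"],
    "fagonyenomy.org.sc.surbl.org": ["127.0.0.2"],
    "234.240.3.201.sbl.spamhaus.org": ["127.0.0.2"],
}


def fake_resolve(name):
    """Stand-in for an A lookup: returns the constructed answers above."""
    return FAKE_DNS.get(name, [])


def uri_host(uri):
    """Return the lowercase hostname of a URI, or None if it has none."""
    if "://" not in uri:
        uri = "http://" + uri
    host = urlparse(uri).hostname
    return host.lower() if host else None


def registrable_domain(host):
    """Naive two-label reduction (assumption: no public-suffix list here)."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def domain_query(domain, zone):
    """SURBL-style query name: the domain prepended to the zone."""
    return f"{domain}.{zone}"


def ip_query(ip, zone):
    """DNSBL-style query name: IPv4 octets reversed, then the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def check_uri(uri, resolve=fake_resolve, rules=RULES):
    """Apply every rule to one URI; returns {rule name: hit?}.

    resolve(name) must return a list of A records for name (injectable so
    a real resolver can be dropped in).
    """
    host = uri_host(uri)
    hits = {}
    if host is None:
        return hits
    try:
        literal = str(ipaddress.IPv4Address(host))  # "numbered" URI
    except ValueError:
        literal = None
    domain = literal or registrable_domain(host)
    for name, zone, want, mode in rules:
        if literal:
            # A numeric host is looked up reversed in either mode.
            queries = [ip_query(literal, zone)]
        elif mode == "domain":
            queries = [domain_query(domain, zone)]
        else:
            queries = [ip_query(ip, zone) for ip in resolve(domain)]
        hits[name] = any(want in resolve(q) for q in queries)
    return hits


if __name__ == "__main__":
    for u in ("http://8aa.tXokG4N.fagonyenomy.org/", "http://thebest-search.com/"):
        print(u, check_uri(u))
```

Only the 'ip' rule fires for thebest-search.com in this constructed data, which is the lag the post complains about: the domain is new, the IP is not. In a real plugin the resolve callback would wrap the resolver SpamAssassin already uses, and the redirector and URI extraction would stay in the existing parsing code rather than the minimal uri_host shown here.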