opencomputing@gmail.com wrote:
When was the last time Microsoft got listed in surbl? Smaller lists might end up being sent from a false positive domain, and the idea is that the surbl test pattern (queries/minute, burst/continuous, historical comparisons, geolocation and perhaps other metrics) should make it possible to differentiate between such a list and a spam run.
Spammers could add some fake URIs like yahoo.com, gmail.com, microsoft.com to their spam runs so that their mails get a hammy score (if surbl gives a negative score using some whitelisted URIs).
No, because the 'Spam in Progress' bit could only be set for listed domains.
A domain would never be listed only because it's sending mail. The 'Spam in Progress' bit would be asserted only if:
- The domain is already listed and
- Global traffic matches the recipe for identifying a spam in progress (amount, number of different servers, geographic diversity (?), any other metric)
Also, spammers could use a badly configured, well-intentioned mailing list like sourceforge.net, or go through services like yahoo.com, gmail.com etc., which could reduce the accuracy.
Same goes here, as long as sourceforge.net does not get listed, surbl queries generated by their list won't have them listed. Spammy can subscribe to any sourceforge lists he wants.
Having a grey +ve score for URIs queried from MTAs with patterns matching a spam run is a nice idea though.
What's missing is data for ham / spam runs, so that it can be analyzed to see which characteristics are a significant differentiator. However, that's sensitive data, and it should be anonymized (last IP byte(s?)=0) before being released, else it gives a map of who's using the service!
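
Added example, not part of the original thread and not SURBL code: a sketch of the two-condition rule discussed above, evaluated over a query log whose client addresses are first anonymized by zeroing the last IPv4 byte. The thresholds, the /48 prefix for IPv6, the function names and the sample log are all assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumed thresholds; the thread names the metrics but gives no values.
MIN_QUERIES = 5        # queries for one domain inside the window
MIN_NETWORKS = 3       # distinct anonymized client networks
WINDOW_SECONDS = 60

def anonymize(ip, v4_prefix=24, v6_prefix=48):
    """Zero the host part of a client address (last byte for IPv4)."""
    addr = ipaddress.ip_address(ip)
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return str(net.network_address)

def spam_in_progress(queries, listed, now):
    """Return the listed domains whose recent traffic matches the recipe.

    queries: iterable of (unix_time, client_ip, domain)
    listed:  set of domains already on the blocklist
    """
    count = defaultdict(int)
    networks = defaultdict(set)
    for ts, ip, domain in queries:
        if domain not in listed:      # unlisted domains can never get the bit
            continue
        if not (now - WINDOW_SECONDS < ts <= now):
            continue
        count[domain] += 1
        networks[domain].add(anonymize(ip))
    return {d for d in count
            if count[d] >= MIN_QUERIES and len(networks[d]) >= MIN_NETWORKS}

# Constructed sample data (documentation address ranges, invented domains).
LISTED = {"pills.example"}
NOW = 1000
QUERIES = (
    [(NOW - i, f"192.0.2.{i + 1}", "pills.example") for i in range(3)]
    + [(NOW - 5, "198.51.100.7", "pills.example"),
       (NOW - 6, "203.0.113.9", "pills.example")]
    # A busy but unlisted domain, e.g. a large mailing list or an injected URI.
    + [(NOW - i, f"203.0.113.{i + 1}", "bigvendor.example") for i in range(20)]
    + [(NOW - 500, "198.51.100.8", "pills.example")]   # outside the window
)

if __name__ == "__main__":
    print(spam_in_progress(QUERIES, LISTED, NOW))
```

The unlisted domain generates the most queries in the sample but is skipped before any counting happens, which is the point made in the replies above.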