On Tuesday, October 11, 2005, 10:33:55 PM, Rob McEwen wrote:
Jeff asked:
What kinds of percentage of spam message header domains are showing up on SURBLs? I would imagine the hit rates might not be too high, so there may be a processing cost/benefit issue.
...and...
I'm puzzled why there would be FPs. Are hammers forging spam domains in their headers? That would seem bizarre if so.
[...]
But, let me mention that the overall FP rate is still very, very low. It was like 1/200 FPs, or less (but I'm guessing).
Most often, if a FP occurred, it was because an IP address used in a spammer's URL would, for whatever reason, also appear in the headers of legit messages.
Huh? SURBLs are mostly domains. Were you resolving SURBL domains then checking resolved IPs against header IPs? That would be, ahem, unusual.
Jeff C.
--
Don't harm innocent bystanders.