----- Original Message -----
From: "Jeff Chan" jeffc@surbl.org
Looks like senderbase.org has a database of the domains and IPs used to send the most mail. Normally that would not be too interesting to us since we care about message body URIs, i.e. content, and not senders or their ISP addresses, but I'm thinking about whitelisting all the legitimate NSPs, ISPs and telcos in their top domains list:
http://www.senderbase.org/search?page=domains
We would exclude the few that appear to be spammers according to spamhaus:
imgmailer.com TAM Network stocksntalk.com iMedia Networks Inc. havagreatday.com
But I'd like to whitelist all the rest which are obviously large ISPs, etc. In essence we're just using it as a list of some of the top ISPs in the world.
Does anyone have any comments on this?
I like this idea as I believe it would cut down the number of false-positives due to false-listings.
Note that this won't have a major effect on bad guys since spammers would not have much incentive to advertise their ISPs, and we don't "whiten" spams for mentioning non-spam domains anyway. It also does not mean that we're whitelisting the ISP address space, senders, or anything like that, just mail that mentions these large ISP URIs.
Quick question: If I have set "spamcop_uri_limit 25" in my spamcop_uri.cf file, and a spammer sends a message containing 30 URIs, all legit except one, and 10 of the legit URIs are whitelisted by SURBL, would all of the remaining URIs get checked, or still only a random selection of the entire 30 URIs found in the message? Just wondering if the whitelisting will help us to be more accurate in tagging the spammer URI in the message, thus cutting down the possibility of the spammer URI not being one of the random 25 selected for checking against the SURBLs.
I'm curious to know what effect the SURBL whitelisting has as it applies to both SA 2.6x with the SpamCopURI plug-in and SA 3.0 with the URIDNSBL plug-in and the random URI check limit threshold.
Bill
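
The scenario in the question above (30 URIs, one of them the spammer's, 10 whitelisted, a limit of 25), worked through as an added example that is not part of the original message and is not SpamCopURI or URIDNSBL code. It compares two hypothetical orderings, sampling before or after whitelisted URIs are removed, assumes uniform random sampling without replacement, and does not establish which order either plug-in actually uses.

```python
import random
from fractions import Fraction
from math import comb

def miss_probability(total, whitelisted, limit, whitelist_first):
    """Exact chance that the one spam URI is never queried.

    Assumption: when more than `limit` URIs are candidates, `limit` of them
    are drawn uniformly at random without replacement.
    """
    pool = total - whitelisted if whitelist_first else total
    if pool <= limit:
        return Fraction(0)          # everything in the pool is queried
    # Missed when all `limit` draws come from the other pool-1 URIs.
    return Fraction(comb(pool - 1, limit), comb(pool, limit))

def simulate(total, whitelisted, limit, whitelist_first, trials=20000, seed=1):
    """Monte Carlo check of miss_probability using constructed URI ids."""
    rng = random.Random(seed)
    uris = list(range(total))       # id 0 is the spam URI (constructed)
    white = set(range(1, whitelisted + 1))
    misses = 0
    for _ in range(trials):
        pool = [u for u in uris if u not in white] if whitelist_first else uris
        picked = rng.sample(pool, limit) if len(pool) > limit else pool
        # Whitelisted URIs are never looked up, whichever order is used.
        queried = [u for u in picked if u not in white]
        misses += 0 not in queried
    return misses / trials

if __name__ == "__main__":
    for first in (False, True):
        exact = miss_probability(30, 10, 25, first)
        sim = simulate(30, 10, 25, first)
        print(f"whitelist_first={first}: exact={exact} simulated={sim:.3f}")
```

If the limit is applied to all 30 URIs first, the spammer URI is skipped one time in six; if whitelisted URIs are dropped first, only 20 remain and all are checked.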