On Tuesday, October 11, 2005, 8:54:26 PM, Steven Champeon wrote:
I'm not asking for SURBLs to list domains found in headers, I'm suggesting that domains found in SURBLs because of their use in the bodies of spam may also be found on occasion in less-inspected message headers of spam that may also find them in the body.
I'm just trying to reduce my spam inspection workload here by using reliable sources of known spammy domains to allow rejection of the message without body inspection (which in SA and procmail, et al., requires that the message be accepted and inspection undertaken prior to delivery). I estimate that some 30% or more of spam we'd accepted and delivered or quarantined could have been rejected during the SMTP conversation, using SURBLs.
I do know that spammer domains - listed in SURBL and URIBL already - do tend to be found in headers likely to direct replies back to the spammer, and which may contain tracking devices also useful to the spammer (when inserted by compliant clients as References: or In-Reply-To: in the reply). I'm advocating rejecting these known spammy messages, which would otherwise be caught/tagged by SURBLs after delivery (and delivered or quarantined, after which it's in the hands of users to know whether or not to reply to ask to be removed), during the SMTP conversation, not after.
Sounds reasonable, even if it's not the original purpose of SURBLs.
What kinds of percentage of spam message header domains are showing up on SURBLs? I would imagine the hit rates might not be too high, so there may be a processing cost/benefit issue.
Jeff C.
--
Don't harm innocent bystanders.
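Added example, not part of the original thread or of any SURBL or SpamAssassin code: a sketch of the header-only check discussed above, which reduces hosts in reply-directing headers to registered domains, queries them against multi.surbl.org, and picks the SMTP reply before any body scan. The header selection, the two-level-TLD stand-in, the 127.0.0.1 handling, the reply text, and the sample data are assumptions made for illustration.

```python
import re
import socket
from email import message_from_string

# Headers the thread names as likely to carry the spammer's domain.
HEADERS = ("From", "Reply-To", "Message-ID", "References", "In-Reply-To")
ZONE = "multi.surbl.org"
# Assumption: tiny stand-in for a real two-level-TLD / public-suffix list.
TWO_LEVEL = {"co.uk", "com.au"}

def registered_domain(host):
    """Reduce a hostname to the registered domain that gets looked up."""
    labels = host.lower().strip(".").split(".")
    if len(labels) < 2:
        return None
    n = 3 if len(labels) > 2 and ".".join(labels[-2:]) in TWO_LEVEL else 2
    return ".".join(labels[-n:])

def header_domains(raw_headers):
    """Collect registered domains found after '@' in the selected headers."""
    msg = message_from_string(raw_headers)
    found = set()
    for name in HEADERS:
        for value in msg.get_all(name, []):
            for host in re.findall(r"@([A-Za-z0-9.-]+)", str(value)):
                found.add(registered_domain(host))
    found.discard(None)
    return found

def dns_resolve(qname):
    """Live A-record lookup; None means no record, i.e. not listed."""
    try:
        return socket.gethostbyname(qname)
    except socket.gaierror:
        return None

def smtp_verdict(raw_headers, resolve=dns_resolve):
    """Return the SMTP reply to give once the headers have arrived."""
    for dom in sorted(header_domains(raw_headers)):
        answer = resolve(f"{dom}.{ZONE}")
        # Assumption: 127.0.0.1 is treated as a refused query, not a listing.
        if answer and answer.startswith("127.0.0.") and answer != "127.0.0.1":
            return f"550 5.7.1 {dom} is listed in {ZONE}"
    return "250 OK"

# Constructed sample headers and stub zone data so the example runs offline.
SAMPLE = ("From: Offers <deals@mail.cheap-pills.example>\n"
          "Message-ID: <trk.8841@news.bulk-host.example>\n\n")
STUB = {"cheap-pills.example.multi.surbl.org": "127.0.0.2"}
```

Calling `smtp_verdict(SAMPLE, STUB.get)` exercises the check without network access; omitting the second argument performs live DNS lookups.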