Steven,
SURBL is NOT, will never be used, doesn't care, /dev/null's, any domain or IP the email came from.
Well, I for one won't be sending any more domains along if I have to also distinguish between the domains I happened to find in email bodies from those I happened to find in message headers. Sorry. The overlap is far too great, as for example in a recent message I got (summarized):
Its simple, thats ok. =)
Received: from mx51.AfClawFrog1.us (mx51.afclawfrog1.us [216.162.182.51]) Subject: [Target-removed] Free Break-In & Fire Protection System Message-ID: wfbzwsbunaxhmuetqnef@mx51.AfClawFrog1.us
[text part with a snippet of fictional text]
[html part containing several links to
<a href="http://medium.AfClawFrog1.us?id=%5Bsnipped long hash id]
<img src="http://images.AfClawFrog1.us/images/HomeSecurityProfessionals2_r1_c1.gif
Sorry, I don't have time to deal with the distinction. Because for me, for the most part, there quite simply is no distinction.
You should be rather picky what you submit, if you are not sure, dont submit. It will harm the effectiveness and accuracy of the whole SURBL idea if people (sorry, no offence) only do some script magic and submit tons of domains.
You see for example with the relatively small SC dataset a LOT of hits. Its not the quantity but the quality that counts in a project like this.
#1 26728 BAYES_99 #2 19956 HTML_MESSAGE #3 19723 RCVD_IN_SBL+XBL #4 19126 RCVD_IN_BL_SPAMCOP_NET #5 18141 WS_URI_RBL #6 17354 OUTBLAZE_URI_RBL #7 16352 RCVD_IN_SORBS #8 13000 SPAMCOP_URI_RBL #9 12988 RCVD_IN_DSBL #10 12717 MIME_HTML_ONLY #11 12660 ABUSEBUTLER_URI_RBL #12 10270 RCVD_IN_DYNABLOCK #13 7644 DNS_FROM_RFCI_ABUSE #14 7471 RCVD_IN_AHBL #15 6763 RCVD_IN_NJABL #16 6318 MIME_HTML_ONLY_MULTI #17 6274 MIME_HTML_NO_CHARSET #18 6064 CLICK_BELOW #19 5169 HTML_FONT_BIG #20 4776 MSGID_FROM_MTA_HEADER #21 4506 LOCAL_XMESSAGEINFO #22 4489 HTML_LINK_CLICK_HERE #23 4081 RCVD_IN_RFCI #24 3739 RCVD_IN_NJABL_PROXY #25 3614 HTML_60_70 #26 3360 6DOS_URI_RBL
If you look at this data, 6DOS, has a list thats holding many more entry's. Still SPAMCOP_URI_RBL is listing more hits.
Bye, Raymond.