On Sunday, April 11, 2004, 8:51:10 AM, Raymond Dijkxhoorn wrote:
Update: I'm thinking of storing class C sized bins for the tallies. That's very quick and gets "nearness" automatically. (In other words, any IPs in the same /24 could be counted together initially.) How does that sound? Do I lose much by that deliberate imprecision? How much do the spammers move IPs? Would numerical nearness matter/help in detecting them?
I personally like the way DSBL handles this; if a spammer moved we will find out pretty quickly. If you list a /24 you will get in a lot of IPs that have nothing to do with the blocks, most of the time. For example, spammers using an open proxy.
Do they use open proxies for their web hosting? Remember this would only be the IP addresses of their URI domains, not their mail sending.
The other thing that cuts down collateral damage is that the IPs must resolve from message body URIs, which won't be too common for FPs among the heaviest spammers. OTOH, like you, I like precision better also and don't like collateral damage either. Maybe full numbers are better than /24s.
Jeff C.
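
The trade-off discussed in this thread, as an added example that is not part of the original messages: the same reports of IPs resolved from message-body URI domains are tallied once per exact IP and once per /24 bin. The sample addresses (documentation ranges), the threshold of 3, and all function names are assumptions made for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample: IPs that URI domains in reported spam bodies resolved to.
SPAM_URI_IPS = [
    "192.0.2.10", "192.0.2.10", "192.0.2.10",  # one web host, reported often
    "192.0.2.11", "192.0.2.12",                # same /24, seen after a move
    "198.51.100.7", "198.51.100.7",            # a second host, static IP
    "203.0.113.50",                            # a single report
]
THRESHOLD = 3  # hypothetical listing threshold

def bin24(ip):
    """Map an IPv4 address to its /24 network (the 'class C sized bin')."""
    return ipaddress.ip_network(f"{ip}/24", strict=False)

def tally_exact(ips):
    """Count reports per exact address (the precise approach)."""
    return Counter(ipaddress.ip_address(ip) for ip in ips)

def tally_bins(ips):
    """Count reports per /24, so neighbouring addresses share one tally."""
    return Counter(bin24(ip) for ip in ips)

def listed_exact(ip, tallies, threshold=THRESHOLD):
    return tallies[ipaddress.ip_address(ip)] >= threshold

def listed_bin(ip, tallies, threshold=THRESHOLD):
    return tallies[bin24(ip)] >= threshold

if __name__ == "__main__":
    exact, bins = tally_exact(SPAM_URI_IPS), tally_bins(SPAM_URI_IPS)
    probes = [
        ("192.0.2.10", "heavily reported host"),
        ("192.0.2.13", "never reported, next to the reported hosts"),
        ("192.0.2.200", "unrelated site in the same /24"),
        ("198.51.100.7", "reported twice, below threshold"),
    ]
    for ip, note in probes:
        print(f"{ip:<14} exact={listed_exact(ip, exact)!s:<5} "
              f"/24={listed_bin(ip, bins)!s:<5} {note}")
```

The /24 bin lists 192.0.2.13 before it has been reported at all, which is the "nearness" gain, and lists 192.0.2.200 for the same reason, which is the collateral damage raised in the reply.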