On Friday, May 12, 2006, 9:53:41 AM, Jeff Chan wrote:
If a subdomain is listed, the subdomain should be checked. It's not necessarily safe to check the base domain when a subdomain is listed. For example, if phishing.freehost.com is blacklisted, checking freehost.com is probably not a good idea. I do realize this is somewhat off spec.
It's been pointed out that the description above may be somewhat unclear. To clarify, it's best to follow the specification:
http://www.surbl.org/implementation.html
1. For GTLDs like com, net, org, info, biz, etc., check at the second level.
2. For CCTLDs listed in the two-level-tlds list, check at the third level, etc. For CCTLDs not in that list, check at the second level.
A vast majority of the time, those will match the levels in the blacklist. In a few off-spec cases we blacklist subdomains, but they are very rare and exceptional. It's best not to code to those rare exceptions, especially as it can double, triple, etc., the DNS queries largely unnecessarily.
The point about listed subdomains such as phishing.freehost.com was to *not* check levels closer to the root (even if I didn't explain that very clearly in the quote above). While phishing.freehost.com may be bad (and in theory ok to check), freehost.com may not be. Checking freehost.com could easily lead to FPs.
Really the best advice is to ignore the off-spec data. It doesn't help the results very much and arguably doesn't even belong in there.
Cheers,
Jeff C. -- Don't harm innocent bystanders.
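
Added example (not part of the original message and not SURBL's own code): one way a client can apply the two rules above so that each URI host produces exactly one lookup name, at the level the specification says. The function names are hypothetical, TWO_LEVEL_TLDS is a small constructed sample standing in for the published two-level-tlds list, and the multi.surbl.org zone is an assumption.

```python
import ipaddress

# Constructed sample; a real client loads the full two-level-tlds list.
TWO_LEVEL_TLDS = {"co.uk", "com.au", "com.br"}


def registered_domain(host, two_level_tlds=TWO_LEVEL_TLDS):
    """Reduce a URI host to the single name that should be checked.

    Rule 1: check at the second level (example.com).
    Rule 2: if the last two labels are in the two-level list,
            check at the third level (example.co.uk).
    Returns None when the host is too short or is an IP literal
    (IP literals are outside the two rules and are skipped here).
    """
    host = host.strip().rstrip(".").lower()
    try:
        ipaddress.ip_address(host)
        return None
    except ValueError:
        pass
    labels = host.split(".")
    if any(not label for label in labels):
        return None  # empty label, e.g. "a..com" or ""
    keep = 3 if ".".join(labels[-2:]) in two_level_tlds else 2
    if len(labels) < keep:
        return None  # a bare TLD or bare two-level TLD is never queried
    return ".".join(labels[-keep:])


def query_names(hosts, zone="multi.surbl.org"):
    """Return de-duplicated DNS names to look up, one per base domain.

    Deeper subdomains are never queried separately, so the number of
    DNS queries does not multiply with the depth of the host name.
    """
    seen = []
    for host in hosts:
        domain = registered_domain(host)
        if domain and domain not in seen:
            seen.append(domain)
    return [f"{domain}.{zone}" for domain in seen]


if __name__ == "__main__":
    sample = ["www.example.com", "mail.example.com", "shop.example.co.uk"]
    for name in query_names(sample):
        print(name)
```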