On Wednesday, December 1, 2004, 3:25:42 PM, John Hardin wrote:
On Wed, 2004-12-01 at 14:35, Chris Santerre wrote:
We are seeing an increase in throw away domains being used to reroute to other domains that will NEVER show up directly in a spam. All in attempts to get passed SURBL.
I'm going to bring up this idea again, in a slightly different context this time:
Perhaps it would be useful to have a SURBL list that is automatically generated daily from the registrars' notifications of domains that have been recently created. This information is available for free download - I'm pretty sure I posted the location here a while ago.
The definition of "recently" might require some testing to set properly, perhaps a starting point would be one week.
Granted this SURBL would be more subject to FPs than a hand-maintained list, so it should have a correspondingly lower default score. And it wouldn't help too much if spammers don't start using their throwaway domains immediately after registering them.
We still want SURBLs to be lists of domains (and a few IPs) that have actually occurred in spams. A list of all new registrations could perhaps be used as an internal data source, but I think it would have way too many false positives to use alone.
The Outblaze data in ob.surbl.org somewhat fulfills your suggestion since it contains only domains that have been registered within the last 90 days *and which have appeared in a lot of spams lately. It tends to work well.
Jeff C.