[Rob confirmed he meant to send his reply below to the list. Here's my reply to his (unintentionally) private reply.]
On Wednesday, October 12, 2005, 7:14:51 AM, Rob McEwen wrote:
>> Were you resolving SURBL domains then checking resolved IPs against header IPs?

> No, I wasn't. Even though IPs on SURBL are rare, when they do occur, they are prime candidates for FPs if/when checking headers.
>
> Of course, SURBL FPs on the body of the message are already extremely rare... But, even so, because we've been constantly making improvements in that area as well, it is entirely possible that SURBL FPs when checking against headers might be MORE rare now than in previous months... again, this being due to our steady and constant across-the-board improvements.

While it's true that many of the IPs that appear on SURBLs are probably zombies and those zombies could be used as senders, this is straying pretty far from the original purpose of the lists.
Probably something like CBL or XBL would be much better general compromised sender lists to check against message headers. Even something like a Dynamic IP list like dynablock.njabl.org may be a better indicator of zombie-ness.
I have not done any research, but far more of the zombies are probably on those lists than as IPs on SURBLs.
BTW you sent your reply privately. May I post this?
Jeff C.
--
Don't harm innocent bystanders.