On Friday, September 3, 2004, 5:27:10 AM, Rob McEwen wrote:
However, this last point you made makes little sense. First, there is not much difference, for all practical purposes, between doing what you are suggesting and just throwing all these "mainsleazers" into SURBL... yet no one is suggesting or is in favor of that. We are not trying to "end-run around" SURBL by making it more strict in order to circumvent our regular standards. Instead, most of us see the "graylist" as more of an auditing tool or a factoring tool. Recall how some have already mentioned factoring the unconfirmed.surbl.org into SpamAssassin's score, but at a lower value than the regular SURBL score. That way, where a regular SURBL hit might be enough to get a message blocked... an unconfirmed.surbl.org hit would take ADDITIONAL evidence (or rules) to get that message blocked. Also, another use for unconfirmed.surbl.org would be as an auditing tool, where an extra copy of mail that gets "hit" by unconfirmed.surbl.org (but NOT by multi-surbl.org) might go to a folder for review by the mail administrator so that the mail administrator might create additional filtering "rules" for blocking this type of message in the future in a more precise, "surgical strike" manner which doesn't block all mail just for having that particular URI.
Finally, another reason for this greylist, as I and Chris have pointed out in the past, is that spammers will try to circumvent SURBL in the future by providing some little legit service "on the side". Certainly, it would be good to keep these types "on a short leash". If we ONLY do what we have been doing so far, there is a big loophole in SURBL.
Yes, I understand the points being made, but I feel there are many practical concerns weighing against this idea. I also understand the enthusiasm and fervor of those of us who want to "get every spammer," but I feel that doesn't always fit the model we have built.
Perhaps there's some disagreement on what constitutes a spammer. To me a spammer essentially sends only spam, usually for pills, cable descramblers, mortgages, etc. and steals services using zombies. Their sites are usually hosted at spam-friendly ISPs who won't take down their sites for being a spam destination, or in countries with no apparent spam laws or enforcement.
Anyone who sends mostly legitimate messages should not be blocked, and anyone not using zombies is trivially easily blocked using a conventional RBL of sending server IP addresses or even sender domains. Conventional RBLs typically list the spammers' mail server IP addresses or their sending domain, allowing administrators to block on them. Either of those other solutions is vastly simpler and less costly in terms of CPU cycles and disk storage than content checking like we're doing with SURBLs. Conventional RBLs are also well-supported in MTAs, SpamAssassin and most anti-spam programs. The main problem is that zombies are used to get around that technology. Zombies spam from many different and new IP addresses more quickly than conventional RBLs can practically keep up with.
Zombies are the main reason we decided to do SURBLs, because URI checking was the ONLY way remaining to catch spams sent using rapidly shifting armies of zombied computers. Those who think the source of spams is irrelevant or that zombies don't matter are probably mostly hobbyists with small personal mail servers who can afford processing that would be impractical at ISPs or large mail servers. It's great that people use SURBLs on their personal servers and it's good for them to not get the spam, but actually stopping the spammers will require solutions that will work on a large scale, for example, on many high volume inbound mail or spam filter servers. Only then will we make enough of a dent in the hard core, highly-abusive, zombie-using spammers to slow or stop them or to make spamming uneconomical for them.
There are at least 100k new zombies discovered every day. Those are the real problem, not someone's joke of the day site. SURBLs are designed to catch the otherwise uncatchable zombie spammers, not the trivially-blocked unwanted newsletter.
These grey cases are frankly a distraction from the goal of stopping the worst offenders and the biggest criminals. They also miss the biggest abusers. The priority should be on catching the biggest, most abusive spammers, and excluding the grey cases which confuse that effort and make it difficult for SURBLs to be more widely adopted due to false positives.
Jeff C.
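
The weighting and audit-copy scheme proposed in the quoted message, sketched as an added example that is not part of either poster's message and is not SURBL or SpamAssassin code. The list contents, domain names, scores and threshold are constructed assumptions, and in-memory sets stand in for the DNS zones so that it runs offline.

```python
import re
from urllib.parse import urlsplit

# Constructed stand-ins for the two zones (assumption: a real filter would query DNS).
CONFIRMED = {"pills-example.test"}      # plays the role of the regular SURBL list
UNCONFIRMED = {"jokes-example.test"}    # plays the role of unconfirmed.surbl.org

# Assumed values, chosen only to illustrate "lower score than the regular list".
SCORE_CONFIRMED = 5.0
SCORE_UNCONFIRMED = 1.5
BLOCK_THRESHOLD = 5.0

URI_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def uri_domains(body):
    """Collect the last two host labels of every URI in the message body.

    Simplification: a production filter also needs a public-suffix list
    so that hosts under suffixes such as co.uk are reduced correctly.
    """
    domains = set()
    for uri in URI_RE.findall(body):
        try:
            host = (urlsplit(uri).hostname or "").rstrip(".").lower()
        except ValueError:          # malformed authority, e.g. unbalanced "["
            continue
        labels = host.split(".")
        if len(labels) >= 2:
            domains.add(".".join(labels[-2:]))
    return domains

def classify(body, other_rules_score=0.0):
    """Score one message; other_rules_score is the sum of all non-URI rules."""
    domains = uri_domains(body)
    hit_confirmed = bool(domains & CONFIRMED)
    hit_unconfirmed = bool(domains & UNCONFIRMED)
    score = other_rules_score
    if hit_confirmed:
        score += SCORE_CONFIRMED
    if hit_unconfirmed:
        score += SCORE_UNCONFIRMED
    return {
        "score": score,
        "blocked": score >= BLOCK_THRESHOLD,
        # Audit copy only for mail the confirmed list did not already catch.
        "audit_copy": hit_unconfirmed and not hit_confirmed,
    }
```
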