On Thursday, September 9, 2004, 3:22:39 PM, Scott Crosby wrote:
On Thu, 9 Sep 2004 16:56:33 -0400, Chris Santerre csanterre@MerchantsOverseas.com writes:
How does this sound? Combine spamtraps with SURBL, using the IP as a hint to fully automatically add on the new domain. If a spamtrap email includes a URL that resolves to a server that has the same IP as another server already on the SURBL blacklist, automatically and immediately add the new domain to SURBL. One could also use shared DNS servers as a similar hint. If a new domain in a spamtrap shares a DNS server with an already listed domain, add it to SURBL automatically.
We should be a bit more careful than this --- require that a new URL has to resolve to the same IP address as, say, at least 3 other SURBL entries before being automatically added on. Also, there should be a list of IP's for which this automatic logic won't be triggered. This would be important for a poorly run but popular virtual server that's slow at kicking off spamvertized sites.
This way you can catch spammers who create new domains on an existing IP address automatically and close to instantaneously. There's also little to no chance of accidentally blacklisting a popular virtual server. Spammers can't get any completely innocent domain or IP onto SURBL automatically. It must have at least some prior listings.
Scott
Yes, the nameserver part is a new idea, and we would not explicitly fold trap data* in, but the IP part is in my designs already for the next version:
http://www.surbl.org/faq.html#numbered
However the next version of the sc.surbl.org data engine probably will be a hybrid name and number approach, where if a domain resolves into an IP address commonly used with spamvertised sites, then that domain will get added to sc.surbl.org probably with the first report. (Note that this still requires at least one report, but the threshold for inclusion will be radically lower for major spam operators who repeatedly use the same IP address for their hosting.) The next version of the data engine may also use the IP addresses in the sbl.spamhaus.org list to similarly short-circuit the process and include any newly reported domains resolving into those addresses immediately upon their first report. That should make for a more responsive list without much chance of increasing false positives.
This hybrid approach will move sc.surbl.org much closer towards the behavior of a number-based approach, though domains will still need that initial report, whereas a numbered list would catch the whole server IP address.
Of course a downside of using numbers is that they can false positive any legitimate domains that happen to be hosted on the same IP address as a spam site. That could be disastrous for a large web hosting company that had one bad apple. That's another major reason why we went with names and not numbers. Numbers can be overly broad, whereas names are highly specific to the advertised site. To us names are a finer tool: if 30% of the domains on a given IP address are used by spammers, we could list all of them and not affect the 70% non-spam domains that unfortunately happen to share the same IP address. That specificity is a strong benefit of using domain names.
I'd rather work on this than spending time defending the current practices, which are already collectively pretty well thought out.
* spam trap data is already indirectly used in SURBLs.
Jeff C.
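The listing policy sketched in both messages above (Scott's "same IP as at least 3 other entries, with an exemption list" rule, and Jeff's hybrid approach where a first report is enough when the domain resolves to an IP already common among listed sites or present in an external IP list such as sbl.spamhaus.org) can be written out as a small decision routine. The code below is an added illustration, not SURBL's data engine or anything posted in the thread. It replaces real DNS resolution with a constructed lookup table, and every hostname, IP address, list entry and the class name `IpHintPolicy` are assumptions made for the example.

```python
"""Simulated IP-hint auto-listing policy (added example, not SURBL code).

A reported domain is resolved to its hosting IP.  If that IP already hosts
at least `min_shared` listed domains, or appears in an external IP
blocklist, the domain is added on its first report.  IPs on the exemption
list (large virtual hosts that are slow to remove spamvertised sites)
never trigger automatic listing, so an innocent tenant there is held for
the normal manual threshold instead.
"""
from collections import Counter
from typing import Callable, Dict, Iterable, Optional, Set, Tuple

# Constructed DNS table standing in for socket.gethostbyname(); all names and
# addresses are made up (RFC 5737 documentation ranges).
FAKE_DNS: Dict[str, str] = {
    "spamco-a.example":      "192.0.2.10",
    "spamco-b.example":      "192.0.2.10",
    "spamco-c.example":      "192.0.2.10",
    "spamco-new.example":    "192.0.2.10",    # fresh domain on a known spam host
    "loner.example":         "192.0.2.20",
    "loner-new.example":     "192.0.2.20",    # only one prior listing on this IP
    "bigvhost-bad1.example": "198.51.100.5",
    "bigvhost-bad2.example": "198.51.100.5",
    "bigvhost-bad3.example": "198.51.100.5",
    "bigvhost-shop.example": "198.51.100.5",  # innocent tenant on an exempt host
    "sbl-new.example":       "203.0.113.7",   # first report, IP in external list
}

# Constructed set of domains already on the list.
LISTED: Set[str] = {
    "spamco-a.example", "spamco-b.example", "spamco-c.example",
    "loner.example",
    "bigvhost-bad1.example", "bigvhost-bad2.example", "bigvhost-bad3.example",
}


def fake_resolve(name: str) -> Optional[str]:
    """Stand-in resolver: returns the constructed A record or None."""
    return FAKE_DNS.get(name)


class IpHintPolicy:
    """Decides whether a freshly reported domain may be listed automatically."""

    def __init__(self, listed: Iterable[str], resolve: Callable[[str], Optional[str]],
                 min_shared: int = 3, exempt_ips: Iterable[str] = (),
                 external_bad_ips: Iterable[str] = ()) -> None:
        self.listed: Set[str] = set(listed)
        self.resolve = resolve
        self.min_shared = min_shared
        self.exempt_ips = set(exempt_ips)
        self.external_bad_ips = set(external_bad_ips)
        # How many listed domains currently resolve to each IP.
        self._ip_counts: Counter = Counter()
        for domain in self.listed:
            ip = self.resolve(domain)
            if ip:
                self._ip_counts[ip] += 1

    def shared_listings(self, ip: str) -> int:
        """Number of already-listed domains hosted on `ip`."""
        return self._ip_counts[ip]

    def evaluate(self, domain: str) -> Tuple[str, str]:
        """Return ('add' | 'hold' | 'skip', reason) without changing state."""
        if domain in self.listed:
            return "skip", "already listed"
        ip = self.resolve(domain)
        if ip is None:
            return "hold", "does not resolve; needs manual review"
        if ip in self.exempt_ips:            # exemption list wins over every hint
            return "hold", f"{ip} is exempt from automatic listing"
        if ip in self.external_bad_ips:      # external IP list short-circuit
            return "add", f"{ip} is on the external IP blocklist"
        n = self.shared_listings(ip)
        if n >= self.min_shared:             # shared-IP hint
            return "add", f"{ip} already hosts {n} listed domains"
        return "hold", f"{ip} hosts only {n} listed domain(s); normal threshold applies"

    def apply(self, domain: str) -> Tuple[str, str]:
        """Evaluate and, on 'add', record the listing so later hints see it."""
        decision, reason = self.evaluate(domain)
        if decision == "add":
            self.listed.add(domain)
            self._ip_counts[self.resolve(domain)] += 1
        return decision, reason


def make_demo_policy() -> IpHintPolicy:
    """Policy over the constructed data, with the big virtual host exempted."""
    return IpHintPolicy(LISTED, fake_resolve, min_shared=3,
                        exempt_ips={"198.51.100.5"},
                        external_bad_ips={"203.0.113.7"})


if __name__ == "__main__":
    policy = make_demo_policy()
    for reported in ("spamco-new.example", "loner-new.example",
                     "bigvhost-shop.example", "sbl-new.example", "nowhere.example"):
        print(reported, *policy.apply(reported))
```

The exemption check runs before either hint on purpose: an operator who has decided a shared host is too risky for automation should not have that decision undone by the host also appearing in an external IP list. `apply` updates the per-IP counter, so once a fourth domain is added on a spam host the hint keeps firing for the next one.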