On Saturday, April 10, 2004, 10:31:04 PM, Raymond Dijkxhoorn wrote:
Just wanted to say hi! And thanks Jeff and Raymond for the new lists.
You've got the honour of doing the first posting :) I see that most of the people who were in the cc fields of the other mails are now subscribed to the list. I invited the rsync mirrors to the other list also; hopefully they will sign up.
How are things with the BigEvil list, Jeff? I would love to take that out of my configs and put back an RBL for it. It would save some RAM on my setups :)
Hi Everyone, Thanks indeed to everyone for their continued support. You guys have made this project a dream.
Regarding BigEvil, I brought up turning it into an RBL with Chris and he's checking with the data sources last I heard. I certainly hope he gets the green light and we can add it.
BTW, Kelsey and I brainstormed last night and I think we have a way to effectively prejudice new domain reports coming in from SpamCop without reference to SBL or to geographic databases like IP::Country::Fast or any other external sources like I had in mind originally.
It's so simple that I might be tempted to call it elegant:
1. Resolve the incoming spam domains from SC into A and perhaps NS records.
2. Keep a persistent tally counting those IPs (a history).
3. For As or NSes of incoming domains that match many identical or nearby IP tallies (i.e., the new domains use known bad old IPs), drop their inclusion thresholds in some statistically cool and relevant way.
To our thinking, this will automatically and in a self-tuning way catch spam gangs, rogue IPs, rogue blocks, rogue ISPs in any nation, etc. (Manually resolving some of the domains in spams I get seems to show China and a few gangs a lot. I'd dearly like to crush them early and often. Building this refinement into the second version of the sc.surbl.org data engine may very well do that.)
The big advantage is that far fewer reports would be needed for a *new* domain to get added to the list if it has an IP near previously reported domains' IPs. We would expire IPs as we do domains, but probably with a longer time window for IPs, so that cleaned IPs would eventually come off the tallies.
To clarify, the IPs would not get added to any lists, just get used internally to lower the inclusion threshold for the number of SpamCop reports needed to get added. Inclusion would still be triggered by SpamCop reports, but in a more sensitive way for bad guy IPs.
Seems almost too good to be true. Am I missing something?
I may bounce this idea off SA-dev also.
Jeff C.
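The three-step scheme in the message above (resolve, tally, lower the threshold) as a runnable sketch. This is an added example, not the sc.surbl.org data engine or any SURBL code. Everything concrete in it is assumed for illustration: DNS is replaced by an inline table of constructed domains and addresses, "nearby" is taken to mean the same /24, the threshold formula and the base/minimum report counts are my own, and the IP history deliberately ignores a domain's own hits so a domain cannot lower its own threshold.

```python
"""Added illustration (not SURBL code) of "IP history lowers the inclusion
threshold": a domain is listed after N SpamCop reports, and N shrinks when the
domain's A/NS addresses sit on, or in the same /24 as, addresses that other
recently reported domains used. The DNS table, formula, TTLs and the notion of
"nearby" are all assumptions made for this example."""
from collections import defaultdict
import ipaddress

DAY = 86400
BASE_THRESHOLD = 10     # reports needed for a domain with no IP history (assumed)
MIN_THRESHOLD = 2       # never list on fewer than this many reports (assumed)
IP_TTL = 30 * DAY       # IP history outlives report history so cleaned IPs age out
REPORT_TTL = 7 * DAY    # reports older than this no longer count (assumed)

# Constructed stand-in for DNS: domain -> (A records, addresses of its NS hosts).
FAKE_DNS = {
    "pillz-one.example":   (["203.0.113.10"], ["203.0.113.53"]),
    "pillz-two.example":   (["203.0.113.11"], ["203.0.113.53"]),
    "pillz-three.example": (["203.0.113.12"], ["203.0.113.53"]),
    "newgang.example":     (["203.0.113.40"], ["198.51.100.53"]),
    "innocent.example":    (["192.0.2.7"],    ["192.0.2.53"]),
}


def resolve(domain):
    """Step 1: the A and NS-host addresses a domain resolves to (stubbed)."""
    a, ns = FAKE_DNS.get(domain, ([], []))
    return set(a) | set(ns)


def block24(ip):
    """'Nearby' here means the same /24 (an assumption; a real engine might
    use allocation boundaries instead)."""
    return ipaddress.ip_network(f"{ip}/24", strict=False)


class ThresholdEngine:
    def __init__(self):
        self.ip_seen = defaultdict(dict)   # Step 2: ip -> {domain: last report time}
        self.reports = defaultdict(list)   # domain -> timestamps of SpamCop reports
        self.listed = set()

    def _expire(self, now):
        """Drop IP history older than IP_TTL and reports older than REPORT_TTL."""
        for ip in list(self.ip_seen):
            self.ip_seen[ip] = {d: t for d, t in self.ip_seen[ip].items()
                                if now - t <= IP_TTL}
            if not self.ip_seen[ip]:
                del self.ip_seen[ip]
        for d in list(self.reports):
            self.reports[d] = [t for t in self.reports[d] if now - t <= REPORT_TTL]

    def history_score(self, domain, now):
        """Step 3 input: how many *other* domains were recently seen on this
        domain's addresses (exact hit) or in their /24s (nearby, half weight).
        Excluding the domain itself keeps it from lowering its own threshold."""
        self._expire(now)
        ips = resolve(domain)
        blocks = {block24(ip) for ip in ips}
        exact, nearby = set(), set()
        for ip, seen in self.ip_seen.items():
            others = set(seen) - {domain}
            if ip in ips:
                exact |= others
            elif block24(ip) in blocks:
                nearby |= others
        return len(exact) + 0.5 * len(nearby - exact)

    def threshold(self, domain, now):
        """Reports needed before this domain is listed; shrinks with history
        (assumed formula: BASE / (1 + score), floored at MIN_THRESHOLD)."""
        score = self.history_score(domain, now)
        return max(MIN_THRESHOLD, round(BASE_THRESHOLD / (1 + score)))

    def report(self, domain, now):
        """Record one SpamCop report; return True when the domain becomes listed.
        Listing is still triggered only by reports, never by the IP tally alone."""
        self.reports[domain].append(now)
        for ip in resolve(domain):
            self.ip_seen[ip][domain] = now
        needed = self.threshold(domain, now)   # also prunes expired history
        if len(self.reports[domain]) >= needed:
            self.listed.add(domain)
            return True
        return False


def reports_needed(engine, domain, now):
    """Feed reports for a domain until it lists; return how many it took."""
    for n in range(1, BASE_THRESHOLD + 1):
        if engine.report(domain, now):
            return n
    return None
```

With the constructed table, the first domain on 203.0.113.0/24 needs the full ten reports, the second needs five because it shares the NS host and the block, the third needs three, and a brand-new domain that merely lands in the same /24 starts at four. Once the IP history ages out, every domain is back to ten, which is the self-correcting behaviour the message asks for.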