On Friday, May 12, 2006, 12:47:10 PM, SM SM wrote:
> At 09:31 12-05-2006, Brandon Hutchinson wrote:
>> Using the "www.freecat.biz" example: assuming this is a phishing domain, would also including "freecat.biz" in SURBL be a bad idea? Are there cases where we should "trust" the base domain even when a subdomain is used in a phishing email?
> You would look up freecat.biz in the above example. See http://www.surbl.org/implementation.html for implementation guidelines. If it is a phishing email, I would not trust the base domain.
Probably we're not providing enough context to be clear. Brandon's concern was that there were records like www.freecat.biz in the blacklists that won't match the type of checking specified in the Implementation Guidelines:
http://www.surbl.org/implementation.html
Normally we would blacklist freecat.biz, not www.freecat.biz, if the domain were known bad. In a few rare cases hosts or subdomains are blacklisted where the domain may be ok, but the host or subdomain isn't. So phishing.legitimate-free-host.com might be blacklisted. That actually violates our own specification, so in a sense it's not too clever for us to blacklist. So that's addressing an inconsistency on the blacklist data side.
On the application side, if phishing.legitimate-free-host.com or www.freecat.biz appeared in a message, they should properly be reduced to legitimate-free-host.com and freecat.biz before checking against the blacklists. Unless the unqualified domains were actually blacklisted, they would not match (www.freecat.biz is not the same as freecat.biz). In a sense that is an error: a mismatch between the blacklist data and the application's handling of message URI data. But the error is really on the data side, so there's no need to do anything off-spec with the applications. Yes, it may cause a few spams or phishes to be missed, but they're very rare and obscure.
HTH,
Jeff C. -- Don't harm innocent bystanders.
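An added illustration of the reduction step discussed in this thread, written for this page and not taken from SURBL or from any poster: hostnames found in message URIs are reduced to their base domain before the lookup, and a separate check flags blacklist entries that were not themselves reduced (the data-side inconsistency Jeff describes). The two-level-TLD subset, the blacklist contents and the sample message are constructed; the URL regex is a deliberate simplification of what a real implementation would use.

```python
import re

# Constructed subset of TLDs that themselves span two labels, so the
# registrable domain keeps three labels (e.g. example.co.uk). A real
# implementation would use the full list the guidelines point to.
TWO_LEVEL_TLDS = {"co.uk", "org.uk", "com.au", "co.jp"}

# Constructed blacklist mirroring the thread: freecat.biz is listed as a base
# domain (correct), while phishing.legitimate-free-host.com is a host-level
# entry that the implementation guidelines say should not be there.
BLACKLIST = {"freecat.biz", "phishing.legitimate-free-host.com"}

# Constructed sample message with three URIs.
SAMPLE_MESSAGE = """Constructed sample: verify your account at
http://www.freecat.biz/login or at http://phishing.legitimate-free-host.com/x
and read more at http://example.co.uk/"""

# Simplified URL pattern: scheme followed by a hostname of letters, digits,
# dots and hyphens. Good enough for the demonstration, not for production.
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def base_domain(hostname):
    """Reduce a hostname to its registrable base domain.

    Keeps the last two labels, or the last three when the final two labels
    together form a two-level TLD such as co.uk. Lower-cases the name and
    drops any trailing dot so lookups are consistent.
    """
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) <= 2:
        return ".".join(labels)
    if ".".join(labels[-2:]) in TWO_LEVEL_TLDS:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def extract_hostnames(text):
    """Return the hostnames of all http(s) URIs in the message text, in order."""
    return [m.group(1) for m in URL_RE.finditer(text)]


def is_listed(hostname, blacklist=BLACKLIST):
    """Spec-conformant lookup: reduce to the base domain first, then check."""
    return base_domain(hostname) in blacklist


def check_message(text, blacklist=BLACKLIST):
    """Map each URI hostname in the message to (base_domain, listed)."""
    return {h: (base_domain(h), is_listed(h, blacklist)) for h in extract_hostnames(text)}


def find_offspec_entries(blacklist=BLACKLIST):
    """Return blacklist entries that are not already reduced to a base domain.

    These are the data-side inconsistencies the thread describes: a conforming
    application will never look them up, because it reduces hostnames first.
    """
    return sorted(e for e in blacklist if base_domain(e) != e)


if __name__ == "__main__":
    for host, (base, listed) in check_message(SAMPLE_MESSAGE).items():
        print(f"{host:40} -> {base:30} listed={listed}")
    print("off-spec blacklist entries:", find_offspec_entries())
```

Running the block shows www.freecat.biz reduced to freecat.biz and matched, while phishing.legitimate-free-host.com reduces to legitimate-free-host.com and is not matched, exactly the miss Jeff expects; find_offspec_entries reports the host-level entry so the fix can be made on the data side rather than in the application.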