Thanks to everyone for the comments so far. To respond to some of the questions:
1. A SpamAssassin rule would need to be added to tell it to use the 128th bit if we added XS to multi; for 3.2:
urirhssub URIBL_XS_SURBL multi.surbl.org. A 128
body URIBL_XS_SURBL eval:check_uridnsbl('URIBL_XS_SURBL')
describe URIBL_XS_SURBL Contains an URL listed in the XS SURBL blocklist
tflags URIBL_XS_SURBL net
#reuse URIBL_XS_SURBL
(Don't add this yet, the list is not active yet.)
2. Generally IPs are not used in URIs, so the chance of FPs should be small. People hosting web sites on dynamic IPs usually use dynamic DNS to refer to them by domain names instead.
3. Risk of FPs generally increases where SURBLs are incorrectly used as IP blacklists, where domains are resolved and checked against SURBLs, where SURBLs are used to check headers, etc. All of those are arguably misuses. SURBLs should only be used to check message body URIs. Other unintended uses may give unexpected results.
4. Yes, the IPs would be expired. (All SURBL records should be expired.) The optimal expiration time is yet to be determined but would probably be a few days. Does anyone have data on how long a given IP is advertised?
5. Regarding blacklisting AOL's web site IP addresses, given that they are usually referred to by domain name and not IP, it should not have any significant impact. (But see #3.) If they did get added, we could remove or whitelist them.
6. We may put additional filters on the IPs like needing to be on PBL, SBL, XBL, etc. AOL/Google/Yahoo/MSN's IPs probably aren't on any major blacklists, so that would be another way to prevent possible FPs. We may also use internal IP whitelists.
7. Regarding Paul's concern about cracked university servers, #2 should apply. Presumably most universities, etc., refer to their web sites by domain name and not IP. (See #3 again too.)
Comments?
Jeff C.
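
An added example, not part of the original post or of SpamAssassin: a Python sketch of the lookup the rule above describes, restricted to IP-literal hosts in message body URIs (points 2 and 3) and testing mask 128 against the answer. It assumes IPs are queried with octets reversed, as is usual for DNS lists; the function names, sample body and answer table are constructed, and the resolver is injected so nothing is queried.

```python
import ipaddress
import re
from urllib.parse import urlsplit

ZONE = "multi.surbl.org"  # zone named in the urirhssub line
XS_BIT = 128              # mask value from the urirhssub line
URI_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def body_uri_hosts(body):
    """Hosts of http(s) URIs found in a message body (headers are not scanned)."""
    hosts = []
    for uri in URI_RE.findall(body):
        host = urlsplit(uri).hostname
        if host:
            hosts.append(host)
    return hosts

def ip_query_name(host, zone=ZONE):
    """Lookup name for an IPv4-literal host, octets reversed (assumed convention).
    Returns None for domain names: they are never resolved to IPs here."""
    try:
        ip = ipaddress.IPv4Address(host)
    except ValueError:
        return None
    return ".".join(reversed(str(ip).split("."))) + "." + zone

def is_xs_listed(a_record, mask=XS_BIT):
    """Test the mask against the last octet of a 127.0.0.x answer."""
    if a_record is None:  # no record: not listed
        return False
    packed = ipaddress.IPv4Address(a_record).packed
    if packed[:3] != b"\x7f\x00\x00":
        return False  # not a list answer, e.g. a wildcarding resolver
    return bool(packed[3] & mask)

def check_body(body, lookup):
    """lookup(name) returns an A record string or None (injected, offline)."""
    hits = []
    for host in body_uri_hosts(body):
        name = ip_query_name(host)
        if name and is_xs_listed(lookup(name)):
            hits.append(host)
    return hits

# Constructed sample: documentation-range IPs and a made-up answer table.
SAMPLE_BODY = ("Buy now http://192.0.2.10/x.html or see "
               "http://www.example.com/ and http://198.51.100.7/")
SAMPLE_ANSWERS = {"10.2.0.192.multi.surbl.org": "127.0.0.128",
                  "7.100.51.198.multi.surbl.org": "127.0.0.4"}  # XS bit clear
```

Calling check_body(SAMPLE_BODY, SAMPLE_ANSWERS.get) reports only the host whose answer has the 128 bit set; the domain-name URI never produces a query.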