BigEvil.cf and MidEvil.cf are now available in SURBL form as be.surbl.org, for use with SpamCopURI SpamAssassin 2.63 and URIDNSBL SpamAssassin 3.0 plugins. Thanks Chris, Paul and Gary Funck!

Here's an excerpt about the new list from the Quick Start section:

http://www.surbl.org/

Chris Santerre and Paul Barbeau's BigEvil and MidEvil SpamAssassin rules are now available as an SURBL for use with plugins and programs such as those mentioned above which can extract message body URI domains and compare them against name-based RBLs. The name of the list is be.surbl.org, and some sample rules and scores to use it appears below. The well-known and popular BigEvil and MidEvil SA rulesets are used to block messages based on domains that have occurred in spam message body URIs. Using this as an SURBL instead allows you to remove this relatively large ruleset from SA memory and lets DNS cache the data in a zone file instead, querying SURBL hits from DNS as needed.

An SA 2.63 rule and score using SpamCopURI (but not the SpamCop data!) looks like this:

uri BE_URI_RBL eval:check_spamcop_uri_rbl('be.surbl.org','127.0.0.2') describe BE_URI_RBL URI's domain appears in BigEvil tflags BE_URI_RBL net

score BE_URI_RBL 3.0

An SA 3.0 rule and score using URIBL's urirhsbl looks like this:

urirhsbl URIBL_BE_SURBL be.surbl.org. A header URIBL_BE_SURBL eval:check_uridnsbl('URIBL_BE_SURBL') describe URIBL_BE_SURBL Contains a URL listed BigEvil tflags URIBL_BE_SURBL net

score URIBL_BE_SURBL 3.0

be.surbl.org can be used alone or with other SURBL lists; all that's needed are different rule and score names, as we've shown in the samples. More information about be.surbl.org can be found in the Additional SURBLs section.

http://www.surbl.org/additional.html

be.surbl.org joins Bill Stearns' sa-blacklist-based ws.surbl.org and my own SpamCop URI-based sc.surbl.org SURBLs. All are described more at the site.

Please send me any questions, comments, corrections, updates, etc.

Cheers,

Jeff C.

P.S. We will probably offer a combined list at some point. We're still working out the details of that. Until then it's quite possible to use one or more of the lists simply by using separate SA rules for each one that you want to use, as shown in the Quick Start samples.

P.P.S. The sample rules have been updated to mention "SpamCop" only in the descriptions of rules that actually use SpamCop data. -- Jeff Chan

Hi, You seem to put a lot of emphasis on the memory taken up by these two lists in memory. When I removed them, spamd's memory utilisation went down only 1.9MB (down from 33.5MB to 31.6MB). Now unless you are really strapped for memory, I don't see this as a great advantage. What's quicker execution-wise...a regex of the list in memory, or a DNS lookup/eval...I would imagine the later, but does anybody know? The obvious advantage is that one doesn't have to update the cf files manually. What's the TTL for entries in this database?

Cheers Scott