When was the last time Microsoft got listed in surbl?
Smaller lists might end up being sent from a false positive domain and the idea is that surbl test pattern (queries/minutes, burst/continuous, historical comparisons, geolocation and perhaps other metrics) should allow to differentiate between such a list and a spam run.
Spammers could add some fake URIs like yahoo.com, gmail.com, microsoft.com to their spam runs so that their mails get a hammy score (if surbl gives a negative score using some whitelisted URIs). Also, spammers could use a badly configured good intentioned mailing list like sourceforge.net or through services like yahoo.com, gmail.com etc could reduce the accuracy. Having a grey +ve score for URIs queried from MTAs with patterns matching a spam run is a nice idea though.
-- Skar.
On Thursday, August 10, 2006, 3:53:16 AM, opencomputing opencomputing wrote:
When was the last time Microsoft got listed in surbl?
Smaller lists might end up being sent from a false positive domain and the idea is that surbl test pattern (queries/minutes, burst/continuous, historical comparisons, geolocation and perhaps other metrics) should allow to differentiate between such a list and a spam run.
Spammers could add some fake URIs like yahoo.com, gmail.com, microsoft.com to their spam runs so that their mails get a hammy score (if surbl gives a negative score using some whitelisted URIs).
We don't use any negative scores anywhere. Our internal whitelist is only used to exclude domains from blacklisting.
Jeff C. -- Don't harm innocent bystanders.
Spammers could add some fake URIs like yahoo.com, gmail.com, microsoft.com to their spam runs so that their mails get a hammy score (if surbl gives a negative score using some whitelisted URIs).
We don't use any negative scores anywhere. Our internal whitelist is only used to exclude domains from blacklisting.
OK. So the idea is to have grey scores instead of listed or unlisted, so that a bigger score means the URI is found in a lot of spam runs, while lesser score means the URI isn't so prevalent?
-- skar.
opencomputing@gmail.com wrote:
When was the last time Microsoft got listed in surbl? Smaller lists might end up being sent from a false positive domain and the idea is that surbl test pattern (queries/minutes, burst/continuous, historical comparisons, geolocation and perhaps other metrics) should allow to differentiate between such a list and a spam run.
Spammers could add some fake URIs like yahoo.com, gmail.com, microsoft.com to their spam runs so that their mails get a hammy score (if surbl gives a negative score using some whitelisted URIs).
No, because the 'Spam in Progress' bit could only be set for listed domains.
A domain would never be listed only because it's sending mail. The 'Spam in Progress' bit would be asserted only if:
- The domain is already listed and
- Global traffic matches the recipe for identifying a spam in progress (amount, number of different servers, geographic diversity (?), any other metric)
Also, spammers could use a badly configured good intentioned mailing list like sourceforge.net or through services like yahoo.com, gmail.com etc could reduce the accuracy.
Same goes here, as long as sourceforge.net does not get listed, surbl queries generated by their list won't have them listed. Spammy can subscribe to any sourceforge lists he wants.
Having a grey +ve score for URIs queried from MTAs with patterns matching a spam run is a nice idea though.
What's missing is data for ham / spam runs, so that it can be analyzed and see what characteristics are a significant differentiator. However, that's sensitive data, and it should be anonymized (last IP byte(s?)=0) before being released, else it gives a map of who's using the service!
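
The rule discussed in this thread, as an added example that is not part of any poster's message or of SURBL's code: the 'Spam in Progress' bit is asserted only for a domain that is already listed and whose query traffic matches a burst pattern, computed over resolver addresses anonymized by zeroing the last byte. The log format, domain names, thresholds and function names are all assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample query log: (unix time, querying resolver IP, queried domain).
QUERIES = [
    (1000, "192.0.2.17", "pills.example"),
    (1005, "198.51.100.4", "pills.example"),
    (1010, "203.0.113.80", "pills.example"),
    (1020, "192.0.2.99", "pills.example"),
    (1030, "198.51.100.200", "pills.example"),
    (1040, "203.0.113.5", "sourceforge.net"),
    (1045, "192.0.2.17", "sourceforge.net"),
    (1050, "198.51.100.4", "sourceforge.net"),
    (1055, "203.0.113.9", "sourceforge.net"),
    (1058, "192.0.2.3", "sourceforge.net"),
    (5000, "192.0.2.17", "old-spam.example"),
]
LISTED = {"pills.example", "old-spam.example"}  # constructed blacklist

# Assumed "recipe" thresholds; the thread does not define real values.
WINDOW_SECONDS = 60
MIN_QUERIES = 5
MIN_NETWORKS = 3


def anonymize(ip):
    """Zero the last byte of an IPv4 address before it is stored or released."""
    return str(ipaddress.ip_network(ip + "/24", strict=False).network_address)


def spam_in_progress(queries, listed):
    """Return {domain: bit}; the bit is True only for listed domains in a burst."""
    per_domain = defaultdict(list)
    for ts, ip, domain in queries:
        per_domain[domain].append((ts, anonymize(ip)))
    flags = {}
    for domain, hits in per_domain.items():
        hits.sort()
        burst, start = False, 0
        for end in range(len(hits)):
            # Slide the window so it spans at most WINDOW_SECONDS.
            while hits[end][0] - hits[start][0] > WINDOW_SECONDS:
                start += 1
            window = hits[start:end + 1]
            networks = {net for _, net in window}
            if len(window) >= MIN_QUERIES and len(networks) >= MIN_NETWORKS:
                burst = True
                break
        # Gate on the existing listing: traffic alone never sets the bit.
        flags[domain] = burst and domain in listed
    return flags
```

In the constructed data, sourceforge.net shows the same burst shape as pills.example but stays unflagged because it is not listed.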