Hi Chris,
At 08:09 08-09-2004, Chris Santerre wrote:
NO it doesn't! The point was..... it's interesting!! :) 123inkjets has been linked to a ton of other spam domains. The fact that they have customers makes it legit???? SO anyone who falls for these spams and buys something, makes it legit? Think about that. Where do you draw the line?
If a few legitimate customers are enough to get a domain off a blacklist, then most of the domains currently listed will sooner or later get off. There will always be false positives because one man's spam is another man's ham. Someone should draw the line somewhere.
Regards, -sm
Sm wrote:
If a few legitimate customers are enough to get a domain off a blacklist, then most of the domains currently listed will sooner or later get off. There will always be false positives because one man's spam is another man's ham. Someone should draw the line somewhere.
I definitely agree that this merits more discussion... and I see that there has been more discussion.
...and forgive me for stating the obvious...
But, I would add that a huge consideration is the obfuscation techniques of the spammer based on the sending server and the contents of the spam. For example, if every other word is spliced with a fake html tag or if the spam is being propagated by a virus, then (unless it's some kind of "joe jobs" smear campaign), you can count on it being spam.
Rob McEwen
On Wednesday, September 8, 2004, 7:49:49 PM, Rob McEwen wrote:
But, I would add that a huge consideration is the obfuscation techniques of the spammer based on the sending server and the contents of the spam. For example, if every other word is spliced with a fake html tag or if the spam is being propagated by a virus, then (unless it's some kind of "joe jobs" smear campaign), you can count on it being spam.
Yes, detecting obfuscation and tagging because of it is one thing SpamAssassin is good at. SA is also able to deobfuscate advertised URIs so they can be checked using SURBLs, etc.
Jeff C.
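The fake-tag splicing Rob describes, as an added example that is not part of the thread and not SpamAssassin's own code: a heuristic that flags unknown tags or comments sitting inside a word and strips them to recover the readable text. The tag allow-list, function names and sample messages are constructed for illustration.

```python
import re

# Small constructed allow-list of real HTML element names; any other tag
# name is treated as "fake" by this heuristic.
KNOWN_TAGS = {
    "a", "b", "body", "br", "div", "em", "font", "h1", "h2", "h3", "head",
    "hr", "html", "i", "img", "li", "ol", "p", "span", "strong", "table",
    "td", "th", "tr", "u", "ul",
}

# A tag or comment sitting directly between two letters, i.e. inside a word.
INTRA_WORD = re.compile(
    r"(?<=[A-Za-z])<(!--.*?--|/?([A-Za-z][\w-]*)[^<>]*)>(?=[A-Za-z])", re.S
)


def _is_fake(match):
    """Comments (no tag name) and unknown tag names count as splices."""
    name = match.group(2)
    return name is None or name.lower() not in KNOWN_TAGS


def find_splices(html):
    """Return the unknown tags/comments that split a word in two."""
    return [m.group(0) for m in INTRA_WORD.finditer(html) if _is_fake(m)]


def deobfuscate(html):
    """Remove intra-word fake tags so the words read normally again."""
    return INTRA_WORD.sub(lambda m: "" if _is_fake(m) else m.group(0), html)


def splice_ratio(html):
    """Splices per visible word: near 0 for normal mail, high when spliced."""
    text = re.sub(r"<[^<>]*>", " ", deobfuscate(html))
    words = re.findall(r"[A-Za-z]+", text)
    return len(find_splices(html)) / max(len(words), 1)


# Constructed sample bodies (not taken from real mail).
SPAM = ("<html><body><p>Che<xyzzy>ap ink<!--q7-->jet car<qq1>tridges, "
        "or<zz>der to<k9>day</p></body></html>")
HAM = "<html><body><p>Your <b>order</b> has shipped.<br>Thank you!</p></body></html>"

if __name__ == "__main__":
    for label, body in (("spam", SPAM), ("ham", HAM)):
        print(label, find_splices(body), round(splice_ratio(body), 2))
```
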
On Wednesday, September 8, 2004, 2:08:08 PM, SM wrote:
Hi Chris,
At 08:09 08-09-2004, Chris Santerre wrote:
NO it doesn't! The point was..... it's interesting!! :) 123inkjets has been linked to a ton of other spam domains. The fact that they have customers makes it legit???? SO anyone who falls for these spams and buys something, makes it legit? Think about that. Where do you draw the line?
If a few legitimate customers are enough to get a domain off a blacklist, then most of the domains currently listed will sooner or later get off. There will always be false positives because one man's spam is another man's ham. Someone should draw the line somewhere.
Yes, we have drawn a line. A domain that's mostly used in spam will probably get listed. A domain that's only being used in spam will definitely get listed. A domain that's mostly used in legitimate messages probably won't get listed. A domain that's only used in legitimate messages definitely won't get listed.
We currently have more than 60 thousand records of domains or IP addresses listed as spammers, with many new ones added every day. Those lists include many major spammers and probably some minor ones. Certainly they represent many millions of spams being blocked every day.
What we don't want to do is to include records that are mentioned in legitimate, non-spam messages, since we don't want legitimate messages to be blocked. Note that I didn't say anything about spammers' customers. We don't really care whether spammers have customers or not. We care about where the domains and IP addresses are getting mentioned. If they're being used in a significant number of legitimate messages, such as large newsletters, then we don't want to list.
It still seems that there is some misunderstanding about what we are doing.
We are not creating lists of every domain or IP address that has ever been mentioned in spams. Such a list would not be generally useful since there would be too many legitimate messages blocked if it was used. Steve's definition of "listing domains and IPs that have *only* appeared in spams" is better.
If the difference between these two cases is not clear, then the issue is perhaps a lack of understanding. If the difference or the reasons for them are not clear, then please ask questions.
Please note that we are trying to create a tool for general use at ISPs, etc. We are not trying to create a tool for home users or other individuals who can afford to block every potential spam, where their friends' emails are unlikely to ever contain a spam domain or IP. Blocking on large scale mail systems has a much bigger impact on spammers since it blocks more of their messages further upstream. It gets us "the most bang for the buck" and blocks the most spam. Focussing on a provider-grade tool is the most effective use of our efforts, and it fits systems like SpamAssassin, MTAs, enterprise mail systems, etc. best. Yes you can run SA, Postfix, sendmail, etc. at home, on your personal server, etc., but that's not the main focus for SURBLs.
Jeff C.