----- Original Message ----- From: "Daryl C. W. O'Shea" spamassassin@dostech.ca
Was the whitelist you were referring to really the SURBL server-side
whitelist?
Yes! But local SURBL whitelists are needed to reduce traffic and time.
I'd much rather see SURBL respond with 127.0.0.0 with a really large TTL for white listed domains. Any sensible setup will run a local DNS cache which will take care of the load and time issue.
I agree, and have suggested a whitelist SURBL several times on the SURBL discussion list, but it has always fallen on deaf ears - nary a response. It would be nice if someone would at least respond as to why this is not a reasonable suggestion.
Bill
On Wed, 8 Dec 2004 08:03:35 -0800, Bill Landry billl@pointshare.com wrote:
I agree, and have suggested a whitelist SURBL several times on the SURBL discussion list, but it has always fallen on deaf ears - nary a response. It would be nice if someone would at least respond as to why this is not a reasonable suggestion.
The flaw in offering a DNS based whitelist is that it encourages people to place a negative score on it. The problem with this is that spammers can poison messages with whitelisted domains, thereby bypassing the power of the SURBL.
The concept of "Whitelist" in the SURBL world is more of an "Exclusion List" as in "we exclude these domains from being listed" rather than we consider the presence of these domains in an email to be a good sign of ham.
An excluded domain is therefore ignored in all data and not allocated a score positively or negatively, so trying to poison a message with whitelisted domains is therefore pointless.
I think we either need to look at a DNS version of uridnsbl_skip_domain with long TTLs or we should look at releasing a .cf file. I personally think the more proper implementation may be the DNS based version in order to avoid BigEvil type situations.
Cheers! -- Regards,
David Hooton
On Wednesday, December 8, 2004, 8:03:35 AM, Bill Landry wrote:
----- Original Message ----- From: "Daryl C. W. O'Shea" spamassassin@dostech.ca
Was the whitelist you were referring to really the SURBL server-side
whitelist?
Yes! But local SURBL whitelists are needed to reduce traffic and time.
I'd much rather see SURBL respond with 127.0.0.0 with a really large TTL for white listed domains. Any sensible setup will run a local DNS cache which will take care of the load and time issue.
I agree, and have suggested a whitelist SURBL several times on the SURBL discussion list, but it has always fallen on deaf ears - nary a response. It would be nice if someone would at least respond as to why this is not a reasonable suggestion.
Bill, we did discuss this several times before. Some of the discussion may have been behind the scenes in the development of uridnsbl_skip_domain:
http://bugzilla.spamassassin.org/show_bug.cgi?id=3805
but we also discussed it on the SURBL discussion list. As I recall some of the arguments against it included:
1. Possible misuse: i.e. mistakenly using it as a blacklist.
2. Performance: A relatively small number of domains appear most frequently in hams, like yahoo.com, w3.org, etc. The point of diminishing returns in publishing as a DNS list more than a few hundred whitelisted domains is reached quickly in terms of decreasing frequency of hits. Some of this can be seen in the whitelist sample hit count stats at:
http://www.surbl.org/dns-queries.whitelist.counts.txt
A cursory statistical analysis will prove my point.
3. Whitehat domains are pretty stable. They tend not to change over the course of many months or even years.
4. Blackhat domains in contrast tend to change rapidly. There is statistical research showing that most spam domains are only used for a few days, then discarded.
5. Therefore the size and rapid changes of spam domains are more appropriately communicated in DNS lists than whitehat domains.
There may have been other arguments, but these are probably the key ones.
Jeff C.
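The difference between a negatively scored whitelist and an exclusion list, as discussed in the thread, can be shown with a small scoring model. This is an added example, not code from any poster or from SpamAssassin or SURBL; the domain sets, score values and function names are constructed for illustration, and taking the last two host labels as the registered domain is a simplification.

```python
import re

# Constructed sample data, not real SURBL contents.
BLOCKLIST = {"cheap-pills-example.test"}   # stands in for SURBL listings
EXCLUDED = {"yahoo.com", "w3.org"}         # stands in for uridnsbl_skip_domain entries

URI_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)

def uri_domains(body):
    """Return each URI host reduced to its last two labels, deduplicated, in order."""
    out = []
    for host in URI_RE.findall(body):
        dom = ".".join(host.lower().rstrip(".").split(".")[-2:])
        if dom not in out:
            out.append(dom)
    return out

def score_whitelist(body, hit=4.0, bonus=-2.0):
    """Policy A: listed domains add points, whitelisted domains subtract points."""
    score = 0.0
    for dom in uri_domains(body):
        if dom in BLOCKLIST:
            score += hit
        elif dom in EXCLUDED:
            score += bonus
    return score

def score_exclusion(body, hit=4.0):
    """Policy B: excluded domains are skipped before lookup and never scored."""
    score, queried = 0.0, []
    for dom in uri_domains(body):
        if dom in EXCLUDED:
            continue                # no query, no score either way
        queried.append(dom)         # only these would reach the DNS list
        if dom in BLOCKLIST:
            score += hit
    return score, queried

# Constructed messages: the second pads the first with well-known ham domains.
SPAM = "Buy now http://www.cheap-pills-example.test/x"
PADDED = SPAM + " see http://www.yahoo.com/ and http://www.w3.org/TR/"

if __name__ == "__main__":
    print("whitelist policy:", score_whitelist(SPAM), score_whitelist(PADDED))
    print("exclusion policy:", score_exclusion(SPAM), score_exclusion(PADDED))
```

Under policy A the padded message scores lower than the plain one; under policy B both score the same and the excluded domains never generate a query.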