[SURBL-Announce] Bill Stearns' sa-blacklist available as SURBL: ws.surbl.org

Jeff Chan jeffc at surbl.org
Fri Apr 16 16:46:46 CEST 2004


I probably should have introduced this second SURBL list
that can be used together with or in place of sc.surbl.org
before mentioning that its name was changing from sa.surbl.org
to ws.surbl.org.  :-)  Note that the two lists have different
data sources, so strictly speaking one is not a replacement for
the other.  They're two different lists.  sc uses URI domains
from SpamCop reports.  The data source for ws data is described
below.  Both lists have merits and we'd encourage you to consider
trying both. 

Here's an announcement with the additional update that
we've changed the *sample rule names* for the ws list to use
"WS" instead of "SA":
__

  http://www.surbl.org/   (with some live links)

More SURBL lists

In addition to the first SpamCop URI-derived SURBL sc.surbl.org, we
are pleased to host another RBL compatible with the SpamCopURI or
URIDNSBL SpamAssassin plugins, or any other software that can
check message body domains against a name-based RBL. Data for the
second SURBL ws.surbl.org comes from the domains in Bill Stearns'
SpamAssassin blacklist: sa-blacklist. This is a large list of
spam domains, including those found in spam message body URIs.
Both ws.surbl.org and sc.surbl.org SURBLs can be used in the same
SA installation by using two sets of rules.

An SA 2.63 rule and score using SpamCopURI (but not the SpamCop
data!) looks like this: 

uri       WS_URI_RBL  eval:check_spamcop_uri_rbl('ws.surbl.org','127.0.0.2')
describe  WS_URI_RBL  URI's domain appears in spamcop database at ws.surbl.org
tflags    WS_URI_RBL  net

score     WS_URI_RBL  3.0

An SA 3.0 rule and score using URIBL's urirhsbl looks like this:

urirhsbl        URIBL_WS_SURBL  ws.surbl.org.   A
header          URIBL_WS_SURBL  eval:check_uridnsbl('URIBL_WS_SURBL')
describe        URIBL_WS_SURBL  Contains a URL listed in the WS SURBL blocklist
tflags          URIBL_WS_SURBL  net

score           URIBL_WS_SURBL  3.0

More details about ws.surbl.org are available in the section
"Additional SURBLs for spam URI testing" (copied below).

Please note that the name of this list is being changed from
sa.surbl.org to ws.surbl.org. If you were using the old name in
your rules please update them to the new name. 

...

Additional SURBLs for spam URI testing

Additional SURBLs that list domains occurring in spam message
bodies may be used with the same routines that use the
sc.surbl.org RBL.

sa-blacklist available as RBL: ws.surbl.org

In cooperation with Bill Stearns, SURBL is making his
sa-blacklist SpamAssassin blacklist available as the RBL
ws.surbl.org. It can be used in the same way as sc.surbl.org, for
example by adding urirhsbl and SpamCopURI rules as described in
the Quick Start section at the top of this document. Like sc,
ws.surbl.org is available through DNS and, for large-volume mail
servers, as rsynced BIND and rbldns zone files. Raymond
Dijkxhoorn has graciously agreed to host the ws.surbl.org zone
files from his rsync server along with sc.surbl.org's. Please
contact him at rsync at surbl.org for rsync access. 

Both sc and ws RBLs can be used in the same installation. The
choice of using either or both or none is yours. Their data
differs somewhat, and we'll try to briefly describe and link some
of the differences here. Bill's list is rather large at about
9600 domains. It consists of domains found in spam message body
URIs and some spam sender and spam operator domains. Given that
the former are more relevant to isolate these days, most of the
recent additions to Bill's list have been URI domains. Those are
also the domains most relevant for use with the message body
checking approach which we propose throughout this site. 

The data in sa-blacklist and therefore ws.surbl.org differ from
the SpamCop URI report data described above in that the list is
about ten times larger, more stable, and may have a slightly
higher false positive rate. Bill's policy for inclusion and
cleaning of the sa-blacklist is quite sound, however, so folks
should feel comfortable giving this list a try in addition to the
sc list. ws may currently detect some spam that sc misses, and
vice versa, but it's worth mentioning that the current sc is a
working prototype and that we expect the performance of sc to
improve as we tune the sc data engine further. sc just got out of
the gate, yet it already has some worthy competition in ws.
Thanks Bill! 

Because ws is larger and more stable, the zone files for it get
a six hour TTL compared to 10 minutes for sc. Due to the
differences between the time scales, sizes, and data sources of
ws and sc, we probably won't be offering a combined ws plus sc
list. For example it would be difficult to say what TTL a merged
list should get, and you probably would not want a megabyte plus
BIND zone file refreshing every 10 minutes. For those using
rsynced zone files that would probably not be an issue, but for
those using BIND, the DNS traffic quite well could be.

We encourage you to give ws.surbl.org a try.

Please note that the name of this list is being changed from
sa.surbl.org to ws.surbl.org. If you were using the old name in
your rules please update them to the new name.

Jeff C.
-- 
Jeff Chan
mailto:jeffc at surbl.org
http://www.surbl.org/
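
The lookup behind the rules in the announcement above, as an added example that is not part of the original post or SURBL's or SpamAssassin's own code: each message body URI is reduced to a domain, queried as <domain>.<zone>, and counted as listed when the A record is 127.0.0.2. The sample body, the .example domains, the stand-in DNS table and the two-label domain reduction are assumptions made for illustration.

```python
import re
import socket
from urllib.parse import urlsplit

LISTED = "127.0.0.2"                      # answer value used in the SA 2.63 rule above
ZONES = ("ws.surbl.org", "sc.surbl.org")  # both lists, checked independently
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

def body_domains(body):
    """Collect the domains of http(s) URIs found in a message body."""
    domains = set()
    for url in URL_RE.findall(body):
        try:
            host = (urlsplit(url).hostname or "").rstrip(".")
        except ValueError:                # malformed bracketed host
            continue
        labels = host.split(".")
        if len(labels) < 2 or labels[-1].isdigit():
            continue                      # skip bare names and IPv4 literals
        # Simplification (assumption): keep the last two labels. Real
        # deployments need a table of two-level country-code suffixes.
        domains.add(".".join(labels[-2:]))
    return domains

def dns_a(name):
    """Resolve an A record; NXDOMAIN means the domain is not listed."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def check_body(body, zones=ZONES, resolve=dns_a):
    """Return (domain, zone) pairs for every body domain a zone lists."""
    return [(domain, zone)
            for domain in sorted(body_domains(body))
            for zone in zones
            if resolve(f"{domain}.{zone}") == LISTED]

# Constructed sample message body and a constructed stand-in for DNS answers.
SAMPLE_BODY = ("Cheap meds: http://www.shop.pills.example/buy?id=1\n"
               "Mirror http://PILLS.example/ and http://192.0.2.10/x\n"
               "Unsubscribe: http://news.example.org/u\n")
FAKE_DNS = {"pills.example.ws.surbl.org": "127.0.0.2"}

if __name__ == "__main__":
    for domain, zone in check_body(SAMPLE_BODY, resolve=FAKE_DNS.get):
        print(f"{domain} is listed in {zone}")
```

Passing resolve=FAKE_DNS.get keeps the run offline; omitting it sends real DNS queries to the zones.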


