[SURBL-Discuss] Howdy

Jeff Chan jeffc at surbl.org
Sun Apr 11 00:22:07 CEST 2004


On Saturday, April 10, 2004, 10:31:04 PM, Raymond Dijkxhoorn wrote:
>> Just wanted to say hi!
>> And thanks Jeff and Raymond for the new lists.

> You've got the honour of doing the first posting :) I see most are 
> subscribed now on the list, who were in the cc fields of the other mails.
> I invited the rsync mirrors to the other list also, hopefully they will 
> sign up.

> How's things with the BigEvil list, Jeff? Would love to take that out of my 
> configs and put back a RBL for it. Would save some RAM on my setups :)

Hi Everyone,
Thanks indeed to everyone for their continued support.  You guys
have made this project a dream.

Regarding BigEvil, I brought up turning it into an RBL with Chris
and he's checking with the data sources last I heard.  I
certainly hope he gets the green light and we can add it.


BTW, Kelsey and I brainstormed last night and I think we have a
way to effectively prejudice new domain reports coming in from
SpamCop without reference to SBL or to geographic databases like
IP::Country::Fast or any other external sources like I had in mind
originally. 

It's so simple that I might be tempted to call it elegant:

1.  Resolve the incoming spam domains from SC into A and
perhaps NS records.
2.  Keep a persistent tally counting those IPs. (a history)
3.  For As or NSes of incoming domains that match many identical
or nearby IP tallies (i.e., the new domains use known bad old IPs),
drop their inclusion thresholds in some statistically cool and
relevant way. 

To our thinking, this will automatically and in a self-tuning
way catch spam gangs, rogue IPs, rogue blocks, rogue ISPs in any
nation, etc.  (Manually resolving some of the domains in spams I
get seems to show China and a few gangs a lot.  I'd dearly like
to crush them early and often.  Building this refinement into the
second version of the sc.surbl.org data engine may very well do
that.) 

The big advantage is that far fewer reports would be needed
for a *new* domain to get added to the list if it has an IP
near previously reported domains' IPs.  We would expire IPs
like domains, but probably with a longer time window for IPs,
so that cleaned IPs would eventually come off the tallies.

To clarify, the IPs would not get added to any lists, just
get used internally to lower the inclusion threshold for the
number of SpamCop reports needed to get added.  Inclusion would
still be triggered by SpamCop reports, but in a more sensitive
way for bad guy IPs.

Seems almost too good to be true.  Am I missing something?

I may bounce this idea off SA-dev also.

Jeff C.
-- 
Jeff Chan
mailto:jeffc at surbl.org
http://www.surbl.org/
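The threshold-lowering scheme sketched in the post (resolve reported domains to A/NS addresses, keep an expiring tally of those addresses, and require fewer SpamCop reports for a new domain whose addresses match or sit near already-tallied ones), worked through as an added example. This is illustrative code written for this page, not the sc.surbl.org engine. Everything numeric is an assumption: the base threshold of 10 reports, the floor of 2, the 7-day domain and 30-day IP windows, "nearby" meaning the same /24, a half-weight for neighbours, and the 1/(1+evidence) scaling. DNS lookups are replaced by a constructed, fictional table so it runs offline. One detail the post does not spell out is handled explicitly: a domain's own reports are excluded when computing its evidence, so a domain cannot lower its own bar just by being reported repeatedly.

```python
"""Illustrative SpamCop-report threshold engine with an IP history tally.

Added example, not SURBL code. All thresholds, windows and the DNS table are
assumptions constructed for the demonstration.
"""
import math
from collections import defaultdict
from ipaddress import ip_address, ip_network

BASE_THRESHOLD = 10          # assumed: reports needed with no IP history
MIN_THRESHOLD = 2            # assumed floor, so one report is never enough
DOMAIN_WINDOW = 7 * 86400    # assumed: seconds a domain's reports stay live
IP_WINDOW = 30 * 86400       # assumed: longer window for IP tallies, per the post
NEIGHBOR_PREFIX = 24         # assumed: "nearby" means the same /24
NEIGHBOR_WEIGHT = 0.5        # assumed: a same-/24 hit counts half an exact hit

# Constructed stand-in for DNS: domain -> its A addresses and the addresses of
# its nameservers. Fictional (documentation ranges); a real engine would
# resolve A and NS records live.
FAKE_DNS = {
    "first-spammer.example":  {"A": ["203.0.113.10"], "NS": ["198.51.100.5"]},
    "second-spammer.example": {"A": ["203.0.113.11"], "NS": ["198.51.100.5"]},
    "innocent.example":       {"A": ["192.0.2.80"],   "NS": ["192.0.2.53"]},
}


def resolve(domain):
    """Return the set of A and NS-host addresses for a domain (from FAKE_DNS)."""
    rec = FAKE_DNS.get(domain, {})
    return set(rec.get("A", [])) | set(rec.get("NS", []))


def neighborhood(ip):
    """The /NEIGHBOR_PREFIX block an address lives in."""
    return ip_network(f"{ip}/{NEIGHBOR_PREFIX}", strict=False)


class IpHistory:
    """Persistent tally of addresses seen in reported domains.

    Never published as a list; only used to lower inclusion thresholds.
    """

    def __init__(self):
        self.hits = defaultdict(list)   # ip -> [(timestamp, reporting domain)]

    def record(self, ip, domain, now):
        self.hits[ip].append((now, domain))

    def expire(self, now):
        """Drop tallies older than IP_WINDOW so cleaned-up IPs fall off."""
        for ip in list(self.hits):
            self.hits[ip] = [(t, d) for t, d in self.hits[ip] if now - t <= IP_WINDOW]
            if not self.hits[ip]:
                del self.hits[ip]

    def weight(self, ip, domain, now):
        """Evidence against `ip` from domains other than `domain`.

        Exact matches count 1 per hit, same-/24 neighbours NEIGHBOR_WEIGHT per hit.
        """
        self.expire(now)
        net = neighborhood(ip)
        total = 0.0
        for other_ip, hits in self.hits.items():
            n = sum(1 for _, d in hits if d != domain)
            if other_ip == ip:
                total += n
            elif ip_address(other_ip) in net:
                total += NEIGHBOR_WEIGHT * n
        return total


class Engine:
    def __init__(self):
        self.history = IpHistory()
        self.reports = defaultdict(list)   # domain -> [report timestamps]
        self.listed = set()

    def threshold(self, domain, now):
        """Reports needed for `domain`: BASE scaled down by accumulated IP evidence."""
        evidence = sum(self.history.weight(ip, domain, now) for ip in resolve(domain))
        return max(MIN_THRESHOLD, math.ceil(BASE_THRESHOLD / (1 + evidence)))

    def report(self, domain, now):
        """Process one SpamCop report; return True if the domain is listed."""
        self.reports[domain] = [t for t in self.reports[domain] if now - t <= DOMAIN_WINDOW]
        self.reports[domain].append(now)
        for ip in resolve(domain):
            self.history.record(ip, domain, now)
        if len(self.reports[domain]) >= self.threshold(domain, now):
            self.listed.add(domain)
        return domain in self.listed


if __name__ == "__main__":
    e = Engine()
    for t in range(10):                      # first gang domain needs the full 10
        e.report("first-spammer.example", t)
    print("second-spammer threshold:", e.threshold("second-spammer.example", 100))
    print("innocent threshold:", e.threshold("innocent.example", 200))
```

With these assumptions the first domain on 203.0.113.10 / 198.51.100.5 needs all ten reports, while a second domain sharing the nameserver address and sitting in the same /24 is listed after two; a domain on unrelated addresses still needs ten, and once the tallies age past the IP window the bar returns to the base value.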
