[SURBL-Discuss] Howdy

Jeff Chan jeffc at surbl.org
Sun Apr 11 09:47:44 CEST 2004


On Sunday, April 11, 2004, 6:52:56 AM, William Stearns wrote:
> On Sat, 10 Apr 2004, Jeff Chan wrote:
>> It's so simple that I might be tempted to call it elegant:
>> 
>> 1.  Resolve the incoming spam domains from SC into A and
>> perhaps NS records.

>         NS is a little tougher.  I could see us hurting people that left 
> their name service with their registrar or large ISP's that simply host a 
> lot of domains.  It would also be possible for a spammer to simply claim 
> that ns1.earthlink.net and ns2.aol.com are their secondary and tertiary 
> when they aren't.  It's not possible - or at least tougher - to fake A 
> records.

Indeed, that's a strong argument for using A records only.
I really appreciate your feedback!

>> 2.  Keep a persistent tally counting those IPs. (a history)
>> 3.  For As or NSes of incoming domains that match many identical
>> or nearby IP tallies (i.e., the new domains use known bad old IPs),
>> drop their inclusion thresholds in some statistically cool and
>> relevant way. 

Update: I'm thinking of storing class C sized bins for the
tallies.  That's very quick and gets "nearness" automatically.
(In other words, any IPs in the same /24 could be counted
together initially.)  How does that sound?   Do I lose much
by that deliberate imprecision?  How much do the spammers move
IPs?  Would numerical nearness matter/help in detecting them?

>         The approach made sense to me as well.  
> http://www.stearns.org/sa-blacklist/spamip.current.txt is the report
> created from the A record harvesting.
>         I'd be glad to provide the raw data collected over the past 5 
> months.  I also have SOA and whois data for the entire sa-blacklist.

Thanks for the reference!  Checking the list of IPs will probably
answer some of my questions about numbers above, though I kind of
want to get not-invented-here :-) in terms of the engine operation
so I can prove the merits of using the SC data alone.

That said, I will check out the IPs!

Jeff C.
-- 
Jeff Chan
mailto:jeffc at surbl.org
http://www.surbl.org/



More information about the Discuss mailing list