[SURBL-Discuss] BigEvil + MidEvil as SURBL

Jeff Chan jeffc at surbl.org
Wed Apr 21 07:34:52 CEST 2004


On Wednesday, April 21, 2004, 6:30:05 AM, Chris Santerre wrote:
> Paul and I are still working out how we can merge ME and BE
> together without a lot of work. But I have no problems at all combining the
> ME and BE together and letting Paul add just as much as me. He knows my
> basic criteria for checking the domains. 

Sounds good.  Can you let me know what kind of TTL I should set?

Basically I'd like to set the lifetime of the zone info to
something relevant towards how often you and Paul usually
update the lists.  Nothing too specific is needed, just a
general idea.  Like is it daily, twice a day, every other
day on average, etc.

Also does this TXT record work for you guys:

  "Blocked in BigEvil. See: http://www.rulesemporium.com/"

It was just a generic placeholder.  I'd like
comments/improvements on it.

> 1) BigEvil wildcards. Not sure how you would handle these. Something like
> evil\d{2,4}spam\.com is a general wildcard. Some of those domains don't even
> exist. Not sure how SURBL will handle that.

Yes, I should have mentioned that I'm simply discarding them.
Unfortunately there's no easy way to deal with them.  Domains
without any patterns in them, which are a majority, come right
through.  The script is at:

  http://spamcheck.freeapp.net/handle-bigevil

  http://spamcheck.freeapp.net/clean-bigevil.sed

> 2) Where would I send updates? As single domains, or a txt list? How would I
> remove an FP?

As you can see from the script, we are web-grabbing copies of
both .cf files every time the script is run, which is currently
hourly.   It's all automatic; all you guys need to do is have
the current versions on your web sites.

> 3) What is the quickest way to check a domain against the other SURBL lists?
> Basically I see no reason to duplicate the listings. *gulp* and on a
> Windowze machine? (Don't ask!)

I wouldn't worry too much about that for now. For now we just
want to get an accurate record of everything.  We're working on
ways to merge things next.

> 4) Has there been any talk with the sendmail people? It would be interesting
> to actually block at the MTA level based on an evil URL. I realise the
> inherent dangers in this ;)

Yes, there is talk about sendmail milters using SURBLs.  I
haven't heard of anyone doing one yet, but they're feasible.
The limiting factor is the FP rate.  FPs must be as close to
zero as possible before people will dare to reject spams at the
MTA level using SURBLs, other than perhaps for personal servers,
etc.

Jeff C.
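
The conversion step discussed in this message (plain domains pass through, wildcard patterns are discarded), sketched as an added example; it is not the handle-bigevil script or clean-bigevil.sed linked above. It assumes each .cf rule is a single-line SpamAssassin `uri` rule of the form `/\b(?:a\.com|b\.net)\b/i`; the rule name, the domains, the TTL and the 127.0.0.2 answer are constructed placeholders.

```python
import re

# Constructed sample rule in SpamAssassin uri-rule style; not real list data.
SAMPLE_CF = r"""
uri EXAMPLE_EVIL_1 /\b(?:cheap-pills\.example|evil\d{2,4}spam\.com|win-big\.example\.net|(?:www\.)?mortgage[a-z]+\.example)\b/i
describe EXAMPLE_EVIL_1 Constructed example rule
"""
# Assumed rule shape: uri NAME /\b(?:alt1|alt2|...)\b/i
RULE = re.compile(r"\s*uri\s+\S+\s+/\\b\(\?:(.*)\)\\b/i\s*$")
# A plain hostname once the escaped dots are unescaped.
LITERAL = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$")

def split_alternatives(body):
    """Split a regex body on '|' only outside groups and character classes."""
    parts, cur, depth, in_class, i = [], [], 0, False, 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):   # keep escapes such as \. or \d intact
            cur.append(body[i:i + 2]); i += 2; continue
        if in_class:
            in_class = ch != "]"
        elif ch == "[":
            in_class = True
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        elif ch == "|" and depth == 0:
            parts.append("".join(cur)); cur = []; i += 1; continue
        cur.append(ch); i += 1
    parts.append("".join(cur))
    return parts

def classify(cf_text):
    """Return (listed domains, discarded wildcard patterns)."""
    listed, discarded = [], []
    for line in cf_text.splitlines():
        m = RULE.match(line)
        for alt in split_alternatives(m.group(1)) if m else []:
            name = alt.replace(r"\.", ".").replace(r"\-", "-").lower()
            if LITERAL.match(name):
                listed.append(name)
            else:
                discarded.append(alt)   # still contains regex syntax: no zone entry
    return listed, discarded

def zone_records(domains, ttl, txt):
    """Emit one A and one TXT record per listed domain (zone-file style)."""
    return [rec for d in sorted(set(domains))
            for rec in (f"{d} {ttl} IN A 127.0.0.2", f'{d} {ttl} IN TXT "{txt}"')]

if __name__ == "__main__":
    ok, dropped = classify(SAMPLE_CF)
    print("\n".join(zone_records(ok, 3600, "Blocked in BigEvil. See: http://www.rulesemporium.com/")))
```

Logging the discarded patterns rather than dropping them silently makes it visible how much of the list never reaches the zone.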


