[SURBL-Discuss] BigEvil + MidEvil as SURBL

Jeff Chan jeffc at surbl.org
Wed Apr 21 15:49:51 CEST 2004


[Update, Chris wrote off list that he's put up a quick be.htm
page to be prettified later.]

On Wednesday, April 21, 2004, 7:36:08 AM, Chris Santerre wrote:
>> Sounds good.  Can you let me know what kind of TTL I should set?

> Well I am now trying to update at least every other day. This way I won't
> fall behind. But I'm now getting every day. I always test overnight, because
> too many people rely on the list now. I usually post before noon EST. 

OK sounds like an 8 or 12 hour TTL is appropriate then; setting
to 8 now.

Any idea how often Paul updates MidEvil?

>> Basically I'd like to set the lifetime of the zone info to
>> something relevant towards how often you and Paul usually
>> update the lists.  Nothing too specific is needed, just a
>> general idea.  Like is it daily, twice a day, every other
>> day on average, etc.
>> 
>> Also does this TXT record work for you guys:
>> 
>>   "Blocked in BigEvil. See: http://www.rulesemporium.com/"
>> 
>> It was just a generic placeholder.  I'd like
>> comments/improvements on it.

> How about www.rulesemporium.com/be.htm ? I can make a page just for that
> error? Otherwise it is fine. 

Done.  Please set up a page when you get a chance...  :-)

>> > 1) BigEvil wildcards. Not sure how you would handle these. Something like
>> > evil\d{2,4}spam\.com is a general wildcard. Some of those domains don't even
>> > exist. Not sure how SURBL will handle that.
>> 
>> Yes, I should have mentioned that I'm simply discarding them.
>> Unfortunately there's no easy way to deal with them.  Domains
>> without any patterns in them, which are a majority, come right
>> through.  The script is at:

> Can we make sure that when you announce this to the public that they know
> this! :) 
> I can see the flurry of emails now. 

Definitely will mention the differences in the announcement and
web site!

>> > 3) What is the quickest way to check a domain against the other SURBL lists?
>> > Basically I see no reason to duplicate the listings. *gulp* and on a
>> > Windowze machine? (Don't ask!)
>> 
>> I wouldn't worry too much about that for now. For now we just
>> want to get an accurate record of everything.  We're working on
>> ways to merge things next.
>> 

> Well ok, but I still want to look others up if I have a domain in question
> :) Will there be a quick web page to look up a domain? Or do I do an
> NSLOOKUP using the SURBL?

You can find the domains currently going into the SURBL lists at:

 sc:  http://spamcheck.freeapp.net/top-sites-domains

 ws:  http://spamcheck.freeapp.net/sa-blacklist.current.domains.afterwhitelist

 be:  http://spamcheck.freeapp.net/bigevil.domains.afterwhitelist

But frankly I like the fact that there is some overlap in the
lists.  In a sense that represents multiple reporting; i.e.
a domain in more than one list is more likely a bad guy.
I don't think we should lose that coding.

YMMV, but I'd say keep any overlap in BE.  It's a feature not
a bug.

>> > 4) Has there been any talk with the sendmail people? It would be interesting
>> > to actually block at the MTA level based on an evil URL. I realise the
>> > inherent dangers in this ;)
>> 
>> Yes, there is talk about sendmail milters using SURBLs.  I
>> haven't heard of anyone doing one yet, but they're feasible.
>> The limiting factor is the FP rate.  FPs must be as close to
>> zero as possible before people will dare to reject spams at the
>> MTA level using SURBLs, other than perhaps for personal servers,
>> etc.

> Dangerous, but so very fun!

Hehe!  ;-)   Messing with spammers is always fun!

Jeff C.
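
Added example, not part of the original message and not the SURBL script it refers to: a sketch of the filtering described above, where BigEvil entries containing regex patterns are discarded while literal domains pass through, are whitelist-filtered, and become zone records carrying the 8-hour TTL and the be.htm TXT text. The input format (one regex-escaped entry per line), the 127.0.0.2 answer, the record layout and all function names are assumptions; the sample entries are constructed.

```python
import re

TTL_SECONDS = 8 * 3600   # the 8-hour TTL chosen in the message
TXT = "Blocked in BigEvil. See: http://www.rulesemporium.com/be.htm"
LISTED_A = "127.0.0.2"   # assumption: conventional DNSBL "listed" answer

# Literal entry: hostname labels joined by backslash-escaped dots, nothing else.
# Any other regex syntax (\d, {2,4}, |, groups, a bare ".") marks a pattern.
LITERAL = re.compile(r"^(?:[a-z0-9-]+\\\.)+[a-z]{2,}$", re.IGNORECASE)

def split_entries(entries):
    """Return (sorted literal domains, discarded pattern entries)."""
    literals, discarded = set(), []
    for raw in entries:
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue                      # skip blanks and comments
        if LITERAL.match(entry):
            literals.add(entry.replace("\\.", ".").lower())
        else:
            discarded.append(entry)       # wildcard: cannot be a DNS name
    return sorted(literals), discarded

def zone_records(domains, whitelist=()):
    """Emit A and TXT lines (names relative to the zone origin)."""
    skip = {w.lower() for w in whitelist}
    lines = []
    for d in domains:
        if d in skip:
            continue                      # the "afterwhitelist" step
        lines.append(f"{d} {TTL_SECONDS} IN A {LISTED_A}")
        lines.append(f'{d} {TTL_SECONDS} IN TXT "{TXT}"')
    return lines

# Constructed sample input (reserved .example names plus the pattern quoted above)
SAMPLE = [
    r"evil\d{2,4}spam\.com",
    r"spam-one\.example",
    r"(?:cheap|best)pills\.example",
    r"Good-Site\.example",
    r"pills\.shop\.example",
    "bare.dot.example",
]

if __name__ == "__main__":
    kept, dropped = split_entries(SAMPLE)
    print("\n".join(zone_records(kept, whitelist={"good-site.example"})))
    print("discarded:", dropped)
```

The discarded list is worth publishing alongside the zone so users can see which BigEvil rules have no SURBL equivalent.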


