[SURBL-Discuss] BigEvil + MidEvil as SURBL

Jeff Chan jeffc at surbl.org
Wed Apr 21 17:08:17 CEST 2004

On Wednesday, April 21, 2004, 3:16:12 PM, Simon Byrnand wrote:
> At 09:49 22/04/2004, you wrote:

>> >> > 1) BigEvil wildcards. Not sure how you would handle these.
>> >> Something like
>> >> > evil\d{2,4}spam\.com is a general wildcard. Some of those
>> >> domains don't even
>> >> > exhist. Not sure how SURBL will handle that.
>> >>
>> >> Yes, I should have mentioned that I'm simply discarding them.
>> >> Unfortunately there's no easy way to deal with them.  Domains
>> >> without any patterns in them, which are a majority, come right
>> >> through.  The script is at:
>> > Can we make sure that when you announce this to the public that they know
>> > this! :)
>> > I can see the flurry of emails now.

> Right near the top of 
> http://spamcheck.freeapp.net/bigevil.domains.afterwhitelist there is 
> 123-ebiz - is that a mistake or parsing error ?

Good eye.  I think that may be a bug in the original BigEvil.cf
rules for Chris to fix since it fell right out of the
expand_regex.pl that way: 123\-ebiz (i.e. without a TLD).  For
now I'll stop it from getting into the RBLs with a manual
whitelist, though it likely hurts nothing to have it in there.

>>But frankly I like the fact that there is some overlap in the
>>lists.  In a sense that represents multiple reporting; i.e.
>>a domain in more than one list is more likely a bad guy.
>>I don't think we should lose that coding.
>>YMMV, but I'd say keep any overlap in BE.  It's a feature not
>>a bug.

> I think so too. What some people suggesting merging are forgetting, is with 
> lists with totally different sources, that whether a given URL is listed in 
> one two or three of the lists IS an extra piece of information, something 
> listed in all three is more likely to be correct than one listed on only 
> one of the lists.

> The SA approach of assigning a score to each list based on it's relative 
> merits, and the scores ADDING if they're in multiple lists seems to be a 
> sensible approach to me...

We can merge the lists in a way to preserve the fact that the
entries came from multiple lists.  That's what the bitmasked
single A record versus multiple A record discussion was about.

> Of course there is nothing to stop you having merged lists available AS 
> WELL for those that are willing to take the risk of one higher scoring 
> merged list...with choice, everyone is happy ;)

> By the way, am I jumping the gun here or is be.surbl.org ready to go, or 
> should I wait a bit ? :)

It's pretty much ready.  We got good feedback from Chris
Santerre.   I need to update the web site and announce it.

Still waiting to hear back from some of the secondary DNS

Jeff C.

More information about the Discuss mailing list