[SURBL-Discuss] second and third level domains - again!

Jeff Chan jeffc at surbl.org
Mon Apr 26 03:58:58 CEST 2004

On Sunday, April 25, 2004, 8:57:56 AM, John Fawcett wrote:
> Version 0.14 includes the changes which were
> being discussed last week, so that if ads.msn.com
> is found in an email only msn.com is being
> checked against sc.surbl.org.

Regarding redirection sites, we definitely do not
want to blacklist the redirection sites of mostly
legitimate sites like msn and yahoo.

If their redirection sites are being abused by
spammers then they should have the added traffic
as incentive to block the abusers.

If there were spam-only redirection sites then those
could be easily blocked on.

Another reason to not block legitimate redirection
sites is that SA 3.0's urirhsbl will check the redirection
site against the SURBL also, and we don't want to block
messages simply because a redirection site is used in
them.  On the other hand the redirection site could
get a special A record such as you propose below to
say "check further".  But that's getting a bit complex
on the client side for my likes.

> So the choices available to the list maintainer are either:
> - list all of msn.com
> - list none of msn.com

> Since listing all of msn.com is likely to be too wide, 
> this means msn.com will not get listed even if
> there are subdomains which are candidates for 
> listing.

> I've used msn as an example, but the same logic
> applies to any of the big names like yahoo etc where 
> the list maintainer may want to have more granularity
> in what is listed rather than list the whole registered 
> domain.

The underlying principle as I see it is that most
major site will have functional anti-abuse and anti-spam
policies, so either a base domain is good or bad.  I
know that seems simplistic, but it's easy and fast to
implement AND it seems to match reality pretty well.

There are no drug spam sites hosted on yahoo for example,
and if there were they would get shut down extremely quickly.
The legitimate sites have an incentive to stay that way.
Similarly spam ISPs and spam gangs have a seeming incentive
to stay that way.

So the dividing line can generally be easily drawn at
the registrar domain level.

> The solution could be to use a special return code
> which indicates "query again with more detail".
> (I remember someone bringing up something similar
> in the context of ccTLDs as well).

> So if ads.msn.com were to be listed in sc.surbl.org
> it would need two records:

> msn.com IN A
> ads.msn.com IN A

> The client (in this case SpamCopURI) would
> find a url ads.msn.com in the email but would
> query for msn.com as per the current logic.

> The return value of then indicates
> to the client to query for one level 
> lower, ie ads.msn.com.

> This same mechanism could be used for ccTLDs.
> sc.surbl.org could contain:

> co.uk IN A
> co.nz IN A

> So that if I get xxxxxxxx.co.uk in an email, 
> the client queries for co.uk and it will be told 
> to query with the lower level. The client
> queries for xxxxxxxx.co.uk

That's an interesting idea.  Basically you want to
signal redirection to higher domain levels with a
special result for levels that should never get
checked like co.uk.

That might be doable, but it would require extra
logic on the client side as you note.  That already
sounds more complex than I like, though I see what
you're getting at.  Better to control what goes into
the data (i.e. never let the TLD itself co.uk in),
and make sure the client is following similar rules.

We will always catch bigspammer.co.uk with the current

I know a lot of what I argue for above seems simplistic
when a more complex solution could have more interesting
results, but very often the simpler solutions are better,
especially in terms of resource consumption.

Jeff C.

More information about the Discuss mailing list