[SURBL-Discuss] Re: second and third level domains - again!

Jeff Chan jeffc at surbl.org
Wed Apr 28 01:02:26 CEST 2004


On Tuesday, April 27, 2004, 10:37:22 PM, John Fawcett wrote:
> As far as I could see the table in SpamCopUri contains only the
> .uk not co.uk. so this means that all .uk domains are being handled 
> in the same way i.e. checked on the third level. 

> Likewise, I saw .ca in the table not ab.ca, so just as for the
> uk example everything is being checked at the third level by
> the client, and so spammer.ca. will be missed.

...
>> tm.fr
>> gouv.fr
>> asso.fr
>> nom.fr
>> avocat.fr
...

> I didn't spot any of these being used on the client. So if I am
> reading things correctly we will never catch spammer.nom.fr etc.

> Maybe if Eric is reading this, he can confirm whether this is
> the case.

Thanks for the research into how SpamCopURI is handling ccTLDs.

In case it wasn't clear, I was referring to the data side in my
description of how the ccTLDs are handled.

For best performance, we probably want to make both the data and
client sides behave similarly, whether it's by changing the data
side to use the SA module handling ccTLDs, by getting zones with
more than two levels out via a special zone or value in SURBLs,
or some other way.

But we can say that whitelisting of the known legitimate
two-level ccTLDs will guarantee that they won't get into the data
and therefore won't match in any SURBL queries.  It's a partial
solution and does help prevent most FPs that might happen from
matching the specific ccTLDs.  But it may not be the ultimate
solution.

I'll also add a couple points:

1.  For SURBLs to be useful preventing FPs is very important,
probably more so than catching 100% of spam.

2.  So far, :-) there is relatively little abuse of geographic
domain names.  By far the most abused geographic domain is .us .
Spam URI domains in .com, .biz, etc. are several orders of
magnitude more numerous than any geographic ones.  In that sense
catching those is a higher priority, and we are canonically if
imperfectly meeting that now.

Jeff C.



More information about the Discuss mailing list