[SURBL-Discuss] Fwd: Re: ob.surbl.org FP

Jeff Chan jeffc at surbl.org
Sun Jul 18 00:50:45 CEST 2004


Brian Godette noticed on spamassassin-users that
kerrypicksedwards.com showed up on ob.surbl.org last week.
That started a fairly long thread, to which I responded below.


From: Jeff Chan
To: spamassassin-users
Date: Saturday, July 17, 2004, 11:22:23 PM
Subject: ob.surbl.org FP


OK here are some of my responses to the themes in this thread:

1. I've whitelisted: kerrypicksedwards.com, johnkerry.com, Bush's
site and some other candidate sites.  (By whitelisting I mean
preventing these domains from getting onto SURBLs.  There is
no whitening or score improvement of your incoming messages
with the SURBL whitelists.)

2. Some people seem more comfortable sending non-commercial spam
out.  It's still spam, but in their religious or political fervor
they think they're justified, which of course they are not.  And
any site that has unconfirmed opt-in is just begging for this
kind of abuse by zealots (and opponents) also.

3. Justin is right that it's important to keep domains of sites
that might get mentioned in legitimate messages (ham) out of
SURBLs, otherwise false positives are possible.  In this sense
CAN-SPAM is irrelevant since any partially whitehat sites need
to not get listed.  In this sense the standards for inclusion in
SURBLs need to be higher than sender IP or domain RBLs.  Blocking
messages based on URIs has a potentially much larger effect on
mail in general than blocking a specific zombie or rogue mail
server.  The focus of SURBLs therefore should be on the hard
core professional criminal spammers' domains first.

4. The outblaze data is based on their spam traps, so they *are*
getting spam from these when they should not (for example
outside the U.S.).  The whitelists take precedence over any
input data feeds like Outblaze, so they will prevent list
inclusion.

5. Outblaze has another interesting idea in that only domains
less than 90 days old are listed.  The idea is that spammers burn
through domains quickly so the really recently registered ones
are more likely to be spammers'.  This is only for domains that
actually get delivered into their spam traps, and it's probably
a good idea.

6. Outblaze may do some additional processing before we get
their data, but in general it appears to be quite good.  We
iterated a bit by sharing whitelist hits, etc. so we could
focus their feed on the most often spamming URI domains.
So it may take more than a single trap hit to get onto their
list, and in addition to the 90 day newness of registration
factor, their data seems quite good in general.

Jeff C.
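
The inclusion rules described in points 1, 4, 5 and 6 above, written out as an added Python example; it is not part of the original post and is not SURBL's or Outblaze's code. The record shape, the two-hit threshold, the parent-domain whitelist match and all sample data (including registration dates) are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date

MAX_AGE_DAYS = 90  # from the post: only domains less than 90 days old are listed
MIN_TRAP_HITS = 2  # assumption: the post says only "more than a single trap hit"

@dataclass(frozen=True)
class TrapReport:  # hypothetical shape of one spam-trap feed entry
    domain: str
    registered: date
    trap_hits: int

def normalize(domain):
    """Lower-case and strip whitespace and the trailing root dot."""
    return domain.strip().rstrip(".").lower()

def is_whitelisted(domain, whitelist):
    """True if the domain or any parent domain is whitelisted (assumed policy)."""
    labels = normalize(domain).split(".")
    return any(".".join(labels[i:]) in whitelist for i in range(len(labels)))

def decide(report, whitelist, today):
    """Return (listed, reason). The whitelist is checked before any feed data."""
    if is_whitelisted(report.domain, whitelist):
        return False, "whitelisted"
    if (today - report.registered).days >= MAX_AGE_DAYS:
        return False, "registered 90 or more days ago"
    if report.trap_hits < MIN_TRAP_HITS:
        return False, "too few trap hits"
    return True, "listed"

def build_list(reports, whitelist, today):
    """Sorted, de-duplicated domains that pass every rule."""
    wl = {normalize(d) for d in whitelist}
    return sorted({normalize(r.domain) for r in reports if decide(r, wl, today)[0]})

# Constructed sample data; the .test names and all dates are invented.
TODAY = date(2004, 7, 17)
WHITELIST = {"kerrypicksedwards.com", "johnkerry.com"}
REPORTS = [
    TrapReport("kerrypicksedwards.com", date(2004, 7, 6), 40),
    TrapReport("www.JohnKerry.com.", date(2004, 6, 1), 15),
    TrapReport("pills-example.test", date(2004, 6, 20), 12),
    TrapReport("old-shop-example.test", date(2003, 1, 1), 30),
    TrapReport("oneoff-example.test", date(2004, 7, 10), 1),
]

if __name__ == "__main__":
    for r in REPORTS:
        print(r.domain, decide(r, WHITELIST, TODAY))
```

Checking the whitelist first is what makes it take precedence: a whitelisted domain is rejected no matter how many trap hits the feed reports for it.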


