[SURBL-Discuss] Proposal to add some anti-phishing data to SURBL

David Hooton djh-lists at platformhosting.com
Tue May 4 21:49:06 CEST 2004


> -----Original Message-----
> From: discuss-bounces at lists.surbl.org [mailto:discuss-
> bounces at lists.surbl.org] On Behalf Of Jeff Chan
> Sent: Tuesday, 4 May 2004 8:17 PM
> To: SURBL Discuss
> Subject: Re: [SURBL-Discuss] Proposal to add some anti-phishing data to
> SURBL
> 
> On Tuesday, May 4, 2004, 2:48:17 AM, David Hooton wrote:
> >Jeff Chan wrote:
> >> 1.  Merge into ws:  probably no specific code for phishing
> >> 2.  Merge into combined list:  could have a separate code
> >> 2a.  (With no separate list for phishing if it's small.)
> 
> I personally think 2 is the preferred option as it provides domain &
> netblock owners with a possible means of becoming unlisted.  Further helping
> us remove false positives and mopped up incidents as soon as we can.
> 
> As soon as the domains come off your list, they will come out of
> the SURBL.  IOW the SURBL is built dynamically from your domain list.

The concept being a custom response (TXT record) would facilitate the person
whose mail is altered knowing why - i.e. phishing, not spam.

> That said, processing things here automatically may be a bit
> quicker than going through Bill's more manual procedure.  Maybe
> I should assume we will do the merging here.
> 
> Also I'm somewhat concerned about "netblocks" going to SURBLs
> for a couple reasons:
> 
> 1.  SURBLs are largely domain name based.  They're meant to block
> domains (or IP addresses) appearing in URIs.  They're not meant
> to block resolved domains, sender domains or mail sender IP
> addresses.  Remember that there's no name resolution being done
> on the client side.  A domain in a URI will ***not*** be resolved
> into an IP address.  If the URI has an IP address like:
> http://1.1.1.1/ then 1.1.1.1 is what should be checked against
> the SURBL.  In other words SURBLs are used to check whatever
> happens to appear in the URI, where that's most often an
> unresolved domain name.

I understand this, and as the listing policy states we are only planning on
listing individual IP addresses and domains that are included in phishing
attacks.

No pre-emptive blocking will be conducted on IP ranges.

I think where the confusion has come in is that I have referred to allowing
"Netblock Owners", i.e. people who own the IP space, to request removal of
their individual IP addresses from the SURBL once the IP has been mopped up.

> 2.  Address blocks imply more than one address, i.e. networks.
> SURBLs so far have not included any networks, only the occasional
> web hosting IP address mentioned above.  It is possible to list
> blocks in various limited ways, and that may be useful for SURBLs
> to do in a few cases, but we have not done so because it doesn't
> fit the model above as well as it does for purely number-based
> regular LHS RBLs.

Phishing attacks rarely if ever use netblocks, so don't be too worried!  If
this policy was to ever be reviewed it would be done within this forum, and
as with this thread, opportunities for community input will be offered.

> 3.  Address blocks also imply a range of addresses, where SURBLs
> generally have listed a few individual addresses that spammers
> are foolish enough to use in their spam URIs.  Those are a very
> small minority of cases.  Our approach is more specific, perhaps
> a little too specific to deal with a few cases, but that's how
> it was built.

There is a much higher incidence of IP-based URLs in phishing attacks than
in general spam, due in part to the majority of attacks being built on
stolen bandwidth and on hacked/trojaned servers.

This is and probably always will be the modus operandi for these
"PhisherMen".

> > As far as creating additional SURBLs go, I think the fewer lists kept
> > overall the better; it's much kinder on bandwidth & end users' system
> > performance.
> 
> Can you give us an idea of how many records might go onto the
> list?  I realize all the data feeds may not be up and running
> yet, but a general idea could be useful.

This is a pretty hard question.  From the rough figures I've done I can't
see it hitting much more than 1500 records at any one time.  This is mainly
due to the fact that we're planning on running an expiry process as outlined
on the policy page & because we hope to provide a means of notification &
removal for ISPs and machine owners.

I have not seen the same IP address used more than once and have only seen
individual domains used for around a week or two in phishes.  I think the
self-expiring model is probably a wise approach due to this.

Regards,
 
David Hooton
Senior Partner
Platform Networks
www.platformnetworks.net


========================================================================
 Pain free spam & virus protection by:          www.mailsecurity.net.au
 Forward undetected SPAM to:                   spam at mailsecurity.net.au
========================================================================
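As an added illustration of the lookup model Jeff describes above (the host is taken literally from the URI and never resolved; an IP literal is queried in reversed-octet form, a domain as written) together with the TXT-record reason and the self-expiring listing David proposes. This is example code written for this page, not SURBL's or Platform Networks' code; the zone name `multi.surbl.example`, the `127.0.0.x` answer codes, the TXT strings, the 14-day expiry window and the sample listings are all constructed assumptions, and the "zone" is an in-memory table rather than real DNS so the example runs offline.

```python
"""Constructed SURBL-style lookup: query the host that appears in a URI.

Added example for this discussion; not SURBL project code. The zone name,
answer codes, TXT text, expiry window and listings below are assumptions.
"""
import ipaddress
from datetime import datetime, timedelta
from urllib.parse import urlsplit

ZONE = "multi.surbl.example"        # assumed placeholder zone name
MAX_AGE = timedelta(days=14)        # assumed expiry, per "a week or two"
NOW = datetime(2004, 5, 4)          # fixed clock so the example is repeatable

# Constructed listings: (host as seen in URIs, time listed, A answer, TXT answer).
SAMPLE_LISTINGS = [
    ("phish-bank-login.example", datetime(2004, 5, 1), "127.0.0.8",
     "Listed as a phishing site; see the listing policy page"),
    ("192.0.2.10",               datetime(2004, 4, 1), "127.0.0.8",
     "Listed as a phishing site; see the listing policy page"),
    ("spamvertised.example",     datetime(2004, 5, 3), "127.0.0.2",
     "Listed as a spam site"),
]


def uri_host(uri: str) -> str:
    """Return the host literally present in the URI. No name resolution is
    performed: a domain stays a domain, an IP literal stays an IP literal."""
    host = urlsplit(uri).hostname      # strips scheme, userinfo, port, path
    if host is None:
        raise ValueError(f"no host in {uri!r}")
    return host.lower().rstrip(".")


def query_name(host: str, zone: str = ZONE) -> str:
    """Build the DNS name a client would query for this host.
    IPv4 literals use the usual RBL reversed-octet form; domain names are
    appended to the zone as written (IPv6 is out of scope here)."""
    try:
        ipaddress.IPv4Address(host)
    except ipaddress.AddressValueError:
        return f"{host}.{zone}"
    return ".".join(reversed(host.split("."))) + "." + zone


def build_zone(listings, now: datetime = NOW, max_age: timedelta = MAX_AGE) -> dict:
    """Turn listings into a name->record table, dropping entries older than
    max_age (the self-expiring model from the thread)."""
    zone = {}
    for host, listed_at, a_value, txt in listings:
        if now - listed_at > max_age:
            continue                   # expired: the listing silently disappears
        zone[query_name(host)] = {"A": a_value, "TXT": txt, "listed_at": listed_at}
    return zone


def lookup(uri: str, zone: dict) -> dict:
    """Check the URI's host against the zone. The TXT answer carries the
    human-readable reason so the recipient learns why the mail was flagged."""
    name = query_name(uri_host(uri))
    rec = zone.get(name)
    if rec is None:
        return {"query": name, "listed": False}
    return {"query": name, "listed": True, "code": rec["A"], "reason": rec["TXT"]}


def demo() -> list:
    """Run the sample URIs against the sample zone and return the results."""
    zone = build_zone(SAMPLE_LISTINGS)
    uris = [
        "http://phish-bank-login.example/login",   # listed, phishing code
        "http://192.0.2.10/",                      # listed in April, now expired
        "http://user@spamvertised.example:8080/x", # listed, spam code
        "https://www.example.org/",                # never listed
    ]
    return [lookup(u, zone) for u in uris]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Only the host string is consulted, so a phishing page hosted on a hacked server with a bare IP in the link is matched by the reversed IP, while the same server reached by a domain name is a separate listing; that is why the policy lists individual IPs and domains rather than netblocks.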
