[SURBL-Discuss] Proposal to add some anti-phishing data to SURBL
jeffc at surbl.org
Tue May 4 05:20:31 CEST 2004
On Tuesday, May 4, 2004, 3:49:06 AM, David Hooton wrote:
>> On Tuesday, May 4, 2004, 2:48:17 AM, David Hooton wrote:
>> >Jeff Chan wrote:
>> >> 1. Merge into ws: probably no specific code for phishing
>> >> 2. Merge into combined list: could have a separate code
>> >> 2a. (With no separate list for phishing if it's small.)
>> > I personally think 2 is the preferred option as it provides domain &
>> > netblock owners with a possible means of becoming unlisted. Further
>> > us remove false positives and mopped up incidents as soon as we can.
> The concept being a custom reponse (txt record) would facilitate the person
> whose mail is altered knows why - ie. phishing not Spam.
Aha, you were more concerned about a specific reason (i.e.
phishing) being presented. I misunderstood. That would
probably be better if I did the combining.
>> That said, processing things here automatically may be a bit
>> quicker than going through Bill's more manual procedure. Maybe
>> I should assume we will do the merging here.
>> Also I'm somewhat concerned about "netblocks" going to SURBLs
> I understand this, and as the listing policy states we are only planning on
> listing individual IP addresses and domains that are included in phishing
> No pre-emptive blocking will be conducted on IP ranges.
> I think where the confusion has come in is that I have referred to allowing
> "Netblock Owners" ie. people who own the IP space to request removal of
> their individual IP addresses from the SURBL once the IP has been mopped up.
Got it. I read that as discussing input data for the list as
opposed to describing resulting actions taken to get off the list.
> There is a much higher incidence of IP based urls in phishing attacks than
> in general spam, due in part to the majority of attacks being built on
> stolen bandwidth and on hacked/trojaned servers.
Thanks for the added background. Multiple, individual IP-based
URIs scattered around the Internet would work fine as a SURBL.
> I can't
> see it hitting much more than 1500 records at any one time. This is mainly
> due to the fact that we're planning on running an expiry process as outlined
> on the policy page & because we hope to provide a means of notification &
> removal for ISP's and machine owners.
OK good to know.
> I have not seen the same IP address used more than once and have only seen
> individual domains used for around a week or two in phishes. I think the
> self expiring model is probably a wise approach due to this.
Yes, that sounds very appropriate to the data.
More information about the Discuss