[SURBL-Discuss] RFC: Combined SURBL list details, phishing list
jeffc at surbl.org
Fri May 14 04:24:42 CEST 2004
Based on comments received so far, the following is proposed for a
combined SURBL list:
The sc and ws lists and a phishing list would be combined into a
single, bitmasked SURBL mutli.surbl.org. Bitmasking means that
there will only be one entry per spam URI domain name or IP
address, but that entry will have an IP address that resolves
according to which lists it belongs to:
1 = comes from sc.surbl.org
2 = comes from ws.surbl.org (and be.surbl.org)
4 = comes from phishing list
Where if an entry belongs to one of the lists it will have an
address where the last octet has that value, for example
127.0.0.4 means it comes from the phishing list and 127.0.0.1
means it's in the data used in sc.surbl.org. An entry on multiple
lists gets the sum of those list numbers as the last octet, so
127.0.0.3 means an entry is on both ws.surbl.org and
sc.surbl.org. In this way membership in multiple lists is
encoded into a single response.
Default TTL for the combined list is generally the longest of the
included lists, which is six hours, while individual entries
inherit the shortest TTL which can be 10 minutes for sc data.
That allows individual entries to expire in BIND appropriately to
their data source.
TXT message for each entry is generic, pointing to a page
describing the different lists and their data sources.
All this is still open to discussion, but lets lock in the
bitmasking scheme, unless there are any strong objections, so
that the SA programs can start to be written or modified to use
a combined list.
A combined list would be in addition to the individual lists,
which would continue to exist.
More information about the Discuss