[SURBL-Discuss] Probable new data source: DNS queries hitting spamhaus lists

Jeff Chan jeffc at surbl.org
Wed Nov 10 08:34:19 CET 2004

At Daniel Quinlan's suggestion, we've started to check a sampling
of SURBL name server queries against sbl and xbl.spamhaus.org.
His interest is as a potential replacement for the very time
consuming NS record lookups done with uridnsbl.

We haven't turned these into a SURBL yet, but probably will
eventually.  So far this has resulted in about 11k SBL domains
with about 60% overlap with existing SURBLs.  The fun thing
is that this catches at a very early stage spams from scumbags
like "Media Dreamland" that has been spamming free computer
monitors, etc. lately.  Some of these types of operations that
reuse the same name server IPs, but register and change domains
frequently are caught this way, just like uridnsbl does, but
with perhaps a few missed due to sampling effects on the
DNS queries.  This method also features a much lower global
DNS overhead since the lookups are done once in a centralized
way, and not repeatedly in a gazillion SpamAssassin installations
on the same domains in a very distributed and redundant way.

The way this works is that we sample DNS queries from SURBL
lookups and compare new wild domains (i.e. domains found
in general email URIs), against xbl and sbl and build up
lists of the matches.  (To be more correct, it's the wild
domain name server "NS" record resolved ip addresses which
are checked against sbl and xbl.)  Along with this will need
to be expiration runs, which I haven't built yet.  (In other
words, domains should come off the lists when they no longer
resolve or no longer resolve to name servers in sbl or xbl.)

The main downside is that domains matching name servers
listed in sbl or xbl definitely have more false positives
than our other SURBL lists.  We'll want to do some testing,
but it may be as high as 1%, so they'd need to be used

Some perhaps other interesting stats after about two weeks:

  unique queries logged so far about 250k
    (These are reduced to base domains where easy)
  SBL matches so far about 11k
  XBL matches so far about 400

SBL are checked for NS records only
XBL are checked for NS, www, base domain against XBL
(but not MX)

Questions?  Comments?  Suggestions?

Jeff C.
"If it appears in hams, then don't list it."
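The checking rules described in the post (NS-record IPs checked against SBL; NS, www and base-domain IPs checked against XBL; MX not checked; domains expired once they no longer resolve or no longer hit), as an added example written for this page. It is not SURBL's or Spamhaus's code. The resolver is a constructed in-memory table using documentation IP ranges so it runs offline; the `base_domain` helper is a deliberate simplification (last two labels) and the list-return convention (any A answer in 127.0.0.0/8 means "listed") is the usual DNSBL convention, assumed here rather than taken from the post.

```python
"""Model of the "wild domain NS IPs vs. sbl/xbl" check from the post.

Added example, not SURBL code.  All DNS data below is constructed."""
import ipaddress
from typing import Callable, Dict, Iterable, List, Set

SBL_ZONE = "sbl.spamhaus.org"
XBL_ZONE = "xbl.spamhaus.org"

# resolve(name, rrtype) -> list of answers ([] means NXDOMAIN / no data)
Resolver = Callable[[str, str], List[str]]


def dnsbl_name(ip: str, zone: str) -> str:
    """Standard DNSBL query name: reversed IPv4 octets under the list zone."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def base_domain(name: str) -> str:
    """'Reduce to base domain where easy' (assumption: last two labels).
    Real code needs a public-suffix list for things like co.uk."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def listed(ip: str, zone: str, resolve: Resolver) -> bool:
    """An A answer in 127.0.0.0/8 means listed; an empty answer means not."""
    answers = resolve(dnsbl_name(ip, zone), "A")
    return any(ipaddress.IPv4Address(a) in ipaddress.IPv4Network("127.0.0.0/8")
               for a in answers)


def ns_ips(domain: str, resolve: Resolver) -> Set[str]:
    """IPs of the domain's name servers (the thing the post actually checks)."""
    ips: Set[str] = set()
    for ns in resolve(domain, "NS"):
        ips.update(resolve(ns, "A"))
    return ips


def check_domain(domain: str, resolve: Resolver) -> Dict[str, bool]:
    """SBL: NS IPs only.  XBL: NS IPs, the base domain's own A record and
    www.<domain>.  MX records are deliberately not consulted."""
    ns = ns_ips(domain, resolve)
    sbl_hit = any(listed(ip, SBL_ZONE, resolve) for ip in ns)
    xbl_candidates = set(ns)
    xbl_candidates.update(resolve(domain, "A"))
    xbl_candidates.update(resolve("www." + domain, "A"))
    xbl_hit = any(listed(ip, XBL_ZONE, resolve) for ip in xbl_candidates)
    return {"sbl": sbl_hit, "xbl": xbl_hit}


def update_lists(current: Dict[str, Set[str]], sampled: Iterable[str],
                 resolve: Resolver) -> Dict[str, Set[str]]:
    """One build/expiry pass: newly sampled wild domains that hit are added,
    previously listed domains that no longer resolve (or no longer hit) drop."""
    result: Dict[str, Set[str]] = {}
    for name in set(current) | {base_domain(d) for d in sampled}:
        hits = {lst for lst, hit in check_domain(name, resolve).items() if hit}
        if hits:
            result[name] = hits
    return result


# Constructed DNS data (RFC 5737 documentation addresses).
FAKE_DNS = {
    ("spammer-example.test", "NS"): ["ns1.bulkhost.test"],
    ("ns1.bulkhost.test", "A"): ["192.0.2.10"],
    ("10.2.0.192." + SBL_ZONE, "A"): ["127.0.0.2"],      # NS IP is in SBL
    ("ham-example.test", "NS"): ["ns.good.test"],
    ("ns.good.test", "A"): ["198.51.100.5"],
    ("ham-example.test", "A"): ["198.51.100.7"],
    ("www.ham-example.test", "A"): ["198.51.100.7"],
    ("bot-hosted.test", "NS"): ["ns.good.test"],         # clean NS ...
    ("www.bot-hosted.test", "A"): ["203.0.113.44"],
    ("44.113.0.203." + XBL_ZONE, "A"): ["127.0.0.4"],    # ... but www on an XBL host
}


def fake_resolve(name: str, rrtype: str) -> List[str]:
    return list(FAKE_DNS.get((name.lower().rstrip("."), rrtype), []))


if __name__ == "__main__":
    listed_now = {"expired.test": {"sbl"}, "spammer-example.test": {"sbl"}}
    sample = ["mail.bot-hosted.test", "ham-example.test", "spammer-example.test"]
    print(update_lists(listed_now, sample, fake_resolve))
```

Note that the expiry pass re-resolves every already-listed domain, which is exactly where the centralised design pays off: one resolver does that work once instead of every SpamAssassin installation repeating it, but it also means a stale or sampled-out domain lingers until the next pass runs.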

