[SURBL-Discuss] Proposing a greylist

Rob McEwen rob at powerviewsystems.com
Fri Sep 3 09:27:10 CEST 2004


Jeff said:
>If Mainsleazers use fixed mail servers, then just block the mail
>servers using a global or local RBL, or even block their IP
>addresses at the transport or routing layer.

>If they're using zombies then they're a very good candidate for
>SURBLs.

>How's that for a compromise?

Jeff, up until this point, all your concerns and points made a lot of sense.
Certainly, there are issues and questions you have raised which need more
attention and thought.

However, this last point you made makes little sense. First, there is not
much difference, for all practical purposes, between doing what you are
suggesting and just throwing all these "mainsleazers" into SURBL... yet no
one is suggesting or is in favor of that. We are not trying to "end-run around"
SURBL by making it more strict in order to circumvent our regular standards.
Instead, most of us see the "graylist" as more of an auditing tool or a
factoring tool. Recall how some have already mentioned factoring the
unconfirmed.surbl.org into SpamAssassin's score, but at a lower value than
the regular SURBL score. That way, where a regular SURBL hit might be enough
to get a message blocked... an unconfirmed.surbl.org hit would take
ADDITIONAL evidence (or rules) to get that message blocked. Also, another
use for unconfirmed.surbl.org would be as an auditing tool, where an extra
copy of mail that gets "hit" by unconfirmed.surbl.org (but NOT by
multi-surbl.org) might go to a folder for review by the mail administrator
so that the mail administrator might create additional filtering "rules" for
blocking this type of message in the future in a more precise, "surgical
strike" manner which doesn't block all mail just for having that particular
URI.

Finally, another reason for this greylist, as I and Chris have pointed out
in the past, is that spammers will try to circumvent SURBL in the future by
providing some little legit service "on the side". Certainly, it would be
good to keep these types "on a short leash". If we ONLY do what we have been
doing so far, there is a big loophole in SURBL.

A week or two ago, I had other related suggestions about this issue. (I
don't know if it got much attention at the time). This post had suggestions
for OTHER ways to deal with this potential loophole. (I'll try to find it
and repost.)

Rob McEwen
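
The two uses of a greylist described in the message above (a lower score than a regular SURBL hit, and an audit copy for greylist-only hits), as an added example that is not part of the original post. The domain sets stand in for DNS lookups against the two lists; the domains, scores, threshold and function names are all constructed for illustration.

```python
import re

# Constructed sample data standing in for lookups against the two lists.
CONFIRMED = {"pills-example.test"}         # regular SURBL list (assumed contents)
UNCONFIRMED = {"mainsleaze-example.test"}  # unconfirmed.surbl.org (assumed contents)

# Assumed values: a regular hit alone reaches the block threshold,
# a greylist hit alone does not.
SCORE_CONFIRMED = 5.0
SCORE_UNCONFIRMED = 1.5
BLOCK_THRESHOLD = 5.0

URI_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)

def uri_domains(body):
    """Reduce each URI host in the body to its last two labels.

    Simplification: real URI blocklist clients use a list of two-level
    TLDs (co.uk and similar) to find the registered domain.
    """
    domains = set()
    for host in URI_HOST.findall(body):
        labels = host.lower().rstrip(".").split(".")
        domains.add(".".join(labels[-2:]))
    return domains

def evaluate(body, other_rules_score=0.0):
    """Score one message and decide blocking and audit routing."""
    domains = uri_domains(body)
    hit_confirmed = bool(domains & CONFIRMED)
    hit_unconfirmed = bool(domains & UNCONFIRMED)
    score = other_rules_score
    if hit_confirmed:
        score += SCORE_CONFIRMED
    if hit_unconfirmed:
        score += SCORE_UNCONFIRMED
    return {
        "score": score,
        "blocked": score >= BLOCK_THRESHOLD,
        # Audit copy only for greylist hits that the regular list missed.
        "audit_copy": hit_unconfirmed and not hit_confirmed,
    }

if __name__ == "__main__":
    print(evaluate("See http://news.mainsleaze-example.test/offer"))
    print(evaluate("See http://news.mainsleaze-example.test/offer", 4.0))
```
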
