[SURBL-Discuss] Proposing a greylist

Jeff Chan jeffc at surbl.org
Fri Sep 3 07:56:15 CEST 2004

On Friday, September 3, 2004, 5:27:10 AM, Rob McEwen wrote:
> However, this last point you made makes little sense. First, there is not
> much difference, for all practical purposes, between doing what you are
> suggesting and just throwing all these "mainsleazers" into SURBL... yet no
> one is suggesting or is in favor of that. We are not trying to "end-run around"
> SURBL by making it more strict in order to circumvent our regular standards.
> Instead, most of us see the "graylist" as more of an auditing tool or a
> factoring tool. Recall how some have already mentioned factoring the
> unconfirmed.surbl.org into SpamAssassin's score, but at a lower value than
> the regular SURBL score. That way, where a regular SURBL hit might be enough
> to get a message blocked... an unconfirmed.surbl.org hit would take
> ADDITIONAL evidence (or rules) to get that message blocked. Also, another
> use for unconfirmed.surbl.org would be as an auditing tool, where an extra
> copy of mail that gets "hit" by unconfirmed.surbl.org (but NOT by
> multi-surbl.org) might go to a folder for review by the mail administrator
> so that the mail administrator might create additional filtering "rules" for
> blocking this type of message in the future in a more precise, "surgical
> strike" manner which doesn't block all mail just for having that particular
> URI.

> Finally, another reason for this greylist, as I and Chris have pointed out
> in the past, is that spammers will try to circumvent SURBL in the future by
> providing some little legit service "on the side". Certainly, it would be
> good to keep these types "on a short leash". If we ONLY do what we have been
> doing so far, there is a big loophole in SURBL.

Yes, I understand the points being made, but I feel there are
many practical concerns weighing against this idea.  I also
understand the enthusiasm and fervor of those of us who want
to "get every spammer," but I feel that doesn't always fit
the model we have built.

Perhaps there's some disagreement on what constitutes a
spammer.  To me a spammer essentially sends only spam, usually
for pills, cable descramblers, mortgages, etc. and steals
services using zombies.  Their sites are usually hosted at
spam-friendly ISPs who won't take down their sites for being a
spam destination, or in countries with no apparent spam laws or

Anyone who sends mostly legitimate messages should not be
blocked, and anyone not using zombies is trivially
blocked using a conventional RBL of sending server IP addresses
or even sender domains.  Conventional RBLs typically list the
spammers' mail server IP addresses or their sending domain
allowing administrators to block on them.  Either of those other
solutions is vastly simpler and less costly in terms of CPU
cycles and disk storage than content checking like we're doing
with SURBLs.  Conventional RBLs are also well-supported in MTAs,
SpamAssassin and most anti-spam programs.  The main problem is
that zombies are used to get around that technology.  Zombies
spam from many different and new IP addresses more quickly than
conventional RBLs can practically keep up with.

Zombies are the main reason we decided to do SURBLs, because
URI checking was the ONLY way remaining to catch spams sent
using rapidly shifting armies of zombied computers.
Those who think the source of spams is irrelevant or that zombies
don't matter are probably mostly hobbyists with small personal
mail servers who can afford processing that would be impractical
at ISPs or large mail servers.  It's great that people use SURBLs
on their personal servers and it's good for them to not get the
spam, but actually stopping the spammers will require solutions
that will work on a large scale, for example on many high-volume
inbound mail or spam filter servers.  Only then will we make
enough of a dent in the hard core, highly-abusive, zombie-using
spammers to slow or stop them or to make spamming uneconomical
for them.

There are at least 100k new zombies discovered every day.  Those
are the real problem, not someone's joke of the day site.  SURBLs
are designed to catch the otherwise uncatchable zombie spammers,
not the trivially-blocked unwanted newsletter.

These grey cases are frankly a distraction from the goal of
stopping the worst offenders and the biggest criminals.  They
also miss the biggest abusers.  The priority should be on
catching the biggest, most abusive spammers, and excluding
the grey cases which confuse that effort and make it difficult
for SURBLs to be more widely adopted due to false positives.

Jeff C.
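The scoring scheme Rob describes in the quoted text (an unconfirmed-list hit at a lower score that needs additional evidence to block, plus an audit copy for messages hit by the unconfirmed list but not the confirmed one) can be illustrated with a small, self-contained scorer. This is an added example, not code from the SURBL project or from anyone in the thread. The list contents, the zone-like names, the scores, the threshold and the rule name `HTML_ONLY_HYPOTHETICAL` are all constructed for the demo; real SURBL lookups go over DNS, and none are made here.

```python
"""Toy two-tier URI-list scorer (added example; not SURBL or SpamAssassin code).

It models the idea from the thread: a confirmed-list hit alone crosses the
block threshold, an unconfirmed ("greylist") hit contributes a lower score and
only blocks together with other evidence, and an unconfirmed-only hit is routed
for administrator review instead of being rejected.
"""
import re
from dataclasses import dataclass, field

# Constructed stand-ins for DNS-based zones.  Real SURBL data is queried via
# DNS; these sets exist only so the example runs offline.
CONFIRMED = {"pills-example.test"}        # stands in for a confirmed-list hit
UNCONFIRMED = {"greyzone-example.test"}   # stands in for the proposed greylist

# Constructed scores: confirmed alone reaches THRESHOLD, unconfirmed does not.
SCORE_CONFIRMED = 5.0
SCORE_UNCONFIRMED = 2.0
THRESHOLD = 5.0

# Hostname part of http(s) URIs in the body (a deliberately simple extractor).
URI_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def extract_domains(body):
    """Return the set of lowercased host names found in http(s) URIs."""
    return {m.group(1).lower().rstrip(".") for m in URI_RE.finditer(body)}


@dataclass
class Verdict:
    score: float = 0.0
    hits: list = field(default_factory=list)

    @property
    def blocked(self):
        # Total score meets the constructed threshold.
        return self.score >= THRESHOLD

    @property
    def audit(self):
        # Hit only by the unconfirmed list: the case the thread proposes
        # copying to a review folder rather than rejecting outright.
        return "UNCONFIRMED" in self.hits and "CONFIRMED" not in self.hits


def score_message(body, other_rule_scores=()):
    """Score a message body.

    other_rule_scores is an iterable of (rule_name, score) pairs standing in
    for whatever other rules the filter fired; it is how "additional evidence"
    enters the total.
    """
    domains = extract_domains(body)
    verdict = Verdict()
    if domains & CONFIRMED:
        verdict.hits.append("CONFIRMED")
        verdict.score += SCORE_CONFIRMED
    if domains & UNCONFIRMED:
        verdict.hits.append("UNCONFIRMED")
        verdict.score += SCORE_UNCONFIRMED
    for name, score in other_rule_scores:
        verdict.hits.append(name)
        verdict.score += score
    return verdict


def route(verdict):
    """Decide what happens to the message: reject, deliver with an audit copy,
    or deliver normally."""
    if verdict.blocked:
        return "reject"
    if verdict.audit:
        return "inbox+review-copy"
    return "inbox"


if __name__ == "__main__":
    # Constructed sample bodies.
    for body, extra in [
        ("buy now at http://pills-example.test/buy", []),
        ("daily joke at http://greyzone-example.test/today", []),
        ("daily joke at http://greyzone-example.test/today",
         [("HTML_ONLY_HYPOTHETICAL", 3.0)]),   # hypothetical extra rule
        ("hi, see http://example.test/", []),
    ]:
        v = score_message(body, extra)
        print(f"{v.score:4.1f} {v.hits!s:45} -> {route(v)}")
```

The point the demo makes is the one in the quoted argument: with the unconfirmed score kept below the threshold, a greylist entry never blocks a message by itself, so a false positive on that list costs an audit copy rather than lost mail, while the same hit still contributes to blocking when other rules corroborate it.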

