[SURBL-Discuss] Re: Need help checking FP list from Theo

Jeff Chan jeffc at surbl.org
Wed Sep 8 00:13:05 CEST 2004


On Tuesday, September 7, 2004, 8:50:50 AM, Chris Santerre wrote:
> OK, you asked for it ;)

> Some of this info will give you a 'feel' for who the hosts operate.

>>>Theo got us a list of 112 new false positives from across all
>>>SURBLs.  He showed me the source messages which are almost
>>>all subscribed newsletters and mailing list messages, so they
>>>seem quite hammy.
>>
>>>Given the type of source messages and some spot checking, I'm
>>>inclined to whitelist them all, but I'd like to ask for some help
>>>checking them first.  Can anyone help check these?
>>
>>123inkjets.com

> Oh, these guys are on my personal poop list!

> http://groups.google.com/groups?q=123inkjets.com+abuse&hl=en&lr=&ie=UTF-8&sa=G&scoring=d

> Domain List matching cluster of russ-effrig

>     * 1: 007inkjets.com
>     * 2: 00inkjets.com
>     * 3: 111inkjets.com
>     * 4: 123cartridges.com
>     * 5: 123inkjets.com
[...]

That's interesting, but I think it misses the point:

A.  The question is not what domains has anyone ever seen in a
spam.

B.  The question is what domains has anyone ever seen in a ham.

If domains get mentioned in legitimate messages, we don't want
to block them, right?  That's the definition of a false
positive.  (That of course is assuming that people are smart
enough to not process spam meta-discussion with anti-spam tools.)

A.  In other words, we're not trying to catch every domain that's
ever been mentioned in a spam.

B.  We're trying to catch domains that are ***only*** mentioned
in spams.

Anything else potentially causes false positives.

As I mentioned earlier this is a different paradigm than many
people are used to.  It may require some shifting of attitudes
when dealing with these.  I hope people are able to do that.

Jeff C.


