[SURBL-Discuss] whitelist senderbase top domains?

Bill Landry billl at pointshare.com
Wed Sep 8 09:44:34 CEST 2004

----- Original Message ----- 
From: "Jeff Chan" <jeffc at surbl.org>

> Looks like senderbase.org has a database of the domains and IPs
> used to send the most mail.  Normally that would not be too
> interesting to us since we care about message body URIs, i.e.
> content, and not senders or their ISP addresses, but I'm thinking
> about whitelisting all the legitimate NSPs, ISPs and telcos in
> their top domains list:
>   http://www.senderbase.org/search?page=domains
> we would exclude the few that appear to be spammers according to
> spamhaus:
>   imgmailer.com         TAM Network
>   stocksntalk.com       iMedia Networks Inc.
>   havagreatday.com
> But I'd like to whitelist all the rest which are obviously
> large ISPs, etc.  In essence we're just using it as a list
> of some of the top ISPs in the world.
> Does anyone have any comments on this?

I like this idea as I believe it would cut down the number of
false-positives due to false-listings.

> Note that this won't have a major effect on bad guys since
> spammers would not have much incentive to advertise their ISPs,
> and we don't "whiten" spams for mentioning non-spam domains
> anyway.  It also does not mean that we're whitelisting the ISP
> address space, senders, or anything like that, just mail that
> mentions these large ISP URIs.

Quick question:  If I have set "spamcop_uri_limit 25" in my spamcop_uri.cf
file, and a spammer sends a message containing 30 URIs, all legit except
one, and 10 of the legit URIs are whitelisted by SURBL, would all of the
remaining URIs get checked, or still only a random selection of the entire
30 URIs found in the message?  Just wondering if the whitelisting will help
us to be more accurate in tagging the spammer URI in the message, thus
cutting down the possibility of the spammer URI not being one of the random
25 selected for checking against the SURBLs.

I'm curious to know what effect the SURBL whitelisting has as it applies to
both SA 2.6x with the SpamCopURI plug-in and SA 3.0 with the URIDNSBL
plug-in and the random URI check limit threshold.

