[SURBL-Discuss] Draw the line (was: Need help checking FP list from Theo)

Jeff Chan jeffc at surbl.org
Thu Sep 9 09:45:36 CEST 2004

On Wednesday, September 8, 2004, 2:08:08 PM, SM wrote:
> Hi Chris,
> At 08:09 08-09-2004, Chris Santerre wrote:
>>NO it doesn't! The point was..... it's interesting!! :)  123inkjets has been
>>linked to a ton of other spam domains. The fact that they have customers
>>makes it legit???? SO anyone who falls for these spams and buys something,
>>makes it legit? Think about that. Where do you draw the line?

> If a few legitimate customers are enough to get a domain off a blacklist, 
> then most of the domains currently listed will sooner or later get 
> off.  There will always be false positives because one man's spam is 
> another man's ham.  Someone should draw the line somewhere.

Yes, we have drawn a line.  A domain that's mostly used in
spam will probably get listed.  A domain that's only being
used in spam will definitely get listed.  A domain that's
mostly used in legitimate messages probably won't get
listed.  A domain that's only used in legitimate messages
definitely won't get listed.

We currently have more than 60 thousand records of domains
or IP addresses listed as spammers, with many new ones added
every day.  Those lists include many major spammers and probably
some minor ones.  Certainly they represent many millions of spams
being blocked every day.

What we don't want to do is to include records that are mentioned
in legitimate, non-spam messages, since we don't want legitimate
messages to be blocked.  Note that I didn't say anything about
spammers' customers.  We don't really care whether spammers have
customers or not.  We care about where the domains and IP
addresses are getting mentioned.  If they're being used in a
significant number of legitimate messages, such as large
newsletters, then we don't want to list.

It still seems that there is some misunderstanding about what we
are doing.

We are not creating lists of every domain or IP address that has
ever been mentioned in spams.  Such a list would not be generally
useful since there would be too many legitimate messages blocked
if it was used.  Steve's definition of "listing domains and IPs
that have *only* appeared in spams" is better.

If the difference between these two cases is not clear, then
the issue is perhaps a lack of understanding.  If the difference
or the reasons for them are not clear, then please ask questions.

Please note that we are trying to create a tool for general use
at ISPs, etc.  We are not trying to create a tool for home users
or other individuals who can afford to block every potential
spam, where their friends' emails are unlikely to ever contain
a spam domain or IP.  Blocking on large scale mail systems has a
much bigger impact on spammers since it blocks more of their
messages further upstream.  It gets us "the most bang for the
buck" and blocks the most spam.  Focussing on a provider-grade
tool is the most effective use of our efforts, and it fits
systems like SpamAssassin, MTAs, enterprise mail systems, etc.
best.  Yes you can run SA, Postfix, sendmail, etc. at home,
on your personal server, etc., but that's not the main focus
for SURBLs.

