[SURBL-Discuss] Re: Start an IP list to block?

Jeff Chan jeffc at surbl.org
Fri Sep 10 00:37:42 CEST 2004


On Thursday, September 9, 2004, 3:22:39 PM, Scott Crosby wrote:
> On Thu, 9 Sep 2004 16:56:33 -0400, Chris Santerre <csanterre at MerchantsOverseas.com> writes:

> How does this sound? Combine spamtraps with SURBL, using the IP as a
> hint to fully automatically add on the new domain. If a spamtrap email
> includes a URL that resolves to a server that has the same IP as
> another server already on the SURBL blacklist, automatically and
> immediately add the new domain to SURBL. One could also use shared DNS
> servers as a similar hint. If a new domain in a spamtrap shares a DNS
> server with an already listed domain, add it to SURBL automatically.

> We should be a bit more careful than this --- require that a new URL
> has to resolve to the same IP address as, say, at least 3 other SURBL
> entries before being automatically added on. Also, there should also
> be a list of IP's for which this automatic logic won't be
> triggered. This would be important for a poorly run but popular
> virtual server that's slow at kicking off spamvertized sites.

> This way you can catch spammers who create new domains on an existing
> IP address automatically and close to instantaneously. There's also
> little to no chance of accidentally blacklisting a popular virtual
> server. Spammers can't get any completely innocent domain or IP onto
> SURBL automatically. It must have at least some prior listings.

> Scott

Yes, the nameserver part is a new idea, and we would not
explicitly fold trap data* in, but the IP part is in my designs
already for the next version:

  http://www.surbl.org/faq.html#numbered

> However the next version of the sc.surbl.org data engine
> probably will be a hybrid name and number approach, where if a
> domain resolves into an IP address commonly used with
> spamvertised sites, then that domain will get added to
> sc.surbl.org probably with the first report. (Note that this
> still requires at least one report, but the threshold for
> inclusion will be radically lower for major spam operators who
> repeatedly use the same IP address for their hosting.) The next
> version of the data engine may also use the IP addresses in the
> sbl.spamhaus.org list to similarly short-circuit the process
> and include any newly reported domains resolving into those
> addresses immediately upon their first report. That should make
> for a more responsive list without much chance of increasing
> false positives. 
> 
> This hybrid approach will move sc.surbl.org much closer towards
> the behavior of a number-based approach, though domains will
> still need that initial report, whereas a numbered list would
> catch the whole server IP address.
> 
> Of course a downside of using numbers is that they can false
> positive any legitimate domains that happen to be hosted on the
> same IP address as a spam site. That could be disastrous for a
> large web hosting company that had one bad apple. That's
> another major reason why we went with names and not numbers.
> Numbers can be overly broad, whereas names are highly specific
> to the advertised site. To us names are a finer tool: if 30% of
> the domains on a given IP address are used by spammers, we
> could list all of them and not affect the 70% non-spam domains
> that unfortunately happen to share the same IP address. That
> specificity is a strong benefit of using domain names.

I'd rather work on this than spending time defending the current
practices, which are already collectively pretty well thought out.

* spam trap data is already indirectly used in SURBLs.

Jeff C.
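The auto-listing rule sketched in this thread (list a newly reported domain immediately when it resolves to an IP, or uses a nameserver, already shared by at least three listed domains, but never for IPs/nameservers on an exclusion list for large shared hosts) as an added worked example. This is illustration code written for this page, not SURBL's data engine; the domains, addresses, nameservers and the in-memory "resolver" are all constructed so it runs offline, and the function and variable names are this example's own.

```python
from collections import defaultdict

# Constructed sample data (not real SURBL entries; documentation IP ranges).
THRESHOLD = 3  # at least this many listed domains must already share the IP/NS

LISTED = {
    "spam-a.example", "spam-b.example", "spam-c.example",          # one spammer's box
    "host-spam1.example", "host-spam2.example", "host-spam3.example",  # on a big shared host
    "spam-d.example",
}

# Offline stand-in for DNS: domain -> {"a": A records, "ns": authoritative nameservers}
RESOLVER = {
    "spam-a.example":     {"a": {"192.0.2.10"},   "ns": {"ns1.spamdns.example"}},
    "spam-b.example":     {"a": {"192.0.2.10"},   "ns": {"ns1.spamdns.example"}},
    "spam-c.example":     {"a": {"192.0.2.10"},   "ns": {"ns2.spamdns.example"}},
    "spam-d.example":     {"a": {"198.51.100.7"}, "ns": {"ns1.spamdns.example"}},
    "host-spam1.example": {"a": {"203.0.113.5"},  "ns": {"ns1.bighost.example"}},
    "host-spam2.example": {"a": {"203.0.113.5"},  "ns": {"ns1.bighost.example"}},
    "host-spam3.example": {"a": {"203.0.113.5"},  "ns": {"ns1.bighost.example"}},
    # Newly reported (spamtrap) domains under evaluation:
    "new-spam.example":         {"a": {"192.0.2.10"},   "ns": {"ns9.other.example"}},
    "ns-spam.example":          {"a": {"198.51.100.9"}, "ns": {"ns1.spamdns.example"}},
    "innocent.bighost.example": {"a": {"203.0.113.5"},  "ns": {"ns1.bighost.example"}},
    "lonely.example":           {"a": {"198.51.100.7"}, "ns": {"ns9.other.example"}},
}

# Popular but poorly run shared hosts: the shortcut must never fire on these.
EXCLUDED_IPS = {"203.0.113.5"}
EXCLUDED_NS = {"ns1.bighost.example"}


def build_index(listed, resolver, kind):
    """Map each IP ("a") or nameserver ("ns") to the listed domains that use it."""
    index = defaultdict(set)
    for domain in listed:
        for value in resolver.get(domain, {}).get(kind, ()):
            index[value].add(domain)
    return index


def evaluate(domain, listed, resolver, excluded_ips, excluded_ns, threshold=THRESHOLD):
    """Decide whether a spamtrap-reported domain may be listed automatically.

    Returns (decision, reason) with decision in
    {"already_listed", "auto", "needs_report"}.  Only infrastructure that
    already carries >= threshold listings can trigger "auto", so a domain on
    a completely fresh IP or nameserver can never be auto-added.
    """
    if domain in listed:
        return "already_listed", None
    records = resolver.get(domain)
    if not records:
        return "needs_report", "unresolvable"

    checks = (
        ("ip", "a", build_index(listed, resolver, "a"), excluded_ips),
        ("ns", "ns", build_index(listed, resolver, "ns"), excluded_ns),
    )
    for label, key, index, excluded in checks:
        for value in sorted(records.get(key, ())):
            if value in excluded:
                continue  # shared host on the exclusion list: no automatic logic
            peers = index.get(value, set()) - {domain}
            if len(peers) >= threshold:
                return "auto", f"{label} {value} shared with {len(peers)} listed domains"
    return "needs_report", "no shared infrastructure above threshold"


def screen_reports(domains):
    """Run evaluate() over a batch of reported domains; returns {domain: decision}."""
    return {d: evaluate(d, LISTED, RESOLVER, EXCLUDED_IPS, EXCLUDED_NS)[0] for d in domains}


if __name__ == "__main__":
    for d in ("new-spam.example", "ns-spam.example", "innocent.bighost.example",
              "lonely.example", "spam-a.example"):
        print(d, evaluate(d, LISTED, RESOLVER, EXCLUDED_IPS, EXCLUDED_NS))
```

The exclusion lists are checked before the peer count, so a large virtual host with many listed tenants still needs the normal report threshold for each new domain; only infrastructure that is both already spam-heavy and not on the exclusion list short-circuits the process.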