[SURBL-Discuss] Re: Start an IP list to block?

Jeff Chan jeffc at surbl.org
Fri Sep 10 00:52:44 CEST 2004


On Thursday, September 9, 2004, 2:48:51 PM, System Dan Mahoney wrote:
> On Thu, 9 Sep 2004, Matt Kettler wrote:

> If it's blacklisting based on resolved ip, it should probably be noted 
> that there are a couple of caveats:

> 1) Spammers can set up multiple ip addresses to an A record.  Whatever 
> does the reporting should check all A records, from the top down.  i.e. 
> query each NS multiple times to make sure it's not being round-robined or 
> reported differently from multiple DNS servers.

Good point.

> 2) I can easily forsee spammers doing a wildcard subdomain as an effort to 
> thwart this, if we're doing nslookups.

Code using SURBLs attempts reduce domains to the base (registrar)
domains before comparing to SURBLs.  In other words we ignore the
subdomains, host portion, etc.

  http://www.surbl.org/faq.html#random

> 3) It's a common case that spammers use disposable landing sites, such as 
> the forwarding services offered by tinyurl, zoneedit, and the like, or 
> will put an HTTP redirect on a hotmail or geocities page.  Should those be 
> exempt from this, since they have a fair number of legitimate domains as 
> well?

Please see:

  http://www.surbl.org/faq.html#redirect

and the rest of the FAQ.  :-)

Jeff C.



More information about the Discuss mailing list