[SURBL-Discuss] Re: Start an IP list to block?

Scott A Crosby scrosby at cs.rice.edu
Fri Sep 10 00:22:39 CEST 2004

On Thu, 9 Sep 2004 16:56:33 -0400, Chris Santerre <csanterre at MerchantsOverseas.com> writes:

> OK, this isn't the first time we've had this discussion, but Raymond
> and I felt this should be made public again. He ran thru some tests
> of 1500+ domains and found the following data. Looks like they maybe
> send from zombies, and never their hosts. IPs are similar across the
> board.
> So is there a way to use the IP info in a good way? Could SA or
> SURBL do a quick ping of the URL and match against a URL? This would
> allow us to simply list 1 IP instead of all these domains.
> (I'm well aware of virtual hosts! So only the filthiest of spammers
> would be put on this IP list. Then their IP better boot them or
> anyone hosted on that box would feel the wrath of SURBL.)

How does this sound? Combine spamtraps with SURBL, using the IP as a
hint to fully automatically add on the new domain. If a spamtrap email
includes a URL that resolves to a server that has the same IP as
another server already on the SURBL blacklist, automatically and
immediately add the new domain to SURBL. One could also use shared DNS
servers as a similar hint. If a new domain in a spamtrap shares a DNS
server with an already listed domain, add it to SURBL automatically.

We should be a bit more careful than this --- require that a new URL
has to resolve to the same IP address as, say, at least 3 other SURBL
entries before being automatically added on. There should also
be a list of IPs for which this automatic logic won't be
triggered. This would be important for a poorly run but popular
virtual server that's slow at kicking off spamvertized sites.

This way you can catch spammers who create new domains on an existing
IP address automatically and close to instantaneously. There's also
little to no chance of accidentally blacklisting a popular virtual
server. Spammers can't get any completely innocent domain or IP onto
SURBL automatically. It must have at least some prior listings.
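
The auto-listing rule proposed in the message above, sketched as an added example (not code from the post or from SURBL). The function names, the sample domains and addresses, and the choice to skip exempt IPs one by one are assumptions; DNS resolution is assumed to happen elsewhere, so the resolved addresses are passed in.

```python
# Constructed sample data: listed domain -> IPs it resolves to.
LISTED = {
    "pills-a.example": {"192.0.2.10"},
    "pills-b.example": {"192.0.2.10"},
    "pills-c.example": {"192.0.2.10"},
    "loans-a.example": {"198.51.100.7"},
    "hosted-1.example": {"203.0.113.5"},
    "hosted-2.example": {"203.0.113.5"},
    "hosted-3.example": {"203.0.113.5"},
}
# Constructed exemption list: a popular virtual host that is slow to
# remove spamvertized sites, so shared-IP evidence is not trusted there.
EXEMPT_IPS = {"203.0.113.5"}
THRESHOLD = 3  # "at least 3 other SURBL entries", as in the post


def build_index(listed):
    """Invert domain -> IPs into IP -> set of listed domains."""
    index = {}
    for domain, ips in listed.items():
        for ip in ips:
            index.setdefault(ip, set()).add(domain)
    return index


def evaluate(domain, ips, index, exempt_ips, threshold=THRESHOLD):
    """Decide whether a spamtrap-seen domain is auto-listed.

    Returns (auto_list, reason). Only *other* listed domains count,
    so a domain never vouches for itself.
    """
    considered = [ip for ip in sorted(ips) if ip not in exempt_ips]
    if ips and not considered:
        return False, "exempt IP"
    for ip in considered:
        others = index.get(ip, set()) - {domain}
        if len(others) >= threshold:
            return True, f"{ip} shared with {len(others)} listed domains"
    return False, f"fewer than {threshold} listed domains on any shared IP"


if __name__ == "__main__":
    idx = build_index(LISTED)
    for name, addrs in [("pills-new.example", {"192.0.2.10"}),
                        ("loans-new.example", {"198.51.100.7"}),
                        ("shop.example", {"203.0.113.5"})]:
        print(name, evaluate(name, addrs, idx, EXEMPT_IPS))
```

The shared-DNS-server hint from the message could reuse the same functions with name-server hosts in place of IPs.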

