[SURBL-Discuss] Additional phish/fraud list

David Hooton david.hooton at gmail.com
Sat Sep 18 11:38:29 CEST 2004


On Sat, 18 Sep 2004 00:33:59 -0700, Jeff Chan <jeffc at surbl.org> wrote:
> OK taking a look at the fraud.rhs.mailpolice.com data,
> there's not too much overlap with the MailSecurity phishing
> data which we're currently using in PH in multi.surbl.org.
> 
> The former has about 260 records, and the latter has
> about 400 records, and the overlap is around 25 records.
> So adding in the mailpolice fraud data would grow PH
> by about 240 new records.
> 
> Most of the data looks pretty regular, but one difference
> is that the mailpolice data has some records like these:
<snip>
> which we would typically try to reduce to their base (registrar)
> domains.  Reducing would cause some obvious false positives, for
> example comcast.net, if we did not happen to whitelist it.

Hmm, this is not great.

> One solution would be to not reduce.  Another would be to discard
> these longer domains, but it's not too easy to detect which ones
> to discard.  Neither solution is really great, but they're both
> better than reducing, because of the FPs that would create.

This is probably the best approach.

> Also Jay:  example.tld is on the list.  That doesn't resolve and
> probably isn't useful for fraud or phishing so you may want to
> consider removing it.  ;-)
> 
> It would be nice to figure out these issues before adding the
> mailpolice fraud data into PH.

Agreed on all counts.
-- 
Regards,

David Hooton
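
Added example, not part of the original message and not SURBL's own code: the three options discussed in the thread (reduce to base domain, keep records unreduced, discard longer records) run over a small list. The records, the sub-host under comcast.net, the two-label suffix table and the function names are constructed assumptions.

```python
# Constructed stand-in for a public suffix list (assumption: a real
# list-building job would load the full list instead of this subset).
TWO_LABEL_SUFFIXES = {"co.uk", "com.au"}

# Constructed sample records; only comcast.net comes from the thread.
RECORDS = [
    "phish-login.example",
    "members.comcast.net",        # page hosted under a shared provider domain
    "secure.fraud-site.example",
    "fraud-shop.co.uk",
]


def base_domain(host):
    """Reduce a hostname to its base (registrar-level) domain."""
    labels = host.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def build_list(records, policy, whitelist=frozenset()):
    """Return the sorted entries that would be listed under a policy.

    reduce  - list the base domain of every record
    keep    - list every record exactly as supplied
    discard - list only records that already are base domains
    The whitelist is checked against the name that would be listed.
    """
    listed = set()
    for rec in records:
        rec = rec.lower().rstrip(".")
        base = base_domain(rec)
        if policy == "reduce":
            entry = base
        elif policy == "keep":
            entry = rec
        elif policy == "discard":
            if rec != base:
                continue          # longer than its base domain: dropped
            entry = rec
        else:
            raise ValueError("unknown policy: %r" % policy)
        if entry not in whitelist:
            listed.add(entry)
    return listed and sorted(listed) or []


if __name__ == "__main__":
    for policy in ("reduce", "keep", "discard"):
        print(policy, build_list(RECORDS, policy))
```

Reducing lists comcast.net itself unless it is whitelisted, while discarding also drops the constructed fraud-site.example record, which is why neither alternative is clean.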

