[SURBL-Discuss] RFC: SURBL inclusion policy

Joe Wein joewein at pobox.com
Sat Sep 25 16:52:13 CEST 2004


>   http://www.surbl.org/policy.html

"The older a domain is the less likely it should be listed. Most spam
domains are used for 3 days then abandoned. Domains older than 90 days
probably should not be added. A domain more than a few years old usually
should not be added."


I would say, domains older than 90 days probably should not be added
*unless* they use a blacklisted nameserver.

You really have to look at both the name servers and the date, in that
order.

I want to give you some data on domain age for my recent blacklistings (last
two weeks):

    year    count
    2004     4165
    2003      582
    2002       30
    2001        6
    2000        3
  <=1999       12
  total:     4830

There is a significant percentage of domains registered in 2003, but most of
these still fall within one year of the listing. There are extremely few
blacklistings for domains registered before 2003, about 1% of the total.
Most of the 1999 ones are porn sites using an NS by wildrhino.com, plus one
each by vendaregroup.com, webfinity.net, allproactive.com, rackhosters.com,
all notorious spamhouses with SBL listings. These domains are exceptions to
the rule that old domains usually don't merit listing.

About 11% of blacklisted domains were registered within 3 days of detection,
18% within 7 days, 34% within 2 weeks.

Then it gets interesting: I have no records in the set for 13-24 days, then
a whole bunch of pill spam domains registered at least 25 days ago. These
guys seem to wait a little before they strike.

50% of all blacklisted domains are registered no more than 35 days before
listing, 60% within two months, 66% within three months, 70% within four
months. As you see, the incremental gain per extra month gets smaller and
smaller. Six months cover 80%, 12 months 90%, 24 months 97%.

A few comments in addition to those numbers:

1) There's a very small set of hardcore spammer NSs for which I list *all*
domains that use them, regardless of age.

2) For other domains with SBL-listed NS, I routinely list them *if* they are
recently registered.

3) For domains with SBL-listed NS older than a few months, I list them if
they fit a pattern. Most of these will be porn and gambling sites from usual
suspects, i.e. I'll see lots and lots of domains all sharing the same NS,
advertised in similar spam mails. These guys stick around, so it doesn't
matter much if you don't list them immediately, before you see a pattern.
You can still get them later.

4) I also list sites without SBL records on the NS if they are very recently
registered (usually < 6 weeks) and they fit a pattern with regard to naming
or what kind of spam subject lines / sender names are used. That takes care
of discardable spam domains registered with Joker.com such as these:

californiapassword.info
coloradopassword.info
coloradovodka.info
dc-user.info
dcpassword.info
floridaadmin.info
georgiapass.info
georgiauser.info
hawaii-vodka.info
idahouser.info
iowavodka.info
kentucky-password.info

5) Recently registered domains with a name server from the same domain are
more suspicious than those using a different server, because it means the
name server has no track record to check.

Joe
-- 
http://www.joewein.de/sw/jwSpamSpy/
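The five listing rules above can be expressed as a small decision function. This is an added example, not code from the post or from jwSpamSpy; the nameserver sets are constructed placeholders, the 90-day "recently registered" cutoff is assumed from the quoted policy, and the six-week figure comes from rule 4.

```python
from dataclasses import dataclass
from datetime import date

# Constructed placeholder sets: the post names no NS hostnames, these are not real ones.
HARDCORE_SPAMMER_NS = {"ns1.hardcore.example"}
SBL_LISTED_NS = {"ns1.hardcore.example", "ns1.sblhost.example"}

RECENT_DAYS = 90       # assumed cutoff for "recently registered" (quoted 90-day policy)
VERY_RECENT_DAYS = 42  # rule 4: "usually < 6 weeks"


@dataclass
class Domain:
    name: str
    registered: str        # ISO date from whois, e.g. "2004-09-10"
    nameserver: str
    fits_pattern: bool = False  # operator saw a naming family or matching spam subjects/senders


def age_days(d: Domain, today: str) -> int:
    """Days between registration and the day the domain was seen in spam."""
    return (date.fromisoformat(today) - date.fromisoformat(d.registered)).days


def uses_own_nameserver(d: Domain) -> bool:
    # Simplification: the NS host sits under the domain itself (ns1.foo.info for foo.info).
    ns = d.nameserver.lower().rstrip(".")
    name = d.name.lower()
    return ns == name or ns.endswith("." + name)


def evaluate(d: Domain, today: str) -> tuple[str, str]:
    """Return (verdict, reason); verdict is 'list', 'suspicious' or 'skip'."""
    age = age_days(d, today)
    ns = d.nameserver.lower().rstrip(".")
    if ns in HARDCORE_SPAMMER_NS:                        # rule 1: list regardless of age
        return "list", "hardcore spammer NS"
    if ns in SBL_LISTED_NS:
        if age <= RECENT_DAYS:                           # rule 2: SBL NS + recent registration
            return "list", "SBL-listed NS, recently registered"
        if d.fits_pattern:                               # rule 3: old, but part of a pattern
            return "list", "SBL-listed NS, old but fits pattern"
        return "suspicious", "SBL-listed NS, wait until a pattern shows"
    if age < VERY_RECENT_DAYS and d.fits_pattern:        # rule 4: no SBL record needed
        return "list", "very recent registration fitting a pattern"
    if age <= RECENT_DAYS and uses_own_nameserver(d):    # rule 5: NS has no track record
        return "suspicious", "recent domain on its own NS, no track record"
    return "skip", "old domain, no blacklisted NS, no pattern"
```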


