[SURBL-Discuss] RFC: SURBL inclusion policy

Jeff Chan jeffc at surbl.org
Sun Sep 26 05:00:18 CEST 2004


On Saturday, September 25, 2004, 7:52:13 AM, Joe Wein wrote:
>>   http://www.surbl.org/policy.html

> I would say, domains older than 90 days probably should not be added
> *unless* they use a blacklisted nameserver.

> You really have to look at both the name servers and the date, in that
> order.

> I want to give you some data on domain age for my recent blacklistings (last
> two weeks):

>   year    count
>   2004    4165
>   2003     582
>   2002      30
>   2001       6
>   2000       3
> <=1999      12
> total:    4830

> There is a significant percentage of domains registered in 2003, but most of
> these still  fall within one year of the listing. There are extremely few
> blacklistings for domains registered before 2003, about 1% of the total.
[...]

> About 11% of blacklisted domains were registered within 3 days of detection,
> 18% within 7 days, 34% within 2 weeks.

> Then it gets interesting: I have no records in the set for 13-24 days, then
> a whole bunch of pill spam domains registered at least 25 days ago. These
> guys seem to wait a little before they strike.

> 50% of all blacklisted domains are registered no more than 35 days before
> listing, 60% within two months, 66% within three months, 70% with four
> months. As you see, the incremental gain per extra month gets smaller and
> smaller. Six months cover 80%, 12 months 90%, 24 months 97%.

> A few comments in addition to those numbers:

> 1) There's a very small set of hardcore spammer NSs for which I list *all*
> domains that use them, regardless of age.

> 2) For other domains with SBL-listed NS, I routinely list them *if* they are
> recently registered.

> 3) For domains with SBL-listed NS older than a few months, I list them if
> they fit a pattern. Most of these will be porn and gambling sites from usual
> suspects, i.e. I'll see lots and lots of domains all sharing the same NS,
> advertised in similar spam mails.
[...]

> 4) I also list sites without SBL records on the NS if they are very recently
> registered (usually < 6 weeks) and they fit a pattern with regard to naming
> or what kind of spam subject lines / sender names are used. That takes care
> of discardable spam domains registered with Joker.com such as these:

Hi Joe,
All your observations and policies seem quite reasonable to me.
:-)

There can be some lag in SBL detecting new domains and new
spam gang name servers, so it's definitely true that
non-inclusion in SBL should not give new domains a "free
pass".  New domains not matching SBL can be real spammers.

Thanks also for sharing your research into the age of spam
domains!  It's very useful data, though it might also be
interesting to know how long a domain is used after it appears
in the first spams we detect.  Many are only used for a few
days according to a well-placed spam statistician I spoke with
before.  It's also interesting that some domains don't get
used immediately after registration.  (Note that I said
many spam domains only get used for a few days, not that
they only get used for a few days after registration.)

I've updated the domain age guidelines, taking into account
your research:

 "The older a domain is the less likely it should be listed.
  Most spam domains are used for 3 days then abandoned.
  Domains older than 90 days probably should not be added.
  Domains more than 1 year old usually should not be added.
  However, domains that use name servers listed in SBL as
  belonging to known spam operators can be included,
  regardless of age. (See below.)"

How does that sound?

Jeff C.
--
"If it appears in hams, then don't list it."



More information about the Discuss mailing list