[SURBL-Discuss] Re: New xs.surbl list

Jeff Chan jeffc at surbl.org
Sat Apr 23 12:19:10 CEST 2005


On Saturday, April 23, 2005, 2:59:29 AM, Raymond Dijkxhoorn wrote:
> Hi!

>>>> Yes, I agree too.  :-)  When I announced the list for testing I
>>>> said we'd start conservative to get a feeling for the data.
>>
>>> Could we maybe, just for testing, have two or more lists to test with
>>> different percentiles?
>>> 97.xs.surbl.org
>>> 98.xs.surbl.org
>>> etc...
>>
>>> Patrik
>>
>> Probably we'll try XS at the 98th percentile next, take out the
>> SURBL hits, and try to list only domains that are less than a
>> year old.
>>
>> How toes this sound to folks?

> It might be usefull info that if you allready block with DSBL on MTA level 
> the XS is rather useless. We have been testing overnight, 400.000 spams 
> passed, 2 were mentioned by XS and both would have been high spam allready 
> without XS anyway.

> So basicly if you block with DSBL i dont see a point using this.

The point is that DSBLs have delays in getting new IPs listed,
but the same URIs may tend to get advertised from fresh zombies.
Therefore if we get the URIs we will catch spams even before the
fresh zombie IPs get listed.

The particular set of data currently in XS won't show much 0 hour
spams because it's set so conservatively.  It takes a lot of
spams already seen to get included.  What is more interesting
to checking at this conservative setting is how spammy the
URIs it detects are.  When we crank down the settings and
catch more URIs sooner, then we should catch more zero hour
spams, including ones where the sender IPs don't show up on
RBLs yet (because URIs likely change more slowly than sender
IPs).

Jeff C.
--
"If it appears in hams, then don't list it."



More information about the Discuss mailing list