[SURBL-Discuss] RFC: New SURBL based on exploited senders?

Patrik Nilsson patrik at patrik.com
Thu Mar 24 20:30:23 CET 2005


At 03:21 2005-03-24 -0800, Jeff Chan wrote:
>intensive.)  They may be able to process up to a hundred times as
>many of their messages for us (i.e. 6M a day) if this moves
>forward, though even that would be only a small fraction of their
>trap hits.

Is there anything we can do to increase this fraction? Donate CPU cycles, etc?

>Even after whitelisting there are still a few legitimate-looking
>domains coming through, so one idea would be to list the records
>up to the 96th or 97th percentile, but for the remaining ones
>with fewer hits, only list those that also appeared in existing
>SURBLs,

The ones in existing SURBLs are not really that interesting, unless we are 
looking for a confirmation that what is listed should stay listed. The main 
point of working on this particular setup would be catching additional 
domains, not confirming already listed ones, right?

>or resolved into sbl.spamhaus.org,

Might seem like a redundant check for people that are used to running SA 3 
with uridnsbl, but for people using other SURBL implementations, that are 
not implementing anything like the uridnsbl "check dns servers for the 
domain against SBL", this might be very useful for catching additional spam 
domains.

>or where the sending
>software was clearly spamware.  Hopefully that would reduce FPs
>in these records with fewer hits, but still let us "pull some
>useable data out of the noise" and list some of the less
>frequently appearing records.

I think that the important thing for putting efforts into something like 
this would be to catch more of the zero-hour domains currently slipping by 
SURBL for a couple of hours, rather than to just confirm current listings. 
Agreed?

Patrik 
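
An added example, not part of the original message or of SURBL's own tooling: one way the listing rule quoted above could be expressed, assuming "up to the 96th percentile" means the highest-hit domains that together account for 96% of trap hits. The record fields, function name and sample data are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Record:
    domain: str
    hits: int                        # spam-trap hits attributed to this domain
    in_existing_surbl: bool = False  # already on another SURBL list
    in_sbl: bool = False             # resolved into sbl.spamhaus.org
    spamware_sender: bool = False    # sending software was clearly spamware

def select_listings(records, whitelist, percentile=96):
    """Return {domain: reason} for every domain the rule would list."""
    candidates = sorted((r for r in records if r.domain not in whitelist),
                        key=lambda r: r.hits, reverse=True)
    total = sum(r.hits for r in candidates)
    listed, cumulative = {}, 0
    for r in candidates:
        # Head: hits seen so far are still below the cut-off share of all hits.
        in_head = cumulative * 100 < percentile * total
        cumulative += r.hits
        if in_head:
            listed[r.domain] = "volume"
        elif r.in_existing_surbl:
            listed[r.domain] = "existing SURBL"
        elif r.in_sbl:
            listed[r.domain] = "SBL"
        elif r.spamware_sender:
            listed[r.domain] = "spamware"
        # Low-hit records with no corroboration stay unlisted (FP risk).
    return listed

# Constructed sample data; all domains are placeholders.
WHITELIST = {"legit-news.example"}
SAMPLE = [
    Record("spam-a.example", 5000),
    Record("spam-b.example", 3000),
    Record("spam-c.example", 1500),
    Record("legit-news.example", 400),
    Record("spam-d.example", 200),
    Record("fresh-1.example", 120, in_sbl=True),
    Record("fresh-2.example", 90, spamware_sender=True),
    Record("smallshop.example", 60),
    Record("old-tail.example", 30, in_existing_surbl=True),
]

if __name__ == "__main__":
    for domain, reason in select_listings(SAMPLE, WHITELIST).items():
        print(f"{domain:22} {reason}")
```

In the sample, only the entries listed for "SBL" or "spamware" are low-hit domains that no existing SURBL already carries.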


