[SURBL-Discuss] use of surbl to check non-body content?

Steven Champeon schampeo at hesketh.com
Wed Oct 12 16:00:05 CEST 2005

on Wed, Oct 12, 2005 at 01:33:55AM -0400, Rob McEwen wrote:
> I have to correct something... I misspoke. I **used** to use SURBLs for
> checking headers. I had forgotten that I had stopped doing so a few months
> ago because (1) too many FPs (for my admitted strict standards), and (2) I
> made enough great improvements in others parts of my filtering that I felt I
> could back off on the SURBL-checking of headers.

I'd only be checking the From:, Reply-To:, and Message-Id: (and,
possibly, if I were to find a reason to do so, References: and
In-Reply-To:), not the Received: or To: or Cc: etc. By "find a reason"
I usually mean "get pissed that I got spam I could have blocked by the
proper and appropriate application of just one more check" ;)

I'll admit I share JeffC's confusion about why legit mail would contain
known spammer domains in the headers, but it sounds like you were more
referring to IPs that had been the result of resolving a spammy domain,

> Most often, if a FP occurred, it was because an IP address used in a
> spammer's URL would, for whatever reason, also appear in the headers of
> legit messages.

OK. Where in the headers? Do you recall? (No biggie if you can't)

> I recall catching about 50 extra spams a day on my 10K messages/day server
> by checking the header against SURBL. Statistically, not that much, but
> every 1/2 percent counts for something and these were ones which, at that
> time, wouldn't have been caught otherwise.

Good, that's what I'm hoping for. I'm literally down to <10/day, less
than that if you consider 419 spam the price of allowing hotmail to
relay to any of your users :/ I'd like to achieve a spam-free day here,
and I'm looking for the last in the line of defenses, without accepting
and analyzing the messages.

> I don't think that processing SURBL against headers was a big
> processing drain... but the FPs were too high for my very strict
> tastes. Still, it is a VERY good indicator of spam and might work well
> if integrated into a scoring system and not outright blocked for that
> alone.

My test implementation simply "tags" suspected messages with a header
for filtering via procmail. I haven't seen any hits or FPs yet, but it's
early days. But if my analysis is correct, it could mean as much as 1/3
of the spam I let in so far this month could have been caught and

hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2554 w: http://hesketh.com
antispam news, solutions for sendmail, exim, postfix: http://enemieslist.com/
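As an added illustration of the header check Steven describes (this is not code from the thread, from SURBL, or from hesketh.com), a Python sketch that pulls domains from From:, Reply-To:, Message-Id:, References: and In-Reply-To:, looks each up in the public multi.surbl.org zone, and tags hits with a header that procmail can score rather than blocking outright. The sample message is constructed and the lookup function is injectable, so the demo runs without DNS; the header name X-SURBL-Header is an assumption.

```python
import email
import re
import socket
from email.message import Message

# Headers the author said he would check (not Received:, To: or Cc:).
CHECKED_HEADERS = ("From", "Reply-To", "Message-ID", "References", "In-Reply-To")
SURBL_ZONE = "multi.surbl.org"
DOMAIN_RE = re.compile(r"@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")

# Constructed sample message; spammer.example is the only domain the fake list knows.
SAMPLE = (
    "From: Foo <foo@mail.spammer.example>\n"
    "Reply-To: x@good.example\n"
    "Message-ID: <1@host.good.example>\n\nbody\n"
)

def base_domain(host: str) -> str:
    """Reduce a hostname to the two-label domain SURBL lists (3-label
    ccTLDs such as co.uk need extra handling; omitted here)."""
    return ".".join(host.lower().strip(".").split(".")[-2:])

def header_domains(msg: Message) -> set:
    """Collect the domain after each '@' in the checked headers."""
    found = set()
    for name in CHECKED_HEADERS:
        for value in msg.get_all(name, []):
            found.update(base_domain(h) for h in DOMAIN_RE.findall(value))
    return found

def dns_listed(domain: str, zone: str = SURBL_ZONE) -> bool:
    """Real lookup: <domain>.<zone> resolves only if the domain is listed."""
    try:
        socket.gethostbyname(f"{domain}.{zone}")
        return True
    except OSError:
        return False

def tag_message(raw: str, listed=dns_listed) -> Message:
    """Parse the message and add an X-SURBL-Header tag procmail can match on;
    nothing is rejected outright, matching the scoring advice in the thread."""
    msg = email.message_from_string(raw)
    hits = sorted(d for d in header_domains(msg) if listed(d))
    if hits:
        msg["X-SURBL-Header"] = "hit " + " ".join(hits)
    return msg

if __name__ == "__main__":
    tagged = tag_message(SAMPLE, listed=lambda d: d == "spammer.example")
    print(tagged["X-SURBL-Header"])  # hit spammer.example
```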
