[SURBL-Discuss] use of surbl to check non-body content?

Jeff Chan jeffc at surbl.org
Wed Oct 12 17:02:19 CEST 2005


[Rob confirmed he meant to send his reply below to the list.
Here's my reply to his (unintentionally) private reply.]

On Wednesday, October 12, 2005, 7:14:51 AM, Rob McEwen wrote:
>>Were you resolving SURBL domains
>>then checking resolved IPs against header IPs?

> No, I wasn't. Even though IPs on SURBL are rare, when they do occur, they
> are prime candidates for FPs if/when checking headers.

> Of course, SURBL FPs on the body of the message are already extremely
> rare... But, even so, because we've been constantly making improvements in
> that area as well, it is entirely possible that SURBL FPs when checking
> against headers might be MORE rare now than in previous months... again,
> this being due to our steady and constant across-the-board improvements.

While it's true that many of the IPs that appear on SURBLs are
probably zombies and those zombies could be used as senders, this
is straying pretty far from the original purpose of the lists.

Probably something like CBL or XBL would be much better general
compromised sender lists to check against message headers.  Even
something like a Dynamic IP list like dynablock.njabl.org may be
a better indicator of zombie-ness.

I have not done any research, but far more of the zombies are
probably on those lists than as IPs on SURBLs.

BTW you sent your reply privately.  May I post this?

Jeff C.
--
Don't harm innocent bystanders.
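
Added illustration of the distinction drawn in the reply above (not code from the post or from the SURBL project): sender-IP lists such as CBL or XBL are keyed on the relay IPs found in Received headers, queried as reversed octets under the list's zone, while an IP inside a body URI is the kind of data SURBL covers. The zone names `cbl.abuseat.org` and `xbl.spamhaus.org` are assumptions for the CBL and XBL the post names, the message is a constructed sample, and the code only builds the query names without doing any DNS lookups.

```python
import email
import ipaddress
import re

# Constructed sample message (documentation-range addresses, not real traffic).
SAMPLE = """\
Received: from mx.example.net (mx.example.net [198.51.100.7])
\tby mail.example.org with ESMTP; Wed, 12 Oct 2005 08:00:02 -0700
Received: from pc (unknown [192.168.1.20])
\tby mx.example.net with SMTP; Wed, 12 Oct 2005 08:00:01 -0700
From: sender@example.net
Subject: test

Visit http://203.0.113.9/offer
"""

# Assumed zones: dynablock.njabl.org is named in the post, the other two are
# the commonly published zones for CBL and XBL.
SENDER_ZONES = ["cbl.abuseat.org", "xbl.spamhaus.org", "dynablock.njabl.org"]

# Addresses that can never be listed senders (RFC 1918 and loopback).
NOT_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def header_ips(raw):
    """Return routable IPv4 relay addresses from Received headers, top-down."""
    msg = email.message_from_string(raw)
    found = []
    for value in msg.get_all("Received", []):
        for text in re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", value):
            try:
                ip = ipaddress.IPv4Address(text)
            except ValueError:  # e.g. an octet above 255
                continue
            if ip not in found and not any(ip in net for net in NOT_ROUTABLE):
                found.append(ip)
    return found


def dnsbl_names(ip, zones=SENDER_ZONES):
    """Build the reversed-octet query name for each sender-IP zone."""
    rev = ".".join(reversed(str(ip).split(".")))
    return [f"{rev}.{zone}" for zone in zones]


if __name__ == "__main__":
    for ip in header_ips(SAMPLE):
        print(ip, dnsbl_names(ip))
```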


