[SURBL-Discuss] use of surbl to check non-body content?

Catherine Hampton ariel at spambouncer.org
Wed Oct 12 18:24:49 CEST 2005


> I have found through experience that the FP rate is considerably higher when
> checking headers with SURBL. I can't even recall ALL the reasons why... but
> I know empirically... from actual experience... that this is true.
> (especially with IP addresses)

I can second this.  I did some testing just for my own curiosity
a while back because plenty of spammers, even those sending through
open proxies, use their own registered domains to HELO and/or
in the From: line.  However, I found that the following stuff
causes FPs:

 * With IPs, often an IP that is used directly in a spam is on
   a hacked server that is not supposed to be a web server.  If
   you block URIs on the IP, you get no false positives.  If you
   block on headers, you often do, especially if you block on 
   all foreign IPs rather than the first external IP/"handoff
   IP".  That's because these trojaned servers also have a "real
   life" as something else, often a DNS or mail server (if a 
   server), or a user workstation.  If you deliberately want to
   cause FPs to pressure the owners to clean up the trojan,
   fine, but that is not what SURBLs are intended to do.  That's
   SPEWS or (to a much lesser extent) the SBL.

 * With domains, phishers and (increasingly) spammers are hosting
   web pages on hacked servers and using that server's domain in
   the spam URI.  If you block on headers, again, you have a real
   risk of blocking legitimate email.

I'd like to see a larger, more conservatively run RHSBL for headers
than the AHBL RHSBL.  But right now, there isn't one.


-- 
Catherine Hampton <ariel at spambouncer.org>
The SpamBouncer         *     <http://www.spambouncer.org/>
Personal Home Page      *         <http://www.devsite.org/>
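The following is an added illustration, not code from the list post or from the SURBL project, of the distinction the post draws: which lookup names a filter would send to a SURBL under three policies, body URIs only, the first external ("handoff") IP only, and every header-derived host (all Received IPs plus the From: domain). The sample message, the trusted network ranges and the helper names are constructed for the example; the lookup-name format (domain or reversed IP followed by the multi.surbl.org zone) follows SURBL's public documentation, and the registrable-domain reduction is deliberately simplified to the last two labels, which is wrong for ccTLD second-level domains. No DNS queries are made; the code only builds the names.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List, Optional

SURBL_ZONE = "multi.surbl.org"  # public combined SURBL zone

URI_RE = re.compile(r"https?://([A-Za-z0-9.\-]+)", re.IGNORECASE)
RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample message (documentation IP ranges, .example domains).
# Top Received: header is the most recent hop, i.e. the site's own MX.
SAMPLE_MSG = """Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby mail.example.org with ESMTP; Wed, 12 Oct 2005 18:00:00 +0200
Received: from relay.example.com (relay.example.com [198.51.100.7])
\tby mx.example.net with ESMTP; Wed, 12 Oct 2005 17:59:00 +0200
Received: from [203.0.113.45] (helo=spammer-domain.example)
\tby relay.example.com with SMTP; Wed, 12 Oct 2005 17:58:00 +0200
From: "Promo" <offer@spammer-domain.example>
To: victim@example.org
Subject: test
Content-Type: text/plain

Click http://203.0.113.45/login or https://www.hacked-host.example/pay?id=1
"""


def uri_hosts(body: str) -> List[str]:
    """Host part of every http(s) URI in the body, lower-cased, de-duplicated."""
    hosts: List[str] = []
    for m in URI_RE.finditer(body):
        h = m.group(1).lower().rstrip(".")
        if h not in hosts:
            hosts.append(h)
    return hosts


def surbl_query_name(host: str) -> str:
    """DNS name to look up for one host.

    An IP is queried with its octets reversed. A hostname is reduced to its
    registrable domain; this example simply keeps the last two labels, which
    is an assumption that breaks for ccTLDs such as co.uk (real code uses
    SURBL's published two- and three-level TLD lists)."""
    try:
        ip = ipaddress.IPv4Address(host)
        return ".".join(reversed(str(ip).split("."))) + "." + SURBL_ZONE
    except ipaddress.AddressValueError:
        return ".".join(host.split(".")[-2:]) + "." + SURBL_ZONE


def received_ips(raw: str) -> List[str]:
    """Bracketed IPs from every Received: header, most recent hop first."""
    msg = message_from_string(raw)
    ips: List[str] = []
    for hdr in msg.get_all("Received", []):
        m = RECEIVED_IP_RE.search(hdr)
        if m:
            ips.append(m.group(1))
    return ips


def handoff_ip(raw: str, trusted_cidrs: List[str]) -> Optional[str]:
    """First Received: IP outside our trusted networks: the host that
    actually handed the message to our infrastructure."""
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    for ip in received_ips(raw):
        if not any(ipaddress.ip_address(ip) in n for n in nets):
            return ip
    return None


def body_candidates(raw: str) -> List[str]:
    """Policy the post recommends: query only hosts found in body URIs."""
    msg = message_from_string(raw)
    return [surbl_query_name(h) for h in uri_hosts(msg.get_payload())]


def header_candidates(raw: str) -> List[str]:
    """Policy the post warns against: query every Received: IP and the From:
    domain. On the sample this drags in our own MX and the legitimate relay."""
    msg = message_from_string(raw)
    names = [surbl_query_name(ip) for ip in received_ips(raw)]
    from_domain = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    if from_domain:
        names.append(surbl_query_name(from_domain))
    return names


if __name__ == "__main__":
    print("body URIs   :", body_candidates(SAMPLE_MSG))
    print("handoff IP  :", handoff_ip(SAMPLE_MSG, ["192.0.2.0/24"]))
    print("all headers :", header_candidates(SAMPLE_MSG))
```

Run it and compare the three lists: the body-URI policy yields only the two hosts the spammer actually advertised, the handoff policy yields one IP (and which one depends entirely on how carefully the trusted ranges are maintained), and the all-headers policy also produces lookup names for the site's own MX and for the forwarding relay, which is exactly the class of host the post describes as having a "real life" as something other than a spam web server.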

