[SURBL-Discuss] Re: Spam in progress bit ...

Eric Montréal erv at mailpeers.net
Thu Aug 10 21:59:50 CEST 2006


opencomputing at gmail.com wrote:
>> When was the last time Microsoft got listed in surbl ?
>> Smaller lists might end up being sent from a false positive domain 
>> and the idea is that surbl test pattern
>> (queries/minutes, burst/continuous, historical comparisons, 
>> geolocation and perhaps other metrics) should
>> allow to differentiate between such a list and a spam run. 
>>
> Spammers could add some fake URIs like yahoo.com, gmail.com,
> microsoft.com to their spam runs so that their mails get a hammy
> score (if surbl gives a negative score using some whitelisted URIs).

No, because the 'Spam in Progress' bit could only be set for listed domains.

A domain would never be listed only because it's sending mail.
The 'Spam in Progress' bit would be asserted only if:
- The domain is already listed
and
- Global traffic matches the recipe for identifying a spam in progress
  (amount, number of different servers, geographic diversity (?), any
  other metric)

> Also, spammers could use a badly configured good intentioned mailing
> list like sourceforge.net or through services like yahoo.com, gmail.com
> etc could reduce the accuracy.
Same goes here, as long as sourceforge.net does not get listed, surbl
queries generated by their list won't have them listed.
Spammy can subscribe to any sourceforge lists he wants.

> Having a grey +ve score for URIs queried
> from MTAs with patterns matching a spam run is a nice idea though.
>
What's missing is data for ham / spam runs, so that it can be analyzed to
see what characteristics are a significant differentiator. However, that's
sensitive data, and it should be anonymized (last IP byte(s?)=0) before
being released, else it gives a map of who's using the service!
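
An added illustration, not code from this thread or from SURBL: the two ideas in the message above, applied to a constructed query log. The bit is gated on the domain already being listed, and client IPs have their last byte(s) zeroed before release. The thresholds, the window, the function names and the use of distinct /24 networks as a stand-in for server and geographic diversity are all assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: (epoch seconds, querying MTA IP, domain looked up).
# Addresses come from documentation ranges; domains are placeholders.
QUERIES = (
    [(1000 + i, f"192.0.2.{i + 1}", "listed-spam.example") for i in range(4)]
    + [(1010 + i, f"198.51.100.{i + 1}", "listed-spam.example") for i in range(3)]
    + [(1020 + i, f"203.0.113.{i + 1}", "listed-spam.example") for i in range(3)]
    + [(1000 + i, f"203.0.113.{50 + i}", "popular-ham.example") for i in range(10)]
    + [(1005, "192.0.2.77", "listed-quiet.example")]
)
LISTED = {"listed-spam.example", "listed-quiet.example"}  # already on the list


def anonymize(ip, zero_octets=1):
    """Zero the last `zero_octets` bytes of an IPv4 address before release."""
    prefix = 32 - 8 * zero_octets
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return str(net.network_address)


def anonymized_log(queries, zero_octets=1):
    """Copy of the log that is safe to share: same rows, truncated sources."""
    return [(ts, anonymize(ip, zero_octets), dom) for ts, ip, dom in queries]


def spam_in_progress(queries, listed, window=60, min_queries=8, min_networks=3):
    """Listed domains whose recent traffic matches the (assumed) recipe."""
    if not queries:
        return set()
    newest = max(ts for ts, _, _ in queries)
    count, networks = defaultdict(int), defaultdict(set)
    for ts, ip, dom in queries:
        # Unlisted domains are never counted, however heavily they are queried.
        if dom in listed and newest - ts < window:
            count[dom] += 1
            networks[dom].add(anonymize(ip))  # /24 granularity for diversity
    return {d for d in count
            if count[d] >= min_queries and len(networks[d]) >= min_networks}


if __name__ == "__main__":
    print(spam_in_progress(QUERIES, LISTED))
    print(anonymized_log(QUERIES)[:3])
```

Because diversity is measured at /24 granularity, the same result is obtained from the anonymized log as from the raw one, so the released data stays usable for this kind of analysis.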
