[SPAM-TAG] [SURBL-Discuss] Subdomains in SURBL

Jeff Chan jeffc at surbl.org
Sat May 13 10:52:20 CEST 2006


On Friday, May 12, 2006, 12:47:10 PM, SM SM wrote:
> At 09:31 12-05-2006, Brandon Hutchinson wrote:

>>Using the "www.freecat.biz" example: assuming this is a phishing domain,
>>would also including "freecat.biz" in SURBL be a bad idea? Are there cases
>>where we should "trust" the base domain even when a subdomain is used in a
>>phishing email?

> You would look up freecat.biz in the above example.  See 
> http://www.surbl.org/implementation.html for implementation 
> guidelines.  If it is a phishing email, I would not trust the base 
> domain.

Probably we're not providing enough context to be clear.
Brandon's concern was that there were records like
www.freecat.biz in the blacklists that won't match the type of
checking specified in the Implementation Guidelines:

  http://www.surbl.org/implementation.html

Normally we would blacklist freecat.biz, not www.freecat.biz, if
the domain were known bad.  In a few rare cases hosts or
subdomains are blacklisted where the domain may be ok, but the
host or subdomain isn't.  So phishing.legitimate-free-host.com
might be blacklisted.  That actually violates our own
specification, so in a sense it's not too clever for us to
blacklist.  So that's addressing an inconsistency on the
blacklist data side.

On the application side, if phishing.legitimate-free-host.com or
www.freecat.biz appeared in a message, they should properly be
reduced to legitimate-free-host.com and freecat.biz before
checking against the blacklists.  Unless the unqualified domains
were actually blacklisted, they would not match (www.freecat.biz
is not the same as freecat.biz).  In a sense that is an error: a
mismatch between the blacklist data and the application's
handling of message URI data.  But the error is really on the
data side, so there's no need to do anything off-spec with the
applications.  Yes, it may cause a few spams or phishes to be
missed, but they're very rare and obscure. 

HTH,

Jeff C.
--
Don't harm innocent bystanders.
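
The mismatch described in the message above, as an added Python example that is not part of the original post or of SURBL's own code. The function names, the two-entry two-level TLD set and the sample blacklist are constructed for illustration, and the `multi.surbl.org` zone is assumed as the lookup zone; IP-literal URIs are out of scope here.

```python
# Constructed stand-in for the two-level TLD list a client consults (assumption).
TWO_LEVEL_TLDS = {"co.uk", "com.au"}

# Constructed sample data, not real SURBL contents. The first two entries are
# host-level records of the kind the message calls off-spec.
SAMPLE_BLACKLIST = {
    "www.freecat.biz",
    "phishing.legitimate-free-host.com",
    "knownbad.example",
}


def base_domain(host):
    """Reduce a hostname from a message URI to the domain a client looks up."""
    labels = host.lower().rstrip(".").split(".")
    # Keep three labels when the last two form a known two-level TLD.
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_TLDS:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def query_name(host, zone="multi.surbl.org"):
    """DNS name a spec-following client would query for this host."""
    return base_domain(host) + "." + zone


def is_listed(host, blacklist):
    """Application side: only the reduced domain is compared with the data."""
    return base_domain(host) in blacklist


def unreachable_entries(blacklist):
    """Data side: records that no spec-following lookup can ever match."""
    return sorted(entry for entry in blacklist if base_domain(entry) != entry)


if __name__ == "__main__":
    for host in ("www.freecat.biz", "mail.knownbad.example"):
        print(host, "->", query_name(host), "listed:", is_listed(host, SAMPLE_BLACKLIST))
    print("records to fix on the data side:", unreachable_entries(SAMPLE_BLACKLIST))
```

Running `unreachable_entries` over a blacklist export flags the host-level records so they can be corrected in the data rather than by changing how clients reduce URIs.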


