Jeff Chan jeffc at surbl.org
Thu May 18 11:50:34 CEST 2006

On Friday, May 12, 2006, 9:53:41 AM, Jeff Chan wrote:
> If a subdomain is listed, the subdomain should be checked.  It's
> not necessarily safe to check the base domain when a subdomain is
> listed.  For example if phishing.freehost.com is blacklisted,
> checking freehost.com is probably not a good idea.  I do realize
> this is somewhat off spec.

It's been pointed out that the description above may be somewhat
unclear.  To clarify, it's best to follow the specification:


1.  For GTLDs like com, net, org, info, biz, etc., check at the
second level.

2.  For CCTLDs listed in the two-level-tlds list, check at the
third level, etc.  For CCTLDs not in that list, check at the
second level.

A vast majority of the time, those will match the levels in the
blacklist.  In a few off-spec cases we blacklist subdomains, but
they are very rare and exceptional.  It's best not to code to
those rare exceptions, especially as it can double, triple, etc.,
the DNS queries largely unnecessarily.

The point about listed subdomains such as phishing.freehost.com
was to *not* check levels closer to the root (even if I didn't
explain that very clearly in the quote above).  While
phishing.freehost.com may be bad (and in theory ok to check),
freehost.com may not be.  Checking freehost.com could easily lead
to FPs. 

Really the best advice is to ignore the off-spec data.  It doesn't
help the results very much and arguably doesn't even belong in there.


Jeff C.
Don't harm innocent bystanders.
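
The two rules in the message above, written out as an added Python example (not part of the original post and not SURBL's own code). The function names and the three-entry suffix set are constructed for illustration; a real client would load the full two-level-tlds list.

```python
import ipaddress

# Constructed sample of two-level-tlds entries; the real list is much longer.
SAMPLE_TWO_LEVEL_TLDS = frozenset({"co.uk", "com.au", "com.br"})


def domain_to_check(hostname, two_level_tlds=SAMPLE_TWO_LEVEL_TLDS):
    """Return the one name to look up for hostname, or None if there is none."""
    host = hostname.strip().lower().rstrip(".")
    try:
        ipaddress.ip_address(host)
        return None  # IP literals are outside the two rules in this post
    except ValueError:
        pass
    labels = host.split(".")
    if len(labels) < 2 or not all(labels):
        return None  # single label or empty label: nothing to check
    # Rule 2: find the longest suffix present in the two-level-tlds list.
    suffix_len = 1  # Rule 1 default: the TLD alone, so check at the second level
    for n in range(len(labels), 1, -1):
        if ".".join(labels[-n:]) in two_level_tlds:
            suffix_len = n
            break
    if len(labels) <= suffix_len:
        return None  # hostname is itself a listed suffix such as "co.uk"
    # Exactly one label beyond the suffix; deeper subdomains are never tried.
    return ".".join(labels[-(suffix_len + 1):])


def names_to_query(hostnames, two_level_tlds=SAMPLE_TWO_LEVEL_TLDS):
    """Collapse hostnames to the sorted set of names needing one query each."""
    names = {domain_to_check(h, two_level_tlds) for h in hostnames}
    names.discard(None)
    return sorted(names)


if __name__ == "__main__":
    # Constructed hostnames, as they might be extracted from message URIs.
    hosts = ["phishing.freehost.com", "www.freehost.com",
             "shop.example.co.uk", "a.b.example.de"]
    print(names_to_query(hosts))
```

Each hostname yields a single lookup name, so many subdomains of the same host collapse into one DNS query.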

