[SURBL-Discuss] RFC: Storm URI IPs to XS list?

Jeff Chan jeffc at surbl.org
Sat Aug 18 23:18:24 CEST 2007

Thanks to everyone for the comments so far.  To respond to some of the

1.  A Spamassassin rule would need to be added to tell it to use the 128th bit
if we added XS to multi; for 3.2:

urirhssub	URIBL_XS_SURBL	multi.surbl.org.	A   128
body		URIBL_XS_SURBL	eval:check_uridnsbl('URIBL_XS_SURBL')
describe	URIBL_XS_SURBL	Contains an URL listed in the XS SURBL blocklist
tflags		URIBL_XS_SURBL	net

(Don't add this yet, the list is not active yet.)

2.  Generally IPs are not used in URIs, so the chance of FPs should be small. 
People hosting web sites on dynamic IPs usually use dynamic DNS to refer to 
them by domain names instead.

3.   Risk of FPs generally increase where SURBLs are incorrectly used as IP
blacklists, where domains are resolved and checked against SURBLS, where SURBLs
are used to check headers, etc.  All of those are arguably misuses.  SURBLs
should only be used to check message body URIs.  Other unintended uses may give
unexpected results.

4.  Yes, the IPs would be expired. (All SURBL records should be expired.) The
optimal expiration time is yet to be determined but would probably be a few
days.  Does anyone have data on how long a give IP is advertised?

5.  Regarding blacklisting AOL's web site IP addresses, given that they are 
usually referred to by domain name and not IP, it should not have any
significant impact.  (But see #3.)  If they did get added, we could remove or
whitelist them.

6.  We may put additional filters on the IPs like needing to be on PBL, SBL,
XBL, etc.  AOL/Google/Yahoo/MSN's IPs probably aren't on any major blacklists,
so that would be another way to prevent possible FPs.  We may also use internal
IP whitelists.

7.  Regarding Paul's concern about cracked university servers, #2 should apply. 
Presumably most universities, etc., refer to their web sites by domain name and
not IP.  (See #3 again too.)


Jeff C.

More information about the Discuss mailing list