From: "Marc Kool"

> Hi,
>
> Using quarantined spam and FNs I found out that the various SURBL lists lag behind the spammers.
> I consider it "normal" but also like to improve it.
>
> I only receive 20-50 spams per day and did an analysis and found out that the
> URLs of the spam messages are about domains using the same IP address.
>
> I found for example:
> 211.158.6.88 2giKe4V5C.simptompsakiana.org
> 211.158.6.88 5tYTNHYH.polishesofikals.org
> 211.158.6.88 7Z05PeUBKz.9H8UozoNv.pazdanimphos.org
> 211.158.6.88 9L88lRG.poisesneynano.org
> 211.158.6.88 9XA.1eX.fraklesneynano.org
> 211.158.6.88 BL4CLL.fraklesneynano.org
> 211.158.6.88 BlnXPOc7d.LURaH.bortsimisbortsimis.org
> 211.158.6.88 Cdj.2NJq2BanB.bortsimisbortsimis.org
> 211.158.6.88 DC.pikasxesros.org
> (and lots more)
>
> So I wonder if we could extend the SURBL module in SA to also verify the IP address of the URI
> in a (new?) surbl list.
>
> Marc

Marc

The SURBLs work only on URLs found within spam. They do not resolve these to IPs. Resolving them to IPs and checking against a dnsbl would require a different processing logic (and more processing time).

If that processing logic were implemented, then you would be identifying all domains that were hosted on an IP where there is/was a spammer domain as spammers. That will potentially increase FPs, the rule would not be so useful and its score would have to be decreased.

I cannot see any way to automatically tell whether 211.158.6.88 has ONLY spammer domains and therefore should be added to such a list of IPs.

Have you tried using ob.surbl.org? I think it catches most of the domains you mentioned.

John
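
The processing the two messages discuss, sketched offline as an added example (not part of the thread and not SpamAssassin or SURBL code): group URI hosts by resolved IP, then propose an IP only when every domain observed on it is already on a domain list. The zone name `ip-list.example`, the `LISTED` set and the `192.0.2.10` rows are constructed assumptions, and the check covers only domains seen in mail, so it cannot show that an IP hosts nothing else.

```python
import ipaddress
from collections import defaultdict

# (IP, URI host) pairs. The 211.158.6.88 rows come from the message above;
# the 192.0.2.10 rows are constructed to model a shared web host.
RESOLVED = [
    ("211.158.6.88", "2giKe4V5C.simptompsakiana.org"),
    ("211.158.6.88", "5tYTNHYH.polishesofikals.org"),
    ("211.158.6.88", "9XA.1eX.fraklesneynano.org"),
    ("211.158.6.88", "BL4CLL.fraklesneynano.org"),
    ("211.158.6.88", "DC.pikasxesros.org"),
    ("192.0.2.10", "www.shop.example"),
    ("192.0.2.10", "blog.club.example"),
    ("192.0.2.10", "promo.pills.example"),
]
# Constructed for the example: domains assumed to be on a domain list already.
LISTED = {"simptompsakiana.org", "polishesofikals.org", "fraklesneynano.org",
          "pikasxesros.org", "pills.example"}

def registered_domain(host):
    """Naive: last two labels, lowercased. Real code needs a public-suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def dnsbl_query_name(ip, zone="ip-list.example"):
    """Reversed-octet name an IPv4 DNSBL lookup uses (the zone is hypothetical)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def cluster_by_ip(pairs):
    """Map each IP to the set of registered domains observed resolving to it."""
    clusters = defaultdict(set)
    for ip, host in pairs:
        clusters[ip].add(registered_domain(host))
    return dict(clusters)

def ip_candidates(pairs, listed, min_domains=3):
    """IPs with at least min_domains observed domains, ALL of them already listed.
    A mixed IP (shared hosting) is skipped: listing it would hit unlisted domains."""
    out = {}
    for ip, domains in cluster_by_ip(pairs).items():
        if len(domains) >= min_domains and domains <= listed:
            out[ip] = dnsbl_query_name(ip)
    return out

if __name__ == "__main__":
    for ip, domains in cluster_by_ip(RESOLVED).items():
        print(ip, len(domains), sorted(domains - LISTED) or "all listed")
    print(ip_candidates(RESOLVED, LISTED))
```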