From: "Marc Kool"
> John Fawcett wrote:
> >
> > If that processing logic were implemented, then you would be identifying all
> > domains that were hosted on an ip where there is/was a spammer domain as
> > spammers.
> > That will potentially increase FPs, the rule would not be so useful and its
> > score would have to be decreased.
> >
> > I cannot see any way to automatically tell whether 211.158.6.88 has ONLY
> > spammer domains and therefore should be added to such a list of ips.
>
> Also true but somewhat theoretical if more than X spam domains are served
> from the same IP address (where X >= 3 ?)
>
Is X=3 satisfactory to not create FPs for big virtual hosting providers which
reuse IP addresses for many domains? What is the right value of X which will
scale so that it doesn't create FPs on large mail servers? (One of the
features of the surbl lists is the low FP rate and some people are using them
on very large mail servers).

> > Have you tried using ob.surbl.org? I think it catches most of the domains
> > you
> > mentioned.
>
> The surbl lists catch the mentioned domains _now_. But this spammer generates
> new ones regularly and it takes a while before the new domains are known
> and included in the surbl lists. I cannot estimate how many spams
> can get through in "a while" but I have noticed on my system that
> mails that were originally flagged non-spam were flagged spam a few hours
> later because the URIs were then included in an updated surbl list.
>
> To stop this process where the new domain can be included in URI's and is
> not (yet) included in surbl lists, the IP address could be included in
> the surbl list and hence this spammer has no time window any more where
> his spam gets undetected by surbl lookups.

I think the ob list is already having quite a lot of success in blocking newly
generated domains. When a spammer starts using a new domain and it hits an ob
spamtrap, if that domain has been recently registered, it gets blocked. Any idea
about how many of the new domains on same ips are being missed currently by
ob.surbl.org?

John
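
The trade-off debated in this thread (listing an IP once X already-listed domains are served from it, versus false positives on shared hosting), worked through as an added example that is not part of either poster's message. All domains, addresses, labels and the `sweep` helper are constructed for illustration; real data would not come with "new-spam"/"legit" labels.

```python
from collections import defaultdict

# Constructed sample: (domain, hosting IP, label). "listed" = already on a URI
# blocklist, "new-spam" = spammer domain not yet listed, "legit" = innocent site.
RECORDS = [
    # IP used only by one spammer, who keeps registering new domains
    ("pills-a.example", "192.0.2.10", "listed"),
    ("pills-b.example", "192.0.2.10", "listed"),
    ("pills-c.example", "192.0.2.10", "listed"),
    ("pills-d.example", "192.0.2.10", "listed"),
    ("pills-e.example", "192.0.2.10", "new-spam"),
    # Large virtual hosting provider: a few abusive customers among many
    ("junk-a.example", "198.51.100.20", "listed"),
    ("junk-b.example", "198.51.100.20", "listed"),
    ("junk-c.example", "198.51.100.20", "listed"),
    ("shop.example", "198.51.100.20", "legit"),
    ("blog.example", "198.51.100.20", "legit"),
    ("club.example", "198.51.100.20", "legit"),
    ("wiki.example", "198.51.100.20", "legit"),
    # Small host with a single abusive customer
    ("loan-a.example", "203.0.113.30", "listed"),
    ("bakery.example", "203.0.113.30", "legit"),
    ("choir.example", "203.0.113.30", "legit"),
]

def sweep(records, x):
    """Apply the rule 'list an IP once it serves >= x listed domains'.

    Returns (flagged_ips, new_spam_caught, legit_hit) for threshold x.
    """
    by_ip = defaultdict(lambda: defaultdict(list))
    for domain, ip, label in records:
        by_ip[ip][label].append(domain)
    flagged, caught, hit = [], [], []
    for ip, groups in sorted(by_ip.items()):
        if len(groups["listed"]) >= x:
            flagged.append(ip)
            caught += groups["new-spam"]   # the gain: no time window for new domains
            hit += groups["legit"]         # the cost: co-hosted domains now match
    return flagged, sorted(caught), sorted(hit)

if __name__ == "__main__":
    for x in (1, 3, 4):
        flagged, caught, hit = sweep(RECORDS, x)
        print(f"X={x}: IPs listed={flagged} new spam caught={caught} legit hit={hit}")
```

On this sample X=3 still lists the shared host and hits its four legitimate domains, and X=4 avoids that only because the host happens to have three listed customers, which is the scaling question raised above.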