From: "Marc Kool"
John Fawcett wrote:
> If that processing logic were implemented, then you would be identifying all domains that were hosted on an ip where there is/was a spammer domain as spammers. That will potentially increase FPs, the rule would not be so useful and its score would have to be decreased.
>
>> Unfortunately I am not in the position to find out which set of domains resolve to the spammer's IP address, but I strongly believe that very few providers put a spammer on a shared box.
>
> I cannot see any way to automatically tell whether 211.158.6.88 has ONLY spammer domains and therefore should be added to such a list of ips.
>
>> Also true but somewhat theoretical if more than X spam domains are served from the same IP address (where X >= 3 ?)
>
> Is X=3 satisfactory to not create FPs for big virtual hosting providers which reuse IP addresses for many domains?
>
> What is the right value of X which will scale so that it doesn't create FPs on large mail servers? (One of the features of the surbl lists is the low FP rate and some people are using them on very large mail servers).
>
> Have you tried using ob.surbl.org? I think it catches most of the domains you mentioned.
>
>> ob is good, but they lag behind the reality. This can never change because of the flow of the process: catch spam, verify it and add a domain to the list.
>>
>> The surbl lists catch the mentioned domains _now_. But this spammer generates new ones regularly and it takes a while before the new domains are known and included in the surbl lists. I cannot estimate how many spams can get through in "a while" but I have noticed on my system that mails that were originally flagged non-spam were flagged spam a few hours later because the URIs were then included in an updated surbl list.
>>
>> To stop this process where the new domain can be included in URIs and is not (yet) included in surbl lists, the IP address could be included in the surbl list and hence this spammer has no time window any more where his spam goes undetected by surbl lookups.
>
> I think the ob list is already having quite a lot of success in blocking newly generated domains. When a spammer starts using a new domain and it hits an ob spamtrap, if that domain has been recently registered, it gets blocked.
>
> Any idea about how many of the new domains on same ips are being missed currently by ob.surbl.org?
>
> John
I administer an email server for 5 domains and 120 active users. Since I only keep ham and spam for my own email account I can only report in detail for this account, for Jun 1 - Jun 10:

- 93 correctly classified ham emails
- 131 correctly classified spam emails
- 900+ whitelisted emails of various mailing lists
- 10 FNs (first classified as ham and "some" hours later correctly classified as spam) where "some" is between 1 and 10 hours.

ob and the other lists are good but lag behind. But note that registering a new domain name is relatively cheap and registering an IP address is not. Since spammers are aggressive we have to have means to fight their aggressive methods. I believe that putting known IP addresses in a surbl list can be a good and effective way: it makes operating cost for spammers higher and makes life difficult since they need to get new IP addresses far more quickly. Note that 211.158.6.88 has been used in spam since June 23 or *17 days*; with an IP address lookup many spams would be blocked without lagging behind the spammer.
To start another thread:

I am a contributor to the free URL database that can be used by squidguard and dansguardian, with a strong focus on sex sites (with 397000 domains). Although not every sex site sends spam, a mail administrator may want to implement a local policy to block emails that refer to sex sites (I would :-)

Does anybody want/need/like sex.surbl.org???

For a list like sex.surbl.org a feature to include IP addresses is a benefit, since 57% of the sex domains have 10 or more domains resolving to a single IP address.
Marc
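As an added illustration of the threshold-X proposal and the FP concern debated above (example code written here, not from the thread, SURBL or SpamAssassin), the following Python builds an IP list from a constructed domain-to-IP map and a constructed domain list, reports how many unlisted domains each listed IP would drag along, and shows a URI lookup catching a not-yet-listed domain through its IP. All domains, addresses and the "DNS" data are made up.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Constructed "DNS" data (not real hosts): domain -> IP. 198.51.100.7 hosts only
# spam domains, one of them too new to be listed yet; 203.0.113.9 is a shared
# host with a single listed spam domain among ham domains.
RESOLVE = {
    "spam-one.example": "198.51.100.7",
    "spam-two.example": "198.51.100.7",
    "spam-three.example": "198.51.100.7",
    "fresh-spam.example": "198.51.100.7",   # registered after the last list update
    "spam-four.example": "203.0.113.9",
    "shop.example": "203.0.113.9",
    "blog.example": "203.0.113.9",
    "school.example": "203.0.113.9",
}
# Constructed SURBL-style domain list; it lags behind, so fresh-spam.example is absent.
LISTED_DOMAINS = {"spam-one.example", "spam-two.example",
                  "spam-three.example", "spam-four.example"}

def build_ip_list(resolve, listed, x):
    """Return {ip: (spam_count, unlisted_count)} for every IP to which at least
    x listed domains resolve. unlisted_count is the number of other domains on
    that IP: new spam domains and innocent ones look alike here, which is the
    FP exposure that makes the choice of x matter."""
    by_ip = defaultdict(set)
    for dom, ip in resolve.items():
        by_ip[ip].add(dom)
    out = {}
    for ip, doms in by_ip.items():
        spam = doms & listed
        if len(spam) >= x:
            out[ip] = (len(spam), len(doms - listed))
    return out

def check_uris(uris, resolve, listed, ip_list):
    """Classify each URI host: 'domain' (host listed), 'ip' (host not listed but
    it resolves to a listed IP, closing the registration-to-listing window),
    or 'miss'."""
    result = {}
    for uri in uris:
        host = urlparse(uri).hostname
        if host in listed:
            result[uri] = "domain"
        elif resolve.get(host) in ip_list:
            result[uri] = "ip"
        else:
            result[uri] = "miss"
    return result
```

With x=3 only 198.51.100.7 is listed and http://fresh-spam.example/ is caught via its IP while http://shop.example/ passes; with x=1 the shared host 203.0.113.9 is listed too and shop.example becomes a false positive.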