Moving to the Users List.

Jeff Chan wrote:

On Monday, August 2, 2004, 6:00:21 AM, Albert Whale wrote:


Jeff Chan wrote:





uri       WS_URI_RBL  eval:check_spamcop_uri_rbl('ws.surbl.org','127.0.0.2')
describe  WS_URI_RBL  URI's domain appears in sa-blacklist
tflags    WS_URI_RBL  net

score WS_URI_RBL 3.0





Well, if the RBL contains a score of 3.0 and the minimum for detection is a 5 or a 6, how is this of any value? Do you see a little of what I mean?



The reason for a score below the threshold is to mitigate false
positives by requiring other rules to also fire. That's a basic
feature of Spam Assassin, and it's more of a diverse, collaborative
approach to detecting spam than outright blocking based on a
single characteristic. Certainly, if you're comfortable with the
lack of false positives in a given SURBL rule, or any other rules
for that matter, you can raise the score of that rule. Adjusting
scores and choosing rules is how you can tune SA to your liking
and to the type of mail you get.


Agreed, I understand this wholly.



I guess the issue here, Jeff, is that there are a few million injections of the message before it makes it into the Database. I want to detect it as soon as it occurs (and not require that it be relying on any other device externally for the detection).


How does the IP Address make it into the SURBL List?



Well first, SURBLs don't have many IP addresses. Most entries
in the lists are domain names.


Most Phishers are based on IP Addresses. Is the SURBL a Good Match, or am I attempting to develop a New Detection Tool?

Second it doesn't take "a few million" messages for an entry
to get onto a SURBL list. For some of the lists it requires
only one to be detected. Please see the Lists document on
our site for more information:


Well, I say a Few million get out of the Phishers, before someone reports it. I want to detect it, and stop it before needing to rely on a first responder acting on behalf of someone else. I guess I am looking for this new Detection tool to be the First Responder.

This certainly is NOT going to replace the lists in the SURBL, but it may also permit that this detection could 'feed' data into the SURBL.

Back to a previous point. Since most Phishers are using IP Addresses in the Web Link, is there an existing test for this, or do I need to develop it?

 http://www.surbl.org/lists.html

Also unless there's a specific development issue here, this
discussion should probably move to the spamassassin-users
list.

Jeff C.




--
Albert E. Whale, CISSP - Sr. Security, Network, and Systems Consultant
--------------------------------------------------------------------------------
http://www.abs-comptech.com & http://www.No-JunkMail.com ABS Computer Technology, Inc. - ESM, Computer & Networking Specialists
SPAM ZapperTM - No-JunkMail.com - Spam-Zapper.com - SPAM Stops Here.
President of the Pittsburgh InfraGard
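
The two points discussed in this message, shown together as an added example that is not code from either poster or from the SpamAssassin or SURBL projects: a local check for URIs whose host is an IP-address literal, and additive scoring in which the 3.0-point WS_URI_RBL hit alone stays under the threshold. The rule name LOCAL_IP_URI, its score, the threshold of 5.0 and the sample body are assumptions, and the DNS lookup is passed in as a function so the example runs offline.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Zone, answer and score come from the WS_URI_RBL rule quoted in the thread.
SURBL_ZONE, LISTED_ANSWER, WS_URI_RBL_SCORE = "ws.surbl.org", "127.0.0.2", 3.0
# Assumptions: threshold of 5 (the thread says "a 5 or a 6") and a
# hypothetical local rule LOCAL_IP_URI with a constructed score.
REQUIRED_SCORE, IP_URI_SCORE = 5.0, 2.5
# Constructed sample body (192.0.2.0/24 is a documentation address range).
SAMPLE_BODY = "Verify your account at http://192.0.2.10/login today."
URI_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

def uri_hosts(body):
    """Return the lower-cased host of every http(s) URI found in the body."""
    hosts = []
    for uri in URI_RE.findall(body):
        try:
            host = urlsplit(uri).hostname
        except ValueError:  # malformed URI, e.g. unbalanced brackets
            continue
        if host:
            hosts.append(host.lower())
    return hosts

def ip_literal(host):
    """Return an IPv4Address if the host is a dotted-quad literal, else None."""
    try:
        return ipaddress.IPv4Address(host)
    except ValueError:
        return None

def surbl_query_name(host):
    """Build the DNS name to query: octets reversed for an IP literal.
    Simplification: a real client first reduces a hostname to its registered domain."""
    ip = ip_literal(host)
    if ip is not None:
        return ".".join(reversed(str(ip).split("."))) + "." + SURBL_ZONE
    return host + "." + SURBL_ZONE

def score_message(body, lookup):
    """Sum rule scores; lookup(name) returns an A record string or None."""
    hosts = uri_hosts(body)
    hits = {}
    if any(ip_literal(h) is not None for h in hosts):
        hits["LOCAL_IP_URI"] = IP_URI_SCORE  # fires with no external list
    if any(lookup(surbl_query_name(h)) == LISTED_ANSWER for h in hosts):
        hits["WS_URI_RBL"] = WS_URI_RBL_SCORE
    total = sum(hits.values())
    return hits, total, total >= REQUIRED_SCORE
```
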




