On Thursday, September 9, 2004, 3:22:39 PM, Scott Crosby wrote:

> On Thu, 9 Sep 2004 16:56:33 -0400, Chris Santerre <[EMAIL PROTECTED]> writes:
>
> How does this sound? Combine spamtraps with SURBL, using the IP as a
> hint to fully automatically add on the new domain. If a spamtrap email
> includes a URL that resolves to a server that has the same IP as
> another server already on the SURBL blacklist, automatically and
> immediately add the new domain to SURBL. One could also use shared DNS
> servers as a similar hint. If a new domain in a spamtrap shares a DNS
> server with an already listed domain, add it to SURBL automatically.
>
> We should be a bit more careful than this --- require that a new URL
> has to resolve to the same IP address as, say, at least 3 other SURBL
> entries before being automatically added on. Also, there should be
> a list of IP's for which this automatic logic won't be
> triggered. This would be important for a poorly run but popular
> virtual server that's slow at kicking off spamvertized sites.
>
> This way you can catch spammers who create new domains on an existing
> IP address automatically and close to instantaneously. There's also
> little to no chance of accidentally blacklisting a popular virtual
> server. Spammers can't get any completely innocent domain or IP onto
> SURBL automatically. It must have at least some prior listings.
>
> Scott

Yes, the nameserver part is a new idea, and we would not explicitly fold trap data* in, but the IP part is in my designs already for the next version:

http://www.surbl.org/faq.html#numbered

> However the next version of the sc.surbl.org data engine
> probably will be a hybrid name and number approach, where if a
> domain resolves into an IP address commonly used with
> spamvertised sites, then that domain will get added to
> sc.surbl.org probably with the first report. (Note that this
> still requires at least one report, but the threshold for
> inclusion will be radically lower for major spam operators who
> repeatedly use the same IP address for their hosting.) The next
> version of the data engine may also use the IP addresses in the
> sbl.spamhaus.org list to similarly short-circuit the process
> and include any newly reported domains resolving into those
> addresses immediately upon their first report. That should make
> for a more responsive list without much chance of increasing
> false positives.
>
> This hybrid approach will move sc.surbl.org much closer towards
> the behavior of a number-based approach, though domains will
> still need that initial report, whereas a numbered list would
> catch the whole server IP address.
>
> Of course a downside of using numbers is that they can false
> positive any legitimate domains that happen to be hosted on the
> same IP address as a spam site. That could be disastrous for a
> large web hosting company that had one bad apple. That's
> another major reason why we went with names and not numbers.
> Numbers can be overly broad, whereas names are highly specific
> to the advertised site. To us names are a finer tool: if 30% of
> the domains on a given IP address are used by spammers, we
> could list all of them and not affect the 70% non-spam domains
> that unfortunately happen to share the same IP address. That
> specificity is a strong benefit of using domain names.

I'd rather work on this than spending time defending the current practices, which are already collectively pretty well thought out.

* spam trap data is already indirectly used in SURBLs.

Jeff C.
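The IP-sharing rule Scott proposes (auto-list a trapped domain only when its IP already hosts at least 3 listed domains, and never for IPs on an exemption list) as an added, stand-alone example; this is not code from the thread or from the SURBL project, it uses a constructed resolution table instead of live DNS, and it leaves out the shared-nameserver hint.

```python
from collections import defaultdict

# Constructed resolution table standing in for real DNS lookups (not real hosts).
RESOLVES = {
    "spam-a.example": "203.0.113.10",
    "spam-b.example": "203.0.113.10",
    "spam-c.example": "203.0.113.10",
    "new-spam.example": "203.0.113.10",  # shares an IP with 3 listed domains
    "spam-g.example": "203.0.113.20",
    "lone.example": "203.0.113.20",      # only 1 listed neighbour: below threshold
    "spam-d.example": "198.51.100.5",
    "spam-e.example": "198.51.100.5",
    "spam-f.example": "198.51.100.5",
    "innocent.example": "198.51.100.5",  # busy virtual host, exempted below
    "fresh.example": "192.0.2.77",       # no prior listings on this IP at all
}
LISTED = {"spam-a.example", "spam-b.example", "spam-c.example", "spam-g.example",
          "spam-d.example", "spam-e.example", "spam-f.example"}
EXEMPT_IPS = {"198.51.100.5"}  # popular shared host: the automatic rule never fires here

def listed_domains_by_ip(listed, resolves):
    """Index the currently listed domains by the IP each one resolves to."""
    index = defaultdict(set)
    for domain in listed:
        ip = resolves.get(domain)
        if ip:
            index[ip].add(domain)
    return index

def should_auto_list(domain, listed, resolves, exempt_ips, threshold=3):
    """Decide whether a domain seen in a spamtrap message is listed automatically.

    Returns (decision, reason). A domain is never listed on its own: it must
    resolve to an IP that already carries `threshold` listed domains.
    """
    if domain in listed:
        return False, "already listed"
    ip = resolves.get(domain)
    if ip is None:
        return False, "does not resolve"
    if ip in exempt_ips:
        return False, f"{ip} is exempt from automatic listing"
    neighbours = listed_domains_by_ip(listed, resolves).get(ip, set()) - {domain}
    if len(neighbours) >= threshold:
        return True, f"{ip} already hosts {len(neighbours)} listed domains"
    return False, f"{ip} hosts only {len(neighbours)} listed domains (< {threshold})"

if __name__ == "__main__":
    for d in ("new-spam.example", "lone.example", "innocent.example", "fresh.example"):
        print(d, should_auto_list(d, LISTED, RESOLVES, EXEMPT_IPS))
```

Without the exemption set, innocent.example would be auto-listed purely for sharing an IP with three listed domains, which is exactly the shared-host false positive the exemption list exists to prevent.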