Jeff Chan wrote on Sat, 11 Sep 2004 03:30:20 -0700:

> We already handle domain names and IP addresses that appear in
> URIs.  If IPv6 is ever globally routable and referred to in
> URIs, we will handle them also.

Ah, I see. So, in this case you handle IPs as if they were domains?

> 
> > 2. It's being said that there's a high chance of collateral damage because 
> > of virtual hosting. Is it? If you simply go to the sites in Chris' list by 
> > IP instead of hostname you find them showing a spammer page. I'd say 
> > there's a high probability if the default domain on that IP is a spammer 
> > domain all the rest will be as well.
> 
> That's probably true, but it's not the issue we are addressing.
> The main problem is what would happen if we listed the IP address
> of a shared virtual host because one of the domains on the server
> got listed. 

But that's not what Chris was referring to. The given list seems to contain IPs 
which are "guaranteed" to host only spam. Of course, I don't know how much more 
effective this would be compared to the current method and given a quick add cycle 
for new domains. It would be worth testing it on a small scale before even 
thinking about putting it on SURBL. But as far as I know there's no rule for 
looking up a domain's IP and then checking that IP in an RBL or a flat file, is 
there? If such a rule exists one could set up an rbldns privately just with those 
few IPs and test it for a while.

> 
> In other words say there are a hundred different domains on a
> shared virtual host.  If one domain on that host got abused,
> and we resolved that one domain into an IP address, then listed
> that IP address (and had code to do similar resolution on the
> spam-checking client side) then we have blocked access to the
> other 99 sites.

No. You have blocked mail including links to domains on that IP. That's quite 
different and I think it reduces the FP potential quite a lot.

> No, that's not what we were proposing.  We were proposing to
> remember the /24s on the data server and use that information
> for biasing newly reported domains to get the *new domains* on the
> lists sooner.

Ok, so, what you want to use is a probability of a new domain being a spam 
domain because it resolves in that range, correct?

> Not if spamhaus is conservative about adding only name servers
> that are purely used by spammers.

But these seem to be used quite rarely, I'm not sure if that rule is worth the 
lookup at all. I haven't seen a lot, if any, occurrences of the spamhaus rule in 
spam reports. I've got to check.



Kai

-- 

Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org
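
The two checks discussed in this message (listing a resolved IP versus only biasing on a remembered /24), sketched as an added example that is not part of the original post and is not SURBL or SpamAssassin code. All data is constructed from documentation address ranges, DNS is replaced by a lookup table so it runs offline, and the zone name in the usage note is hypothetical.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample data, not real listings.
LISTED_IPS = {"192.0.2.10"}                             # private flat-file list of IPs
SPAM_NETS = [ipaddress.ip_network("198.51.100.0/24")]   # /24s remembered from past listings
FAKE_DNS = {                                            # stand-in for A-record lookups
    "pills.example": "192.0.2.10",
    "bakery.example": "192.0.2.10",     # unrelated site on the same shared host
    "newdomain.example": "198.51.100.77",
    "blog.example": "203.0.113.5",
}
URI_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

def uri_hosts(body):
    """Distinct host parts of the http(s) URIs in a message body, in order."""
    hosts = []
    for uri in URI_RE.findall(body):
        host = urlsplit(uri).hostname
        if host and host not in hosts:
            hosts.append(host)
    return hosts

def dnsbl_name(ipv4, zone):
    """Reversed-octet name a client would query in an IP-based DNSBL (IPv4 only)."""
    return ".".join(reversed(ipv4.split("."))) + "." + zone

def check_host(host, resolve=FAKE_DNS.get):
    """Return 'ip-listed', 'net-bias', 'clean' or 'unresolved' for one URI host."""
    try:
        ip = ipaddress.ip_address(host)          # the URI already used an IP
    except ValueError:
        addr = resolve(host)
        if addr is None:
            return "unresolved"
        ip = ipaddress.ip_address(addr)
    if str(ip) in LISTED_IPS:
        return "ip-listed"                       # hits every domain on that IP
    if any(ip in net for net in SPAM_NETS):
        return "net-bias"                        # only a hint for a new domain
    return "clean"

def scan(body):
    """Map each URI host in the body to its classification."""
    return {host: check_host(host) for host in uri_hosts(body)}
```

Calling `dnsbl_name("192.0.2.10", "uri-ip.test.invalid")` gives the name a private rbldnsd zone would be queried with. In the constructed data, `bakery.example` comes back as `ip-listed` only because it shares an IP with `pills.example`, which is the collateral-damage case raised in the quoted text.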


