On Thursday, September 9, 2004, 1:56:33 PM, Chris Santerre wrote: > OK, this isn't the first time we've had this discussion, but Raymond and I > felt this should be made public again. He ran thru some tests of 1500+ > domains and found the following data. Looks like they maybe send from > zombies, and never their hosts. IPs are similar across the board.
> So is there a way to use the IP info in a good way? Could SA or SURBL do a > quick ping of the URL and match against a URL? This would allow us to simply > list 1 IP instead of all these domains. > (I'm well aware of virtual hosts! So only the filthiest of spammers would be > put on this IP list. Then their IP better boot them or anyone hosted on that > box would feel the rath of SURBL.) Yes, we've already discussed reasons why we're using only the data actually found in spam URIs. The potential for collateral damage in looking at resolved IPs is too high. It would be very easy for a large hosting provider to have 1 bad guy sharing a web server with 100 or 1000 non-spammers. Given that we can't see those other 100 or 1000, it would be very easy for us to add that 1 IP address and block the other 100 or 1000 *without even knowing it*. It is a question about the limits of knowledge. In our universe we can't see the potential collateral damage from listing a shared host, so we should not do it. From our point of view it's not knowable. Sure the hosting company knows whether that's the case, but we can't. I'd encourage people with questions like this to read up or take some classes on epistemology or the theory of knowledge. Or just contemplate the possibilities harder... ;-) Jeff C.
