Jeff Chan wrote on Fri, 10 Sep 2004 07:43:39 -0700:

> If you're talking about adding resolved IP addresses to SURBLs,
> no we're not going to do that. :-(
>
> What I'm talking about is an internal process where we keep track
> of resolved IP addresses and use that to add new domains to
> SURBLs sooner if they resolve to a similar IP range (probably
> /24s). We would use the resolved IP addresses to add domains
> to sc.surbl.org and possibly other lists sooner. Most would
> probably get added on the first report. :-)
Not having read the list for a few days, I got the chance to read this huge thread at once. What came to my mind is the following.

1. What do you do when spammers start using IPs instead of host names? Think IPv6: they are as good as throwaway domains, and in Asia they are going to be in big use real soon. Sooner or later you *will* need to handle IPs like domain names.

2. It's being said that there's a high chance of collateral damage because of virtual hosting. Is there? If you simply go to the sites in Chris' list by IP instead of hostname, you find them showing a spammer page. I'd say there's a high probability that if the default domain on that IP is a spammer domain, all the rest will be as well. Also, how great is the chance that innocent bystanders on these machines send out email with links to their sites in them? If they are not marketing emails the chance is quite low, and a link in the signature is the most likely appearance. It should be possible to come up with a way to differentiate between a business-card-like signature including a domain name and a spammer link. Furthermore, spammers need a working host which doesn't fail because it gets too many hits. A virtual host doesn't provide that. Also, a virtual host is much more at risk of getting shut down quickly by an ISP than a whole box. Spammers probably use whole boxes most of the time, not normal hosting webspace. So this situation is quite different from mail collateral damage, and the chance of it is much lower. I'm sure there would be many people willing to accept that low risk.

3. On the other hand, blacklisting whole /24s as you propose *is* bound to cause much higher collateral damage, I think. The same goes for checking the nameservers. If I understood correctly what Justin said, SA looks up the nameservers of a domain in Spamhaus with the URIDNSBL rule for Spamhaus. Isn't that much more prone to false positives?

4. I think the way this should/could work is the following:

- You need to have a database of hostname-IP correlations. Not just domains; it needs to be hostnames, so you can handle 1.domain.com pointing at a different IP than 2.domain.com. All IPs resolved this way from spamvertised hostnames go in this list, and so do all IPs which are used directly in spam (see 1.).
- After SURBL lookups are done and the domain (as I understand it, SURBL lookups are done by domain) isn't found, do a lookup on the resolving IP and look it up in that separate SURBL list.
- If it is found, there's a chance that it's a spam-hosting IP. Since SA uses scores, we (the end-user ISP) have methods of decreasing false positives. Also, if this rule is scored 0 by default, just those people who are confident in this method could enable it.
- Automatically report the hostname associated with that IP which isn't in SURBL yet to SURBL, so you can put it on a "normal" SURBL list after you get more confirming reports.

5. What about reporting back? This could build up confidence in rules and BLs. For instance, report back the spam score of the message associated with this host name/IP right after SA finishes scoring. You can build a statistic which shows the resulting spam score distribution of messages which contain that host name/IP. If there are too many hammy scores you throw it out. This could be similarly used for rules and may be an alternative to mail corpus runs for getting to know how well the rules behave. Of course, this can't be on by default and needs to be well thought through to get results which *mean* something. Also, if someone wanted to enable this he would have to register first, so you don't get wrong scores from spammers.

Just an idea.

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org
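The lookup flow sketched in point 4 (domain list first, then resolve the hostname and check a separate IP list, and collect unlisted hostnames on listed IPs for reporting), written out as an added example. This is not Kai's code and not SURBL's or SpamAssassin's; the hostname-to-IP map, the two lists and the rule scores are constructed sample data using RFC 5737 documentation addresses, the function names are invented, and the last-two-labels domain collapse is a stand-in for a proper public-suffix lookup. IP literals in URLs (point 1) take the IP path directly.

```python
"""Hostname -> IP fallback lookup as sketched in the post (added example, not SURBL/SA code)."""
import ipaddress
from typing import Callable, List, Optional, NamedTuple, Tuple

# Constructed stand-in for DNS resolution (RFC 5737 documentation addresses).
RESOLVED = {
    "www.spammer.example": "203.0.113.7",
    "1.newspam.example": "203.0.113.7",      # same box as the listed site, domain not yet listed
    "2.newspam.example": "198.51.100.20",    # sibling host on a different box, nothing known
    "www.bystander.example": "192.0.2.10",   # innocent site on an unlisted box
}

# "Normal" SURBL-style list, keyed by domain (constructed).
DOMAIN_LIST = {"spammer.example"}
# Separate IP list: addresses resolved earlier from spamvertised hosts,
# plus addresses used directly in spam URLs (constructed).
IP_LIST = {"203.0.113.7", "198.51.100.99"}


def registrable_domain(host: str) -> str:
    """Collapse a hostname to its domain.
    Simplification: last two labels; a real implementation needs a public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def ip_literal(host: str) -> Optional[str]:
    """Return the normalised address if the URL host is an IPv4/IPv6 literal, else None."""
    try:
        return str(ipaddress.ip_address(host.strip("[]")))
    except ValueError:
        return None


class Verdict(NamedTuple):
    host: str
    domain_hit: bool        # found on the domain list (the existing SURBL-style check)
    ip: Optional[str]       # address used for the fallback check, if any
    ip_hit: bool            # found on the IP list
    report: Optional[str]   # hostname worth auto-reporting, if any


def check_host(host: str,
               resolve: Callable[[str], Optional[str]] = RESOLVED.get) -> Verdict:
    """Domain check first; only on a miss, resolve the hostname and check the IP list."""
    literal = ip_literal(host)
    if literal is not None:
        # Spam that links to a bare IP skips the domain list entirely.
        return Verdict(host, False, literal, literal in IP_LIST, None)
    if registrable_domain(host) in DOMAIN_LIST:
        return Verdict(host, True, None, False, None)   # no fallback needed
    ip = resolve(host)
    if ip is None or ip not in IP_LIST:
        return Verdict(host, False, ip, False, None)
    # Domain unknown but hosted on a listed IP: score it and feed the hostname back.
    return Verdict(host, False, ip, True, host)


def score_message(hosts: List[str], domain_score: float = 3.0,
                  ip_score: float = 0.0) -> Tuple[float, List[str]]:
    """Sum per-host scores the way SA rules would. ip_score defaults to 0, so the
    IP fallback only counts for sites that opt in by raising it."""
    total = 0.0
    reports: List[str] = []
    for host in hosts:
        v = check_host(host)
        if v.domain_hit:
            total += domain_score
        if v.ip_hit:
            total += ip_score
        if v.report:
            reports.append(v.report)
    return total, reports
```

With the sample data, 1.newspam.example is not on the domain list but resolves to the same box as www.spammer.example, so it triggers the IP rule and is queued for reporting, while 2.newspam.example on a different box is left alone; that is the per-hostname (not per-domain) behaviour the post asks for. Matching on a /24 instead of the exact address would be a one-line change in check_host, and would pull in every box in the range, which is the collateral-damage trade-off discussed in point 3.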