On Saturday, September 11, 2004, 2:51:31 AM, Kai Schaetzl wrote:
> Jeff Chan wrote on Fri, 10 Sep 2004 07:43:39 -0700:

>> If you're talking about adding resolved IP addresses to SURBLs,
>> no we're not going to do that.   :-(
>> 
>> What I'm talking about is an internal process where we keep track
>> of resolved IP addresses and use that to add new domains to
>> SURBLs sooner if they resolve to a similar IP range (probably
>> /24s).  We would use the resolved IP addresses to add domains
>> to sc.surbl.org and possibly other lists sooner.  Most would
>> probably get added on the first report.  :-)

> 1. What do you do when spammers start using IPs instead of host names? 
> Think ipv6, they are as good as throwaway domains. And it's in Asia where 
> they are getting in big use real soon. Sooner or later you *will* need to 
> handle IPs like domain names.

We already handle domain names and IP addresses that appear in
URIs.  If IPv6 is ever globally routable and referred to in
URIs, we will handle them also.

> 2. It's being said that there's a high chance of collateral damage because 
> of virtual hosting. Is it? If you simply go to the sites in Chris' list by 
> IP instead of hostname you find them showing a spammer page. I'd say 
> there's a high probability if the default domain on that IP is a spammer 
> domain all the rest will be as well.

That's probably true, but it's not the issue we are addressing.
The main problem is what would happen if we listed the IP address
of a shared virtual host because one of the domains on the server
got listed. 

In other words say there are a hundred different domains on a
shared virtual host.  If one domain on that host got abused,
and we resolved that one domain into an IP address, then listed
that IP address (and had code to do similar resolution on the
spam-checking client side) then we have blocked access to the
other 99 sites.  That is a possibility we are trying to prevent
by not resolving into IP addresses.

> 3. On the other hand blacklisting whole /24s as you propose *is* bound to 
> a much higher collateral damage I think.

No, that's not what we were proposing.  We were proposing to
remember the /24s on the data server and use that information
for biasing newly reported domains to get the *new domains* on the
lists sooner.  Listing resolved /24s would be much worse than
listing single resolved IP addresses. 

> Same goes for checking the 
> nameservers. If I understood correctly what Justin said SA looks up the 
> nameservers for a domain in spamhaus with the URIDNSBL rule for spamhaus.

Yes that's correct.

> Isn't that much more prone to false positives?

Not if spamhaus is conservative about adding only name servers
that are purely used by spammers.

[interesting idea deleted]

Jeff C.
-- 
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/

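The two points Jeff makes above, using resolved /24s only to bias how quickly a newly reported domain gets listed, and never keying the list on the resolved IP itself because of shared virtual hosts, can be shown side by side in a small model. The following is an added example, not SURBL's own code; the resolver table, the domain names, the 3-report threshold and the "list on first report when the /24 already holds a listed domain" rule are all constructed assumptions standing in for real DNS lookups and SURBL's actual listing policy.

```python
import ipaddress
from collections import defaultdict

# Constructed stand-in for DNS: domain -> IPv4 address it resolves to.
# "shared-legit.example" deliberately shares a host IP with "spam-one.example"
# to model one abused domain on a virtual host with other, innocent domains.
RESOLVE = {
    "spam-one.example": "203.0.113.10",
    "spam-two.example": "203.0.113.22",
    "spam-three.example": "203.0.113.31",
    "shared-legit.example": "203.0.113.10",
    "unrelated.example": "198.51.100.5",
}


def slash24(ip):
    """Return the /24 network containing ip (the granularity mentioned in the thread)."""
    return ipaddress.ip_network(f"{ip}/24", strict=False)


class DomainList:
    """Domain-keyed list with an IP-range bias (hypothetical model of the data-server side)."""

    def __init__(self, report_threshold=3):
        self.threshold = report_threshold          # reports normally needed before listing
        self.reports = defaultdict(int)            # domain -> number of reports seen
        self.listed = set()                        # domains on the list (never IPs)
        self.net_hits = defaultdict(int)           # /24 -> count of listed domains inside it

    def report(self, domain):
        """Record one report; return True if the domain is (now) listed."""
        self.reports[domain] += 1
        if domain in self.listed:
            return True
        ip = RESOLVE.get(domain)
        net = slash24(ip) if ip else None
        needed = self.threshold
        # Bias: a /24 that already holds listed domains lowers the bar to one report.
        if net is not None and self.net_hits[net] > 0:
            needed = 1
        if self.reports[domain] >= needed:
            self.listed.add(domain)
            if net is not None:
                self.net_hits[net] += 1
            return True
        return False

    def check_uri_domain(self, domain):
        """Client-side check as it works today: match the domain, not its address."""
        return domain in self.listed


def ip_keyed_collateral(lst, domains):
    """Domains that would be blocked if the list were keyed on resolved IPs instead."""
    listed_ips = {RESOLVE[d] for d in lst.listed if d in RESOLVE}
    return [d for d in domains if RESOLVE.get(d) in listed_ips]


def run_scenario():
    lst = DomainList(report_threshold=3)
    spam_one = [lst.report("spam-one.example") for _ in range(3)]   # listed on 3rd report
    spam_two = lst.report("spam-two.example")       # same /24 -> listed on first report
    unrelated = lst.report("unrelated.example")     # different /24 -> still needs 3
    return {
        "spam_one": spam_one,
        "spam_two_first_report": spam_two,
        "unrelated_first_report": unrelated,
        "shared_legit_by_domain": lst.check_uri_domain("shared-legit.example"),
        "shared_legit_by_ip": "shared-legit.example"
        in ip_keyed_collateral(lst, list(RESOLVE)),
    }


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

The last two results are the point of the thread: keyed by domain, the innocent domain sharing the virtual host is not matched, while an IP-keyed list (or a client that resolved domains before checking) would block it along with the abused one.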