On Friday, June 3, 2005, 12:33:26 AM, Duncan Hill wrote:
> On Friday 03 June 2005 08:10, Loren Wilton typed:
>> It was basically "the spammer makes a zillion new domains, and they all
>> take time to get into SURBL, so some spam gets through. But they all point
>> to the same dotted quad, and I can match on that lookup".
>>
>> If that statement is true, perhaps the surbl lists could automatically
>> include the dotquads for hosts that are known to be pure spam sources and
>> not mixed systems. Then the client could get the ip for a suspect hostname
>> and see if it matched a known spam dotquad.

> I'd swear this came up before. The one (slight?) problem with this tactic is
> that you can have too many FPs if a spammer targets a legit hosting
> operation.

Exactly. Listing resolved IPs magnifies the problems with
false positives, joe jobs and collateral damage. Please see:

  http://www.surbl.org/faq.html#numbered

  "Are there plans to offer an RBL list with the domain names
  resolved into IP addresses?"

> Postfix does have a neat restriction to reject based on the IP address of the
> name server. You run the same risk, but I've noticed that the pr1ces, al1v3
> and so on spammer has used the same NS servers for each one....

Using sbl.spamhaus.org with uridnsbl in SA3 does something
similar. SBL has many spammer nameservers listed in it and
uridnsbl checks a URI's nameservers against SBL. It tends to
detect many spammy domains that way (and occasionally a few
relatively innocent bystanders).

Jeff C.
--
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/
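
The nameserver check discussed in the message above, as an added example that is not part of the original post and is not SpamAssassin's code. It makes no real DNS queries: the domains, nameservers, IP addresses and list contents are constructed, and the function names are hypothetical.

```python
from urllib.parse import urlsplit

# Constructed DNS data (reserved .test names, documentation IP ranges).
NS_RECORDS = {
    "newdomain-a.test": ["ns1.spamdns.test"],   # fresh spam domain, not yet listed by name
    "newdomain-b.test": ["ns1.spamdns.test"],   # another one on the same nameserver
    "smallshop.test": ["ns1.bighost.test"],     # legitimate customer of a shared host
}
A_RECORDS = {
    "ns1.spamdns.test": ["192.0.2.10"],
    "ns1.bighost.test": ["198.51.100.53"],
}

def dnsbl_name(ip, zone):
    """Build the DNSBL query name: reversed IPv4 octets followed by the zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def registered_domain(uri):
    """Naive assumption: the last two host labels are the registered domain."""
    host = urlsplit(uri).hostname or ""
    return ".".join(host.split(".")[-2:])

def uri_ns_hits(uri, listed, zone="sbl.spamhaus.org"):
    """Return (nameserver, ip) pairs for the URI's domain whose IP is on the list.

    `listed` stands in for the DNSBL zone: a set of query names that would
    return an A record if looked up for real.
    """
    hits = []
    for ns in NS_RECORDS.get(registered_domain(uri), []):
        for ip in A_RECORDS.get(ns, []):
            if dnsbl_name(ip, zone) in listed:
                hits.append((ns, ip))
    return hits

# Case 1: only the dedicated spammer nameserver is listed.
ONLY_SPAM_NS = {dnsbl_name("192.0.2.10", "sbl.spamhaus.org")}
# Case 2: a shared hosting nameserver is listed too (the false-positive risk).
WITH_SHARED_NS = ONLY_SPAM_NS | {dnsbl_name("198.51.100.53", "sbl.spamhaus.org")}

if __name__ == "__main__":
    for uri in ("http://www.newdomain-a.test/x", "http://smallshop.test/"):
        print(uri, uri_ns_hits(uri, ONLY_SPAM_NS), uri_ns_hits(uri, WITH_SHARED_NS))
```

With only the dedicated nameserver listed, both new domains match and the shop does not; once the shared host's nameserver is listed, the shop matches as well.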