>On Friday, June 3, 2005, 12:33:26 AM, Duncan Hill wrote:
>> On Friday 03 June 2005 08:10, Loren Wilton typed:
>>> It was basically "the spammer makes a zillion new domains, and they all
>>> take time to get into SURBL, so some spam gets through. But they all point
>>> to the same dotted quad, and I can match on that lookup".
>>>
>>> If that statement is true, perhaps the surbl lists could automatically
>>> include the dotquads for hosts that are known to be pure spam sources and
>>> not mixed systems. Then the client could get the ip for a suspect hostname
>>> and see if it matched a known spam dotquad.
>
>> I'd swear this came up before. The one (slight?) problem with this tactic is
>> that you can have too many FPs if a spammer targets a legit hosting
>> operation.
>
>Exactly. Listing resolved IPs magnifies the problems with false
>positives, joe jobs and collateral damage. Please see:
>
> http://www.surbl.org/faq.html#numbered
>
>"Are there plans to offer an RBL list with the domain names
>resolved into IP addresses?"
>
>> Postfix does have a neat restriction to reject based on the IP address of the
>> name server. You run the same risk, but I've noticed that the pr1ces, al1v3
>> and so on spammer has used the same NS servers for each one....
>
>Using sbl.spamhaus.org with uridnsbl in SA3 does something
>similar. SBL has many spammer nameservers listed in it and
>uridnsbl checks a URI's nameservers against SBL. It tends
>to detect many spammy domains that way (and occasionally a few
>relatively innocent bystanders).
>
>Jeff C.
>--
>Jeff Chan
>mailto:[EMAIL PROTECTED]
>http://www.surbl.org/
And adding a URI rule for the completewhois list (basically the same function as the no longer existing ipwhois.rfc-ignorant.org list) will hit yet more name servers and spammer IPs with slightly fewer FPs (no issue with escalations). The list is:

combined-HIB.dnsiplists.completewhois.com

Paul Shupak
[EMAIL PROTECTED]

P.S. And if you can afford many more FPs, you can use SPEWS L1 with a low score (catches far more than the other two combined, but has serious issues with "escalations" and "innocent bystanders").
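The rule Paul describes, written out as a SpamAssassin 3 local.cf fragment. This is an added example, not a rule posted in the thread or shipped with SpamAssassin; the rule name URIBL_CWHOIS and the score are choices made here, and the zone is the one Paul gives. A `uridnsbl` rule works the way Jeff describes for sbl.spamhaus.org: SpamAssassin resolves the name servers of each URI's domain to IP addresses and looks those addresses up in the zone, so this checks name-server IPs rather than the domain name itself.

```conf
# Added example local.cf fragment (not from the thread). Rule name and score
# are choices made here; the zone is the one named in the message above.
# uridnsbl: resolve each URI domain's NS records to IPs, look those IPs up in
# the zone (same mechanism as the stock URIBL_SBL rule in 25_uribl.cf).
# The trailing dot on the zone keeps the resolver from appending search domains.
uridnsbl   URIBL_CWHOIS  combined-HIB.dnsiplists.completewhois.com.  TXT
body       URIBL_CWHOIS  eval:check_uridnsbl('URIBL_CWHOIS')
describe   URIBL_CWHOIS  URI domain's name server IP is listed by completewhois
tflags     URIBL_CWHOIS  net

# Keep the score well below the spam threshold: a hit on a shared name server
# (the "innocent bystander" case discussed above) must not by itself mark a
# message as spam.
score      URIBL_CWHOIS  0.5
```

Run `spamassassin --lint` after adding the rule to confirm the syntax parses; the `net` tflag means the rule only fires when network tests are enabled. Because any customer of a hosting operation shares its name servers, treat this as one weak signal among several rather than a reject rule.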