On Friday, April 2, 2004, 3:52:31 PM, Jeff Chan wrote:
> We have enough history built up that I should be able
> to see if they would have fallen off my lists at certain points
> due to our relatively short expiration. I might be able to use
> that information to tune the expirations better.

After I wrote this I remembered a strategy someone else may have suggested here earlier (unfortunately can't remember where I first saw it): make the expiration tied to the amount of reporting. That could make SURBL somewhat self-tuning:

1. Domains with many reports over a short period of time probably really are spam domains and would get a longer expiration. I.e., with a longer expiration we keep watching this domain for a longer period of time, making it easier to catch repeat offenses and keep the domain on the list for longer. Something like an inverse logarithmic function where the input is the spam count and the output is the number of days to keep it on the list might be nice.

2. Domains with fewer reports get a shorter expiration. This lets FPs roll off the list sooner, all automatically.

In other words we don't let small things bother us for very long, but big offenders get the big hairy eye on them for a long time.

How does this sound?

Something that should probably be clarified about our expirations is that they are "refreshed" by fresh spam. If a domain keeps getting more than 10 spam reports over a 4 day sliding window (current values), it will *stay on the list for longer than 4 days*. Domains stay on the list for as long as a certain rate of reports keep coming in, which could in principle be forever. It's not like the domains automatically get off the list after 4 days. If reports keep coming in, they stay on the list.

Jeff C.
--
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/
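A sketch of the report-driven expiration proposed in the message above, as an added example that is not SURBL code and not part of the original post. The threshold of 10 reports and the 4-day window come from the message; the log2 scaling, `MIN_DAYS`, `MAX_DAYS`, `SCALE`, the class and function names, and the sample domains are assumptions made for illustration.

```python
import math
from bisect import bisect_right

THRESHOLD = 10    # from the post: more than 10 reports ...
WINDOW_DAYS = 4   # ... within a 4-day sliding window (current values)
MIN_DAYS, MAX_DAYS, SCALE = 2.0, 30.0, 4.0   # assumed tuning constants


def expiry_days(count):
    """Days to keep a domain listed; grows with the log of its report count."""
    if count <= THRESHOLD:
        return 0.0   # at or below the listing threshold: nothing to keep
    return min(MAX_DAYS, MIN_DAYS + SCALE * math.log2(count / THRESHOLD))


class DomainList:
    def __init__(self):
        self.reports = {}      # domain -> report times in days, ascending
        self.expires_at = {}   # domain -> time at which the listing lapses

    def report(self, domain, t):
        """Record one spam report at time t (days); reports arrive in order."""
        times = self.reports.setdefault(domain, [])
        times.append(t)
        # Count the reports inside the sliding window (t - WINDOW_DAYS, t].
        recent = len(times) - bisect_right(times, t - WINDOW_DAYS)
        if recent > THRESHOLD:
            # Fresh spam refreshes the listing; a heavier burst pushes the
            # expiration further out, a light one only a little.
            lapse = t + expiry_days(recent)
            self.expires_at[domain] = max(self.expires_at.get(domain, 0.0), lapse)

    def is_listed(self, domain, now):
        return now < self.expires_at.get(domain, 0.0)


if __name__ == "__main__":
    dl = DomainList()
    # Constructed sample data: a light burst (possible FP) and a heavy burst.
    for i in range(11):
        dl.report("fp.example", i * 0.1)
    for i in range(80):
        dl.report("spam.example", i * 0.025)
    for day in (2, 4, 10, 17):
        print(day, dl.is_listed("fp.example", day), dl.is_listed("spam.example", day))
```

With these assumed constants the 11-report domain rolls off before day 4, while the 80-report domain stays listed for about two weeks and is extended again by any later burst that crosses the threshold.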
