On Saturday, September 11, 2004, 6:32:59 AM, Kai Schaetzl wrote:
> Jeff Chan wrote on Sat, 11 Sep 2004 03:30:20 -0700:

>> We already handle domain names and IP addresses that appear in
>> URIs.  If IPv6 is ever globally routable and referred to in
>> URIs, we will handle them also.

> Ah, I see. So, in this case you handle IPs as if they were domains?

Yes, if I understand what you're asking.  If we see
http://abc.com/ in spams, we add abc.com.  If we see
http://1.2.3.4/ in spams, we add 4.3.2.1 (meaning 1.2.3.4
in RBL-speak).  In that sense domains and IPs are treated
similarly.

>> > 2. It's being said that there's a high chance of collateral damage because 
>> > of virtual hosting. Is it? If you simply go to the sites in Chris' list by 
>> > IP instead of hostname you find them showing a spammer page. I'd say 
>> > there's a high probability if the default domain on that IP is a spammer 
>> > domain all the rest will be as well.
>> 
>> That's probably true, but it's not the issue we are addressing.
>> The main problem is what would happen if we listed the IP address
>> of a shared virtual host because one of the domains on the server
>> got listed. 

> But that's not what Chris was referring to. The given list seems to contain
> IPs which are "guaranteed" to host only spam. Of course, I don't know how much
> more effective this were compared to the current method and given a quick add
> cycle for new domains. It would be worth testing it on a small scale before even
> thinking about putting it on SURBL. But as far as I know there's no rule for
> looking up a domain's IP and then check that IP in an RBL or a flat file,
> isn't it? If such a rule exists one could set up an rbldns privately just with
> those few IPs and test it for a while.

There is no rule to do that currently, nor do I recommend one.
I like the idea of adding *domains* based on their IP better
because it keeps the advantages of using domains.  If we
try to use resolved IPs, some problems can happen, as we
mentioned earlier.

>> In other words say there are a hundred different domains on a
>> shared virtual host.  If one domain on that host got abused,
>> and we resolved that one domain into an IP address, then listed
>> that IP address (and had code to do similar resolution on the
>> spam-checking client side) then we have blocked access to the
>> other 99 sites.

> No. You have blocked mail including links to domains on that IP.
> That's quite different and I think it reduces the FP potential quite a lot.

I think we're talking about slightly different things here.

If we add the resolved IP address to a (new) list, then we must
also write a program or rule that resolves the domains found
in a message to an IP address, then compares that address to
the list.  That means any domain resolving to that address
will match the list.  That would make for FPs if any legitimate
domains resolve to the same IP.  It's a good reason to not use
resolved IPs.

Instead, if we use the resolved IPs internally to bias the
inclusion of new domains, then we're still only listing domains
reported to be in spams, not resolved IP addresses.  Therefore we
can have no effect on other domains that resolve to the same IP
unless they are also reported in spams.  If they are *not*
reported in spams, then they can share the same resolved IP but
not be listed or affected.  That takes care of the problem
of virtual hosting perfectly.  Only the reported spam domains
are affected.

>> No, that's not what we were proposing.  We were proposing to
>> remember the /24s on the data server and use that information
>> for biasing newly reported domains to get the *new domains* on the
>> lists sooner.

> Ok, so, what you want to use is a probability of a new domain being a spam 
> domain because it resolves in that range, correct?

Yes, though we may use the IP data as a count, rather than
an actual probability.  We may weight the count also, so
it can be compared to counts of domain hits in spams.

>> Not if spamhaus is conservative about adding only name servers
>> that are purely used by spammers.

> But these seem to be used quite rarely, I'm not sure if that rule is worth
> the lookup at all. I haven't seen a lot, if any, occurrences of the spamhaus rule in
> spam reports. I've got to check.

I don't know if uridnsbl is enabled by default, but in tests
someone posted, it was very effective in catching spam, about
the same level of effectiveness as SURBLs, which is to say,
quite good.

That probably means sbl.spamhaus.org has nameservers listed that
belong (only) to big time spammers.  Can't remember the ham
scores though.

Jeff C.
-- 
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/
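The two mechanisms discussed above, as an added illustration that is not Jeff Chan's or SURBL's own code: the reversed-octet lookup key for an IP literal in a URI, the co-tenant false positive that listing resolved IPs would cause on a shared virtual host, and the /24 count used only to bias the score of domains that were themselves reported. The `FAKE_DNS` table and all hostnames in it are constructed stand-ins, not real resolution data.

```python
import ipaddress
from collections import Counter
from urllib.parse import urlsplit

# Constructed stand-in for DNS: hostname -> IPv4 address.  The shared
# host 198.51.100.7 carries a reported spam domain and an innocent one.
FAKE_DNS = {
    "spamvendor.example": "198.51.100.7",
    "bakery.example":     "198.51.100.7",   # innocent co-tenant, never reported
    "newspam.example":    "198.51.100.9",   # same /24, newly reported once
    "bank.example":       "203.0.113.5",
}

def lookup_key(uri):
    """DNSBL query label for the host in a URI: a domain is used as-is,
    an IPv4 literal is reversed octet-wise (1.2.3.4 -> 4.3.2.1)."""
    host = urlsplit(uri).hostname
    if host is None:
        raise ValueError("URI has no host: %r" % uri)
    try:
        ip = ipaddress.IPv4Address(host)
    except ipaddress.AddressValueError:
        return host.lower()
    return ".".join(reversed(ip.exploded.split(".")))

def blocked_by_ip_list(message_hosts, listed_ips, dns=FAKE_DNS):
    """The policy the thread rejects: publish resolved IPs and resolve every
    host seen in a message against them.  Every co-tenant of a listed IP
    matches, which is exactly the virtual-hosting false positive."""
    return sorted(h for h in message_hosts if dns.get(h) in listed_ips)

def slash24(ip):
    """Enclosing /24 of an IPv4 address, e.g. 198.51.100.7 -> 198.51.100.0/24."""
    return str(ipaddress.ip_network(ip + "/24", strict=False))

def biased_counts(reported_counts, dns=FAKE_DNS):
    """The policy the thread favours: count how many *reported* domains
    resolve into each /24 and add the number of other reported domains in
    the same /24 to each domain's own spam-report count.  Domains that were
    never reported are not present and therefore cannot be affected."""
    net_hits = Counter(slash24(dns[d]) for d in reported_counts)
    return {d: c + net_hits[slash24(dns[d])] - 1
            for d, c in reported_counts.items()}

if __name__ == "__main__":
    print(lookup_key("http://1.2.3.4/"))                         # 4.3.2.1
    print(blocked_by_ip_list(list(FAKE_DNS), {"198.51.100.7"}))  # bakery.example is hit
    print(biased_counts({"spamvendor.example": 5, "newspam.example": 1}))
```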
