On 18/09/19 21:05, Amir Caspi wrote:


Since the return code for the domain is specifically regarding malware, shouldn't the score be higher?  I would imagine the purpose of the unique Spamhaus return codes is to enable such granularity in scoring on the user end...


I can't speak about SA scoring politics because we are not directly involved in the project. What I can say is that we flag legitimate domains that are abused to distribute malware. For example:

http://drapart[dot]org/Prensa/k0viv68-5v5-2137/

The website itself is legit, but that particular path is hosting Emotet. As of now SA checks only the drapart[dot]org domain against DBL (and others) and gives you back a score according to masschecks. You can't outright say that *every* drapart[dot]org URL is malicious, because most of them really aren't.

So, as of now, if you don't care so much about FPs, just shortcircuit DBL responses to spam. There are some new functions in SA 3.4.3 that could help with better sniping, but that's something that is still to come.

--
Best regards,
Riccardo Alfieri

Spamhaus Technology
https://www.spamhaustech.com/
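
The domain-only lookup described in the message above, as an added example that is not part of the original message and is not SpamAssassin or Spamhaus code: two URLs on the same host collapse to one DBL query, and the answer only says whether the host is an abused legitimate domain. The host `legit-site.example`, the stub resolver and its answer are constructed; the return-code table follows Spamhaus's published DBL codes, and using the raw hostname rather than the registered domain is a simplifying assumption.

```python
import socket
from urllib.parse import urlsplit

# Spamhaus DBL return codes -> (category, abused_legit). The 127.0.1.1xx
# range marks legitimate domains that are being abused.
DBL_CODES = {
    "127.0.1.2": ("spam", False),
    "127.0.1.4": ("phish", False),
    "127.0.1.5": ("malware", False),
    "127.0.1.6": ("botnet C&C", False),
    "127.0.1.102": ("spam", True),
    "127.0.1.103": ("spammed redirector", True),
    "127.0.1.104": ("phish", True),
    "127.0.1.105": ("malware", True),
    "127.0.1.106": ("botnet C&C", True),
}

def dbl_query_name(url, zone="dbl.spamhaus.org"):
    """DNS name queried for a URL: only the host survives, the path is dropped."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no hostname in {url!r}")
    return f"{host.rstrip('.')}.{zone}"

def classify(url, resolve=socket.gethostbyname):
    """Look the URL's host up in DBL; `resolve` is injectable for offline runs."""
    qname = dbl_query_name(url)
    try:
        answer = resolve(qname)
    except socket.gaierror:          # NXDOMAIN: host is not listed
        return {"query": qname, "listed": False}
    if answer not in DBL_CODES:      # error/unknown codes are not listings
        return {"query": qname, "listed": False, "raw": answer}
    category, abused = DBL_CODES[answer]
    return {"query": qname, "listed": True,
            "category": category, "abused_legit": abused}

def fake_resolver(qname):
    """Constructed stand-in for DNS so the example runs offline."""
    zone = {"legit-site.example.dbl.spamhaus.org": "127.0.1.105"}
    if qname not in zone:
        raise socket.gaierror("NXDOMAIN")
    return zone[qname]

if __name__ == "__main__":
    for u in ("http://legit-site.example/docs/constructed-bad-path/",
              "http://legit-site.example/about/",
              "http://unlisted.example/"):
        print(u, "->", classify(u, fake_resolver))
```

Both `legit-site.example` URLs produce the same verdict, which is why a listing in the abused-legit range cannot by itself condemn every URL on the host.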
