> SURBLs on the other hand have mostly domain names with a few IPs.
> Whatever appears in URI host portions is what goes into SURBLs.
> Usually URIs have domain names so that's what most of the SURBL
> records are.

Jeff, the OP (or someone) had an interesting idea, I thought.

It was basically "the spammer makes a zillion new domains, and they all take
time to get into SURBL, so some spam gets through.  But they all point to
the same dotted quad, and I can match on that lookup".

If that statement is true, perhaps the SURBL lists could automatically
include the dotquads for hosts that are known to be pure spam sources and
not mixed systems.  Then the client could get the IP for a suspect hostname
and see if it matched a known spam dotquad.

Possibly this would want to be a separate list.

Alternately, it might want to be possible 'backend processing' inside SURBL
itself.  For instance, you could run your own caching DNS.  Any hostname
lookup request not matching the current list (or the whitelist) gets looked
up.  If the IP address matches that of a known spam host, it is
automatically added to the list and a positive hit is returned to the
original requestor.  Instant catching of unknown spam domains!

Of course with your policies you may simply want to add the domain name to a
list for manual review rather than directly including it.  Or perhaps
establish a new list that is scored deliberately at half the normal SURBL
score and add it to that list and flag for manual review.  If it is spam, it
will provide at least some early warning to people receiving it.  If it
turns out to be a false hit, it will be found in manual review and removed
from the list shortly, and in the meantime the low score means no great
harm will likely be done.

I think this is a concept worth thinking about.  Domain names are near
infinite, but there is a limit on IPv4 addresses; so a lot of domain
names must end up mapping to the same IP address in some way or other.  This
is something that we should be able to exploit.

        Loren
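An added example, not code from Loren's post or from the SURBL project, that models the backend sketched above: URI hosts are pulled out of a message, checked against the full-score list and the whitelist, and any unknown host is resolved and its dotted quad compared against the known pure-spam IPs; a match auto-adds the domain at half score and queues it for manual review. The DNS answers (a dict standing in for the caching resolver), the IP and domain lists, the scores and the sample message are all constructed for the demo. The SURBL query-name convention (domain appended to the zone, IPv4 octets reversed) is the one the SURBL client documentation describes; the rest is the post's idea in code.

```python
"""Offline model of the "resolve the host, match the dotted quad" backend.
Added example; not code from the original post or from SURBL. All DNS
answers, IP lists, domain lists, scores and the sample message are made up."""
import ipaddress
import re
from urllib.parse import urlsplit

FULL_SCORE = 2.0                      # hypothetical normal SURBL hit score
PROVISIONAL_SCORE = FULL_SCORE / 2    # half score for auto-added domains

# Constructed lists; none of these are real SURBL data.
SPAM_DOMAINS = {"known-spam.example"}   # manually confirmed, full score
WHITELIST = {"example.org"}
PURE_SPAM_IPS = {"192.0.2.55"}          # dedicated spam hosts only; never put
                                        # shared/mixed hosting IPs in here
FAKE_DNS = {                            # stands in for the caching resolver
    "known-spam.example": "192.0.2.55",
    "fresh1.example": "192.0.2.55",     # brand-new domain, same dotted quad
    "fresh2.example": "192.0.2.55",
    "example.org": "198.51.100.10",
    "innocent.example": "203.0.113.7",
}

URL_RE = re.compile(r"""(?:https?://|www\.)[^\s<>"')]+""", re.IGNORECASE)


def surbl_query_name(host, zone="multi.surbl.org"):
    """DNS name a SURBL client would query: domains go under the zone as-is,
    IPv4 addresses with their octets reversed (the usual DNSBL convention)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return f"{host}.{zone}"
    if ip.version != 4:
        raise ValueError("IPv6 lookups are not modelled here")
    return ".".join(reversed(host.split("."))) + "." + zone


def hosts_in_message(text):
    """Unique URI host portions in first-seen order. Simplification: only a
    leading 'www.' is stripped; real SURBL reduces to the registered domain."""
    seen = []
    for url in URL_RE.findall(text):
        if "://" not in url:
            url = "http://" + url
        host = (urlsplit(url).hostname or "").lower().rstrip(".")
        if host.startswith("www."):
            host = host[4:]
        if host and host not in seen:
            seen.append(host)
    return seen


class Backend:
    """The 'backend processing' from the post: unknown hosts are resolved and,
    if the IP is a known pure-spam host, auto-added at half score and queued
    for manual review."""

    def __init__(self, resolve=FAKE_DNS.get):
        self.resolve = resolve   # hostname -> IP string, or None if no answer
        self.provisional = {}    # host -> ip, auto-added, half score
        self.review_queue = []   # (host, ip) awaiting a human decision

    def classify_host(self, host):
        """Return (score, reason) for one URI host portion."""
        if host in WHITELIST:
            return 0.0, "whitelisted"
        if host in SPAM_DOMAINS:
            return FULL_SCORE, "listed"
        if host in PURE_SPAM_IPS:            # bare dotted-quad URI
            return FULL_SCORE, "listed ip"
        if host in self.provisional:         # already caught, no lookup needed
            return PROVISIONAL_SCORE, "provisional"
        ip = self.resolve(host)
        if ip is None:
            return 0.0, "unresolved"
        if ip in PURE_SPAM_IPS:
            self.provisional[host] = ip
            self.review_queue.append((host, ip))
            return PROVISIONAL_SCORE, f"resolves to spam ip {ip}"
        return 0.0, "clean"

    def score_message(self, text):
        """Sum per-host scores; returns (total, {host: reason})."""
        total, reasons = 0.0, {}
        for host in hosts_in_message(text):
            score, why = self.classify_host(host)
            total += score
            reasons[host] = why
        return total, reasons

    def review(self, host, confirmed_spam):
        """Manual review outcome. A false hit must be whitelisted, not just
        dropped: otherwise the next lookup resolves it and re-adds it."""
        ip = self.provisional.pop(host, None)
        self.review_queue = [r for r in self.review_queue if r[0] != host]
        if confirmed_spam and ip is not None:
            SPAM_DOMAINS.add(host)
        elif not confirmed_spam:
            WHITELIST.add(host)


# Constructed sample message.
SAMPLE_MESSAGE = """Hi,
Limited offer: http://fresh1.example/go and http://www.fresh2.example/x?y=1
Docs: https://example.org/docs  Mirror: http://192.0.2.55/go
"""

if __name__ == "__main__":
    b = Backend()
    print(b.score_message(SAMPLE_MESSAGE))
    print(b.review_queue)
```

The two design points a practitioner would watch are both in the code: only dedicated spam IPs go into PURE_SPAM_IPS (a shared-hosting address would auto-list every innocent tenant), and a domain cleared in manual review goes onto the whitelist rather than simply being removed, since the resolver would otherwise catch it again on the next lookup.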
