> SURBLs on the other hand have mostly domain names with a few IPs.
> Whatever appears in URI host portions is what goes into SURBLs.
> Usually URIs have domain names so that's what most of the SURBL
> records are.
Jeff, the OP (or someone) had an interesting idea, I thought. It was basically "the spammer makes a zillion new domains, and they all take time to get into SURBL, so some spam gets through. But they all point to the same dotted quad, and I can match on that lookup".

If that statement is true, perhaps the SURBL lists could automatically include the dotted quads for hosts that are known to be pure spam sources and not mixed systems. Then the client could get the IP for a suspect hostname and see if it matched a known spam dotted quad. Possibly this would want to be a separate list.

Alternately, it might want to be possible 'backend processing' inside SURBL itself. For instance, you could run your own caching DNS. Any hostname lookup request not matching the current list (or the whitelist) gets looked up. If the IP address matches that of a known spam host, it is automatically added to the list and a positive hit is returned to the original requestor. Instant catching of unknown spam domains!

Of course, with your policies you may simply want to add the domain name to a list for manual review rather than directly including it. Or perhaps establish a new list that is scored deliberately at half the normal SURBL score, add it to that list, and flag it for manual review. If it is spam, it will provide at least some early warning to people receiving it. If it turns out to be a false hit, it will be found in manual review and removed from the list shortly, and in the meantime the low score means no great harm will likely be done.

I think this is a concept worth thinking about. Domain names are near infinite, but there is a limit on IPv4 addresses, so a lot of domain names must end up mapping to the same IP address in some way or other. This is something that we should be able to exploit.

Loren
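The "backend processing" flow sketched in Loren's post, written out as a small prototype. This is an added example and not SURBL's own code or data: the score values, the list names, the `AutoListingResolver` class and the `FAKE_DNS` table are this example's assumptions, and the resolver is a dictionary standing in for a caching DNS so the code runs offline. A URI's host is checked against the whitelist and the current list first; an unknown hostname is resolved, and if its address is one of the known pure-spam dotted quads, the domain is dropped into a half-score pending list (so the next lookup hits without resolving again) and flagged for manual review.

```python
# Added example (not SURBL code): auto-listing unknown spam domains by the
# dotted quad they resolve to, as proposed in the post above.
from dataclasses import dataclass, field
from ipaddress import AddressValueError, IPv4Address
from typing import Callable, Dict, Optional, Set, Tuple
from urllib.parse import urlsplit

FULL_SCORE = 4.0               # assumed score for a confirmed listing
PENDING_SCORE = FULL_SCORE / 2  # the "half the normal score" list from the post


def host_of(uri: str) -> Optional[str]:
    """Return the lower-cased host portion of a URI (no trailing dot), or None."""
    host = urlsplit(uri).hostname
    if host is None:
        return None
    return host.rstrip(".").lower()


def as_ipv4(host: str) -> Optional[IPv4Address]:
    """Dotted-quad literal -> IPv4Address; anything else -> None."""
    try:
        return IPv4Address(host)
    except AddressValueError:
        return None


@dataclass
class AutoListingResolver:
    listed_domains: Set[str]                  # confirmed spam domains ("the current list")
    whitelist: Set[str]                       # mixed systems: never listed, never auto-added
    spam_ips: Set[IPv4Address]                # dotted quads of known pure-spam hosts
    resolve: Callable[[str], Optional[str]]   # hostname -> IPv4 string, None on NXDOMAIN
    pending_review: Dict[str, IPv4Address] = field(default_factory=dict)

    def check_uri(self, uri: str) -> Tuple[float, str]:
        """Score a URI's host and report why. Unknown hosts that resolve to a
        known spam IP are auto-added to the half-score pending list."""
        host = host_of(uri)
        if host is None:
            return 0.0, "no-host"
        if host in self.whitelist:            # whitelist wins over everything else
            return 0.0, "whitelisted"
        if host in self.listed_domains:
            return FULL_SCORE, "listed"
        if host in self.pending_review:       # already auto-added, no DNS needed
            return PENDING_SCORE, "pending"

        literal = as_ipv4(host)
        if literal is not None:
            # Raw dotted quad in the URI: compare directly, nothing to resolve.
            return (FULL_SCORE, "ip-listed") if literal in self.spam_ips else (0.0, "ip-unknown")

        answer = self.resolve(host)
        if answer is None:
            return 0.0, "nxdomain"
        ip = IPv4Address(answer)
        if ip in self.spam_ips:
            # The backend-processing step: new domain, known spam address.
            self.pending_review[host] = ip    # flagged for manual review
            return PENDING_SCORE, "auto-added"
        return 0.0, "unknown"


# Constructed sample data using RFC 5737 documentation addresses; none of these
# names or addresses are real spam sources.
SPAM_IP = IPv4Address("203.0.113.5")
FAKE_DNS = {
    "old-spam.example": "203.0.113.5",        # already on the list
    "fresh-spam-0001.example": "203.0.113.5",  # brand-new domain, same host
    "fresh-spam-0002.example": "203.0.113.5",
    "shop.example": "198.51.100.9",            # unrelated, clean
    "shared-host.example": "203.0.113.5",      # mixed system, whitelisted
}


def build_demo() -> AutoListingResolver:
    return AutoListingResolver(
        listed_domains={"old-spam.example"},
        whitelist={"shared-host.example"},
        spam_ips={SPAM_IP},
        resolve=FAKE_DNS.get,  # stand-in for the caching DNS
    )


if __name__ == "__main__":
    r = build_demo()
    for u in ("http://old-spam.example/buy", "http://fresh-spam-0001.example/buy",
              "http://FRESH-SPAM-0001.example./buy", "http://shared-host.example/",
              "http://shop.example/", "http://203.0.113.5/x", "http://nosuch.example/"):
        print(f"{u:45} -> {r.check_uri(u)}")
    print("pending manual review:", sorted(r.pending_review))
```

The second lookup of `fresh-spam-0001.example` (different case, trailing dot) hits the pending list without a DNS query, which is the "instant catching" effect. Whether the whitelist or the current list is consulted first is a policy choice; here the whitelist wins so that a mixed system sharing an address with spammers is never auto-added.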