On Friday 03 June 2005 08:10, Loren Wilton typed: > It was basically "the spammer makes a zillion new domains, and they all > take time to get into SURBL, so some spam gets through. But they all point > to the same dotted quad, and I can match on that lookup". > > If that statement is true, perhaps the surbl lists could automatically > include the dotquads for hosts that are known to be pure spam sources and > not mixed systems. Then the client could get the ip for a suspect hostname > and see if it matched a known spam dotquad.
I'd swear this came up before. The one (slight?) problem with this tactic is that you can have too many FPs if a spammer targets a legit hosting operation. Postifx does have a neat restriction to reject based on the IP address of the name server. You run the same risk, but I've noticed that the pr1ces, al1v3 and so on spammer has used the same NS servers for each one....
