On Thursday, July 21, 2005, 7:28:53 PM, Charles Sprickman wrote:
> Hello,

> I've been watching some of the misses that have passed through
> spamassassin (3.0.4) lately and they are pretty clean; no DNS BL hits,
> etc.

> One thing I did notice is that many of them have a fairly contorted URL
> for the spamvertized products, ie:

> kjekliennxi&ffiennnkenc.spamsite.com

> This doesn't trigger any URIDNSBL hits, but if I punch the entire URI into
> the surbl.org checker it does hit. It seems as if the SA check is looking
> only at the domain part and not the subdomain.

> Is this expected? Is there a switch to flip to get the whole hostname
> checked?

As Loren correctly mentions, SURBLs and the applications that use
them usually try to check the registered domain, not the full
host name. Some exceptions include phishing hosts that might be
hosted on a legitimate ISP under their domain name, like
phisher.geocities.com or whatever.

So there is no switch to check the whole hostname and most of the
time the full hostnames would not match the SURBL data. There are
a number of reasons for this design decision, some of which can
be seen at:

  http://www.surbl.org/faq.html#random
  http://www.surbl.org/faq.html#cctlds

Most of the major spammers register dozens or hundreds of new
domains at a time, use some for a few days or weeks then abandon
them and start using others. We're a lot more interested in
catching those than some minor abuse at a free host, since the
ones using throwaway domains are probably the same ones sending
billions of spams per day using botnets, etc.

Jeff C.
--
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/
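
The reduction from full hostname to registered domain described in the reply above, as an added example that is not part of the original message and is not SpamAssassin or SURBL code. The function names and the small two-level TLD set are assumptions made for illustration; multi.surbl.org is SURBL's combined list zone, and the code only builds the names that would be queried.

```python
from urllib.parse import urlsplit

# Constructed sample only; a real deployment loads a maintained two-level TLD list.
TWO_LEVEL_TLDS = {"co.uk", "com.au", "co.jp", "com.br"}
ZONE = "multi.surbl.org"  # SURBL's combined list zone


def hostname_of(uri):
    """Lowercased host of a URI; scheme-less input is accepted."""
    if "://" not in uri:
        uri = "http://" + uri
    return (urlsplit(uri).hostname or "").rstrip(".")


def registered_domain(host):
    """Keep two labels, or three when the last two form a listed two-level TLD."""
    labels = host.split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_LEVEL_TLDS else 2
    return ".".join(labels[-keep:])


def lookups(uris, zone=ZONE):
    """Distinct DNS names to query for a message's URIs (no DNS is performed)."""
    return sorted({registered_domain(hostname_of(u)) + "." + zone for u in uris})


# Constructed message URIs: two random subdomains of one domain, a ccTLD host,
# and the free-host case from the reply, which reduces to the provider's domain.
SAMPLE_URIS = [
    "http://kjekliennxi&ffiennnkenc.spamsite.com/",
    "http://zzqpwoeiru.spamsite.com/offer",
    "www.shop.example.co.uk/page",
    "http://phisher.geocities.com/login",
]

if __name__ == "__main__":
    for name in lookups(SAMPLE_URIS):
        print(name)
```

Both random subdomains collapse into a single spamsite.com query, so one listing of the registered domain covers every hostname generated under it.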