Yes, you are correct. I got so focused on the improper identification of 
fast-flux that I lost sight of the details.

I stand, maybe not corrected, but at least with a broader understanding of the 
real issue.

There must be some way of better identifying these domains in a URI.

Thank you for pointing out my misconception. I always appreciate being 
corrected - really I do.


-----Original Message-----
From: Kai Schaetzl [mailto:[EMAIL PROTECTED] 
Sent: Sunday, August 12, 2007 7:31 AM
To: users@spamassassin.apache.org
Subject: Re: Detecting short-TTL domains?

Thomas Raef wrote on Sun, 12 Aug 2007 06:19:43 -0500:

> a dnsbl is the way to go.

On first look I disagree. We already have SURBL and URIBL. I don't see how 
this would add any benefit on top of that. We are talking about URIs in 
mail, not about hostnames of mailservers or email addresses. The only 
occasion where looking at the TTL (and whatever else in conjunction) is of 
benefit is when the URI *is not yet* on an RBL. In that case you can use 
those deviations from the norm as a spam indicator. Nothing more, nothing 
less. That also means that if the URI is found on SURBL/URIBL you don't 
have to do the TTL lookup, which helps reduce the query load.

> I believe that not checking for every one of these will lead to erroneous
> domains being blocked.

Why should that be the case? SA is all about scoring. So, even if you add 
a score of 1.0 to *each* low-TTL domain any "normal" ham will just bypass 
that. You do not ever *block* by this single criterion!

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
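
The flow Kai describes, as an added example that is not part of the original thread and not SpamAssassin code: URIs already on a blocklist skip the TTL query, and a short TTL on an unlisted host only adds to the message's score. The 300-second cut-off, the 3.0 blocklist score, matching on hostname rather than registered domain, and all domains and TTLs are assumptions; 5.0 is SpamAssassin's default required_score.

```python
# Added example: constructed data, no network access.
from urllib.parse import urlsplit

LOW_TTL_SECONDS = 300   # assumed cut-off for a "short TTL"
LOW_TTL_SCORE = 1.0     # per-domain score mentioned in the message above
REQUIRED_SCORE = 5.0    # SpamAssassin's default required_score


def uri_hosts(uris):
    """Unique lower-cased hostnames from a list of URIs, order kept."""
    seen = []
    for uri in uris:
        host = (urlsplit(uri).hostname or "").lower()
        if host and host not in seen:
            seen.append(host)
    return seen


def score_uris(uris, blocklisted, ttl_lookup, listed_score=3.0):
    """Return (score, ttl_queries); ttl_lookup(host) gives seconds or None."""
    score, queries = 0.0, 0
    for host in uri_hosts(uris):
        if host in blocklisted:
            score += listed_score   # already listed: no TTL query needed
            continue
        queries += 1                # only unlisted hosts cost a TTL lookup
        ttl = ttl_lookup(host)
        if ttl is not None and ttl <= LOW_TTL_SECONDS:
            score += LOW_TTL_SCORE  # an indicator, never a verdict by itself
    return score, queries


def is_spam(other_rules_score, uri_score):
    """The verdict comes from the summed score of all rules."""
    return other_rules_score + uri_score >= REQUIRED_SCORE


# Constructed sample data (hypothetical hosts under .example).
BLOCKLISTED = {"pills.example"}
TTLS = {"cdn.shop.example": 60, "fresh-flux.example": 120,
        "news.example": 86400}
HAM = ["http://cdn.shop.example/img.png", "https://news.example/story"]
SPAM = ["http://pills.example/buy", "http://fresh-flux.example/x",
        "http://FRESH-FLUX.example/y"]

if __name__ == "__main__":
    for name, uris, other in (("ham", HAM, 0.5), ("spam", SPAM, 2.0)):
        score, queries = score_uris(uris, BLOCKLISTED, TTLS.get)
        print(name, score, queries, is_spam(other, score))
```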
