This is a discussion on Re: Detecting short-TTL domains? - SpamAssassin
Quoting Kai Schaetzl:
> Thomas Raef wrote on Sun, 12 Aug 2007 06:19:43 -0500:
> > a dnsbl is the way to go.
> On first look I disagree. We already have SURBL and URIBL. I don't see how
> this would add any benefit on top of that. We are talking about URIs in
> mail, not about hostnames of mailservers or email addresses. The only
> occasion where looking at the TTL (and whatever else in conjunction) is of
> benefit is when the URI *is not yet* on an RBL. In that case you can use
> those deviations from the norm as a spam indicator. Nothing more, nothing
> less. That also means that if the URI is found on SURBL/URIBL you don't
> have to do the TTL lookup, which helps reduce the query load.
One answer is for URI blacklists to catch more of the fast flux domains sooner.
SURBL gets some now, and we are looking to get more. The factors Thomas
mentions are some good ones to look for.
In principle SpamAssassin could also independently look for factors like these,
particularly for URI domains not already blacklisted as Kai suggests, but I'd
argue the overall function of finding these domains is better-suited to a
blacklist. Anyway, it's something we are working on.
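
The lookup order discussed in this thread (blacklist check first, TTL inspection only for URI domains that are not yet listed), as an added example that is not part of the original posts and is not SpamAssassin or SURBL code. It goes one step further than the thread by reading the TTL straight out of a raw DNS response. The 300-second threshold, all function names, and the sample domains and responses are assumptions constructed for illustration.

```python
import struct

SHORT_TTL = 300  # assumed threshold in seconds; the thread names no value

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) DNS name."""
    while msg[off] and (msg[off] & 0xC0) != 0xC0:
        off += 1 + msg[off]              # step over one length-prefixed label
    return off + (2 if msg[off] else 1)  # pointer is two bytes, root label one

def min_answer_ttl(msg):
    """Lowest TTL among the answer records of a raw DNS response, or None."""
    qd, an = struct.unpack("!2H", msg[4:8])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4   # skip QTYPE and QCLASS
    ttls = []
    for _ in range(an):
        off = _skip_name(msg, off)
        _type, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        ttls.append(ttl)
        off += 10 + rdlen
    return min(ttls) if ttls else None

def score_domains(domains, is_listed, resolve):
    """Blacklist check first; TTL lookup only for domains not yet listed."""
    out = {}
    for d in dict.fromkeys(x.lower().rstrip(".") for x in domains):
        if is_listed(d):
            out[d] = "listed"            # no TTL query needed
            continue
        ttl = min_answer_ttl(resolve(d))
        out[d] = "short-ttl" if ttl is not None and ttl < SHORT_TTL else "ok"
    return out

def _response(name, ttls):
    """Constructed A-record response (192.0.2.0/24 documentation addresses)."""
    q = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\0"
    msg = struct.pack("!6H", 0x1234, 0x8180, 1, len(ttls), 0, 0) + q + struct.pack("!2H", 1, 1)
    for i, ttl in enumerate(ttls):
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes([192, 0, 2, i + 1])
    return msg

def run_sample():
    """Constructed data; returns (verdicts, domains that needed a TTL query)."""
    zones, asked = {"flux.example": [120, 60], "steady.example": [86400]}, []
    resolve = lambda d: asked.append(d) or _response(d, zones[d])
    mail = ["listed.example", "flux.example", "Steady.Example.", "flux.example"]
    return score_domains(mail, {"listed.example"}.__contains__, resolve), asked
```

In the sample run, the listed domain never triggers a TTL query, and the duplicate URI domain is resolved only once.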