spamassassin-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From j.@jmason.org (Justin Mason)
Subject Re: Announcing SpamCopURI 0.08 support of SURBL for spam URI domain tests
Date Fri, 02 Apr 2004 23:27:13 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Jeff Chan writes:
> On Friday, April 2, 2004, 2:11:39 AM, Jeff Chan wrote:
> > If it's the case that domains expire out of the SpamCop
> > URI data sooner than the particular spam domains remain
> > a problem, then I could definitely see a need for a longer
> > expiration.  Being somewhat new to the game, I don't
> > have any data to support either argument.
> 
> OK I can see one flaw in my argument would be that if message
> body domain blocking were already popular and successful then
> *reporting* about spam URIs would taper off as fewer spams
> reached victims, even if the spam-referenced domains stayed
> up.  In that case we could simply increase our expiration
> time to make the blocking persist long after the reports
> tapered off.  (But there still should be some mechanism for
> expiring domains off the block list, whatever time period
> is used.  Or there should be some other method of removing
> domains from the list.)
> 
> Does anyone have any data about the persistence of spam URI
> domains?  I'll even settle for any data about spam web server
> IP addresses.  :-)

I've seen the same domain being used for several months.

BTW I would suggest a TTL in the list of at least 1 month for reported
URIs.  If you're worried about FPs hanging around for long, provide a very
easy removal method (e.g. web form or email). Don't bother trying to
assess the spamminess or otherwise of the requester, just remove the URL
ASAP (and log the action, of course).

Side issue: why use easy removal without questions? Spammers do not have
the bandwidth to remove themselves from every list.  If they *do* go to
the bother, and a URL does get removed, then repeatedly crops up in spam
again, it should be raised as an alarm -- and possibly brought to the
notice of other people -- e.g. this list or others.

If it really is a spammy URL and the spammer just keeps removing it, I'd
imagine the URL would be noted as such and quickly find its way into
systems that *don't* offer easy removal. ;)  If it isn't a spammy URL,
then you've saved yourself a lot of FPs and annoyed users, without
requiring much legwork on your part.

Basically the philosophy is to make it easy for anyone to remove an
URL from the list.

- --j.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Exmh CVS

iD8DBQFAbfbRQTcbUG5Y7woRAlB0AJoDZtBP7lqSmUDngr9kBASS2VvJpgCfSG6v
8JNhCJUWh2C5X7NDm86crEE=
=i2Ij
-----END PGP SIGNATURE-----


Mime
View raw message