Author: B.Spade (27 Sep 07 3:21am)
OK, one example of a false positive, the threat score isn't terribly high, but high enough for my spamkiller to ask for a second opinion.
The IP address is 220.127.116.11
The http:BL return is 127.12.41.3
Country of origin (from whois -h whois.afrinic.net 18.104.22.168) - Ghana
http:BL score=127.3.49.3 (at the time of posting, Aug 9, 2007)
http:BL score=127.5.47.3(on Aug 11,2007)
Country of origin (from whois -h whois.afrinic.net 22.214.171.124) - Nigeria
My forum is for discussing Spanish soap operas (telenovelas) in languages other than Spanish, there are a few of these telenovelas being aired in Africa now, and it appears that the people who post from there are not very experienced with computers. My guess is that they are all dial-up users, some of them have been infected with viruses that have drafted them into the 'global network of anonymous proxy servers', and as they swap around the addresses as they dial in, the reputation score gets shared.
On the other hand, real spam might score like these:
Country of origin (from http://ws.arin.net/cgi-bin/whois.pl) USA
Also, so far this month, we have received 3926 comment spam messages where http:BL helped to catch the spam, and 1978 comment spam messages where http:BL didn't help at all. But then one major class of spam we get comes from IP addresses that have only contributed spam, and another major class of spam comes from IP addresses we have never seen before. And most of the http:BL false negatives are in this second class.