Should I use RBL?

[Erik Wickstrom <er...@gmail.com>]

Hi All,

Just wanted to get your opinion on whether or not I should have RBL
activated?  I have read some mixed opinions so far.  Does it create
alot of false positives (vice versa)?

Thanks,
Erik

Re: Should I use RBL?

[Jeff Chan <je...@surbl.org>]

On Tuesday, September 28, 2004, 8:43:14 PM, Erik Wickstrom wrote:
> Just wanted to get your opinion on whether or not I should have RBL
> activated?  I have read some mixed opinions so far.  Does it create
> alot of false positives (vice versa)?

It may be worth pointing out that there are a couple different
ways to use RBLS:

1.  In your MTA (sendmail, postfix, etc.) to block at the
transport level, meaning messages are blocked before SpamAssassin
or any users every see them.

2.  In SpamAssassin, where RBL hits are used to increase the
score of a particular message, usually together with other
rules.

Blocking at the MTA is somewhat more extreme than using RBLs
in SA, since they get dropped up front.  In SA, RBLs simply
become one additional way to score a message.  That makes their
results more customizable than using them in MTAs.  It also uses
more CPU, memory, disk, etc. If you like one RBL better than
another, you can give it a higher score, etc.

There's probably a FAQ or wiki about this subject somewhere.

We use sbl-xbl.spamhaus.org at the MTA level, and other rules
in SpamAssassin.  This is kind of a hybrid approach that gets
rid of a bunch of junk before it even gets to SA, reducing the
load on SA by more than 50%.  We get almost no FPs from using
spamhaus at the MTA level.  YMMV. 

Jeff C.
-- 
Jeff Chan
mailto:jeffc@surbl.org
http://www.surbl.org/

Re: Should I use RBL?

[Kenneth Porter <sh...@sewingwitch.com>]

--On Tuesday, September 28, 2004 8:43 PM -0700 Erik Wickstrom 
<er...@gmail.com> wrote:

> Just wanted to get your opinion on whether or not I should have RBL
> activated?  I have read some mixed opinions so far.  Does it create
> alot of false positives (vice versa)?

To see an example of why using an RBL at the MTA is a Bad Idea, check out 
the thread titled "roaringpenguin.com is listed in rfc-ignorant" here:

<http://lists.roaringpenguin.com/pipermail/mimedefang/2004-September/thread.html>

(For some reason the thread is broken up, perhaps due to broken mail 
clients not preserving the reference chain in the headers.)

Re: Should I use RBL?

[Matt Kettler <mk...@comcast.net>]

At 08:43 PM 9/28/2004 -0700, Erik Wickstrom wrote:
>Just wanted to get your opinion on whether or not I should have RBL
>activated?  I have read some mixed opinions so far.  Does it create
>alot of false positives (vice versa)?

My opinion is that RBLs are lousy as a single-point criteria for spam if 
FPs are a big problem for you (ie: traditional MTA layer blocking).

However, integrated in SA I've rarely had FPs that were attributable to the 
RBLs, particularly when combined with bayes, which can deduct just about as 
many points as the RBLs can add.

Typicaly if I have a FP that involves RBL hits, the email has less than 
half the required points from RBL rules. (ie: less than 2.5 points) and a 
substantial chunk of points from various malformed HTML, malformed mime, 
and malformed message-id rules.