Posted to users@spamassassin.apache.org by Larry Nedry <sp...@bluestreak.net> on 2006/12/29 22:25:10 UTC
Re: RBLs (was: sa-learn explained)
On 12/29/06 at 2:50 PM -0500 Vernon Webb wrote:
>What are you using?
Currently I am using only zen.spamhaus.org. The rest of the RBLs that I
have tried have had too many false positives to be useful for my
requirements.
Which RBLs do the rest of you folks feel comfortable using?
Nedry
Re: RBLs (was: sa-learn explained)
Posted by Jeff Chan <je...@surbl.org>.
On Friday, December 29, 2006, 1:25:10 PM, Larry Nedry wrote:
> On 12/29/06 at 2:50 PM -0500 Vernon Webb wrote:
>>What are you using?
> Currently I am using only zen.spamhaus.org. The rest of the RBLs that I
> have tried have had too many false positives to be useful for my
> requirements.
> Which RBLs do the rest of you folks feel comfortable using?
> Nedry
zen.spamhaus.org is the only RBL I recommend using for outright
blocking at the MTA level. Of the spamhaus lists, zen is the
only one people should be using going forward, as already
mentioned from the Spamhaus site:
http://www.spamhaus.org/faq/answers.lasso?section=DNSBL%20Technical#186
Be aware that zen will include the new PBL list in addition to
SBL and XBL:
http://www.spamhaus.org/pbl/index.lasso
The PBL list should be quite effective, but it is a different,
new list. It is a "Policy Black List" that lists network spaces
that ISPs say should not be emitting mail, such as dialup spaces,
DHCP spaces, DSL, cable modem, etc. Many of the mail emitters in
such spaces tend to be botnets sending spam.
Also note that MTA level blocking is not the same as the way
SpamAssassin uses RBLs. SpamAssassin uses many blacklists in
addition to Spamhaus:
http://wiki.apache.org/spamassassin/UsingNetworkTests
http://wiki.apache.org/spamassassin/DnsBlocklists
in order to score the senders of messages. It scores different
blacklists differently, essentially depending on how accurate
they are. The more accurate lists get a higher score, etc.
SpamAssassin also uses some RBLs to check message body URIs,
including using Spamhaus and SURBLs:
http://spamassassin.apache.org/full/3.1.x/dist/doc/Mail_SpamAssassin_Plugin_URIDNSBL.html
Blocking in an MTA means not allowing the message to even get to
SpamAssassin for checking. This is the normal way most mail
servers are set up since the volume of all spam could generally
overwhelm SpamAssassin without MTA blocking. Blocking by sender
IP is much more efficient, so it's generally used as a fast
pre-filter before SpamAssassin even sees a message.
Jeff C.
--
Jeff Chan
mailto:jeffc@surbl.org
http://www.surbl.org/
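Added example, not part of the original message and not SpamAssassin's or any MTA's own code: the same DNSBL lookup used two ways, as an outright reject at the MTA and as one contribution to a score. The DNS answers, scores and threshold are constructed for illustration; the zen return-code meanings are Spamhaus's published ones, not taken from this thread.

```python
import ipaddress

# Constructed DNSBL answers standing in for live DNS (query name -> A record).
# 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges, not real listings.
FAKE_DNS = {
    "10.2.0.192.zen.spamhaus.org": "127.0.0.4",
    "10.2.0.192.bl.spamcop.net": "127.0.0.2",
    "20.100.51.198.bl.spamcop.net": "127.0.0.2",     # listed on SpamCop only
    "30.100.51.198.zen.spamhaus.org": "127.0.0.10",
}

# Which zen component produced the answer (Spamhaus's published codes).
ZEN_CODES = {"127.0.0.2": "SBL", "127.0.0.4": "XBL", "127.0.0.10": "PBL"}

# Hypothetical scores: the more accurate list weighs more, as the post describes.
SCORES = {"zen.spamhaus.org": 3.0, "bl.spamcop.net": 1.5, "list.dsbl.org": 1.0}
THRESHOLD = 5.0  # hypothetical "tag as spam" threshold


def query_name(ip, zone):
    """DNSBL convention: reverse the IPv4 octets and append the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def lookup(ip, zone, resolver=FAKE_DNS.get):
    """Return the A-record answer if the IP is listed, else None (NXDOMAIN)."""
    return resolver(query_name(ip, zone))


def zen_sublist(answer):
    """Map a zen answer to SBL/XBL/PBL so each can be treated differently."""
    return ZEN_CODES.get(answer)


def mta_stage(ip, block_zones=("zen.spamhaus.org",)):
    """Blocking use: one listing in a blocking zone rejects the connection."""
    for zone in block_zones:
        answer = lookup(ip, zone)
        if answer:
            return ("reject", zone, answer)
    return ("accept", None, None)


def scoring_stage(ip, content_score=0.0):
    """Scoring use: each listing adds points; no single list decides alone."""
    hits = [zone for zone in SCORES if lookup(ip, zone)]
    total = content_score + sum(SCORES[zone] for zone in hits)
    return hits, total, total >= THRESHOLD
```

With this sample data a sender listed only on bl.spamcop.net is accepted by the MTA stage and tagged only when other evidence pushes the total over the threshold; adding that zone to `block_zones` would instead reject it outright.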
Re: RBLs
Posted by Jason Faulkner <jf...@broadwick.com>.
Larry Nedry wrote:
> On 12/29/06 at 2:50 PM -0500 Vernon Webb wrote:
>> What are you using?
>
> Currently I am using only zen.spamhaus.org. The rest of the RBLs that
> I have tried have had too many false positives to be useful for my
> requirements.
>
> Which RBLs do the rest of you folks feel comfortable using?
Spamhaus is amazingly good -- but some others are less than stellar. I'd
recommend using the rbl and xbl from Spamhaus.
--
Jason Faulkner
Systems Manager
Broadwick Corporation
(919) 459-2509
Re: RBLs
Posted by John Rudd <jr...@ucsc.edu>.
Sander Holthaus wrote:
> John Rudd wrote:
>> John D. Hardin wrote:
>>> On Fri, 29 Dec 2006, Larry Nedry wrote:
>>>
>>>> On 12/29/06 at 2:50 PM -0500 Vernon Webb wrote:
>>>>> What are you using?
>>>> Currently I am using only zen.spamhaus.org. The rest of the
>>>> RBLs that I have tried have had too many false positives to be
>>>> useful for my requirements.
>>>>
>>>> Which RBLs do the rest of you folks feel comfortable using?
>>> I use a few others from sorbs.net, but I don't see them having
>>> any effect as zen.spamhaus.org catches everything first... :)
>>>
>>
>> I've been using sbl-xbl for a while, and then recently switched to
>> zen.
>>
>> I also recently added list.dsbl.org (called before zen, so I can
>> see how much it's really catching). It's pretty small (about 1/6
>> of what zen catches).
>>
>> I'm also contemplating adding dul.dnsbl.sorbs.net.
>>
>> I tend to put the newest (to me) rbl first, so I can see what it's
>> actually catching before the stuff I was already using :-)
>>
>>
> zen != xbl-sbl. It is xbl-sbl-pbl. AFAIK, the PBL's aren't active, but
> will be in the near future. You might want to change the scoring for
> PBL-entries.
>
Yes, I never implied that zen == sbl-xbl. However, for now, according
to spamhaus, zen only contains the production databases, so it IS
currently (practically) the same as sbl-xbl. The difference is that
once the PBL becomes fully published/public, zen will include all 3, but
sbl-xbl will not.
So, if what you want is "the one with everything [fully publicly
published]" you can start using zen now and won't have to make a change
in the future.
Re: RBLs
Posted by Sander Holthaus <in...@orangexl.com>.
John Rudd wrote:
> John D. Hardin wrote:
>> On Fri, 29 Dec 2006, Larry Nedry wrote:
>>
>>> On 12/29/06 at 2:50 PM -0500 Vernon Webb wrote:
>>>> What are you using?
>>> Currently I am using only zen.spamhaus.org. The rest of the
>>> RBLs that I have tried have had too many false positives to be
>>> useful for my requirements.
>>>
>>> Which RBLs do the rest of you folks feel comfortable using?
>>
>> I use a few others from sorbs.net, but I don't see them having
>> any effect as zen.spamhaus.org catches everything first... :)
>>
>
>
> I've been using sbl-xbl for a while, and then recently switched to
> zen.
>
> I also recently added list.dsbl.org (called before zen, so I can
> see how much it's really catching). It's pretty small (about 1/6
> of what zen catches).
>
> I'm also contemplating adding dul.dnsbl.sorbs.net.
>
> I tend to put the newest (to me) rbl first, so I can see what it's
> actually catching before the stuff I was already using :-)
>
>
zen != xbl-sbl. It is xbl-sbl-pbl. AFAIK, the PBL's aren't active, but
will be in the near future. You might want to change the scoring for
PBL-entries.
Kind Regards,
Sander Holthaus
Re: RBLs
Posted by Jason Faulkner <jf...@broadwick.com>.
>>
>> In a lot of cases, that seems to boil down to "sending a legitimate
>> email to a recipient who once *asked* to be sent such email, who has
>> now forgotten they signed up in the first place". :(
>>
>> There's not much a sender can do about that - particularly for
>> periodic emails of the type *many* companies send to customers (or
>> potential customers) who have signed up for these messages.
>
>
> Not only can the sender not do anything about the reporting and
> getting blacklisted, but the way spamcop sometimes (always?) lists the
> host, they can't find out which of their senders was involved, and
> thus have no hope of figuring out which of that sender's recipients is
> responsible.
>
> Kind of hard to solve a problem when you're just being told "something
> is wrong" and _nothing_ more. Which is the case when a spamtrap was
> involved.
Exactly the point I was trying to make earlier. As an ESP (email service
provider), we have a tough job in separating the wheat from the chaff.
When you have just under 10,000 customers and 12 IPs, it's a little
difficult to know who sent to a spamtrap when we aren't even given the
most basic information about a message.
--
Jason Faulkner
Systems Manager
Broadwick Corporation
(919) 459-2509
Re: RBLs
Posted by John Rudd <jr...@ucsc.edu>.
Kris Deugau wrote:
> Jeff Chan wrote:
>> The SpamCop BL is a fair representation of the sending IPs of the
>> messages that its users are reporting as spam. One of your goals
>> as an ESP should be to not get perceived as spam in the mailboxes
>> of those users. If the users get your messages and report them
>> as spam (via SpamCop, AOL, etc.), then you may be doing something
>> inappropriate that's worth reviewing and correcting.
>
> In a lot of cases, that seems to boil down to "sending a legitimate
> email to a recipient who once *asked* to be sent such email, who has now
> forgotten they signed up in the first place". :(
>
> There's not much a sender can do about that - particularly for periodic
> emails of the type *many* companies send to customers (or potential
> customers) who have signed up for these messages.
Not only can the sender not do anything about the reporting and getting
blacklisted, but the way spamcop sometimes (always?) lists the host,
they can't find out which of their senders was involved, and thus have
no hope of figuring out which of that sender's recipients is responsible.
Kind of hard to solve a problem when you're just being told "something
is wrong" and _nothing_ more. Which is the case when a spamtrap was
involved.
Re: RBLs
Posted by Kris Deugau <kd...@vianet.ca>.
Jeff Chan wrote:
> The SpamCop BL is a fair representation of the sending IPs of the
> messages that its users are reporting as spam. One of your goals
> as an ESP should be to not get perceived as spam in the mailboxes
> of those users. If the users get your messages and report them
> as spam (via SpamCop, AOL, etc.), then you may be doing something
> inappropriate that's worth reviewing and correcting.
In a lot of cases, that seems to boil down to "sending a legitimate
email to a recipient who once *asked* to be sent such email, who has now
forgotten they signed up in the first place". :(
There's not much a sender can do about that - particularly for periodic
emails of the type *many* companies send to customers (or potential
customers) who have signed up for these messages.
-kgd
Re: RBLs
Posted by Jeff Chan <je...@surbl.org>.
On Saturday, December 30, 2006, 10:40:21 AM, Jason Faulkner wrote:
> I will completely concur with the statement about spamcop being too
> aggressive -- I work with a company that sends out ~10 million messages
> per month per ip (we're an ESP) and we can get listed on Spamcop for as
> few as 20 complaints on one of those IPs, and there's absolutely no
> feedback mechanism that they'll listen to us with.
> Spamhaus is fair. DULs are a great idea. But please, please don't
> support SpamCop. Their policies are not fair and you /will/ lose some
> legitimate email in the process.
While I agree that the SpamCop BL is too aggressive for use as
MTA blocking, it's unfair to say that SpamCop or their blacklist
are unfair.
The SpamCop BL is a fair representation of the sending IPs of the
messages that its users are reporting as spam. One of your goals
as an ESP should be to not get perceived as spam in the mailboxes
of those users. If the users get your messages and report them
as spam (via SpamCop, AOL, etc.), then you may be doing something
inappropriate that's worth reviewing and correcting. Frankly if
I were an ESP, I'd be grateful for the feedback that something
may be wrong. That feedback is valuable and gives you a chance
to review your practices before you become more widely viewed as
spammers. Presumably that's something you would want to avoid.
In contrast to outright blocking at the MTA level, SpamAssassin
uses the SpamCop BL and many other BLs to create a score to tag
messages as spammy or not. For a list that's a bit too
aggressive like SCBL, the score is lower. For a list that's more
accurate like xbl.spamhaus.org, SpamAssassin gives it a higher
score. Etc.
Jeff C.
--
Jeff Chan
mailto:jeffc@surbl.org
http://www.surbl.org/
Re: RBLs
Posted by Jason Faulkner <jf...@broadwick.com>.
>> I will completely concur with the statement about spamcop being too
>> aggressive -- I work with a company that sends out ~10 million
>> messages per month per ip (we're an ESP) and we can get listed on
>> Spamcop for as few as 20 complaints on one of those IPs, and there's
>> absolutely no feedback mechanism that they'll listen to us with.
>>
>> Spamhaus is fair. DULs are a great idea. But please, please don't
>> support SpamCop. Their policies are not fair and you /will/ lose
>> some legitimate email in the process.
>
> Jason, if your folks own "emaildirect.com" expect to remain blacklisted.
> I just received a mortgage spam from them which hit no BL rules at all.
> I'm motivated to submit it to all and sundry.
>
> {^_^}
I don't know who emaildirect.com is -- but it's certainly not us, and I
just checked our DB, and they aren't a customer of ours.
If you wanted to know who we were, you could have just looked up the
website in my sig --- http://broadwick.com -- owners of
http://www.intellicontact.com
--
Jason Faulkner
Systems Manager
Broadwick Corporation
(919) 459-2509
jfaulkne@broadwick.com
Re: RBLs
Posted by jdow <jd...@earthlink.net>.
From: "Jason Faulkner" <jf...@broadwick.com>
>
>> we are using sbl-xbl.spamhaus.org, dul.dnsbl.sorbs.net, bl.spamcop.net
>> and list.dsbl.org in this particular order. The results are available
>> at:
>>
>> http://graph.noc.ntua.gr/a/graph_529.html
>>
>> Sbl-xbl(zen).spamhaus.org being first in the list and more complete
>> gets the most hits. Dul.dnsbl.sorbs.net does a pretty good job without
>> causing the problems of dnsbl.sorbs.net (too aggressive, weird
>> re-listing policy etc.). Bl.spamcop.net gets fewer hits, tends to be
>> aggressive sometimes (that's why we have combined rbls with a proper
>> whitelist) but also works as an early detector which is useful.
>> List.dsbl.org gets even fewer hits being last and smaller.
>
> I will completely concur with the statement about spamcop being too
> aggressive -- I work with a company that sends out ~10 million messages
> per month per ip (we're an ESP) and we can get listed on Spamcop for as
> few as 20 complaints on one of those IPs, and there's absolutely no
> feedback mechanism that they'll listen to us with.
>
> Spamhaus is fair. DULs are a great idea. But please, please don't
> support SpamCop. Their policies are not fair and you /will/ lose some
> legitimate email in the process.
Jason, if your folks own "emaildirect.com" expect to remain blacklisted.
I just received a mortgage spam from them which hit no BL rules at all.
I'm motivated to submit it to all and sundry.
{^_^}
Re: RBLs
Posted by Jason Faulkner <jf...@broadwick.com>.
> we are using sbl-xbl.spamhaus.org, dul.dnsbl.sorbs.net, bl.spamcop.net
> and list.dsbl.org in this particular order. The results are available
> at:
>
> http://graph.noc.ntua.gr/a/graph_529.html
>
> Sbl-xbl(zen).spamhaus.org being first in the list and more complete
> gets the most hits. Dul.dnsbl.sorbs.net does a pretty good job without
> causing the problems of dnsbl.sorbs.net (too aggressive, weird
> re-listing policy etc.). Bl.spamcop.net gets fewer hits, tends to be
> aggressive sometimes (that's why we have combined rbls with a proper
> whitelist) but also works as an early detector which is useful.
> List.dsbl.org gets even fewer hits being last and smaller.
I will completely concur with the statement about spamcop being too
aggressive -- I work with a company that sends out ~10 million messages
per month per ip (we're an ESP) and we can get listed on Spamcop for as
few as 20 complaints on one of those IPs, and there's absolutely no
feedback mechanism that they'll listen to us with.
Spamhaus is fair. DULs are a great idea. But please, please don't
support SpamCop. Their policies are not fair and you /will/ lose some
legitimate email in the process.
--
Jason Faulkner
Systems Manager
Broadwick Corporation
(919) 459-2509
jfaulkne@broadwick.com
Re: RBLs
Posted by Panagiotis Christias <ch...@gmail.com>.
On 12/30/06, John Rudd <jr...@ucsc.edu> wrote:
> John D. Hardin wrote:
> > On Fri, 29 Dec 2006, Larry Nedry wrote:
> >
> >> On 12/29/06 at 2:50 PM -0500 Vernon Webb wrote:
> >>> What are you using?
> >> Currently I am using only zen.spamhaus.org. The rest of the RBLs
> >> that I have tried have had too many false positives to be useful
> >> for my requirements.
> >>
> >> Which RBLs do the rest of you folks feel comfortable using?
> >
> > I use a few others from sorbs.net, but I don't see them having any
> > effect as zen.spamhaus.org catches everything first... :)
> >
>
>
> I've been using sbl-xbl for a while, and then recently switched to zen.
>
> I also recently added list.dsbl.org (called before zen, so I can see how
> much it's really catching). It's pretty small (about 1/6 of what zen
> catches).
>
> I'm also contemplating adding dul.dnsbl.sorbs.net.
>
> I tend to put the newest (to me) rbl first, so I can see what it's
> actually catching before the stuff I was already using :-)
Hello,
we are using sbl-xbl.spamhaus.org, dul.dnsbl.sorbs.net, bl.spamcop.net
and list.dsbl.org in this particular order. The results are available
at:
http://graph.noc.ntua.gr/a/graph_529.html
Sbl-xbl(zen).spamhaus.org being first in the list and more complete
gets the most hits. Dul.dnsbl.sorbs.net does a pretty good job without
causing the problems of dnsbl.sorbs.net (too aggressive, weird
re-listing policy etc.). Bl.spamcop.net gets fewer hits, tends to be
aggressive sometimes (that's why we have combined rbls with a proper
whitelist) but also works as an early detector which is useful.
List.dsbl.org gets even fewer hits being last and smaller.
Regards,
Panagiotis
Re: RBLs
Posted by John Rudd <jr...@ucsc.edu>.
John D. Hardin wrote:
> On Fri, 29 Dec 2006, Larry Nedry wrote:
>
>> On 12/29/06 at 2:50 PM -0500 Vernon Webb wrote:
>>> What are you using?
>> Currently I am using only zen.spamhaus.org. The rest of the RBLs
>> that I have tried have had too many false positives to be useful
>> for my requirements.
>>
>> Which RBLs do the rest of you folks feel comfortable using?
>
> I use a few others from sorbs.net, but I don't see them having any
> effect as zen.spamhaus.org catches everything first... :)
>
I've been using sbl-xbl for a while, and then recently switched to zen.
I also recently added list.dsbl.org (called before zen, so I can see how
much it's really catching). It's pretty small (about 1/6 of what zen
catches).
I'm also contemplating adding dul.dnsbl.sorbs.net.
I tend to put the newest (to me) rbl first, so I can see what it's
actually catching before the stuff I was already using :-)
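Added example, not part of any poster's message: the posts above describe ordering RBLs so the first one to match gets the hit, and this sketch shows how per-list hit counts under first-match depend on that order, alongside order-independent totals and unique catches. The listing data is constructed; none of it reflects real listings or the statistics quoted in the thread.

```python
# Constructed sample data: which of ten sending IPs (192.0.2.0/24 is a
# documentation range) each list would return a listing for.
def ips(*hosts):
    return {f"192.0.2.{h}" for h in hosts}


LISTED = {
    "zen.spamhaus.org": ips(1, 2, 3, 4, 5, 6),
    "list.dsbl.org": ips(5, 6, 7),
    "bl.spamcop.net": ips(4, 6, 7, 8),
}
SENDERS = [f"192.0.2.{h}" for h in range(1, 11)]  # .9 and .10 are unlisted


def first_match_counts(senders, order):
    """What an MTA log shows: only the first list that matches is credited."""
    counts = {zone: 0 for zone in order}
    for ip in senders:
        for zone in order:
            if ip in LISTED[zone]:
                counts[zone] += 1
                break  # later lists are never queried for this sender
    return counts


def independent_counts(senders, zones):
    """Order-independent view: total listings and listings no other list has."""
    result = {}
    for zone in zones:
        others = set().union(*(LISTED[z] for z in zones if z != zone))
        total = sum(ip in LISTED[zone] for ip in senders)
        unique = sum(ip in LISTED[zone] and ip not in others for ip in senders)
        result[zone] = {"total": total, "unique": unique}
    return result


if __name__ == "__main__":
    zones = list(LISTED)
    print(first_match_counts(SENDERS, ["zen.spamhaus.org", "bl.spamcop.net", "list.dsbl.org"]))
    print(first_match_counts(SENDERS, ["list.dsbl.org", "zen.spamhaus.org", "bl.spamcop.net"]))
    print(independent_counts(SENDERS, zones))
```

The `unique` figure is the one that answers whether a list adds coverage; a list placed last can show zero first-match hits while still listing several of the same senders.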
Re: RBLs (was: sa-learn explained)
Posted by "John D. Hardin" <jh...@impsec.org>.
On Fri, 29 Dec 2006, Larry Nedry wrote:
> On 12/29/06 at 2:50 PM -0500 Vernon Webb wrote:
> >What are you using?
>
> Currently I am using only zen.spamhaus.org. The rest of the RBLs
> that I have tried have had too many false positives to be useful
> for my requirements.
>
> Which RBLs do the rest of you folks feel comfortable using?
I use a few others from sorbs.net, but I don't see them having any
effect as zen.spamhaus.org catches everything first... :)
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Liberals love sex ed because it teaches kids to be safe around their
sex organs. Conservatives love gun education because it teaches kids
to be safe around guns. However, both believe that the other's
education goals lead to dangers too terrible to contemplate.
-----------------------------------------------------------------------
676 days until the Presidential Election