Posted to users@spamassassin.apache.org by da...@chaosreigns.com on 2011/04/03 03:24:15 UTC

What blacklists are you using at your MTA?

I'm curious what blacklists other people are currently using at their MTA,
rejecting during delivery, before mail gets to spamassassin.

For a while I've been using zen.spamhaus.org and dnsbl.sorbs.net.  Based on
recent stats ( http://ruleqa.spamassassin.org/?daterev=20110319 )
I think I'm dropping sorbs and adding psbl.surriel.com.



  MSECS    SPAM%     HAM%     S/O    RANK   SCORE  NAME   WHO/AGE
      0   0.7411   4.1503   0.152    0.31   (n/a)  __RCVD_IN_ZEN  
      0   0.3626   5.1060   0.066    0.24   (n/a)  __RCVD_IN_SORBS  
      0  49.8989   0.0183   1.000    0.97    0.00  RCVD_IN_PSBL  

Man it's a shame those __* rules don't include all their sub-rules.

Why do some RBLs use firsttrusted and others use lastexternal?  Shouldn't
they all be the same?


zen.spamhaus.org:

  MSECS    SPAM%     HAM%     S/O    RANK   SCORE  NAME   WHO/AGE
      0  70.7263   0.0016   1.000    1.00    0.00  RCVD_IN_XBL  
      0  65.6389   0.1020   0.998    0.90    0.00  RCVD_IN_PBL  

How can those add up to more than 100% of spam?  They're both checking
lastexternal, for different values?
Also includes:
      0   0.5502   0.0469   0.921    0.65    0.00  RCVD_IN_SBL  


dnsbl.sorbs.net:

  MSECS    SPAM%     HAM%     S/O    RANK   SCORE  NAME   WHO/AGE
      0  15.4739   0.1462   0.991    0.81    0.00  RCVD_IN_SORBS_DUL  
      0  10.8966   0.1608   0.985    0.78    0.00  RCVD_IN_SORBS_WEB  
      0   0.1347   0.0027   0.980    0.58    0.00  RCVD_IN_SORBS_SOCKS  
      0   0.1347   0.0027   0.980    0.58    0.00  RCVD_IN_SORBS_HTTP  
      0        0        0   0.500    0.48    0.00  RCVD_IN_SORBS_ZOMBIE  
      0        0        0   0.500    0.48    0.00  RCVD_IN_SORBS_BLOCK  
      0        0        0   0.500    0.48    0.00  RCVD_IN_SORBS_SMTP  
      0   0.0005   0.0005   0.458    0.48    0.00  RCVD_IN_SORBS_MISC  
TOTAL    26.6404   0.3129   0.998


And psbl.surriel.com is just:

  MSECS    SPAM%     HAM%     S/O    RANK   SCORE  NAME   WHO/AGE
      0  49.8989   0.0183   1.000    0.97    0.00  RCVD_IN_PSBL  

If I have the sorbs totals right, psbl is *way* better than sorbs, both in
ham% and spam% hit.

-- 
"Life is either a daring adventure or it is nothing at all."
- Helen Keller
http://www.ChaosReigns.com

Re: What blacklists are you using at your MTA?

Posted by Ned Slider <ne...@unixmail.co.uk>.
On 03/04/11 02:24, darxus@chaosreigns.com wrote:
> I'm curious what blacklists other people are currently using at their MTA,
> rejecting during delivery, before mail gets to spamassassin.
>

There was a similar thread on this list a few months ago - please refer 
back to the list archives:

3rd Jan, 2011; Subject: Off topic: best RBLs to use to block at smtp 
connection?


Re: What blacklists are you using at your MTA?

Posted by RW <rw...@googlemail.com>.
On Sat, 2 Apr 2011 23:13:45 -0400
darxus@chaosreigns.com wrote:

> On 04/03, Karsten Bräckelmann wrote:

> > Because they are two different blacklists. Because there is no
> > guarantee being on one prevents being listed on the other. And
> > because these stats are generated in a SCORING system.
> 
> Yeah but they're in the same DNS zone, zen.spamhaus.org, and although
> I recognize you can have multiple "A" records for the same name, it
> looks like queries to this zone only return one answer per lookup.  
> 
> Or does it sometimes return multiple "A" records for one query, and
> I'm just not finding those examples?
> 

Here's one:

$ dig +short 8.172.193.117.zen.spamhaus.org.
127.0.0.11
127.0.0.4

Re: What blacklists are you using at your MTA?

Posted by da...@chaosreigns.com.
On 04/03, Karsten Bräckelmann wrote:
> A binary, black-and-white perception. While under certain circumstances
> really close to reality, it might yield FPs. But see below.

Yup.

> >       0  70.7263   0.0016   1.000    1.00    0.00  RCVD_IN_XBL  
> >       0  65.6389   0.1020   0.998    0.90    0.00  RCVD_IN_PBL  
> > 
> > How can those add up to more than 100% of spam?  They're both checking
> > lastexternal, for different values?
> 
> I am rather speechless...
> 
> Because they are two different blacklists. Because there is no guarantee
> being on one prevents being listed on the other. And because these stats
> are generated in a SCORING system.

Yeah but they're in the same DNS zone, zen.spamhaus.org, and although I
recognize you can have multiple "A" records for the same name, it looks like
queries to this zone only return one answer per lookup.  

Or does it sometimes return multiple "A" records for one query, and I'm
just not finding those examples?

I thought maybe it was because these tests are run on all untrusted
relays, not just the last.  Which seems like a waste.  But I have spams
with only one hop before delivering to my server that hit both of them.

-- 
"We will be dead soon. Is this how we want to live?"
http://www.ChaosReigns.com

Re: What blacklists are you using at your MTA?

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Sat, 2011-04-02 at 21:24 -0400, darxus@chaosreigns.com wrote:
> I'm curious what blacklists other people are currently using at their MTA,
> rejecting during delivery, before mail gets to spamassassin.

A binary, black-and-white perception. While under certain circumstances
really close to reality, it might yield FPs. But see below.

> zen.spamhaus.org:
> 
>   MSECS    SPAM%     HAM%     S/O    RANK   SCORE  NAME   WHO/AGE
>       0  70.7263   0.0016   1.000    1.00    0.00  RCVD_IN_XBL  
>       0  65.6389   0.1020   0.998    0.90    0.00  RCVD_IN_PBL  
> 
> How can those add up to more than 100% of spam?  They're both checking
> lastexternal, for different values?

I am rather speechless...

Because they are two different blacklists. Because there is no guarantee
being on one prevents being listed on the other. And because these stats
are generated in a SCORING system.

Because there is overlap. Because there are SA rules, part of a scoring
system, NOT rejecting on sight. That is, why different DNS BL tests in
SA, different rules, actually *can* add up to more than 100%...


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
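To tie RW's dig output (one lookup returning both 127.0.0.11 and 127.0.0.4) to Karsten's point that separate rules on one zone can sum past 100%, here is an added Python example that is not from the thread: it builds the reversed-octet query name, decodes zen return codes into sub-lists, and tallies per-rule hit rates over a constructed message set. The resolver is a fake in-memory mapping, so nothing is looked up on the network, and the return-code table is the one Spamhaus documented for zen (check current documentation before depending on it).

```python
"""Added example (not from the thread): zen.spamhaus.org query construction,
return-code decoding, and a per-rule tally showing why XBL% + PBL% can exceed 100%.
The resolver below is a constructed stand-in; no DNS queries are made."""
import ipaddress

# Zen return codes as documented by Spamhaus (verify against current docs).
ZEN_CODES = {
    "127.0.0.2": "SBL", "127.0.0.3": "SBL",           # SBL / SBL CSS
    "127.0.0.4": "XBL", "127.0.0.5": "XBL",
    "127.0.0.6": "XBL", "127.0.0.7": "XBL",
    "127.0.0.10": "PBL", "127.0.0.11": "PBL",
}

def dnsbl_query_name(ip, zone="zen.spamhaus.org"):
    """Reverse the IPv4 octets and append the zone, as an MTA or SA does."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone + "."

def decode_zen(answers):
    """Map the A records returned for one lookup to the sub-lists that hit."""
    return {ZEN_CODES[a] for a in answers if a in ZEN_CODES}

# Constructed resolver: query name -> A records (empty list means not listed).
FAKE_RESOLVER = {
    dnsbl_query_name("117.193.172.8"): ["127.0.0.11", "127.0.0.4"],  # RW's dig example
    dnsbl_query_name("192.0.2.10"): ["127.0.0.4"],
    dnsbl_query_name("192.0.2.20"): ["127.0.0.10"],
    dnsbl_query_name("192.0.2.30"): [],
}

def rule_hit_rates(relay_ips, resolver=FAKE_RESOLVER):
    """Per-rule hit percentage over a message set (one last-external relay each).
    A relay listed in several sub-lists counts for every matching rule, so the
    per-rule percentages are independent and their sum can pass 100."""
    hits = {"SBL": 0, "XBL": 0, "PBL": 0}
    for ip in relay_ips:
        for sublist in decode_zen(resolver.get(dnsbl_query_name(ip), [])):
            hits[sublist] += 1
    n = len(relay_ips)
    return {k: round(100.0 * v / n, 1) for k, v in hits.items()}

if __name__ == "__main__":
    sample = ["117.193.172.8", "117.193.172.8", "192.0.2.10", "192.0.2.20"]
    print(rule_hit_rates(sample))  # XBL 75.0 and PBL 75.0: together more than 100
```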