Posted to users@spamassassin.apache.org by "Ryan L. Sun" <li...@gmail.com> on 2005/05/25 20:33:19 UTC

dynamic IP range and good RBL?

Hi, all

I am using spamhaus sbl+xbl RBL and dsbl RBL. It seems they got too
much false positive, especially dynamic IPs.
Do you guys know how can I get all the dynamic IP range on internet,
or is that possible?
Any other RBL suggestion? False positive is critical to me.  I can
accept 40% catch ratio using a RBL with as low as possible false
positive.

Thanks.
-Ryan

Re: dynamic IP range and good RBL?

Posted by "Ryan L. Sun" <li...@gmail.com>.
Does "dul.dnsbl.sorbs.net" list all the dynamic IPs?
Or just the dynamic IPs which fall in spamtrap?

Thanks.

On 5/25/05, Ing. Alejandro Rodriguez <as...@b2ec.net> wrote:
> I have the same problem as you with dsbl: records are kept over years,
> and the delist process is complex. So most
> unskilled Net Admins never take care of this list.
> IMHO the dynamic IPs list is dul.dnsbl.sorbs.net
> In fact I'm rejecting mails at SMTP connection time using
> sbl-xbl.spamhaus.org
> bl.spamcop.net
> dul.dnsbl.sorbs.net
> With this I'm rejecting 90% of the spam without a single complaint.
> 
> Ing. Alejandro Rodriguez
> Gerente Tecnico
> Cybercom
> 
> 
> 
> Ryan L. Sun wrote:
> 
> >Hi, all
> >
> >I am using spamhaus sbl+xbl RBL and dsbl RBL. It seems they got too
> >much false positive, especially dynamic IPs.
> >Do you guys know how can I get all the dynamic IP range on internet,
> >or is that possible?
> >Any other RBL suggestion? False positive is critical to me.  I can
> >accept 40% catch ratio using a RBL with as low as possible false
> >positive.
> >
> >Thanks.
> >-Ryan
> >
> >
> >
>

Re: dynamic IP range and good RBL?

Posted by ev...@coolrunningconcepts.com.
Quoting "Ing. Alejandro Rodriguez" <as...@b2ec.net>:

> I have the same problem as you with dsbl: records are kept over years,
> and the delist process is complex. So most
> unskilled Net Admins never take care of this list.
> IMHO the dynamic IPs list is dul.dnsbl.sorbs.net
> In fact I'm rejecting mails at SMTP connection time using
> sbl-xbl.spamhaus.org
> bl.spamcop.net
> dul.dnsbl.sorbs.net
> With this I'm rejecting 90% of the spam without a single complaint.

Well, you didn't receive any complaints by email!

LOL - the only people that would complain can't get to you.  I've found that
watching the body of the email for links or image URLs to RBL listed IPs is
much more effective.  Even someone listed in the RBL can send you an email,
provided they don't have a link back to their website.

This was critical as one of the companies we were dealing with had a user that
worked from home behind a custom BSD firewall and mailserver.  While his system
was indeed secure and wasn't sending out spam (we both tested this), he was on a
dynamic IP that managed to get listed on the spamhaus site - evidently some
neighbor with a cable modem and Windows was sending out loads of SPAM.  We
turned off the header checks and eased up on sender-IP checks and focused on
the message content, asking the question "What does a spammer need to send you
to make a sale?"

This means LINKS TO listed IPs, not mail FROM the IP.  Add in not accepting
viruses, html forms, or javascript.   Don't block someone from sending you mail
until they actually do something bad.  Not all mail from an RBL listed site is
spam.  All mail with a LINK to an RBL listed site has been spam - 100%, no
false positives.

Everything else focused on spam-traps, honey-pot addresses, honey-pot email
addresses, tar-pits, "multiple failed RCPT-TO" and other SMTP commands, and
stuff like that for IPs that sent spam or sent mail to specially listed
honey-pot email addresses or honey-pot domain MX servers, or failed the other
checks.  Basically, you have to do something really bad like send an actual
spam or try a long list of addresses to send to and have them all not exist, in
order to get blacklisted, and then the blacklist doesn't do anything but tarpit
(Linux netfilter rule can do this) your connections and eventually reject your
mail until the blacklist times out.  Automatic whitelisting rules helped keep
out FPs too.

Regular HELO/EHLO checks were considerably lax so that even poorly configured
sales guys could get in from their WinXP laptops on some dial-up or dynamic DSL
IP.
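
The body-link check described in the message above, sketched as an added example (not code from the thread or from SpamAssassin): pull the hosts out of links and image URLs, resolve them, and look each IP up in a DNSBL zone. The zone `dnsbl.example`, the hostnames, the addresses and all function names are constructed; only IPv4 is handled.

```python
import ipaddress
import re
import socket

# Host part of an http(s) URL, skipping any user:pass@ prefix and the port.
URL_HOST_RE = re.compile(r"""https?://(?:[^/\s"'<>@]*@)?([^/\s"'<>:@]+)""", re.I)

def dnsbl_query_name(ip, zone):
    """IPv4 DNSBL convention: reverse the octets and append the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def extract_url_hosts(body):
    """Unique hosts from links and image URLs, in order of appearance."""
    hosts = (h.lower().rstrip(".") for h in URL_HOST_RE.findall(body))
    return list(dict.fromkeys(h for h in hosts if h))

def system_resolve(name):
    """Real A-record lookup; [] on NXDOMAIN or any resolver failure."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except OSError:
        return []
    return sorted({info[4][0] for info in infos})

def listed_link_hosts(body, zones, resolve=system_resolve):
    """Return (host, ip, zone) for each linked host whose IP a zone lists."""
    hits = []
    for host in extract_url_hosts(body):
        for ip in resolve(host):
            for zone in zones:
                answers = resolve(dnsbl_query_name(ip, zone))
                # A DNSBL answers with an A record in 127.0.0.0/8 when listed.
                if any(a.startswith("127.") for a in answers):
                    hits.append((host, ip, zone))
    return hits

# Constructed stand-in for DNS so the example runs offline (all names made up).
FAKE_DNS = {
    "shop.example": ["203.0.113.7"],
    "intranet.example": ["198.51.100.20"],
    "7.113.0.203.dnsbl.example": ["127.0.0.2"],
}
SAMPLE_BODY = ("Minutes are at http://intranet.example/minutes today.\n"
               '<a href="http://shop.example:8080/buy"><img src="http://shop.example/b.gif"></a>\n')

def demo():
    return listed_link_hosts(SAMPLE_BODY, ["dnsbl.example"], lambda n: FAKE_DNS.get(n, []))
```

The sending IP never enters the decision here, so a clean sender on a listed dynamic address is unaffected unless the message itself links to a listed host.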




Re: dynamic IP range and good RBL?

Posted by "Ing. Alejandro Rodriguez" <as...@b2ec.net>.
I have the same problem as you with dsbl: records are kept over years,
and the delist process is complex. So most
unskilled Net Admins never take care of this list.
IMHO the dynamic IPs list is dul.dnsbl.sorbs.net
In fact I'm rejecting mails at SMTP connection time using
sbl-xbl.spamhaus.org
bl.spamcop.net
dul.dnsbl.sorbs.net
With this I'm rejecting 90% of the spam without a single complaint.

Ing. Alejandro Rodriguez
Gerente Tecnico
Cybercom



Ryan L. Sun wrote:

>Hi, all
>
>I am using spamhaus sbl+xbl RBL and dsbl RBL. It seems they got too
>much false positive, especially dynamic IPs.
>Do you guys know how can I get all the dynamic IP range on internet,
>or is that possible?
>Any other RBL suggestion? False positive is critical to me.  I can
>accept 40% catch ratio using a RBL with as low as possible false
>positive.
>
>Thanks.
>-Ryan
>
>  
>

Re: dynamic IP range and good RBL?

Posted by Andy Jezierski <aj...@stepan.com>.
"Ryan L. Sun" <li...@gmail.com> wrote on 05/25/2005 01:33:19 PM:

> Hi, all
> 
> I am using spamhaus sbl+xbl RBL and dsbl RBL. It seems they got too
> much false positive, especially dynamic IPs.
> Do you guys know how can I get all the dynamic IP range on internet,
> or is that possible?
> Any other RBL suggestion? False positive is critical to me.  I can
> accept 40% catch ratio using a RBL with as low as possible false
> positive.
> 
> Thanks.
> -Ryan

Yeah, I tried the spamhaus sbl+xbl list a while back, it lasted one day, 
way too many FP's for me.  Their sbl list is much, much better.  Spamcop 
used to have a lot of FP's for me as well, not sure if it has gotten 
better or not.  As for dynamic IP's, I use dul.dnsbl.sorbs.net, seems to 
be doing a very good job for me here. Overall I think I use about 6 
different RBL lists.

Andy