Posted to users@spamassassin.apache.org by Bret Miller <br...@wcg.org> on 2006/12/13 18:35:55 UTC

MSRBL

Has anyone here tried MSRBL (http://www.msrbl.com/site/)? I'm running it
in trial now, but thought I'd ask to see if anyone here had an opinion
before doing anything serious with it.

TIA,
Bret




Re: MSRBL

Posted by Dirk Bonengel <di...@bonengel.de>.
John Rudd wrote:
> Bret Miller wrote:
>>>> On Wednesday 13 December 2006 11:35 am, Bret Miller wrote:
>>>>> Has anyone here tried MSRBL (http://www.msrbl.com/site/)? I'm running it
>>>>> in trial now, but thought I'd ask to see if anyone here had an opinion
>>>>> before doing anything serious with it.
>>>>>
>>>>> TIA,
>>>>> Bret
>>>> Bret, on my home system I use the MSRBL-Images.hdb and MSRBL-Spam.ndb in
>>>> conjunction with Clamav. I have some stats if you're interested.
>>>>
>>>
>>> I'd like to see some stats, please.
>>> I'd also like to hear some opinions on FP numbers, effectiveness etc.
>>
>> I installed the MSRBL ClamAV signatures yesterday for a trial run, not
>> actually doing anything with the results.
>
>
> I'm more interested in the Image signatures it has.  If they're really 
> useful and reliable.  I expect that keeping up with image spam 
> wouldn't be very scalable, but it might at least help reduce some load 
> (since we do virus scanning before letting Spam Assassin see a 
> message) for whichever images are known.
Image signatures just don't work. Only simple spams get caught that way 
(and you'd get those anyway).
Most spam images nowadays are slightly altered so you get different hash 
values from them.
I hacked up a plugin a few months ago (and built my own list) but didn't 
even bother to share it because results were so disappointing.... ;-(

Dirk
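
The hash mismatch described in the post above, as an added example that is not part of the original message: it matches attachments against ClamAV `.hdb`-style entries (`MD5:FileSize:Name`) and shows that a copy differing by a single bit is no longer found. The sample bytes and the signature name `Example.Image.Spam-1` are constructed for illustration.

```python
import hashlib


def hdb_line(data: bytes, name: str) -> str:
    """Build a ClamAV .hdb-style entry: MD5:FileSize:SignatureName."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"


def load_hdb(lines):
    """Parse .hdb-style lines into {(md5, size): name}, skipping blank lines."""
    db = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        md5, size, name = line.split(":", 2)
        db[(md5.lower(), int(size))] = name
    return db


def match(db, data: bytes):
    """Return the signature name if this exact MD5 and size are listed, else None."""
    return db.get((hashlib.md5(data).hexdigest(), len(data)))


# Constructed sample: stand-in bytes for a GIF attachment (not a real image).
ORIGINAL = b"GIF89a" + bytes(range(256)) * 4

# The "slightly altered" copy: same length, one bit flipped in the body.
_altered = bytearray(ORIGINAL)
_altered[500] ^= 0x01
VARIANT = bytes(_altered)

# Constructed one-entry database built from the original bytes.
DB = load_hdb([hdb_line(ORIGINAL, "Example.Image.Spam-1")])


def results():
    """Match the original and the altered copy against the same database."""
    return match(DB, ORIGINAL), match(DB, VARIANT)


if __name__ == "__main__":
    known, altered = results()
    print("original image:  ", known)
    print("one bit changed: ", altered)
```
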


Re: MSRBL

Posted by Chris Lear <ch...@laculine.com>.
Bret Miller wrote:
 >> I'm more interested in the Image signatures it has.  If they're really
 >> useful and reliable.  I expect that keeping up with image spam wouldn't
 >> be very scalable, but it might at least help reduce some load (since we
 >> do virus scanning before letting Spam Assassin see a message) for
 >> whichever images are known.
 >>
 >
 > I ran about half a day yesterday with both images and spam signatures.
 > Images hit a whopping 4 messages and spam hit about 40 with 3 FPs, both
 > a very, very low percentage (way under 1%) of spam. ImageInfo does a
 > much better job IMO.

I'm using http://www.sanesecurity.com/clamav/ (on my home domain only at 
the moment) which saves sa some work (clamav runs before sa). About a 
third of the spam that was previously caught by sa is now caught by 
clamav instead. I tried MSRBL, but got very few hits. Sorry - no info 
about false positives, because anything that hits is rejected. I haven't 
heard from anyone, though.
I'm surprised by how effective it is.

Chris

RE: MSRBL

Posted by Bret Miller <br...@wcg.org>.
> I'm more interested in the Image signatures it has.  If they're really
> useful and reliable.  I expect that keeping up with image spam wouldn't
> be very scalable, but it might at least help reduce some load (since we
> do virus scanning before letting Spam Assassin see a message) for
> whichever images are known.
> 

I ran about half a day yesterday with both images and spam signatures.
Images hit a whopping 4 messages and spam hit about 40 with 3 FPs, both
a very, very low percentage (way under 1%) of spam. ImageInfo does a
much better job IMO.

Bret




Re: MSRBL

Posted by John Rudd <jr...@ucsc.edu>.
Bret Miller wrote:
>>> On Wednesday 13 December 2006 11:35 am, Bret Miller wrote:
>>>> Has anyone here tried MSRBL (http://www.msrbl.com/site/)? I'm running it
>>>> in trial now, but thought I'd ask to see if anyone here had an opinion
>>>> before doing anything serious with it.
>>>>
>>>> TIA,
>>>> Bret
>>> Bret, on my home system I use the MSRBL-Images.hdb and MSRBL-Spam.ndb in
>>> conjunction with Clamav. I have some stats if you're interested.
>>>
>>
>> I'd like to see some stats, please.
>> I'd also like to hear some opinions on FP numbers, effectiveness etc.
> 
> I installed the MSRBL ClamAV signatures yesterday for a trial run, not
> actually doing anything with the results.


I'm more interested in the Image signatures it has.  If they're really 
useful and reliable.  I expect that keeping up with image spam wouldn't 
be very scalable, but it might at least help reduce some load (since we 
do virus scanning before letting Spam Assassin see a message) for 
whichever images are known.

RE: MSRBL

Posted by Bret Miller <br...@wcg.org>.
> > On Wednesday 13 December 2006 11:35 am, Bret Miller wrote:
> > > Has anyone here tried MSRBL (http://www.msrbl.com/site/)? I'm running it
> > > in trial now, but thought I'd ask to see if anyone here had an opinion
> > > before doing anything serious with it.
> > >
> > > TIA,
> > > Bret
> >
> > Bret, on my home system I use the MSRBL-Images.hdb and MSRBL-Spam.ndb in
> > conjunction with Clamav. I have some stats if you're interested.
> >
> 
> 
> I'd like to see some stats, please.
> I'd also like to hear some opinions on FP numbers, effectiveness etc.

I installed the MSRBL ClamAV signatures yesterday for a trial run, not
actually doing anything with the results. It hit less spam than I hoped
and had a few FPs. The FPs were all advertising e-mail, but very clearly
from my standpoint were opt-in lists that were very easy to opt-out of,
and could have been valuable to someone. My guess here is that MSRBL
works a lot like SpamCop.net and relies on user submission to determine
what is and isn't spam. That approach can't be relied upon for mail
rejection. I didn't see anything that it hit on that SA wasn't already
catching, so I'm really not convinced it's worth the effort to do.

Bret




RE: MSRBL

Posted by Leon Kolchinsky <lk...@univ.haifa.ac.il>.

> -----Original Message-----
> From: Chris [mailto:cpollock@earthlink.net]
> Sent: Thursday, December 14, 2006 5:55 AM
> To: users@spamassassin.apache.org
> Subject: Re: MSRBL
> 
> On Wednesday 13 December 2006 11:35 am, Bret Miller wrote:
> > Has anyone here tried MSRBL (http://www.msrbl.com/site/)? I'm running it
> > in trial now, but thought I'd ask to see if anyone here had an opinion
> > before doing anything serious with it.
> >
> > TIA,
> > Bret
> 
> Bret, on my home system I use the MSRBL-Images.hdb and MSRBL-Spam.ndb in
> conjunction with Clamav. I have some stats if you're interested.
> 


I'd like to see some stats, please.
I'd also like to hear some opinions on FP numbers, effectiveness etc.

> --
> Chris
> http://learn.to/quote


Leon

Re: MSRBL

Posted by Chris <cp...@earthlink.net>.
On Wednesday 13 December 2006 11:35 am, Bret Miller wrote:
> Has anyone here tried MSRBL (http://www.msrbl.com/site/)? I'm running it
> in trial now, but thought I'd ask to see if anyone here had an opinion
> before doing anything serious with it.
>
> TIA,
> Bret

Bret, on my home system I use the MSRBL-Images.hdb and MSRBL-Spam.ndb in 
conjunction with Clamav. I have some stats if you're interested.

-- 
Chris
http://learn.to/quote

RE: MSRBL

Posted by Bret Miller <br...@wcg.org>.
> > Has anyone here tried MSRBL (http://www.msrbl.com/site/)? I'm running
> > it in trial now, but thought I'd ask to see if anyone here had an
> > opinion before doing anything serious with it.
>
> I ran it here for a few hours with rblsmtpd and it got 0 hits, which
> also means 0 FP's on a very busy mail server.
>
> Didn't do anything for us but I did add it last in the loop for outright
> blocking.
>
> It's removed now as I don't need the extra lookup.

I'm beginning to think that myself. It's been running all day without a
single hit. If it doesn't ever hit anything, why use it....

Bret




Re: MSRBL

Posted by Rick Macdougall <ri...@ummm-beer.com>.
Bret Miller wrote:
> Has anyone here tried MSRBL (http://www.msrbl.com/site/)? I'm running it
> in trial now, but thought I'd ask to see if anyone here had an opinion
> before doing anything serious with it.

I ran it here for a few hours with rblsmtpd and it got 0 hits, which 
also means 0 FP's on a very busy mail server.

Didn't do anything for us but I did add it last in the loop for outright 
blocking.

It's removed now as I don't need the extra lookup.

YMMV as always.

Regards,

Rick