Re: Other good RBLs, apart from Zen?

From: Aaron Wolfe (aawolfegmail.com)
Date: Fri May 02 2008 - 13:00:08 CDT


Here are stats on the last 90 million messages I've processed:

Relative effectiveness of spam filtering techniques:

                            Unknown user 31.71% (31.71%) 28536221
                              Greylisted 32.03% (21.87%) 19684139
                               Throttled 20.08% (9.32%) 8389567
                     Relay access denied 0.02% (0.01%) 5783
                   Bogus DNS (Broadcast) 0.02% (0.01%) 5575
              Bogus DNS (RFC 1918 space) 0.14% (0.05%) 48385
                         Spoofed Address 0.58% (0.21%) 192243
                      Unclassified Event 1.88% (0.69%) 622037
                 Temporary Local Problem 0.00% (0.00%) 1384
             Require FQDN sender address 0.01% (0.00%) 4136 reject_non_fqdn_sender
          Require FQDN for HELO hostname 14.14% (5.11%) 4598287 reject_non_fqdn_helo_hostname
         Require DNS for sender's domain 1.26% (0.39%) 352926 reject_unknown_sender_domain
                     Require Reverse DNS 2.71% (0.83%) 747785 reject_unknown_reverse_client_hostname
           Require DNS for HELO hostname 0.12% (0.04%) 33230 reject_unknown_helo_hostname
                 The Spamhaus Block List 33.77% (10.05%) 9044310 reject_rbl_client zen.dnsbl
                  The SpamCop Block List 2.85% (0.56%) 505419 reject_rbl_client bl.spamcop.net
                         PSBL Block List 0.08% (0.01%) 13323 reject_rbl_client psbl.surriel.com
          The Invaluement SIP Block List 32.74% (6.26%) 5635764 reject_rbl_client sip.invaluement.com
     SORBS Dynamic IP Address Block List 1.54% (0.20%) 178267 reject_rbl_client dul.dnsbl.sorbs.net
              SpamRats No PTR Block List 0.87% (0.11%) 98869 reject_rbl_client noptr.spamrats.com
          SpamRats Dynamic IP Block List 1.03% (0.13%) 116433 reject_rbl_client dyna.spamrats.com
                SpamRats SPAM Block List 0.00% (0.00%) 38 reject_rbl_client spam.spamrats.com
                     Lashback Block List 0.09% (0.01%) 9892 reject_rbl_client ubl.unsubscore.com
           UCEPROTECT Level 1 Block List 0.03% (0.00%) 2795 reject_rbl_client dnsbl-1.uceprotect.net
                The HostKarma Block List 0.08% (0.01%) 8913 reject_rbl_client blacklist.junkemailfilter.com

Total messages: 90000978
Total blocked: 78835721 87.59%

These are the checks I do with Postfix before SA, in the order I do them.
The first percentage is the amount of mail blocked out of what is "left" by
the time the message gets to that check, the second is the percentage of
total mail blocked. Sorry if the formatting is strange. Not all of my
clients use all of the RBL checks, so some RBLs appear less effective than
they really would be if everyone here used them. All clients do use zen,
spamcop, sorbs and Rob McEwen's Invaluement SIP RBL (which is clearly an
awesome list to add behind zen, blocking over 32% of mail that zen misses).
Especially note that the psbl, HostKarma and UCE lists are used only in a
few testing domains so their apparently poor performance is not accurate.
Please do not think I am saying any particular RBL works poorly, this is
just a real world dump of what's happening here.

Hope that's useful to someone :) I could get more specific results from
domains that use specific sets of RBLs if anyone would like.

-Aaron

On Fri, May 2, 2008 at 10:27 AM, Arturo 'Buanzo' Busleiman <
buanzobuanzo.com.ar> wrote:
> Victor Duchovni wrote:
> | Beyond Zen, your efforts are probably best directed at message content
> | filtering say SpamAssassin with SURBL lookups to filter spam URLs, ...
>
> Thanks everyone for your comments, both on and off-list. I think I'll not
> be adding an extra RBL after all. Maybe the German-spam one. I'd really
> like to find a Russian-spam RBL. I get lots of it.
>
> OTOH, I'm using clamsmtp, zen, greylisting and spf. I don't want to use
> amavisd-new or any other "everything included" tools. What do you
> recommend? Of course, I'm interested in SpamAssassin. My servers are used
> 99% for relaying to internal mail servers in other companies (I'm the
> smarthost and public MX for them), so something like spamc via xfilter in
> a maildrop rules file is not good.
>
> I've read many guides and checked-out the addons page at postfix.org, but
> for my situation, what would the group recommend?
>
>
> - --
> Arturo "Buanzo" Busleiman
> Reliable inter-continental Mail Relay Service - Ask me!
> Independent Security Consultant - SANS - OISSG
> http://www.buanzo.com.ar/pro/
>
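
Added example (not part of the original message): the two percentage columns in the statistics above can be reproduced from the per-check reject counts alone, because each check only sees the mail that every earlier check let through. The counts and check order are copied from the post; the function and variable names are illustrative assumptions.

```python
# Rejected-message counts copied from the post, in the order the checks run.
TOTAL_MESSAGES = 90000978
REJECTS = [
    ("Unknown user", 28536221),
    ("Greylisted", 19684139),
    ("Throttled", 8389567),
    ("Relay access denied", 5783),
    ("Bogus DNS (Broadcast)", 5575),
    ("Bogus DNS (RFC 1918 space)", 48385),
    ("Spoofed Address", 192243),
    ("Unclassified Event", 622037),
    ("Temporary Local Problem", 1384),
    ("reject_non_fqdn_sender", 4136),
    ("reject_non_fqdn_helo_hostname", 4598287),
    ("reject_unknown_sender_domain", 352926),
    ("reject_unknown_reverse_client_hostname", 747785),
    ("reject_unknown_helo_hostname", 33230),
    ("zen.dnsbl", 9044310),
    ("bl.spamcop.net", 505419),
    ("psbl.surriel.com", 13323),
    ("sip.invaluement.com", 5635764),
]


def funnel(total, rejects):
    """Return {check: (pct_of_remaining, pct_of_total)} for ordered checks."""
    remaining = total
    out = {}
    for check, count in rejects:
        if count > remaining:
            raise ValueError(f"{check}: {count} rejects but only {remaining} left")
        pct_left = 100.0 * count / remaining if remaining else 0.0
        out[check] = (round(pct_left, 2), round(100.0 * count / total, 2))
        remaining -= count  # later checks only see what earlier ones let through
    return out


if __name__ == "__main__":
    for check, (left, overall) in funnel(TOTAL_MESSAGES, REJECTS).items():
        print(f"{check:40} {left:6.2f}% ({overall:.2f}%)")
```

The first column depends on where a check sits in the chain, so the same list moved earlier or later would show a different figure even with identical listings.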