Spamhaus says:
From: Rob McEwen <rob@pvsys.com>
To: "'SURBL Discussion list'" <discuss@lists.surbl.org>
Date: Saturday, August 14, 2004, 1:52:26 PM
Subject: [SURBL-Discuss] FP Pattern for sbl-xbl.spamhaus.org
RE: FP Pattern for sbl-xbl.spamhaus.org
For a while now, my philosophy has been to use sbl-xbl.spamhaus.org to block at the connection level and not even allow these messages onto my server. Much of the remaining spam filtering is then done by SURBL-checking. However, more recently, I've been testing samples of sbl-xbl.spamhaus.org blocked messages and I've noticed two things.
(1) more false positives than I would want to see (though still a very tiny, tiny percentage overall) get blocked by sbl-xbl.spamhaus.org
...and...
(2) those that ARE legitimate tend to be cases where a mistake was made and, by the next day (or later that same day), the offending IP is removed from sbl-xbl.spamhaus.org
Hmmm, this can happen. Also depends on the volume of mail he processes.
I'd be interested in whether this is due to SBL or XBL hits. Both can produce FPs, but it brings up a debate as to what's an FP. If an IP has been found sending viruses or spam and is auto-listed by the XBL system (normally due to a compromised box), but that IP also sends non-bad email, it's not a false listing. We err on the side of stopping the 100,000 viruses being sent to users worldwide rather than letting the fewer legit emails pass.
However, I must admit, I'm drawing sweeping conclusions from very little sampling of data. Therefore, don't take my word for it...
If it's SBL, if he has a cousin in the Chinanet-CQ IP space, or in parts of Brazil Telecom's space, he'll probably see many more FPs as we do have large SBL listings. Also, if he gets email from people hosting on the cheap-spam-friendly networks like New Horizon, CET Networks or OC3, they get all IP space listed.
Rather, is this consistent with anyone else's experience with sbl-xbl.spamhaus.org? The reason I mention this is that, if my initial conclusions are true, there would then be a strong argument for "holding" sbl-xbl.spamhaus.org blocked mail and giving it a "second try" some hours later.
He sure could, many people do greylist with DNSBLs.
Also, if this is true, does anyone have a "feel" for exactly how long "bad" data stays on sbl-xbl.spamhaus.org before it gets removed?
No way to know. Most XBL listed IPs can be "self-removed"; SBL mistakes that generate FPs are normally found out by us pretty quickly, as either the blocked users or people who use us and, like him, check their logs let us know.
(Recognizing, of course, that Spamhaus is probably the most reliable and respected free RBL in existence and they rarely make mistakes in the first place).
:-)
Any thoughts or suggestions? Has anyone examined their sbl-xbl.spamhaus.org blocked messages lately?
On large ISP type corpuses, we still have a tiny fraction of true FPs.
That being said, some places (with little volume or huge cheap bandwidth and lots of CPU) will just use SBL+XBL as a part of a SpamAssassin type formula. They won't toss on it being BL'd, but will want some other spammy trait to push it over the spam-score.
Rob McEwen
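As an added example (not part of the thread, and not Spamhaus's or SURBL's code), the "hold and give it a second try" idea above as a connection-time policy: build the reversed-IP query name for sbl-xbl.spamhaus.org, tell SBL from XBL by the returned A record, and answer a listed connection with a 4xx deferral for a hold window before hard-rejecting, so a listing that is corrected within hours costs only a delay. The resolver is injected so it runs offline against a constructed listing table; the six-hour hold window and the return-code mapping are assumptions.

```python
import ipaddress

ZONE = "sbl-xbl.spamhaus.org"
# Assumed mapping of the combined zone's return codes: 127.0.0.2-3 are
# SBL-side listings, 127.0.0.4-7 are XBL listings. Anything else (including
# the 127.255.x.x error codes) is treated as "not listed", i.e. fail open.
SBL_CODES = {"127.0.0.2", "127.0.0.3"}
XBL_CODES = {"127.0.0.4", "127.0.0.5", "127.0.0.6", "127.0.0.7"}


def query_name(ip: str) -> str:
    """Reverse the octets of a validated IPv4 address under the zone."""
    addr = ipaddress.IPv4Address(ip)          # raises on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + ZONE


def classify(answer):
    """Map a DNSBL A record (or None for NXDOMAIN) to 'sbl', 'xbl' or None."""
    if answer in SBL_CODES:
        return "sbl"
    if answer in XBL_CODES:
        return "xbl"
    return None


def decide(ip, resolve, state, now, hold_seconds=6 * 3600):
    """Connection-time decision: (smtp_code, text).

    resolve(name) returns the A record string or None. state maps IP ->
    time of its first deferred attempt (in-memory here; an MTA would persist
    it). The listing kind is returned in the text so a scoring setup could
    weight SBL and XBL hits instead of blocking outright."""
    listing = classify(resolve(query_name(ip)))
    if listing is None:
        state.pop(ip, None)                   # delisted or never listed
        return (250, "ok")
    first_seen = state.setdefault(ip, now)
    if now - first_seen < hold_seconds:
        # Defer with a 4xx so a legitimate sender's MTA retries later; if
        # the listing was a mistake it may be gone by the next attempt.
        return (451, f"listed in {ZONE} ({listing}); deferred, retry later")
    # Still listed after the hold window: treat the listing as confirmed.
    return (550, f"listed in {ZONE} ({listing})")


if __name__ == "__main__":
    table = {"10.2.0.192." + ZONE: "127.0.0.4"}   # constructed XBL listing
    st = {}
    print(decide("192.0.2.10", table.get, st, now=0))           # 451
    print(decide("192.0.2.10", table.get, st, now=7 * 3600))    # 550
    table.clear()                                               # delisted
    print(decide("192.0.2.10", table.get, st, now=8 * 3600))    # 250
```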