RE: FP Pattern for sbl-xbl.spamhaus.org
For a while now, my philosophy has been to use sbl-xbl.spamhaus.org to block at the connection level and not even allow these messages onto my server. Much of the remaining spam filtering is then done by SURBL-checking. However, more recently, I've been testing samples of sbl-xbl.spamhaus.org blocked messages and I've noticed two things.
(1) more false positives than I would want to see (though still a very tiny, tiny percentage overall) get blocked by sbl-xbl.spamhaus.org
...and...
(2) those that ARE legitimate tend to be cases where a mistake was made and, by the next day (or later that same day), the offending IP is removed from sbl-xbl.spamhaus.org
However, I must admit, I'm drawing sweeping conclusions from very little sampling of data. Therefore, don't take my word for it... Rather, is this consistent with anyone else's experience with sbl-xbl.spamhaus.org? The reason I mention this is that, if my initial conclusions are true, there would then be a strong argument for "holding" sbl-xbl.spamhaus.org blocked mail and giving it a "second try" some hours later. Also, if this is true, does anyone have a "feel" for exactly how long "bad" data stays on sbl-xbl.spamhaus.org before it gets removed? (Recognizing, of course, that Spamhaus is probably the most reliable and respected free RBL in existence and they rarely make mistakes in the first place.)
Any thoughts or suggestions? Has anyone examined their sbl-xbl.spamhaus.org blocked messages lately?
Rob McEwen
Hi!
For a while now, my philosophy has been to use sbl-xbl.spamhaus.org to block at the connection level and not even allow these messages onto my server. Much of the remaining spam filtering is then done by SURBL-checking. However, more recently, I've been testing samples of sbl-xbl.spamhaus.org blocked messages and I've noticed two things.
(1) more false positives than I would want to see (though still a very tiny, tiny percentage overall) get blocked by sbl-xbl.spamhaus.org
Any thoughts or suggestions? Has anyone examined their sbl-xbl.spamhaus.org blocked messages lately?
Although it's a little off-topic here, I would rather suggest blocking at the MTA level with lists like DSBL; SBL-XBL is a little too wide, I think, to use for MTA-level rejects...
Bye, Raymond
Although it's a little off-topic here, I would rather suggest blocking at the MTA level with lists like DSBL; SBL-XBL is a little too wide, I think, to use for MTA-level rejects...
Bye, Raymond
Thanks for the feedback Raymond.
Interesting... Just yesterday, I started using DSBL-checking on the "client IP" of the message (but AFTER reception of the message, not using the traditional RBL-blocking technique)... and saving these to a folder to examine how many are caught by DSBL (which got past my SBL-XBL block at the MTA level). So far, I have 49 confirmed spams and zero FPs. However, it sounds like I probably should be doing the reverse (blocking on MTA level with DSBL and then filtering client IPs with SBL-XBL and examining anything caught by SBL-XBL for FPs)??
Nevertheless, I'm still interested in answers to the questions in my original post... only, now I'd love to also get more feedback on FPs in DSBL and, if such even exist, whether these tend to come off the list within a day.
Thanks,
Rob McEwen
Hello Rob,
Although it's a little off-topic here, I would rather suggest blocking at the MTA level with lists like DSBL; SBL-XBL is a little too wide, I think, to use for MTA-level rejects...
Interesting... Just yesterday, I started using DSBL-checking on the "client IP" of the message (but AFTER reception of the message, not using the traditional RBL-blocking technique)... and saving these to a folder to examine how many are caught by DSBL (which got past my SBL-XBL block at the MTA level). So far, I have 49 confirmed spams and zero FPs. However, it sounds like I probably should be doing the reverse (blocking on MTA level with DSBL and then filtering client IPs with SBL-XBL and examining anything caught by SBL-XBL for FPs)??
Yes, most likely that will work out better for you.
Nevertheless, I'm still interested in answers to the questions in my original post... only, now I'd love to also get more feedback on FPs in DSBL and, if such even exist, whether these tend to come off the list within a day.
I have been running with DSBL for a long time, with very, very few FPs so far. The time we were running with SBL-XBL was different: almost daily complaints...
Bye, Raymond.
On Saturday, August 14, 2004, 2:03:36 PM, Raymond Dijkxhoorn wrote:
Although it's a little off-topic here, I would rather suggest blocking at the MTA level with lists like DSBL; SBL-XBL is a little too wide, I think, to use for MTA-level rejects...
I use sbl-xbl.spamhaus.org, list.dsbl.org, relays.ordb.org for my personal mail, and even some customer servers, though I agree they can sometimes be too aggressive. YMMV.
Jeff C.
On Saturday, August 14, 2004, 1:52:26 PM, Rob McEwen wrote:
if my initial conclusions are true, there would then be a strong argument for "holding" sbl-xbl.spamhaus.org blocked mail and giving it a "second try" some hours later.
An interesting idea if your observation is correct. I've not seen it for myself, but I have not looked either.
Rather than rejecting at the MTA level you could take the messages into SpamAssassin and make sbl-xbl simply another test, but at a much higher processing cost of course.
The key really should be to get spamhaus to improve the quality of their data. If they are "list first, ask questions later" in a few cases, then they should perhaps reconsider their policies.
This is really a more appropriate topic for a general anti-spam discussion, but I've manually forwarded our comments to Larry at Spamhaus.
Jeff C.
At 16:52 2004-08-14 -0400, Rob McEwen wrote:
RE: FP Pattern for sbl-xbl.spamhaus.org
For a while now, my philosophy has been to use sbl-xbl.spamhaus.org to block at the connection level and not even allow these messages onto my server. Much of the remaining spam filtering is then done by SURBL-checking. However, more recently, I've been testing samples of sbl-xbl.spamhaus.org blocked messages and I've noticed two things.
(1) more false positives than I would want to see (though still a very tiny, tiny percentage overall) get blocked by sbl-xbl.spamhaus.org
Have you checked if those false positives are in SBL or if they are in XBL?
Patrik
Have you checked if those false positives are in SBL or if they are in XBL?
There were 4 total false positives.
Two of these had a return code of "02". Two of these had a return code of "04". But the latter two were "caught" on the same IP address, so they, perhaps, should be counted as one.
Like I said... the sampling is pitifully small. It is not the amount of FPs that warranted discussion. It was the fact that 100% of the FPs that I happened to find within the past two days ALL showed up "clean" in Spamhaus hours after they were initially blacklisted. This is where I got the idea about checking to see whether this pattern was a fluke or was representative of the overall tendencies.
(Again, I can't say for sure, at this point.)
Rob McEwen
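Two technical points run through this thread: Patrik's question of whether the false positives were SBL or XBL hits (Rob's "02" and "04" are the last octets of the 127.0.0.x A records the combined zone returns), and Rob's idea of holding SBL-XBL-rejected mail for a "second try" some hours later instead of rejecting it outright at the MTA. The following is an added example written for this page, not code from any of the posters or from Spamhaus. It builds the reversed-octet query name for sbl-xbl.spamhaus.org, decodes the answer into SBL versus XBL (127.0.0.2 is SBL; 127.0.0.4 through 127.0.0.7 are XBL), and models a hold queue that re-checks a held message's client IP after a delay and releases it if the IP has been delisted. The resolver is an offline stand-in with constructed sample listings on RFC 5737 documentation addresses; the 6-hour retry and 2-day maximum hold are assumed values, not anything the thread recommends. In production the `lookup` callable would be a real DNS A query (for instance via dnspython), which this example deliberately does not perform.

```python
"""DNSBL query construction, Spamhaus SBL/XBL return-code decoding and a
hold-and-recheck queue for mail rejected on a combined-zone hit.

Added illustration for this thread; not code from any poster or from
Spamhaus. DNS is replaced by an injected lookup callable so the example
runs offline against constructed sample data."""
import ipaddress
from datetime import datetime, timedelta

ZONE = "sbl-xbl.spamhaus.org"

# Combined-zone return codes: 127.0.0.2 denotes an SBL listing,
# 127.0.0.4-127.0.0.7 denote XBL listings. Rob's "02"/"04" are the
# last octets of these answers.
SBL_CODES = {"127.0.0.2"}
XBL_CODES = {"127.0.0.4", "127.0.0.5", "127.0.0.6", "127.0.0.7"}


def dnsbl_query_name(ip, zone=ZONE):
    """Reverse the octets of an IPv4 address and append the zone.
    Raises ValueError on anything that is not an IPv4 address, so a
    garbled Received: header cannot turn into a bogus DNS query."""
    addr = ipaddress.IPv4Address(ip)
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def classify_answers(answers):
    """Map returned A records to the lists they denote. An unknown code
    is still a listing (the zone answered), so it is kept as UNKNOWN
    rather than silently treated as clean."""
    lists = set()
    for a in answers:
        if a in SBL_CODES:
            lists.add("SBL")
        elif a in XBL_CODES:
            lists.add("XBL")
        else:
            lists.add("UNKNOWN")
    return lists


def check_ip(ip, lookup, zone=ZONE):
    """lookup(name) returns a list of A-record strings, [] for NXDOMAIN."""
    return classify_answers(lookup(dnsbl_query_name(ip, zone)))


class FakeResolver:
    """Offline stand-in for DNS: query name -> A records. Sample data only."""

    def __init__(self, listed):
        self.listed = dict(listed)

    def lookup(self, name):
        return list(self.listed.get(name, []))  # [] models NXDOMAIN

    def delist(self, ip, zone=ZONE):
        self.listed.pop(dnsbl_query_name(ip, zone), None)


def sample_resolver():
    """Constructed listings on RFC 5737 documentation addresses."""
    return FakeResolver({
        dnsbl_query_name("192.0.2.10"): ["127.0.0.2"],    # SBL hit
        dnsbl_query_name("198.51.100.7"): ["127.0.0.4"],  # XBL hit
    })


class HoldQueue:
    """Park messages whose client IP was listed at SMTP time; recheck()
    releases any whose IP has since been delisted, expires any still
    listed after max_age, and keeps the rest. retry_after/max_age are
    assumed values for the example."""

    def __init__(self, lookup, retry_after=timedelta(hours=6),
                 max_age=timedelta(days=2)):
        self.lookup = lookup
        self.retry_after = retry_after
        self.max_age = max_age
        self.held = []

    def hold(self, ip, msg_id, lists, now):
        self.held.append({"ip": ip, "msg_id": msg_id,
                          "lists": set(lists), "held_at": now})

    def recheck(self, now):
        released, expired, still_held = [], [], []
        for entry in self.held:
            age = now - entry["held_at"]
            if age < self.retry_after:
                still_held.append(entry)          # too early to retry
                continue
            if not check_ip(entry["ip"], self.lookup):
                released.append(entry["msg_id"])  # delisted: deliver
            elif age >= self.max_age:
                expired.append(entry["msg_id"])   # still listed: give up
            else:
                still_held.append(entry)
        self.held = still_held
        return released, expired


def run_demo():
    """Three SMTP-time checks, one same-day delisting, one recheck."""
    resolver = sample_resolver()
    t0 = datetime(2004, 8, 14, 16, 52)
    queue = HoldQueue(resolver.lookup)
    for ip, msg_id in [("192.0.2.10", "m1"), ("198.51.100.7", "m2"),
                       ("203.0.113.5", "m3")]:
        lists = check_ip(ip, resolver.lookup)
        if lists:
            queue.hold(ip, msg_id, lists, t0)
    resolver.delist("192.0.2.10")  # the listing was a mistake, corrected
    released, expired = queue.recheck(t0 + timedelta(hours=6))
    return released, expired, [e["msg_id"] for e in queue.held]


if __name__ == "__main__":
    print(run_demo())
```

The design choice worth noting is that a hold queue only makes sense if the original rejection is replaced by a temporary accept-and-park (or a 4xx tempfail that leaves the retry to the sender); once the MTA has said 5xx, there is nothing left to give a second try to. Logging which list fired (SBL or XBL) per held message is what lets you answer Patrik's question from real data rather than a handful of samples.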