Just curious as to what average percent of spam people see SURBL hitting. In a non-scientific manner, I average about 85% or greater hitting SURBL for all spam that doesn't get rejected by my MTA. I have a feeling if I clean up my results a bit, that number would be even higher.
Chris Santerre System Admin and SARE/SURBL Ninja http://www.rulesemporium.com http://www.surbl.org 'It is not the strongest of the species that survives, not the most intelligent, but the one most responsive to change.' Charles Darwin
Chris Santerre wrote:
Just curious as to what average percent of spam people see SURBL hitting. In a non-scientific manner, I average about 85% or greater hitting SURBL for all spam that doesn't get rejected by my MTA. I have a feeling if I clean up my results a bit, that number would be even higher.
I don't have very good statistical collection but here are some numbers I get from monitoring my spam levels over the last few days.
420: Messages hitting SURBL with total scores less than 8.5
486: Messages with total scores between 5.0-8.5
86: Messages hitting SURBL and scoring between 5.0-8.5
Not knowing exactly how you calculated your 85%, it is hard to compare my numbers. In fact, I'm not sure that these numbers are in any way useful, but there they are just in case.
Stuart Johnston
Chris Santerre wrote to SURBL Discussion List (E-mail) and Spamassassin-Tal...:
Just curious as to what average percent of spam people see SURBL hitting. In a non-scientific manner, I average about 85% or greater hitting SURBL for all spam that doesn't get rejected by my MTA. I have a feeling if I clean up my results a bit, that number would be even higher.
Quick results:
59,672 total spam
53,433 URIBL_*   89.5%
46,786 URIBL_WS  78.4%
41,884 URIBL_OB  70.2%
36,778 URIBL_PJ  61.6%
29,833 URIBL_SC  50.0%
15,748 URIBL_AB  26.4%
At the MTA level, we only outright reject viruses and totally braindead MTAs/invalid users.
- Ryan
-- Ryan Thompson ryan@sasknow.com
SaskNow Technologies - http://www.sasknow.com 901-1st Avenue North - Saskatoon, SK - S7K 1Y4
Tel: 306-664-3600 Fax: 306-244-7037 Saskatoon Toll-Free: 877-727-5669 (877-SASKNOW) North America
-----Original Message----- From: Chris Santerre [mailto:csanterre@MerchantsOverseas.com] Sent: Wednesday, January 05, 2005 7:16 AM
Just curious as to what average percent of spam people see SURBL hitting. In a non-scientific manner, I average about 85% or greater hitting SURBL for all spam that doesn't get rejected by my MTA. I have a feeling if I clean up my results a bit, that number would be even higher.
Very anecdotal, but of the last 20 messages scored as spam, only 1 of them did not hit on any SURBLs. On a daily basis about 2 or 3 per user, out of an average of 200 to 300 non-spam messages delivered, were diagnosed as non-spam and were not registered in the SURBL when delivered, but when manually checked later, their offending URLs had been registered in at least one, and often several, SURBLs. SURBLs are definitely working.
Hi!
We are working on getting them added even faster. Some parts of WS and some parts of JP are already updating more often. Some pill spammers won't like this ;)
It's good that you look whether it's added already, since only with THOSE submissions can we add more to the lists ... :)
Bye, Raymond
From: "Chris Santerre" csanterre@MerchantsOverseas.com To: "SURBL Discussion List (E-mail)" discuss@lists.surbl.org; "Spamassassin-Talk (E-mail)" spamassassin-users@incubator.apache.org Sent: Wednesday, January 05, 2005 9:15 AM Subject: [SURBL-Discuss] quick poll on SURBL hit %
Just curious as to what average percent of spam people see SURBL hitting. In a non-scientific manner, I average about 85% or greater hitting SURBL for all spam that doesn't get rejected by my MTA. I have a feeling if I clean up my results a bit, that number would be even higher.
Chris Santerre
[..]
This is for the last week or so of email (note that about 4 days ago I changed the rule name uribl_sbl to uribl_sblxbl (and the zone it pointed to), so those stats are a little off). Also note that for about 3 days I was having massive timeouts trying to resolve names in the multi.surbl.org zone. I have since set up a local copy of that zone.
Ranking of Tests in Blocked Spam: ( 1121 Blocked )
--------------------------------------------------
(top 30 of 715 rules triggered)
% 76.8  861 : HTML_MESSAGE
% 52.3  586 : MIME_HTML_ONLY
% 41.7  467 : URIBL_SBL
% 25.2  282 : URIBL_WS_SURBL
% 23.0  258 : MPART_ALT_DIFF
% 21.4  240 : URIBL_OB_SURBL
% 17.8  199 : RATWARE_ZERO_TZ
% 17.7  198 : HTML_90_100
% 17.6  197 : URIBL_JP_SURBL
% 16.8  188 : DRUGS_ERECTILE
% 16.1  180 : MIME_BASE64_TEXT
% 16.1  180 : SARE_MULT_RATW_02
% 14.8  166 : MSGID_FROM_MTA_ID
% 14.0  157 : MIME_BOUND_DD_DIGITS
% 13.2  148 : MIME_HTML_ONLY_MULTI
% 12.8  143 : AWL
% 12.3  138 : HTML_40_50
% 12.0  135 : BIZ_TLD
% 12.0  134 : URIBL_SC_SURBL
% 11.6  130 : HTML_30_40
% 10.8  121 : HTML_FONT_BIG
% 10.2  114 : DRUGS_ERECTILE_OBFU
% 10.2  114 : X_MESSAGE_INFO
% 10.1  113 : DRUGS_PAIN
%  9.8  110 : LONGWORDS
%  9.3  104 : BAYES_99
%  9.2  103 : RCVD_BY_IP
%  8.8   99 : HTML_TEXT_AFTER_BODY
%  8.7   98 : MIME_QP_LONG_LINE
%  8.4   94 : HTML_IMAGE_RATIO_02
Ranking of Tests in Tagged Spam: ( 297 Tagged )
-----------------------------------------------
(top 30 of 322 rules triggered)
% 65.3  194 : HTML_MESSAGE
% 37.0  110 : MIME_HTML_ONLY
% 36.7  109 : URIBL_SBL
% 25.6   76 : AWL
% 25.3   75 : HTML_90_100
% 15.5   46 : HTML_TEXT_AFTER_BODY
% 15.2   45 : HTML_IMAGE_RATIO_02
% 13.8   41 : HTML_TEXT_AFTER_HTML
% 12.5   37 : MSGID_FROM_MTA_ID
% 11.8   35 : HTML_FONT_BIG
%  9.8   29 : HTML_80_90
%  8.8   26 : TO_ADDRESS_EQ_REAL
%  7.7   23 : MIME_QP_LONG_LINE
%  7.4   22 : BAYES_50
%  7.4   22 : MPART_ALT_DIFF
%  7.1   21 : URIBL_WS_SURBL
%  6.4   19 : HTML_TAG_EXIST_TBODY
%  6.1   18 : HTML_IMAGE_ONLY_16
%  5.1   15 : HTML_IMAGE_ONLY_20
%  5.1   15 : FORGED_RCVD_HELO
%  4.7   14 : NO_REAL_NAME
%  4.4   13 : HTML_IMAGE_ONLY_12
%  4.4   13 : SARE_HTML_HTML_AFTER
%  4.4   13 : HELO_DYNAMIC_IPADDR2
%  4.0   12 : MIME_HTML_MOSTLY
%  4.0   12 : RCVD_NUMERIC_HELO
%  3.7   11 : DOMAIN_RATIO
%  3.7   11 : DATE_IN_FUTURE_12_24
%  3.4   10 : HTML_MIME_NO_HTML_TAG
%  3.4   10 : MIME_BASE64_TEXT
-Matt
----- Original Message ----- From: "Matt Egan (hotmail)" mattegan_public@hotmail.com To: "SURBL Discussion list" discuss@lists.surbl.org Sent: Wednesday, January 05, 2005 6:36 PM Subject: Re: [SURBL-Discuss] quick poll on SURBL hit %
[...]
Just more info: on the frontend I block clients listed on sbl-xbl.spamhaus and combined.njabl. I also greylist unknown hostnames and generic-looking hostnames '(dsl|cable|dialup)'. The use of the RBL is probably not unique, but the greylisting of certain clients might be something that not many others do, which might explain some of the differences in our numbers. (It is very effective.)
Also, I left out the mail totals:
Totals:
-------
42209 : Mails, thereof
   79 : INFECTED (1 tenth of 1 percent)
 1121 : SPAM Blocked (2.6 %)
  297 : SPAM Tagged (7 tenths of 1 percent)
40712 : clean

Average Score
SPAM Blocked: 16.05
SPAM Tagged : 5.78
In this same time period
Client host rejected: Greylisted... Try back after 357 seconds. (top 10 of total: 4839) (I don't know how many retried; my guess is 75% of these never came back.)
171 attbi.com
107 comcast.net
 98 ameritech.net
 93 pacbell.net
 81 charter.com
 78 swbell.net
 75 dsl-verizon.net
 49 mindspring.com
 45 verizon.net
 39 rr.com

blocked using sbl-xbl.spamhaus.org (top 10 of total: 4648)
198 comcast.net
113 rr.com
 88 ameritech.net
 79 charter.com
 79 villner.com
 74 pacbell.net
 73 dsl-verizon.net
 71 attbi.com
 63 ohthatsfunny.com
 63 swbell.net

blocked using combined.njabl.org (top 10 of total: 917)
 92 comcast.net
 57 rr.com
 51 attbi.com
 35 bellsouth.net
 33 t-dialin.net
 31 swbell.net
 22 ameritech.net
 16 rima-tde.net
 15 adelphia.net
 13 auna.net
[...]
-Matt
On Wednesday, January 5, 2005, 4:36:02 PM, Matt (hotmail) wrote:
Also note that for about 3 days I was having massive timeouts trying to resolve names in the multi.surbl.org zone. I have since setup a local copy of that zone.
None of our name servers are having problems and certainly not for three days. Did you perhaps have an error in your DNS configuration?
Jeff C. -- "If it appears in hams, then don't list it."
----- Original Message ----- From: "Jeff Chan" jeffc@surbl.org To: "Matt Egan (hotmail)" mattegan_public@hotmail.com Cc: "SURBL Discussion list" discuss@lists.surbl.org Sent: Wednesday, January 05, 2005 10:38 PM Subject: Re: [SURBL-Discuss] quick poll on SURBL hit %
On Wednesday, January 5, 2005, 4:36:02 PM, Matt (hotmail) wrote:
Also note that for about 3 days I was having massive timeouts trying to resolve names in the multi.surbl.org zone. I have since set up a local copy of that zone.
None of our name servers are having problems and certainly not for three days. Did you perhaps have an error in your DNS configuration?
Jeff C.
"If it appears in hams, then don't list it."
It could have been a smaller time period (it was last week sometime). I didn't notice it till I started getting complaints about spam. When I dug into it, everything looked like it should have been caught but the URIBL rules weren't firing in SA. Manual digs showed 10+ second delays (I asked several NSs directly) and SpamAssassin was giving up after 2 seconds (or whatever the default is, I forget). I upped the timeout in SA to 10 seconds at the sacrifice of mail throughput and the rules started firing again. The server has BIND running locally and I wasn't having problems resolving anything else. I chalked it up to spammers DDoSing the surbl.org zones because it was such an effective measure. Decided it was too valuable to not have and opted to run the zones locally. Before I got the rsync approval things seemed to have settled down and my query times were back to normal, but I had already set up rbldnsd so I opted to run the zones anyway along with some standard RBL zones that I use.
-Matt
On Wednesday, January 5, 2005, 8:50:07 PM, Matt (hotmail) wrote:
Hmm, if anyone spots problems with name resolution I hope they'll let us know. We didn't have any other reports of slow resolution, and several of the people hosting DNS keep an eye on the traffic, as I do. I haven't noticed any attacks on the servers I have stats for.
Note that the SURBL name server status page uses a timeout of 10 seconds:
http://www.surbl.org/nameservers-output.html
but every check I've done of the name servers has typically had responses within the ten to say 300 millisecond range. So if you saw 10 second delays it would be useful to know where they came from.
Can you try some of your manual lookups using the SURBL public name servers and let us know what results you get?
Jeff C. -- "If it appears in hams, then don't list it."
From: "Jeff Chan" jeffc@surbl.org Cc: "SURBL Discussion list" discuss@lists.surbl.org Sent: Thursday, January 06, 2005 4:51 AM Subject: Re: [SURBL-Discuss] quick poll on SURBL hit %
Can you try some of your manual lookups using the SURBL public name servers and let us know what results you get?
I wish I had said something...
I just ran down the list asking first for something it had an answer for and then for something it didn't have an answer for. The fastest response was 43 msec, the slowest was 147 msec, with most sitting in the 70s.
When asking my local copy the average is 5 msec, but BIND doesn't hold the zone; it forwards the request to rbldnsd on port 530 as described in several of the howtos.
[mbegan@nshplmgw01 mbegan]$ dig @a.surbl.org bettergood737.com.multi.surbl.org

; <<>> DiG 9.2.3 <<>> @a.surbl.org bettergood737.com.multi.surbl.org
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52373
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 14, ADDITIONAL: 0

;; QUESTION SECTION:
;bettergood737.com.multi.surbl.org. IN A

;; ANSWER SECTION:
bettergood737.com.multi.surbl.org. 2100 IN A 127.0.0.70

;; Query time: 78 msec
;; SERVER: 208.201.249.252#53(a.surbl.org)
;; WHEN: Thu Jan 6 08:08:14 2005
;; MSG SIZE rcvd: 291

[mbegan@nshplmgw01 mbegan]$ dig @b.surbl.org bettergood737.com.multi.surbl.org

; <<>> DiG 9.2.3 <<>> @b.surbl.org bettergood737.com.multi.surbl.org
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 14, ADDITIONAL: 11

;; QUESTION SECTION:
;bettergood737.com.multi.surbl.org. IN A

;; ANSWER SECTION:
bettergood737.com.multi.surbl.org. 900 IN A 127.0.0.70

;; Query time: 70 msec
;; SERVER: 128.255.17.19#53(b.surbl.org)
;; WHEN: Thu Jan 6 08:09:04 2005
;; MSG SIZE rcvd: 467

[mbegan@nshplmgw01 mbegan]$ dig bfear.com.multi.surbl.org

; <<>> DiG 9.2.3 <<>> bfear.com.multi.surbl.org
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57264
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 14, ADDITIONAL: 14

;; QUESTION SECTION:
;bfear.com.multi.surbl.org. IN A

;; ANSWER SECTION:
bfear.com.multi.surbl.org. 2100 IN A 127.0.0.118

;; Query time: 8 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Jan 6 08:18:20 2005
;; MSG SIZE rcvd: 507
On Thursday, January 6, 2005, 6:19:30 AM, Matt (hotmail) wrote:
Yep those times all look about right. Anything more than a second is probably aberrant.
Jeff C. -- "If it appears in hams, then don't list it."
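As an added example (not code from the thread, SpamAssassin or SURBL's own tooling): a small Python parser that takes a dig transcript like Matt's, decodes the 127.0.0.X answer from multi.surbl.org into the individual SURBL lists, and flags query times above Jeff's one-second threshold. The bit-to-list mapping is the one SURBL published for multi.surbl.org in that era and is an assumption, since the thread never states it; names such as parse_dig_output and SurblLookup are mine, and the NXDOMAIN and slow transcripts are constructed.

```python
import re
from dataclasses import dataclass
# Bit values SURBL documented for its multi.surbl.org combined zone in early
# 2005 (assumption: from SURBL's docs of that era, not from the thread; the
# live zone has since changed its bit assignments).
MULTI_SURBL_BITS = {2: "sc", 4: "ws", 8: "ph", 16: "ob", 32: "ab", 64: "jp"}
ABERRANT_MS = 1000  # Jeff's rule of thumb: more than a second is aberrant

QUESTION_RE = re.compile(r"^;(\S+)\.multi\.surbl\.org\.\s+IN\s+A", re.M)
ANSWER_RE = re.compile(r"^(\S+)\.multi\.surbl\.org\.\s+\d+\s+IN\s+A\s+(\S+)", re.M)
STATUS_RE = re.compile(r"status:\s+(\w+)")
TIME_RE = re.compile(r"Query time:\s+(\d+)\s+msec")
SERVER_RE = re.compile(r"SERVER:\s+(\S+)")

@dataclass
class SurblLookup:
    domain: str
    status: str
    listed_in: list  # list tags decoded from the 127.0.0.X answer
    query_ms: int
    server: str

    @property
    def aberrant(self) -> bool:
        return self.query_ms > ABERRANT_MS

def decode_multi_bits(ip: str) -> list:
    """Map a 127.0.0.X answer from multi.surbl.org to the list tags it encodes."""
    octets = ip.split(".")
    if len(octets) != 4 or octets[:3] != ["127", "0", "0"]:
        raise ValueError(f"not a multi.surbl.org return code: {ip}")
    value = int(octets[3])
    return [tag for bit, tag in sorted(MULTI_SURBL_BITS.items()) if value & bit]

def parse_dig_output(text: str) -> SurblLookup:
    """Parse one dig transcript for a *.multi.surbl.org lookup."""
    q = QUESTION_RE.search(text)
    if not q:
        raise ValueError("no multi.surbl.org question section in dig output")
    status, ans = STATUS_RE.search(text), ANSWER_RE.search(text)
    t, srv = TIME_RE.search(text), SERVER_RE.search(text)
    return SurblLookup(
        domain=q.group(1),
        status=status.group(1) if status else "UNKNOWN",
        listed_in=decode_multi_bits(ans.group(2)) if ans else [],
        query_ms=int(t.group(1)) if t else 0,
        server=srv.group(1) if srv else "",
    )

# Sample transcripts: DIG_LISTED condenses Matt's a.surbl.org lookup from the
# thread; DIG_CLEAN (not listed) and DIG_SLOW (stalled lookup) are constructed.
DIG_LISTED = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52373
;bettergood737.com.multi.surbl.org. IN A
bettergood737.com.multi.surbl.org. 2100 IN A 127.0.0.70
;; Query time: 78 msec
;; SERVER: 208.201.249.252#53(a.surbl.org)"""
DIG_CLEAN = """;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1
;example.com.multi.surbl.org. IN A
;; Query time: 65 msec"""
DIG_SLOW = DIG_LISTED.replace("Query time: 78 msec", "Query time: 10412 msec")
```

Matt's local-resolver answer of 127.0.0.118 for bfear.com decodes the same way, to sc, ws, ob, ab and jp.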
Chris Santerre wrote:
Just curious as to what average percent of spam people see SURBL hitting. In a non-scientific manner, I average about 85% or greater hitting SURBL for all spam that doesn't get rejected by my MTA. I have a feeling if I clean up my results a bit, that number would be even higher.
This number seems correct for me too.
But what's very interesting is to note that both numbers (detection rate and false positive rate) are quite stable for everybody. This is a measure of the reliability of SURBL as a filtering criterion.
Last month I was looking at the URLs hitting messages on our server over 8 months, and I found around 20000 URLs in some millions of spams.
Joe
In message <620A4FF9B83DD511B69900062939D037E0F387@internal.merchantsoverseas.com>, Chris Santerre writes:
Just curious as to what average percent of spam people see SURBL hitting. In a non-scientific manner, I average about 85% or greater hitting SURBL for all spam that doesn't get rejected by my MTA. I have a feeling if I clean up my results a bit, that number would be even higher.
My hit rate is at 83% for December and January.
//Christer