[SURBL-Discuss] FP Pattern for sbl-xbl.spamhaus.org

Rob McEwen rob at pvsys.com
Sun Aug 15 18:12:07 CEST 2004


I said:

> Also, I do agree with the philosophy that a little collateral damage from
> legitimate sources is O.K. if the network originally sending the spam is a
> known, flagrant, and unrepentant spam source. (How else are they going to 
> be motivated to clean up their act?)

Jeff responded:

>FWIW this is one thing about Spamhaus and other RBLs that I
>don't like.  I don't believe in punishing innocent IP addresses
>this way in order to pressure ISPs.

When I read Jeff's comment, I realized that I worded my original statement
in a way that could be taken differently than what I intended. To be sure, I
abhor the practices described in this article:

http://www.nwfusion.com/research/2001/0910feat.html

But, at the same time, I don't have a problem when out of every 1,000
e-mails coming from a source like Munged-terra.es, 1 legitimate e-mail gets
blocked along with 999 spam e-mails.

>But we should not start
>flamewars about RBLs here.

Sorry, I didn't mean to start such a ruckus. I have a proposal. I'll
re-configure my filter so that it only blocks those IPs at the MTA level
which are listed on both (1) DSBL (...AND...) (2) listed on at least one of
the two SpamHaus lists.

If a message does not fit these criteria, then I'll allow it through and
(next) filter out messages via SURBL.

After SURBL filtering, out of the remaining messages, I'll then re-check
them using EACH of the following three lists:

(1) list.dsbl.org
(2) xbl.spamhaus.org
(3) sbl.spamhaus.org

(Remember, this will already EXCLUDE those things which are on BOTH
list.dsbl.org and sbl-xbl.spamhaus.org. It will also exclude stuff that was
blocked by standard SURBL. Therefore, hopefully, what is left over won't be
too huge to analyze.)

Messages then blocked by any of these three lists will be saved to a folder
corresponding to that list.

After about a week of this, I'll zip each of these folders of messages and
e-mail the zipped files to Jeff, Raymond, Patrik, and anyone else
interested. (I have to be careful here for privacy issues). I'll also
provide my own stats for what I judged to be FPs vs. total spams for each
folder.

Certainly, this won't be a perfect test because my base of users is not as
large as an ISP, for example. But it would be interesting, don't you think? 

This way, we can then let the data speak for itself.

How does that sound?

Rob McEwen 
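
The routing proposed in this message, sketched as an added example (it is not part of the original post and not the poster's filter code). The function names, the `listed` lookup callback, the action labels and the sample listings are assumptions made for illustration; the DNS lookup is injected so the decision logic can be run offline.

```python
import ipaddress

DSBL, XBL, SBL = "list.dsbl.org", "xbl.spamhaus.org", "sbl.spamhaus.org"

def dnsbl_name(ip, zone):
    """DNSBL query name: the IPv4 octets reversed, then the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")  # raises ValueError if not IPv4
    return ".".join(reversed(octets)) + "." + zone

def route(ip, surbl_hit, listed):
    """Return (action, folders) for one message.

    ip        -- address of the connecting host
    surbl_hit -- True if a URI in the body is on SURBL (checked elsewhere)
    listed    -- callable(query_name) -> bool; hypothetical lookup hook
    """
    on = {zone: listed(dnsbl_name(ip, zone)) for zone in (DSBL, XBL, SBL)}
    # Step 1: reject at the MTA only when DSBL AND at least one
    # of the two Spamhaus lists agree.
    if on[DSBL] and (on[XBL] or on[SBL]):
        return ("reject_at_mta", [])
    # Step 2: everything else goes through SURBL filtering.
    if surbl_hit:
        return ("blocked_by_surbl", [])
    # Step 3: re-check the remainder against EACH list separately and
    # file a copy under every list that matched, for later FP review.
    folders = [zone for zone in (DSBL, XBL, SBL) if on[zone]]
    return ("saved_for_review", folders) if folders else ("deliver", [])

# Constructed listings on documentation-range IPs (not real list data).
SAMPLE = {
    dnsbl_name("192.0.2.10", DSBL), dnsbl_name("192.0.2.10", XBL),
    dnsbl_name("198.51.100.7", SBL),
    dnsbl_name("203.0.113.5", XBL), dnsbl_name("203.0.113.5", SBL),
}

def sample_listed(name):
    """Stand-in for the DNS query: True if the name is in SAMPLE."""
    return name in SAMPLE

if __name__ == "__main__":
    for ip, hit in [("192.0.2.10", False), ("198.51.100.7", True),
                    ("198.51.100.7", False), ("203.0.113.5", False),
                    ("192.0.2.99", False)]:
        print(ip, hit, route(ip, hit, sample_listed))
```

Because step 1 already removes anything on both DSBL and a Spamhaus list, the per-list folders in step 3 hold only single-source hits (or SBL plus XBL without DSBL), which is the set the proposed FP comparison needs.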



