[SURBL-Discuss] FUN: Help Rob McEwen test his new anti-spam tools!

Rob McEwen rob at PowerViewSystems.com
Fri Apr 27 16:26:52 CEST 2007


FUN PROJECT:

Help Rob McEwen test his new anti-spam tools!

(NOTE: I have been granted official permission from Jeff Chan to make this
announcement on the SURBL list!)

As many already know... I'm one of a **small** handful of organizations with
authority to blacklist and whitelist "at will" on SURBL and I've provided
much administrative assistance to SURBL for years, particularly in
preventing false positives. Of course, my efforts there are minuscule
compared to Jeff Chan's great work! Still, Jeff has thanked me countless
times for my assistance.

Most importantly, I have an "insider's view" and **uncommon expertise** into
what it takes to make a "world class" blacklist and, within the next few
business days, I will be officially releasing my 2 new "Invaluement Spam
Blocklists":

(1) The "Invaluement-URI" blocklist
(much like SURBL & URIBL)

..AND..

(2) The "Invaluement-SIP" blocklist, a Sender's IP blocklist
(a.k.a. an "RBL", like DSBL, SBL, etc.).

SIP = "Sender's IP"

Proverbs 15:22 says, "Without counsel plans fail, but with many advisers
they succeed." NOT that these two lists will be built by committee... but,
along these lines, I sure could use some feedback!

You may be asking:

--WHY SHOULD WE USE THESE LISTS?

--HOW ARE THEY HELPFUL?

--WHAT ARE THESE?

First, if you are already using SURBL & URIBL, continue to do so!

Invaluement-URI will NOT replace SURBL & URIBL as those lists WILL catch
things that Invaluement-URI will miss or not catch as quickly.

However...

**************************************
REGARDING: "Invaluement-URI" blocklist
**************************************

(A) The "Invaluement-URI" blocklist is catching over 1,000 URIs (per week)
minutes, hours, and even days BEFORE surbl or uribl or even uribl-red!

Did you catch that? Let me repeat:

****Invaluement-URI is listing over 1,000 URIs (per week) minutes, hours,
and even days BEFORE surbl or uribl or even uribl-red!****

(If a URI showed up on ANY 1 of these lists, I didn't count it towards that
tally. I ONLY counted items which were not on ANY of those other lists!)

Q: Why? How?

A: Mostly because Invaluement-URI is a "fast reacting" list! Often even
faster than URIBL-RED!!

Q: Why is this important?

A: Because many new series of spams are listed on Invaluement-URI lightning
fast and this will help you block much spam that would otherwise pass
through your spam filtering during those minutes/hours BEFORE the URI is
listed on SURBL or URIBL.

(B) The "False Positive Rate" for Invaluement-URI is extremely low -- and
might even be better than SURBL's already very low FP rate! I have yet to
spot a single egregious FP... and the **few** that I have spotted (and
removed) were VERY questionable to begin with!

NOTE: Being aggressive and fast is easy... but doing such **without** the
FPs is incredibly difficult. Years of programming and analysis went into the
development of these two lists!

(C) Additionally, Invaluement-URI is catching many URIs, particularly
phishes, that **might** NEVER be getting in SURBL or URIBL... or at least
that seems to be the case as several days have gone by without them being
listed.

NOTE: You might ask, "Rob, why haven't **you** placed these into SURBL or
requested them be listed in URIBL?" The answer is simple. In recent weeks,
finishing touches on these new lists have consumed most of my time and
energies. But I do plan to use this knowledge/data to do more submissions to
SURBL & URIBL. However, even then, for various reasons, such submissions
will have to be "hand-submitted" and "hand-checked". Therefore,
Invaluement-URI will STILL have the "upper hand" in being a fast-reaction
list.


**************************************
REGARDING: "Invaluement-SIP" blocklist
**************************************

I find that many Sender's IP blocklists (a.k.a. "RBLs"):

(1) tend to catch much spam without FPs, but also seem to have diminishing
returns... sort of an upper limit in their effectiveness... a "glass
ceiling"

...OR...

(2) block much legit mail and/or very credible sources... or even purposely
"punish" sources of legit mail for those ISP's/ESP's who are lacking in
their prevention of spams sent from their network.

So you are "stuck" with one type of Sender's IP blocklist being helpful, but
very limited... and the other type too aggressive to be used, requiring that
you "score" it very, very low in your filtering to prevent FPs... thus
minimizing its effectiveness!

IN CONTRAST... you'll find Invaluement-SIP to be a "best of both worlds"
Sender's IP Blocklist. It is as aggressive and "fast reacting" as many of
the best... listing MANY IPs that are not yet on other RBLs... but NOT
having the high FP rate found on many other "aggressive" IP blacklists.


**************************
REGARDING: BOTH blocklists
**************************

LOW MEMORY FOOTPRINT:

While both are "quick reacting"... both are also "quick expire time" lists.
If a spam hasn't been seen containing that URI or from that Sender's IP for
more than a few weeks, it gets expired and removed. This keeps the "memory
footprint" very low... and this opens up multiple possibilities... like
possible use in spam appliances or even routers which otherwise couldn't
efficiently work with lists that have almost a million or more entries...
many of which are so outdated that they include items practically never seen
"in the wild" anymore.

Additionally, this smaller "footprint" also allows for fast data transfers /
updates. These lists are ONLY available via RSYNC or BIND "zone transfers".
But because the dataset is so relatively small, the updates are (and can
be!) more frequent... allowing my "quick strike" capabilities to help you in
your "real time" spam filtering.

Amazingly I provide **2 minute update frequency** for RSYNC access and 4
minute expire time on zone transfers! (Compare this to some blacklists which
take longer than this just to get to complete a single transfer!)

QUALITY AND DISCERNMENT:

Both lists have an amazing ability to block the very dirty ESPs which are
more "pretenders" who are trying to "look" like legit ESPs, but haven't
really ever sent to a true confirmed opt-in subscriber. Yet, at the same
time, both Invaluement lists are very good at NOT targeting ESPs known to
have sent **some** amount of legit opt-in e-mail.

In other words, e-mail admins probably won't have to use that sledgehammer
as often if they would employ this "surgeon's scalpel".

Additionally, **spammers beware** messages are kept "on file" as "evidence"
for EVERY SINGLE LISTING. In the event of a suspicious listing being
questioned by the sender, the intended recipients WILL be contacted to
confirm or deny that they opted in!

Also, MUCH behind the scenes auditing takes place to ensure quality!

***********************************
PRICE: What are the fees for usage?
***********************************

First, these lists are NOT for free. They are available ONLY via RSYNC or
BIND Zone Transfer. The price ranges from $12.50/month to $605/month,
depending on such things as # of users being protected, willingness to allow
us to list you as a subscriber, linking to our website, etc. I expect that
most subscribers will pay either the lowest price, or close to the lowest
price. The higher prices are more for exotic users and VERY large ISPs or
filtering providers. One price procures access to BOTH Invaluement-SIP
**and** Invaluement-URI.

ALSO: No anonymous usage allowed. Payments will be via paypal... but the
basic contact information provided at the time of signup must be legit and
authentic.

****************************
WEEKEND PROJECT INSTRUCTIONS
****************************

For the next 2-4 days, I'll provide FREE access to these lists.

Send me an e-mail with the following:

(1) Name & contact information, including phone number & e-mail address,
company, etc.

(2) Tell me the approximate number of mailboxes/users that your use of this
product will protect if/when you decide to officially subscribe.

(3) Let me know if you need RSYNC access, or Bind Zone Access, or both

(4) Include the IP address that I should grant permission for the access
type specified.

***************************************
STEEP DISCOUNTS IN RETURN FOR TESTING!!
***************************************

The first 10 people who post a thoughtful and detailed analysis of the
results of their testing will get a special discount if/when they
decide to subscribe. The post must be to either the SpamAssassin list or the
SPAM-L list. Please refrain from further posts on the URIBL & SURBL lists as
I have permission to make this announcement there... but NOT to discuss this
in depth there since those lists are NOT for general spam fighting
techniques/tools.

The first 10 people who spot an egregious FP will get this same discount.
Send the (munged) URI to my address along with the message it was spotted in
zipped.

SPECIAL DISCOUNT: If you protect less than 100,000 users/boxes, you'll get
the first 6 months at $1/month. If you protect more than 100,000 users,
you'll get the first 6 months at half the regular price (which would first
be calculated depending on other options chosen, THEN the ADDITIONAL
discount applied).

Testing access will be cut off soon after the product is "officially"
released... but these discounts will STILL be obtainable (to be applied to
subsequent months) until the 10 & 10 spots have filled up.

***************************
HOW TO JUDGE/TEST THIS DATA
***************************

Simple.

(1) Does using these lists cause your filtering to block MORE spams than it
otherwise would if you didn't use this list?

(2) Does it do this WITHOUT causing FPs... or is the FP rate low compared to
other such lists?

IMPORTANT: Testing must be done on "live" data and using constantly synced
datalists. Otherwise, you diminish many of the most important advantages
that set this list apart from others. You can "score" the "hits" low on live
data if you want to test it in a "safe" way. Try to devise a system where
you can examine what both of these lists "hit" on that got overall missed by
your spam filter. Running the lists against recent corpuses will only work
for spotting FPs... but, even then, be sure it wasn't really a "False
Negative"!

Remember, if you are blocking 96% of all spam and use of these two lists
improves your catch rate to 97%... a one percent reduction might not seem
like a lot... but the key percentage is the drop in the spam that your users
SEE!! Therefore, if the amount of spam which gets past your filter
drops from 4% down to 3%, this is a whopping 25% reduction in the amount of
spam that your users see. That is huge! If someone did that for you, what
would you do in return? You'd hug them... take them out to dinner... thank
them profusely.

I contend that these "Invaluement blacklists" will be "on par" with those
kind of results and you'll find the fees to be low compared to what you are
getting in return.

***************
GETTING STARTED
***************

Contact me, Rob McEwen, today and I'll provide you the access information.

For access, send the requested information to the following:

invaluement at PowerViewSystems.com

(PLEASE - keep discussion about this on the SURBL list to an absolute
minimum. SA and SPAM-L are more appropriate. Or e-mail me directly.)

Rob McEwen
PowerView Systems
invaluement at PowerViewSystems.com




