On 8/29/2016 9:58 AM, Eric Henson wrote:
don’t have false positives: Barracuda RBL

Barracuda's RBL is a very good list... for high scoring... or for outright blocking for somewhat small hosters. But if an ISP or hoster has more than several thousand mailboxes AND is even moderately concerned about FPs, they would probably be happier using Barracuda's RBL for high scoring, and not for outright blocking.

Having said that... the age of high quality, virtually-zero FPs... is OVER!

Why? Because compromised mail accounts and hijacked web servers have both become a MASSIVE EPIDEMIC in the past few years.

For this reason, I regularly encounter hand-typed legit messages blocked by even Spamhaus's Zen list--yet Zen continues to be the best blacklist. In pretty much all such cases, those Zen "false positives" (if you can even call them that?) were situations where a small-ish legit sender had a compromised account that was spewing out much spam, and the ratio of spam/ham made the collateral damage very justifiable--and usually the blacklisting is short lived, keeping collateral damage to a minimum.

What separates the men from the boys here is NOT which list has zero FPs... but instead... which keeps such collateral damage to a minimum, via making good judgements about the ratio of spam blocked vs. resulting collateral damage--and keeping such listings short-lived, yet WITHOUT giving deliberate snowshoe spammers easy-off mechanisms, or too-short expire times.

By this very measure, Barracuda's RBL is a great list, but still not nearly as good as Zen, and probably too risky for outright blocking by larger senders.

And the absolutely zero FP blacklist is now a mythical creature... more sys admins in the e-mail industry need to recognize that and recognize that an RBL occasionally blocking relatively few legit messages of a compromised sender (as Zen does!) can be a very GOOD thing (as long as there is a good balance--unfortunately, unlike Zen, some don't quite achieve the best balance!).

Such minimal and well-justified "collateral damage" does much to motivate system administrators to clean up their mess and implement better procedures to prevent (or more quickly mitigate) compromised accounts and other exploits.

--
Rob McEwen


_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
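
Added example, not part of the message above or of any list member's code: a sketch of the difference between using an RBL for outright blocking and using it for high scoring, applied to a legit sender whose IP is temporarily listed. The weights, the threshold, the `decide`/`fake_listed` helpers and the sample IP are assumptions made for illustration.

```python
import ipaddress
import socket

# Assumed weights: the zone is the public Barracuda zone, the numbers are illustrative.
ZONE = "b.barracudacentral.org"
HIT_SCORE = 3.5   # points added when the connecting IP is listed
REJECT_AT = 5.0   # total score at which the message is refused

def query_name(ip, zone=ZONE):
    """DNSBL lookups reverse the IPv4 octets and append the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def dns_listed(name):
    """Live lookup: a listed IP resolves to a 127.0.0.x answer."""
    try:
        return socket.gethostbyname(name).startswith("127.0.0.")
    except socket.gaierror:
        return False  # NXDOMAIN or lookup failure: treat as not listed

def decide(ip, content_score, mode, listed=dns_listed):
    """mode 'block': any listing rejects. mode 'score': a listing adds HIT_SCORE."""
    hit = listed(query_name(ip))
    if hit and mode == "block":
        return "reject"
    total = content_score + (HIT_SCORE if hit else 0.0)
    return "reject" if total >= REJECT_AT else "accept"

# Constructed data: 192.0.2.10 (documentation range) stands in for a legit sender
# whose server is briefly listed because of one compromised account.
FAKE_LISTINGS = {query_name("192.0.2.10")}

def fake_listed(name):
    return name in FAKE_LISTINGS

def demo():
    """Same listed IP, two messages, both policies."""
    rows = []
    for label, score in (("hand-typed legit", 0.4), ("spam-like", 2.5)):
        for mode in ("block", "score"):
            rows.append((label, mode, decide("192.0.2.10", score, mode, fake_listed)))
    return rows

if __name__ == "__main__":
    for row in demo():
        print(row)
```

In score mode the listing alone does not refuse the hand-typed message, but it still pushes the spam-like one over the threshold.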
