On Fri, 21 Nov 2003 21:41:23 -0800 John Oliver <[EMAIL PROTECTED]> wrote:
>
> Here are the dnsbls I use, the order I use them in, and the number of
> matches in the current maillog:
>
> [EMAIL PROTECTED] joliver]$ ./spam.sh
> cbl.abuseat.org
> 4342
> dynablock.easynet.nl
> 1938
> sbl.spamhaus.org
> 1146
> dnsbl.sorbs.net
> 176
> bl.spamcop.net
> 427
> proxies.blackholes.easynet.nl
> 3
> list.dsbl.org
> 44
> dnsbl.njabl.org
> 16
> relays.visi.com
> 4
> relays.ordb.org
> 3
> dialups.visi.com
> 0
>
>
> cbl.abuseat.org is, hands-down, the highest-hitting dnsbl on all mail
> servers I admin.

Maybe, maybe not. Trying to compare DNSBL's by rejection entries in your mail server logs doesn't really tell you much about any DNSBL except the first one. The problem is that once a given message hits one DNSBL, the remaining DNSBL's aren't checked. So, the possible range of hits on the subsequent DNSBL's can only be expressed in upper and lower bounds.

Using your data, we know that cbl.abuseat.org hit on 4342 of your messages. If dynablock.easynet.nl is your second DNSBL, we know it hit on some number of messages greater than or equal to 1938, and less than or equal to 6280. Any number in that range is consistent with your data because _if_ all 4342 of the messages that cbl.abuseat.org hit were also in dynablock.easynet.nl, you would still have the exact same results in your logs. There's no way to know exactly how many of those 4342 entries are in dynablock.easynet.nl from the data you provided.

The further you go down the list, the wider the possible range of hits is. For example, list.dsbl.org has somewhere between 44 and 8076 hits based on your data, and we don't know any more than those upper and lower bounds from your logs.

If you really want to compare DNSBL's, you need to set up a separate process to query all of the DNSBL's you are comparing (nearly) simultaneously. I do this by running 'tail -f /var/log/maillog|myscoringscript' where "myscoringscript" is a script that I wrote to extract IP addresses from the log and query all the DNSBL's and tally the results. Actually, since my scripts work with the new email security service I'm developing, they really don't work directly with MTA logs, but if I wanted to do comparisons for a client, I'd modify them to read the MTA's log format.

> I'm not aware of any collateral damage, but then, I'm
> *very* aggressive, and most of my clients happily use SPEWS ;-) I would
> recommend to *not* use bl.spamcop.net at the MTA for a large-scale,
> production server... even *they* say not to.
> It's too easy to game SpamCop.
>

I've heard that, too, and I generally tell people that, but they do it anyway. Even you seem to be a "do as I say, not as I do" type on that one, too.

In my comparisons, I did also check bonded senders, and I have seen a few hits in both sbl.spamhaus.org and dnsbl.sorbs.net that were bonded senders. I consider that to be pretty serious "collateral damage."

Finally, using a local copy of one of the DNSBL's that offers data through rsync is a really good idea. Both cbl.abuseat.org and list.dsbl.org offer rsync data for use with DJB's rbldns. I don't really know if the other DNSBL's offer this or not, so don't assume that they don't just because I didn't mention them. If you get a hit on the local copy of a DNSBL, you'll avoid all remote DNS queries. That can be a big issue if you have a very high volume MTA because the delays for remote DNSBL's can result in a lot of smtp connections staying open for relatively long times, consuming connection resources on the MTA host.

--
Who is John Galt?

_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
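
The following is an added example, not part of the original message and not the poster's script. It computes the lower and upper hit bounds implied by first-match log counts (using the figures quoted above) and tallies every zone independently for each client address. Assumptions: the first IPv4 address on a log line is the connecting client, any A record answer means "listed", and the `listed` parameter is a hypothetical hook for substituting the DNS lookup.

```python
import re
import socket
import sys
from collections import Counter

# Zones and first-match counts exactly as quoted in the message, in MTA order.
LOG_COUNTS = [
    ("cbl.abuseat.org", 4342), ("dynablock.easynet.nl", 1938),
    ("sbl.spamhaus.org", 1146), ("dnsbl.sorbs.net", 176),
    ("bl.spamcop.net", 427), ("proxies.blackholes.easynet.nl", 3),
    ("list.dsbl.org", 44), ("dnsbl.njabl.org", 16),
    ("relays.visi.com", 4), ("relays.ordb.org", 3), ("dialups.visi.com", 0),
]
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def hit_bounds(ordered_counts):
    """(lower, upper) true-hit bounds per zone from first-match log counts."""
    bounds, shadowed = {}, 0
    for zone, count in ordered_counts:
        bounds[zone] = (count, count + shadowed)  # earlier hits may overlap
        shadowed += count
    return bounds

def dns_listed(ip, zone):
    """Standard DNSBL lookup: reversed octets + zone; an A record = listed."""
    name = ".".join(reversed(ip.split("."))) + "." + zone
    try:
        socket.gethostbyname(name)
        return True
    except socket.gaierror:  # NXDOMAIN or resolver failure: count as not listed
        return False

def tally(lines, zones, listed=dns_listed):
    """Return (independent, first_match) hit Counters over log lines."""
    independent, first_match, cache = Counter(), Counter(), {}
    for line in lines:
        m = IPV4.search(line)  # assumption: first IPv4 on the line is the client
        if not m:
            continue
        ip = m.group()
        if ip not in cache:  # query every zone once per address
            cache[ip] = [z for z in zones if listed(ip, z)]
        independent.update(cache[ip])
        first_match.update(cache[ip][:1])  # what the MTA log would record
    return independent, first_match

if __name__ == "__main__":  # reads a finished log file on stdin
    zones = [z for z, _ in LOG_COUNTS]
    print(tally(sys.stdin, zones)[0])
```

The gap between the two counters for any zone after the first is exactly the overlap that a first-match log hides.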