I've been running it since 1:51 Eastern (US) time, yesterday.

>You risk wrongly flagging legitimate email if you make IP queries
>to the DBL.

For now, I'm :) cheating, by mapping one of the (officially) unused high bits to a negative score, which should wipe out the positive score for a raw IP URL lookup. Those are rare, plus I've long killed them on sight (unless skip listed), so that seemed like a reasonable SHORT term approach (I respect Spamhaus' logic in implementing things the way they did - they're honoring the laws of ;) natural selection). As soon as I get a chance, I'll add a raw IP exclusion option to my filter.

So far, it looks good. It's hitting on about 11% of my spam (I'm ONLY running it on stuff that has NOT hit on Surbl/Uribl). It's been averaging about 130 msec to resolve (only a hundred lookups). I'll be deploying that to my users, starting this afternoon. First up will be a brick&mortar business, with far more ham diversity than my Geek domain. I'll report back later in the week.

The BIG issue is that apparently this had been planned for a while (I somehow missed that - SpamNation had an excellent article, yesterday, which twigged me to it). The spammers appear to have been ready, because I'm getting big volume spikes, and a MAJOR shift in payload types, with big jumps in subsite and shortener spam. Ugh!

Also of interest is a steady increase in the number of RU TLD domains (59% today, average of 49% last month), with some containing garbage/low-ascii characters at the end of the URL. I've been scoring RU at 95% of kill for a while, so those aren't an issue (for me). Technically, those have been ramping up for a while.

- "Chip"
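A raw IP exclusion of the kind mentioned above, as an added sketch that is not part of the original post or of any filter it describes: URL hosts that are IP literals are dropped before a DBL query name is built, so no IP query reaches the list. The zone name `dbl.spamhaus.org`, the function names and the sample URLs are assumptions made for this example, and nothing is sent over the network.

```python
import ipaddress
import string
from urllib.parse import urlsplit

DBL_ZONE = "dbl.spamhaus.org"  # assumed zone name; not given in the post

# Constructed sample URLs (documentation address ranges and example domains).
SAMPLE_URLS = [
    "http://example.com/a",
    "https://shop.example.net./b?x=1",
    "http://192.0.2.10/login",
    "http://[2001:db8::1]/x",
    "http://3232235777/",
    "HTTP://Example.COM/other",
]

def is_raw_ip(host):
    """True if a URL host is an IP literal rather than a domain name."""
    host = host.strip("[]").rstrip(".")
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        pass
    # Heuristic for integer and hex forms (3232235777, 0xC0A80001): no real
    # TLD is purely numeric or 0x-prefixed hex, so test the rightmost label.
    last = host.rsplit(".", 1)[-1].lower()
    if last.isascii() and last.isdigit():
        return True
    return (last.startswith("0x") and len(last) > 2
            and all(c in string.hexdigits for c in last[2:]))

def dbl_queries(urls):
    """Return (query_names, skipped_ip_hosts), both de-duplicated in order."""
    queries, skipped = [], []
    for url in urls:
        try:
            host = urlsplit(url).hostname  # lower-cased, brackets removed
        except ValueError:                 # malformed URL, e.g. bad brackets
            continue
        if not host:
            continue
        if is_raw_ip(host):
            if host not in skipped:
                skipped.append(host)       # never queried against the DBL
        else:
            name = f"{host.rstrip('.')}.{DBL_ZONE}"
            if name not in queries:
                queries.append(name)
    return queries, skipped

if __name__ == "__main__":
    print(dbl_queries(SAMPLE_URLS))
```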