On 10/12/2010 8:14 PM, Karsten Bräckelmann wrote:
> [Added after re-reading: Same request. Which ones do hit, optionally
> which ones don't?]

For the IPs mentioned:

217.23.6.209
204.45.150.196
64.32.6.4
173.234.224.131
184.107.29.11
72.55.165.139
67.159.50.131
174.37.134.225

...here is a tally of *which* DNSBLs blacklisted these IPs, and how many of these IPs were blacklisted by each DNSBL: (see analysis below this list)

NOTE: There were 8 different IPs. So the highest possible score was an "8 out of 8".

# of "hits"   blacklist name
7             ivmSIP
7             FIVETEN
6             BARRACUDA
6             Tiopan
5             PSBL
4             ivmSIP/24
3             NIXSPAM
3             OSPAM
2             BURNT-TECH
2             EMAILBASURA
2             KEMPTBL
2             SORBS
2             SWINOG
2             WPBL
1             AHBL
1             RATS-Dyna
1             SPAMCANNIBAL
1             SPAMCOP
1             UCEPROTECT1

I tallied this by checking each of those IPs on the mxtoolbox.com web site (one of the more popular free DNSBL lookup sites), and gave credit for each hit.

Keep in mind that this ranking does NOT take into account the FP rates of each of the lists. For example, ivmSIP and FIVETEN tied for first place. But, of course, ivmSIP is orders of magnitude a higher quality blacklist compared to FiveTen when you factor in a DNSBL's ability to avoid False Positives. Therefore, the BEST lists are the ones which scored high on this list --AND-- which also have low FPs.

(for example, the one IP that ivmSIP missed really is a heavily abused IP... but one that also has MUCH legitimate use because it is used by one of the most popular dating sites for Latinos, which has 8 million subscribers. Therefore, MUCH collateral damage might occur from the blacklisting of this IP. Still, this can be a judgment call because sometimes "enough is enough" with some heavily abused IPs that have some legit uses!)

Regarding that one IP, the DNSBLs which blacklisted 67.159.50.131 include FiveTen, Ospam, PSBL, and SORBS. Personally, I consider this to be the only False Positive of all the IPs submitted. And, for anyone who agrees with that analysis, this makes ivmSIP the /*only*/ list with a perfect 7 out of 7 score. But, again, considering 67.159.50.131 to be a FP is somewhat of a judgment call.

NOTE: What this list is missing are DNSBLs like Zen. Obviously, the reason Zen is missing is because the person who submitted this list of IPs for missed spams probably ALREADY uses Zen-->so those spam /blocked/ by Zen won't show up on his list of /missed/ spams. And other DNSBLs may be in the same situation. For example, I suspect this mail system also uses SpamCop. So why the one SpamCop "hit" in the tally above? Probably because that one IP may not have been in SpamCop at the time the message arrived. (perhaps the same is true for UCE-1 and SORBS?--and would explain their 1 or 2 hits?)

Along the same lines, some other DNSBLs that this mail system uses are not going to show up on that list at all, even if very good blacklists, like Zen--due to those DNSBLs already being used for outright blocking on that mail server where these spams were missed. That is the reason some lists are missing or under-represented.

--
Rob McEwen
http://dnsbl.invaluement.com/
[email protected]
+1 (478) 475-9032
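
The following is an added example, not part of the original message and not code from its author: a sketch of how a per-list tally like the one above can be reproduced with direct DNSBL queries, including a re-score that leaves out an IP judged to be a false positive. The zone names, list labels, IPs and answers are constructed placeholders, and the `resolve` and `exclude` parameters are assumptions of this sketch.

```python
import ipaddress
import socket

# Constructed sample data: documentation-range IPs and hypothetical zones.
SAMPLE_IPS = ["192.0.2.10", "192.0.2.20", "198.51.100.7"]
SAMPLE_ZONES = {"LIST-A": "a.dnsbl.example", "LIST-B": "b.dnsbl.example"}
SAMPLE_ANSWERS = {  # stand-in resolver table: query name -> A record
    "10.2.0.192.a.dnsbl.example": "127.0.0.2",
    "20.2.0.192.a.dnsbl.example": "127.0.0.2",
    "7.100.51.198.a.dnsbl.example": "203.0.113.9",  # not 127/8: not a listing
    "10.2.0.192.b.dnsbl.example": "127.0.0.2",
    "20.2.0.192.b.dnsbl.example": "127.0.0.2",
    "7.100.51.198.b.dnsbl.example": "127.0.0.2",
}

def dnsbl_query_name(ip, zone):
    """DNSBL convention: reverse the IPv4 octets and append the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def system_resolver(name):
    """Return the A record for name, or None when the lookup fails."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def is_listed(ip, zone, resolve=system_resolver):
    """Count only answers inside 127.0.0.0/8; no answer means not listed."""
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return False
    return ipaddress.IPv4Address(answer) in ipaddress.ip_network("127.0.0.0/8")

def tally(ips, zones, resolve=system_resolver, exclude=()):
    """Hits per list, best first; IPs in `exclude` are dropped from the score."""
    scored = [ip for ip in ips if ip not in exclude]
    hits = {n: sum(is_listed(ip, z, resolve) for ip in scored) for n, z in zones.items()}
    ranked = sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))
    return ranked, len(scored)

if __name__ == "__main__":
    print(tally(SAMPLE_IPS, SAMPLE_ZONES, SAMPLE_ANSWERS.get))
    print(tally(SAMPLE_IPS, SAMPLE_ZONES, SAMPLE_ANSWERS.get, exclude={"198.51.100.7"}))
```

Some lists also use addresses inside 127.0.0.0/8 as error or refusal codes, so check each list's documented return codes before counting an answer as a hit.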
