On 2/14/2017 11:04 PM, Ian Zimmerman wrote:
> Given a piece of horrible spam, on which RBL is the sending IP address
> likely to appear first?
> I want to rationally decide which RBL/s to consult at SMTP time. Afraid
> to use all of them, not just due to false positives, but also due to
> negative caching in DNS, which could affect the result when the spam is
> seen by SA a bit later.
Ian,
(if possible) Start monitoring the sending IPs of barely missed incoming
spam, in real time, as they come in. As soon as possible after the spam
comes in, check that IP on multirbl.valli.org (or mxtoolbox), and see
which RBLs are listing that IP (recognizing that SOME of those are going
to be situations where the IP wasn't blacklisted until seconds after the
spam was received - but many were listed before then)
Throw out the examples where the IP has a good reputation in places like
SenderScore or SenderBase... or where the IP is an MTA of a large/famous
hoster/ISP (but take note of which lists were listing those) - However,
SOME of those listings with decent scores at SenderScore or SenderBase
are appropriately blacklisted, such as a small sender with a massive
security hole where they are suddenly spewing out a massive amount of
spam. But if you notice an RBL hitting on MANY like this - they might be
too aggressive and even worthless - or perhaps more appropriate for low
scoring. There are a few lists which are VERY fast-reacting to new
spams, but have horrific expiration policies and/or are poorly managed -
and would produce many FPs if used in production. But there are some
other lists which are just a little too aggressive for outright
blocking, but are very useful for scoring a few points (or less).
You should then notice only about ~5-8 lists which rise to the top
- in the checking I described, they seem to have very few FPs (you won't
know for sure until you test them in production) - and they are very
fast reacting. Still, SOME of these are just a little too aggressive for
outright blocking (or scoring at/above threshold) - but are great for
high scoring. But you may not be able to accurately measure their FP
level until you've used them in production for some weeks.
A smaller number of these RBLs (that rose to the top)... in addition to
being fast-reacting... block much unique spam missed by the other lists
AND have few enough FPs for you to probably feel comfortable outright
blocking (or scoring at/above threshold). You might find ~3-5 such
lists, including zen.spamhaus.org in that elite group.
--
Rob McEwen
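The tallying procedure Rob describes (check each missed-spam IP against a set of DNSBLs as it arrives, count which lists hit, and note which lists were the only ones to catch a given IP) is easy to script. The example below is an added illustration, not code from either poster or from SpamAssassin. It builds the standard DNSBL query name (reversed IPv4 octets under the zone), classifies the answer, and tallies per-zone hits and unique catches. zen.spamhaus.org is the only real zone named in the thread; the `.test` zones, the sample IPs (from the RFC 5737 documentation ranges) and the canned DNS answers are constructed so the script runs offline. The 127.255.255.x handling reflects Spamhaus's documented error codes (for example 127.255.255.254 when querying through a public resolver and 127.255.255.255 when the query limit is exceeded); a script that counts any A record as a listing would treat those as hits.

```python
"""Tally which DNSBLs list the sending IPs of spam that got past the filter."""
import ipaddress
import socket
from collections import Counter
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Zones to evaluate. zen.spamhaus.org is named in the thread; the two .test
# zones are constructed placeholders for whatever other lists you are trying.
ZONES = ["zen.spamhaus.org", "bl.example-dnsbl.test", "fast.example-dnsbl.test"]

# A resolver maps a query name to the A record text, or None for NXDOMAIN.
Resolver = Callable[[str], Optional[str]]


def dnsbl_qname(ip: str, zone: str) -> str:
    """Build the DNSBL lookup name: reversed IPv4 octets under the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    return ".".join(reversed(ip.split("."))) + "." + zone


def classify_answer(answer: Optional[str]) -> str:
    """Interpret one DNSBL answer.

    'absent'     : NXDOMAIN, the IP is not listed
    'error'      : 127.255.255.x, used by Spamhaus for query errors
                   (public resolver, query limit exceeded); NOT a listing
    'listed'     : any other 127.0.0.0/8 answer, the DNSBL convention
    'unexpected' : anything else (dead or parked zone, broken list)
    """
    if answer is None:
        return "absent"
    a = ipaddress.ip_address(answer)
    if a in ipaddress.ip_network("127.255.255.0/24"):
        return "error"
    if a in ipaddress.ip_network("127.0.0.0/8"):
        return "listed"
    return "unexpected"


def tally(ips: Iterable[str], zones: List[str], resolve: Resolver
          ) -> Tuple[Counter, Dict[str, List[str]], Counter]:
    """Return (hits per zone, zones listing each IP, errors per zone)."""
    hits: Counter = Counter()
    errors: Counter = Counter()
    per_ip: Dict[str, List[str]] = {}
    for ip in ips:
        listing = []
        for zone in zones:
            status = classify_answer(resolve(dnsbl_qname(ip, zone)))
            if status == "listed":
                hits[zone] += 1
                listing.append(zone)
            elif status in ("error", "unexpected"):
                errors[zone] += 1
        per_ip[ip] = sorted(listing)
    return hits, per_ip, errors


def unique_catches(per_ip: Dict[str, List[str]]) -> Counter:
    """Zones that were the ONLY list to catch an IP: the 'unique spam missed
    by the other lists' signal that separates the elite group from the rest."""
    c: Counter = Counter()
    for zones in per_ip.values():
        if len(zones) == 1:
            c[zones[0]] += 1
    return c


def live_resolver(qname: str) -> Optional[str]:
    """Real lookup through the system resolver (not used by the offline demo)."""
    try:
        return socket.gethostbyname(qname)
    except socket.gaierror:
        return None  # NXDOMAIN (or unreachable zone) -> treat as not listed


# --- Constructed sample data: four missed-spam sender IPs and canned answers --
SAMPLE_IPS = ["192.0.2.10", "198.51.100.20", "203.0.113.30", "192.0.2.40"]
FAKE_ANSWERS = {
    "10.2.0.192.zen.spamhaus.org": "127.0.0.4",          # zen: XBL-style hit
    "10.2.0.192.fast.example-dnsbl.test": "127.0.0.2",   # fast list also hit
    "20.100.51.198.fast.example-dnsbl.test": "127.0.0.2",  # only fast hit
    "30.113.0.203.zen.spamhaus.org": "127.255.255.254",  # error code, not a hit
    "30.113.0.203.bl.example-dnsbl.test": "127.0.0.2",   # only bl hit
    # 192.0.2.40 is on nothing: every lookup is NXDOMAIN
}


def fake_resolver(qname: str) -> Optional[str]:
    """Offline stand-in for DNS, answering only from the constructed table."""
    return FAKE_ANSWERS.get(qname)


if __name__ == "__main__":
    hits, per_ip, errors = tally(SAMPLE_IPS, ZONES, fake_resolver)
    for zone in ZONES:
        print(f"{zone:28} hits={hits[zone]} unique={unique_catches(per_ip)[zone]}"
              f" errors={errors[zone]}")
```

In production, swap `fake_resolver` for `live_resolver` (or a proper DNS library) and feed it the sender IPs of messages that scored just under the threshold. Two operational caveats: query through your own caching resolver rather than a public one, or zen will return the 127.255.255.x error codes seen above instead of listings; and remember Ian's point about negative caching, since an NXDOMAIN answer is cached by the resolver for the zone's SOA negative TTL (RFC 2308), so an IP that was listed seconds after the SMTP-time lookup may still read as unlisted when SpamAssassin checks it a moment later.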