Pedantic niggle: RBL is not a generic term. It's a trademark originally
owned by MAPS and now by Trend Micro. Generic term is DNSBL.
(Yeah, I know, it's like band-aid and kleenex...)

On 14 Feb 2017, at 23:04, Ian Zimmerman wrote:

> Given a piece of horrible spam, on which RBL is the sending IP address
> likely to appear first?

It depends on the genus of spam, and note that I am NOT recommending the
use of all of these DNSBLs as absolute ban criteria, just answering the
query as asked...
Botspam is all the CBL (a Spamhaus Zen component) does and IPs in the
major botnets usually hit there first. PSBL, SORBS Spam, and NiX Spam
(Manitu) are usually very close behind and sometimes catch IPs that
never show up on CBL/Zen.
Snowshoe spam is complicated. The Spamhaus CSS (SBL and hence also Zen
component) is usually pretty swift, but often entirely misses spammers
that PSBL, SORBS Spam, SpamCop or NiX catch.
For other varieties (e.g. direct mainsleaze, sloppy ESPs, bulletproof
ISPs) speed of listing is less important because the sending IPs don't
churn much.

> I want to rationally decide which RBL/s to consult at SMTP time. Afraid
> to use all of them,

This is such a local decision that it may not help much to get external
advice. There are hundreds of classical sending-IP DNSBLs available and
using them all in any way would be pointless and dangerous. The spam you
get isn't going to look like the spam I get.