Responsible blocklist usage

Claus v. Wolfhausen c.v.wolfhausen at spamkiller.uceprotect.net
Fri May 8 15:30:18 UTC 2009


Seriously, if you want to stop most of the spam with only a very minimal risk
of false positives you will have to use a combination of lists, because there
is really *NO BLOCKLIST* which always does 0 False Positives if measured
against a mixed but real mailflow:
 
See: http://stats.uceprotect.net
 
What you see there is the real mailflow of those UCEPROTECT-customers
that have freely chosen to select "Transmit Statistics and nominate Spammers"
in their Appliances.
Actually 45 Systems are running the upcoming Release V4.1 in Betatest
and what you see there is their real traffic.
What you can't see yet is the traffic from all other customers that are
still running the latest official Release V4.07
 
This is how we are counting Spamtrap hits and also False positives:
 
All Lists are queried at every connection after RCPT TO:
 
Spamtrap hits (Displayed in green):
Every mail sent to a spamtrap is counted as a hit for those blocklists that
report the IP / domain as listed.
 
False positives (Displayed in red):
Every mail sent to an existing recipient is counted as a false positive for
those blocklists that report the IP / domain as listed and the sender is in
the recipient's automatic or manual whitelist.
 
Counters for the nonexisting (virtual) zone uceprotect.combined are counted
ONCE only, according to the description above, if any of the 4 real existing
dnsbl-*.uceprotect.net zones would report listed.
 
As you can see, the most accurate and effective single blocklist in our
comparison is cbl.abuseat.org, but even it would have rejected 14 of 8475031
HAMs last week while catching 73.3% spam.
 
That is excellent for a single blocklist, but you can get a better result
if you are using the following combination of lists:
 
Delay any incoming connection which is listed at dnsbl-0.uceprotect.net
aka UCEPROTECT Level 0 with a tempfail (450) after RCPT TO.
This is important because Level 0 is a delaylist, not a blocklist.
Listings there will expire as soon as an Operator has moved them to
UCEPROTECT Level 1 otherwise latest after 3 hours.
 
Block if at least 2 of the following 8 lists are indicating "listed":
 
bl.spamcop.net, cbl.abuseat.org, dnsbl-1.uceprotect.net,
dnsbl-2.uceprotect.net, dnsbl-3.uceprotect.net, dnsbl.sorbs.net,
ix.dnsbl.manitu.net and psbl.surriel.com.
 
If you follow my instructions, you will end up with a system that has
as good as no false positives and will block most spam.
 
As always YMMV.
 
--
Claus von Wolfhausen
Technical Director
UCEPROTECT-Network
http://www.uceprotect.net
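The post describes two things a mail operator would implement: the post-RCPT TO lookup with a tempfail for the Level 0 delaylist and a block when at least 2 of the 8 named lists answer "listed", and the per-zone spamtrap-hit / false-positive counters behind the stats page. The block below is an added example, not code from the post or from UCEPROTECT. It assumes the usual reversed-octet DNSBL query form, assumes that a firm block outranks a Level 0 delay when both apply, and replaces DNS with a constructed lookup table (the IPs and events are made up) so it runs offline; `live_resolve` shows what the real lookup would look like but is not used by the demo.

```python
"""Added example: DNSBL scoring after RCPT TO plus spamtrap/false-positive
counters. Not the post's or UCEPROTECT's code; all traffic is constructed."""
import ipaddress
import socket
from collections import Counter
from typing import Callable, Iterable, Set, Tuple

DELAY_ZONE = "dnsbl-0.uceprotect.net"        # Level 0 is a delaylist: 450, not 550
BLOCK_ZONES = (                               # the 8 lists named in the post
    "bl.spamcop.net", "cbl.abuseat.org", "dnsbl-1.uceprotect.net",
    "dnsbl-2.uceprotect.net", "dnsbl-3.uceprotect.net", "dnsbl.sorbs.net",
    "ix.dnsbl.manitu.net", "psbl.surriel.com",
)
BLOCK_THRESHOLD = 2                           # "at least 2 of the following 8 lists"
ALL_ZONES = (DELAY_ZONE,) + BLOCK_ZONES
UCEPROTECT_ZONES = ("dnsbl-0.uceprotect.net", "dnsbl-1.uceprotect.net",
                    "dnsbl-2.uceprotect.net", "dnsbl-3.uceprotect.net")
COMBINED_ZONE = "uceprotect.combined"         # virtual zone, counted once at most


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Standard DNSBL query form: IPv4 octets reversed, then the zone name."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def listed_zones(ip: str, zones: Iterable[str],
                 resolve: Callable[[str], bool]) -> Set[str]:
    """Query every zone for ip; resolve(name) is True when the name has an A record."""
    return {z for z in zones if resolve(dnsbl_query_name(ip, z))}


def live_resolve(name: str) -> bool:
    """Real lookup (not used by the offline demo): NXDOMAIN means 'not listed'."""
    try:
        socket.gethostbyname(name)
        return True
    except socket.gaierror:
        return False


def decide(listed: Set[str]) -> Tuple[int, str]:
    """Policy applied after RCPT TO. Assumption: a block outranks a Level 0 delay."""
    hits = [z for z in BLOCK_ZONES if z in listed]
    if len(hits) >= BLOCK_THRESHOLD:
        return 550, "rejected: listed on " + ", ".join(hits)
    if DELAY_ZONE in listed:
        return 450, "deferred: listed on " + DELAY_ZONE
    return 250, "accepted"


# Constructed stand-in for DNS: the set of query names that would resolve.
STUB_LISTINGS = {
    dnsbl_query_name("203.0.113.7", "cbl.abuseat.org"),
    dnsbl_query_name("203.0.113.7", "bl.spamcop.net"),
    dnsbl_query_name("203.0.113.7", "dnsbl-1.uceprotect.net"),
    dnsbl_query_name("198.51.100.9", "dnsbl-0.uceprotect.net"),
    dnsbl_query_name("192.0.2.44", "dnsbl.sorbs.net"),
}
stub_resolve = STUB_LISTINGS.__contains__


def verdict(ip: str, resolve: Callable[[str], bool] = stub_resolve) -> Tuple[int, str]:
    """Full per-connection decision: look up all zones, then apply the policy."""
    return decide(listed_zones(ip, ALL_ZONES, resolve))


# Constructed mail events: (client ip, recipient kind, sender whitelisted?).
# kind is "trap" (spamtrap address) or "user" (existing recipient).
EVENTS = [
    ("203.0.113.7", "trap", False),   # spam into a trap, three lists hit
    ("198.51.100.9", "trap", False),  # trap hit, only Level 0 listed
    ("192.0.2.44", "user", True),     # whitelisted sender: FP for sorbs
    ("192.0.2.44", "user", False),    # existing recipient, not whitelisted: not counted
    ("203.0.113.7", "user", True),    # whitelisted sender: FP for 3 lists + combined
]


def count_stats(events, resolve: Callable[[str], bool] = stub_resolve):
    """Per-zone spamtrap hits and false positives, following the post's definitions."""
    traps, fps = Counter(), Counter()
    for ip, kind, whitelisted in events:
        listed = listed_zones(ip, ALL_ZONES, resolve)
        if any(z in listed for z in UCEPROTECT_ZONES):
            listed.add(COMBINED_ZONE)   # once, however many uceprotect levels hit
        if kind == "trap":
            traps.update(listed)
        elif whitelisted:               # existing recipient + whitelisted sender
            fps.update(listed)
    return traps, fps


if __name__ == "__main__":
    for ip in ("203.0.113.7", "198.51.100.9", "192.0.2.44", "192.0.2.1"):
        print(ip, verdict(ip))
    t, f = count_stats(EVENTS)
    print("spamtrap hits:", dict(t))
    print("false positives:", dict(f))
```

With the constructed table, 203.0.113.7 is on three of the eight lists and gets a 550, 198.51.100.9 is only on Level 0 and gets a 450, and 192.0.2.44 is on a single list and is accepted, which is the property the post is after: one list alone never rejects. The counters show why the combined virtual zone matters: a host on both dnsbl-0 and dnsbl-1 would otherwise be counted twice.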
 




More information about the NANOG mailing list