SPEWS and SBL are two opposite extremes. The only time that SBL will false positive is when they list a hosting company that primarily engages in providing facilities to spammers. For the most part, these hosting companies are only fronts that they use to avoid being fully listed. SBL doesn't ratchet up to larger blocks without proof of spamming from those blocks. SPEWS tactics are more so for intimidation of hosting companies when they do this. It's not that I disagree with intimidation of this type in general, but I wouldn't make use of it on my own server since my main job is to deliver good E-mail and not spammer intimidation. If a block of IPs gets onto SBL, the value of those IPs as a mail source is greatly diminished, and any legitimate company would take action to fix any problems that were impacting other customers. SBL will list only static sources and will go all the way down to a single IP on occasion.

SBL should tag about 20% to 25% of your mail volume (if you have an average mix of traffic), and their FP rate should be 0.01% if not better (people do make mistakes). Note my rant about Topica, which is listed in SBL. Topica would be blocked if you did this, but Topica also operates a spam network and uses hundreds and hundreds of domain names. I wouldn't be surprised to see them getting demographic information as well as valid addresses from the Topica site. This is kind of like protecting your users from something they aren't aware could happen. Topica is also a frequent source of spam from their lists because they don't confirm memberships, so spammers can just opt you in. It took me a while to figure out that SBL was correct on this one... but they are, no doubt.

Maybe someone else can chime in with their opinion on SBL. I'd be curious to see if anyone has ever seen a clear false positive from them.

Matt


Darrell LaRock wrote:


How aggressive is SBL compared to SPEWS?  I know with SPEWS they list a lot
of adjacent net blocks of the spammers...  Does SBL employ the same tactics?

Darrell

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Matthew Bramble
Sent: Tuesday, January 06, 2004 6:59 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Atriks - Pt.2

Forgive me for repeating myself on this one, but I'm a proponent of blocking outright on SBL. There's a good reason for spammers to be in their list, and it's not some community project where anyone and everyone makes nominations, so it's practically flawless.

Another trick for Green Horse is the following lines in a custom filter somewhere:

# Green Horse Corporation (SBL12495)
BODY        28    CONTAINS    /img/c.0/
BODY        28    CONTAINS    /img/o.0/
BODY        28    CONTAINS    /img/v.0/

This is just in case they break out into new address space. 28 is my delete weight plus Declude's negative weight tests (because they tend to get added in after custom filters and I use SKIPIFWEIGHT functionality).

Matt


Fritz Squib wrote:




Amazing, I knew that I saw a lot more spam coming from individual cable/dsl
modems, but I had no idea...

http://www.spamhaus.org/SBL/sbl.lasso?query=SBL12495

http://groups.google.com/groups?scoring=d&q=atriks.com+group:*abuse*

Fritz

Frederick P. Squib, Jr.
Network Operations/Mail Administrator
Citizens Telephone Company of Kecksburg
http://www.wpa.net

()  ascii ribbon campaign - against html mail
/\                        - against microsoft attachments






---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.
