Re: [Declude.JunkMail] Atriks - Pt.2

2004-01-06 Thread Matthew Bramble
Forgive me for repeating myself on this one, but I'm a proponent of 
blocking outright on SBL.  There's a good reason for spammers to be in 
their list, and it's not some community project where anyone and 
everyone makes nominations, so it's practically flawless.

Another trick for Green Horse is the following lines in a custom filter 
somewhere:

# Green Horse Corporation (SBL12495)
BODY 28 CONTAINS /img/c.0/
BODY 28 CONTAINS /img/o.0/
BODY 28 CONTAINS /img/v.0/

This is just in case they break out into new address space.  28 is my 
delete weight plus Declude's negative weight tests (because they tend to 
get added in after custom filters and I use SKIPIFWEIGHT functionality).

Matt

Fritz Squib wrote:

Amazing, I knew that I saw a lot more spam coming from individual cable/dsl
modems, but I had no idea...
http://www.spamhaus.org/SBL/sbl.lasso?query=SBL12495

http://groups.google.com/groups?scoring=dq=atriks.com+group:*abuse*

Fritz

Frederick P. Squib, Jr.
Network Operations/Mail Administrator
Citizens Telephone Company of Kecksburg
http://www.wpa.net
()  ascii ribbon campaign - against html mail
/\                        - against microsoft attachments

 



---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.
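
Added example (not part of the original posts, and not Declude's own code): a Python sketch of the weight arithmetic described in the message above, where a body rule scored at 28 still reaches the delete threshold after negative-weight tests are applied later. The delete weight of 20, the negative tests totalling -8, the sample bodies, case-insensitive matching and per-line summing are assumptions made for illustration.

```python
import re

# Filter lines as posted in the thread, with whitespace between the fields.
FILTER_TEXT = """\
# Green Horse Corporation (SBL12495)
BODY 28 CONTAINS /img/c.0/
BODY 28 CONTAINS /img/o.0/
BODY 28 CONTAINS /img/v.0/
"""

# Constructed values: a delete weight of 20 and later tests that subtract 8 in total.
DELETE_WEIGHT = 20
NEGATIVE_TESTS = [-5, -3]

# Constructed message bodies (203.0.113.7 is a documentation address).
SPAM_BODY = '<img src="http://203.0.113.7/img/c.0/x.gif">'
CLEAN_BODY = "Lunch at noon?"

def parse_filter(text):
    """Parse 'BODY <weight> CONTAINS <needle>' lines; skip comments and blanks."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"(\S+)\s+(-?\d+)\s+(\S+)\s+(.+)", line)
        if not m:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        scope, weight, op, needle = m.groups()
        if (scope.upper(), op.upper()) != ("BODY", "CONTAINS"):
            raise ValueError(f"line {lineno}: only BODY ... CONTAINS is modelled")
        rules.append((int(weight), needle.lower()))
    return rules

def filter_weight(rules, body):
    """Assumed model: every matching line adds its weight, case-insensitively."""
    body = body.lower()
    return sum(weight for weight, needle in rules if needle in body)

def verdict(body, rules, later_tests, delete_weight):
    """Score the custom filter first, then add the tests that run after it."""
    total = filter_weight(rules, body) + sum(later_tests)
    return total, ("DELETE" if total >= delete_weight else "DELIVER")

if __name__ == "__main__":
    strong = parse_filter(FILTER_TEXT)                     # rules at 28
    weak = parse_filter(FILTER_TEXT.replace(" 28 ", " 20 "))  # rules at the bare delete weight
    print(verdict(SPAM_BODY, strong, NEGATIVE_TESTS, DELETE_WEIGHT))
    print(verdict(SPAM_BODY, weak, NEGATIVE_TESTS, DELETE_WEIGHT))
    print(verdict(CLEAN_BODY, strong, NEGATIVE_TESTS, DELETE_WEIGHT))
```

With the rule weight set to only the delete weight, the same message falls back under the threshold once the later tests subtract their 8 points, which is the reason for padding the rule weight.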


RE: [Declude.JunkMail] Atriks - Pt.2

2004-01-06 Thread Darrell LaRock
How aggressive is SBL compared to SPEWS?  I know with SPEWS they list a lot
of adjacent net blocks of the spammers...  Does SBL employ the same tactics?

Darrell

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matthew Bramble
Sent: Tuesday, January 06, 2004 6:59 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Atriks - Pt.2

Forgive me for repeating myself on this one, but I'm a proponent of 
blocking outright on SBL.  There's a good reason for spammers to be in 
their list, and it's not some community project where anyone and 
everyone makes nominations, so it's practically flawless.

Another trick for Green Horse is the following lines in a custom filter 
somewhere:

# Green Horse Corporation (SBL12495)
BODY 28 CONTAINS /img/c.0/
BODY 28 CONTAINS /img/o.0/
BODY 28 CONTAINS /img/v.0/

This is just in case they break out into new address space.  28 is my 
delete weight plus Declude's negative weight tests (because they tend to 
get added in after custom filters and I use SKIPIFWEIGHT functionality).

Matt


Fritz Squib wrote:

Amazing, I knew that I saw a lot more spam coming from individual cable/dsl
modems, but I had no idea...

http://www.spamhaus.org/SBL/sbl.lasso?query=SBL12495

http://groups.google.com/groups?scoring=dq=atriks.com+group:*abuse*

Fritz

Frederick P. Squib, Jr.
Network Operations/Mail Administrator
Citizens Telephone Company of Kecksburg
http://www.wpa.net

()  ascii ribbon campaign - against html mail
/\                        - against microsoft attachments

  





Re: [Declude.JunkMail] Atriks - Pt.2

2004-01-06 Thread Matthew Bramble
SPEWS and SBL are two opposite extremes.  The only time that SBL will 
false positive is when they list a hosting company that primarily 
engages in providing facilities to spammers.  For the most part, these 
hosting companies are only fronts that they use to avoid being fully 
listed.  SBL doesn't ratchet up to larger blocks without proof of 
spamming from those blocks.  SPEWS tactics are more so for intimidation 
of hosting companies when they do this.  It's not that I disagree with 
intimidation of this type in general, but I wouldn't make use of it on 
my own server since my main job is to deliver good E-mail and not 
spammer intimidation.  If a block of IPs gets onto SBL, the value of 
those IPs as a mail source is greatly diminished, and any legitimate 
company would take action to fix any problems that were impacting other 
customers.  SBL will list only static sources and will go all the way 
down to a single IP on occasions.

SBL should tag about 20% to 25% of your mail volume (if you have an 
average mix of traffic), and their FP rate should be 0.01% if not better 
(people do make mistakes).  Note my rant about Topica which is listed in 
SBL.  Topica would be blocked if you did this, but Topica also operates 
a spam network and uses hundreds and hundreds of domain names.  I 
wouldn't be surprised to see them getting demographic information as 
well as valid addresses from the Topica site.  This is kind of like 
protecting your users from something they aren't aware could happen.  
Topica is also a frequent source of spam from their lists because they 
don't confirm memberships, so spammers can just opt you in.  It took me 
a while to figure out that SBL was correct on this one...but they are no 
doubt.

Maybe someone else can chime in with their opinion on SBL.  I'd be 
curious to see if anyone has ever seen a clear false positive from them.

Matt

Darrell LaRock wrote:

How aggressive is SBL compared to SPEWS?  I know with SPEWS they list a lot
of adjacent net blocks of the spammers...  Does SBL employ the same tactics?
Darrell
