RE: DKIM-Reputation list
Hi Mark, -Original Message- From: Mark Martinec [mailto:mark.martinec...@ijs.si] Sent: Thursday, August 13, 2009 8:06 PM To: users@spamassassin.apache.org Subject: Re: DKIM-Reputation list Tobias, Giampaolo, Bill, and others I'm interested too, thanks in advance I've place it on the web page: http://www.ijs.si/software/amavisd/DKIMrep.pm http://www.ijs.si/software/amavisd/effectiveTLDs.pm ...omissis... I've setup my SA installation to use your DKIMrep plugin. I first attempted putting DKIMrep.pm and effectiveTLDs.pm in my /etc/spamassassin dir, loading them with: loadplugin Mail::SpamAssassin::Plugin::DKIMrep /etc/spamassassin/DKIMrep.pm in init.pre. The DKIMrep.pm loaded fine, but then it complained that the effectiveTLDs.pm file was not in the Mail::SpamAssassin::Plugin stock dir. I had to copy it there to fix this issue. I think it wouldn't be too bad to somehow have a way to specify the full path to effectiveTLDs.pm. Besides, it seems to me that this file lists all the well-known TLDs (for a quite obscure purpose to me). Since this list may suddenly change, I would think to this file more like a config one than code... Thank you, Giampaolo Mark
Re: DKIM-Reputation list
Giampaolo, The DKIMrep.pm loaded fine, but then it complained that the effectiveTLDs.pm file was not in the Mail::SpamAssassin::Plugin stock dir. I had to copy it there to fix this issue. I think it wouldn't be too bad to somehow have a way to specify the full path to effectiveTLDs.pm. Besides, it seems to me that this file lists all the well-known TLDs (for a quite obscure purpose to me). Since this list may suddenly change, I would think to this file more like a config one than code... I know and I agree with you on all accounts, including the obscure purpose. Address the complaint to Florian Sager. There might be a newer version of his work available. Mark
Barracuda RBL in first place
http://www.sdsc.edu/~jeff/spam/cbc.html It appears from Jeff's Blacklists Compared list the Barracuda has overtaken spamhaus for the #1 position. Not sure about the accuracy of the list as compared to spamhaus but seams reasonably good to me. I don't really count apews myself since they are extremely bad, but my hostkarma list is next beating out abuseat, sorbs, and uceprotect. Thanks to everyone who is helping me with my tarbaby project to catch virus bots. http://wiki.junkemailfilter.com/index.php/Project_tarbaby Congrats to Barracuda!
Re: Barracuda RBL in first place
On Fri, 14 Aug 2009 06:30:58 -0700 Marc Perkel m...@perkel.com wrote: http://www.sdsc.edu/~jeff/spam/cbc.html It appears from Jeff's Blacklists Compared list the Barracuda has overtaken spamhaus for the #1 position. Not sure about the accuracy of the list as compared to spamhaus but seams reasonably good to me. I don't really count apews myself since they are extremely bad, but my hostkarma list is next beating out abuseat, sorbs, and uceprotect. Thanks to everyone who is helping me with my tarbaby project to catch virus bots. http://wiki.junkemailfilter.com/index.php/Project_tarbaby Congrats to Barracuda! But isn't Barracuda considered to be more aggressive than Spamhaus, so is beating Spamhaus on a BOFH metric, where blocking 0.0.0.0/32 would beat everything, much of an acheivement?
Re: Barracuda RBL in first place
On Fri, 2009-08-14 at 06:30 -0700, Marc Perkel wrote: http://www.sdsc.edu/~jeff/spam/cbc.html It appears from Jeff's Blacklists Compared list the Barracuda has overtaken spamhaus for the #1 position. Not sure about the accuracy of the list as compared to spamhaus but seams reasonably good to me. I don't really count apews myself since they are extremely bad, but my hostkarma list is next beating out abuseat, sorbs, and uceprotect. Thanks to everyone who is helping me with my tarbaby project to catch virus bots. http://wiki.junkemailfilter.com/index.php/Project_tarbaby Congrats to Barracuda! I suspect that they, in Barracuda 'time honoured tradition' are stealing Spamhaus data and cobbling it with their own. They sure as hell got caught out using CBL data last year. As far a Barracuda 'lists' are concerned I'm far more interested in the BARRACUDA WHITELIST and, the baby 'pay to spam' emailreg.org they have cobbled into their boxes. Plenty of Barracuda customers have the Barracuda 'Reputation' list set to 'Quarantine' because they feel it lacks accuracy. I won't go on about how doing this forces a Barracuda to struggle everyone knows that they are rubbish. And just to be clear - yes, former Barracuda Support Staff. I walked away {you could not dream up how the place is run}. MY CHOICE - NOT THEIRS.
Re: Barracuda RBL in first place
RW wrote: But isn't Barracuda considered to be more aggressive than Spamhaus, so is beating Spamhaus on a BOFH metric, where blocking 0.0.0.0/32 would beat everything, much of an acheivement? my rbl beats everyone. please find ONE spammer's ipv4 address that isn't listed in blocked.secnap.net (oh, before you use it, google about what its listing criteria is) -- Michael Scheidell, CTO Phone: 561-999-5000, x 1259 *| *SECNAP Network Security Corporation * Certified SNORT Integrator * 2008-9 Hot Company Award Winner, World Executive Alliance * Five-Star Partner Program 2009, VARBusiness * Best Anti-Spam Product 2008, Network Products Guide * King of Spam Filters, SC Magazine 2008 _ This email has been scanned and certified safe by SpammerTrap(r). For Information please see http://www.spammertrap.com _
Re: Barracuda RBL in first place
Marc Perkel wrote: http://www.sdsc.edu/~jeff/spam/cbc.html It appears from Jeff's Blacklists Compared list the Barracuda has overtaken spamhaus for the #1 position. Not sure about the accuracy of the list as compared to spamhaus but seams reasonably good to me. I don't really count apews myself since they are extremely bad, but my hostkarma list is next beating out abuseat, sorbs, and uceprotect. Thanks to everyone who is helping me with my tarbaby project to catch virus bots. http://wiki.junkemailfilter.com/index.php/Project_tarbaby Congrats to Barracuda! The comparisons on that page are useless. What matters is list policy, reliability and reputation. SpamHaus is hands down the best dnsbl. I used to be extremely distrustful of SpamCop, but they seem to be a lot more reliable than they used to be and in my list they would come second. Barracuda is way down the list because of its poor reputation, and when I tested it last it seemed to generate a fair few false positives. I still let spamassassin use it for a small score value though. Hostkarmas whitelist hits on a lot of spam, so that makes me generally distrustful of the quality of the contents of all of the hostkarma lists. I still use them sensibly in my own SpamAssassin configuration though for applying low scores. -- Mike Cardwell - IT Consultant and LAMP developer Cardwell IT Ltd. (UK Reg'd Company #06920226) http://cardwellit.com/
Re: Barracuda RBL in first place
On Aug 14, 2009, at 10:13 AM, Mike Cardwell wrote: The comparisons on that page are useless. What matters is list policy, reliability and reputation. SpamHaus is hands down the best dnsbl. While I certainly agree that SpamHaus is very good, I would argue that Invalument is currently better. It certainly stops a lot more spam here and I think false positives are still extremely low. -- RANKRULE NAME COUNT %OFMAIL %OFSPAM %OFHAM -- 1 URIBL_INVALUEMENT 2702947.58 85.130.60 2 RCVD_IN_INVALUEMENT 2611645.81 82.260.22 3 HTML_MESSAGE2518479.83 79.32 80.48 4 BAYES_992344541.09 73.840.12 5 RCVD_IN_INVALUEMENT24 2329040.85 73.350.18 6 URIBL_BLACK 2237239.49 70.460.74 7 RCVD_IN_JMF_BL 1684530.70 53.062.74 8 URIBL_JP_SURBL 1596227.99 50.270.12 9 DKIM_SIGNED 1213737.32 38.23 36.18 10 DKIM_VERIFIED 1105133.93 34.81 32.84 Chris - Chris Owen - Garden City (620) 275-1900 - Lottery (noun): President - Wichita (316) 858-3000 -A stupidity tax Hubris Communications Inc www.hubris.net -
Re: Barracuda RBL in first place
On 14-Aug-2009, at 09:03, Michael Scheidell wrote: my rbl beats everyone. It IS very effective at stopping spam. In fact, it stops 100% of spam. But it's sorta like the world's greatest ftp site (ftp://127.0.0.1/) which has awesome stuff, but it's all stuff I already have -- I said pretend you've got no money, she just laughed and said, 'Eh you're so funny.' I said, 'Yeah? Well I can't see anyone else smiling in here.'
Re: Barracuda RBL in first place
On Fri, 2009-08-14 at 16:13 +0100, Mike Cardwell wrote: Marc Perkel wrote: http://www.sdsc.edu/~jeff/spam/cbc.html It appears from Jeff's Blacklists Compared list the Barracuda has overtaken spamhaus for the #1 position. Not sure about the accuracy of the list as compared to spamhaus but seams reasonably good to me. I don't really count apews myself since they are extremely bad, but my hostkarma list is next beating out abuseat, sorbs, and uceprotect. Thanks to everyone who is helping me with my tarbaby project to catch virus bots. http://wiki.junkemailfilter.com/index.php/Project_tarbaby Congrats to Barracuda! The comparisons on that page are useless. What matters is list policy, reliability and reputation. SpamHaus is hands down the best dnsbl. I used to be extremely distrustful of SpamCop, but they seem to be a lot more reliable than they used to be and in my list they would come second. Barracuda is way down the list because of its poor reputation, and when I tested it last it seemed to generate a fair few false positives. I still let spamassassin use it for a small score value though. Hostkarmas whitelist hits on a lot of spam, so that makes me generally distrustful of the quality of the contents of all of the hostkarma lists. I still use them sensibly in my own SpamAssassin configuration though for applying low scores. The final thought I had on this is the Barracuda List is OT. It's not used in SA and I hope it never will be. The only SA connection is that Barracuda use SA in their appliances. The false positive/accuracy is a subject raised time and time again with the Barracuda List. As for a listing policy I can only say it appears to be the work of Mickey Mouse. I recall the UK T2, Adam Light, trying to run through their evidence database to tell a 'spammer' why he was listed, only to find they actually had no evidence at all from the IP concerned. Once you cobble this with the listing of Name Servers and the IP's for the A records of newly registered domains (they seem to make up 'policy' as they go along) it really is all a bit unreliable IMHO. The reasons they want to big it up is because, as Barracuda's Steve Paeo said words similar to The circle of increasing returns ... the more people we can get to use it, the better our data becomes, so the more people want to use it. Easy fix, don't use it
Re: Barracuda RBL in first place
On Fri, 2009-08-14 at 09:28 -0600, LuKreme wrote: On 14-Aug-2009, at 09:03, Michael Scheidell wrote: my rbl beats everyone. It IS very effective at stopping spam. In fact, it stops 100% of spam. But it's sorta like the world's greatest ftp site (ftp://127.0.0.1/) which has awesome stuff, but it's all stuff I already have Now that *is* funny :-) Made my weekend. I've not laughed so much since I added a low priority mx pointing to 127.0.0.1 .
Re: Barracuda RBL in first place
rich...@buzzhost.co.uk wrote: I've not laughed so much since I added a low priority mx pointing to 127.0.0.1 . Heh. Looks like someone got there before me: http://rfc-ignorant.org/tools/lookup.php?domain=buzzhost.co.uk -- Mike Cardwell - IT Consultant and LAMP developer Cardwell IT Ltd. (UK Reg'd Company #06920226) http://cardwellit.com/
Bad performance of Bayes with MySQL cluster
Hi All, I'm running spamassassin 3.2.5 on RHEL 5.3 x86_64. We have three boxes, and all three of them are sharing the same bayes DB using a MySQL cluster, version 7.0.6 (based on 5.1.34). The cluster has 2 datanodes with a quadcore and 4 GB of memory. Everything is working fine, even the AWL in SQL, except for Bayes. The bayes database currently houses a bit less than 500k tokens and the database size is not very big either, as the datanodes have less than 1 GB of storage in use. I've followed the instructions from the Spamassassin wiki, and I also used the supplied bayes_mysql.sql file to create my tables. In case anyone is interested, you can find the cluster.ini and the my.cnf used on the SQL nodes here: http://www.wcborstel.com/web/mysql/my.cnf http://www.wcborstel.com/web/mysql/cluster.ini I've been doing quite a bit of research and so on. First I thought it were the settings of my cluster, as I knew there was a lot to be tuned. Things like query cache sizes, thread cache, table cache, specific NDB settings et cetera. Unfortunately that didn't have seemed to help. I came to the conclusion that the bayes table was simply too heavily used. I have scantimes of 30-200+ seconds with bayes enabled, while I have scantimes under 8 seconds when disabling bayes. Now the problem at the first glance seems to be, from my perspective (please correct me if I'm wrong), the actual queries being done. For every mail being scanned by spamassassin, it seems to be doing the SELECT RPAD(token, 5, ' '), spam_count, ham_count, atime FROM bayes_token query every time. This effectively requesting the entire bayes_token table, which can take up to 10-20 seconds. Now one would think that this is a nice canidate to cache. I would agree, unfortunately the MySQL query cache is not very efficient here, seeing as the atime of a token is being updated continuously. In other words, the cache is pretty much invalid most of the time. My Qcache hits is also very low (I noticed 8k inserts with about 250 cache hits). It seems that the query cache is either not suitable for this or I am doing something majorly wrong :) Here is how I came to my findings. Note I removed some SELECT RPAD rows to avoid spammyness (they show essentially the same as the other rows anyway): mysql show processlist\G *** 1. row *** Id: 1 User: system user Host: db: Command: Daemon Time: 0 State: Waiting for event from ndbcluster Info: NULL FROM bayes_token *** 3. row *** Id: 1464 User: bayes Host: :::1.2.3.4:57082 db: spamd Command: Query Time: 13 State: Sending data Info: SELECT RPAD(token, 5, ' '), spam_count, ham_count, atime FROM bayes_token *** 5. row *** Id: 1479 User: bayes Host: :::1.2.3.4:57133 db: spamd Command: Query Time: 24 State: Searching rows for update Info: UPDATE bayes_token SET atime = '1250259027' WHERE id = '3' AND token IN ('e?5?U','?;?6','?e?F?','? *** 8. row *** Id: 1485 User: bayes Host: :::1.2.3.4:57148 db: spamd Command: Query Time: 18 State: Sending data Info: SELECT RPAD(token, 5, ' '), spam_count, ham_count, atime FROM bayes_token *** 9. row *** Id: 1487 User: bayes Host: :::1.2.3.4:57155 db: spamd Command: Query Time: 18 State: Sending data Info: SELECT RPAD(token, 5, ' '), spam_count, ham_count, atime FROM bayes_token 12 rows in set (0.00 sec) As you can see, row #9 has been executing for 18 seconds already. I was first playing around with trying to create some additional indexes, but I've seen a couple of SELECT queries where the indexes where actually used and that was pretty quick. Now I am by far not a MySQL guru, so again, if anyone has any info in regards to creating additional indexes I would love to hear them. Currently I don't have any indexes other than those provided by the bayes_mysql.sql file. Currently I'm running my mail servers without bayes where they are performing fine. Does anyone have any recommendations or experiences with this? Or perhaps is there more information needed? Also will adding more memory to my datanodes solve anything? Thanks a lot for any feedback. Best regards, Jorn Argelo __ Information from ESET NOD32 Antivirus, version of virus signature database 4336 (20090814) __ The message was checked by ESET NOD32 Antivirus. http://www.eset.com
Re: Barracuda RBL in first place
On Fri, 2009-08-14 at 18:33 +0100, Mike Cardwell wrote: rich...@buzzhost.co.uk wrote: I've not laughed so much since I added a low priority mx pointing to 127.0.0.1 . Heh. Looks like someone got there before me: http://rfc-ignorant.org/tools/lookup.php?domain=buzzhost.co.uk That's terrible news, I really *won't* sleep this weekend LOL. If that domain were being used being on the rfc-ignorant 'list' would really matter so much :-)
Re: dear friend rule helps block whitehouse spam.
On Fri, 14 Aug 2009 17:15:10 -0400 Michael Scheidell scheid...@secnap.net wrote: being curious, and no one complaining (yet) about the notorious whitehouse spam, I decided to go looking for it in our database. (references: http://www.tigerdroppings.com/rant/messagetopic.asp?p=14637388 http://forums.hannity.com/showthread.php?t=1595811 http://oddcitizen.com/?p=124 or just google for 'whitehouse spam' I couldn't find a single serious link about this on Google, just further oddball bloggers and forum posters, many of whom admitted that they had previously emailed the Whitehouse. Do you have a serious question about SpamAssassin, or are you just trying to make a political point? If it's the latter I'd suggest you take it elsewhere.
Re: Barracuda RBL in first place
Mike Cardwell wrote: Marc Perkel wrote: http://www.sdsc.edu/~jeff/spam/cbc.html It appears from Jeff's Blacklists Compared list the Barracuda has overtaken spamhaus for the #1 position. Not sure about the accuracy of the list as compared to spamhaus but seams reasonably good to me. I don't really count apews myself since they are extremely bad, but my hostkarma list is next beating out abuseat, sorbs, and uceprotect. Thanks to everyone who is helping me with my tarbaby project to catch virus bots. http://wiki.junkemailfilter.com/index.php/Project_tarbaby Congrats to Barracuda! The comparisons on that page are useless. What matters is list policy, reliability and reputation. SpamHaus is hands down the best dnsbl. I used to be extremely distrustful of SpamCop, but they seem to be a lot more reliable than they used to be and in my list they would come second. Barracuda is way down the list because of its poor reputation, and when I tested it last it seemed to generate a fair few false positives. I still let spamassassin use it for a small score value though. Hostkarmas whitelist hits on a lot of spam, so that makes me generally distrustful of the quality of the contents of all of the hostkarma lists. I still use them sensibly in my own SpamAssassin configuration though for applying low scores. I've been cleaning up my white list lately. It's hard getting it right. However - I admit that wrongly listed white lists are a lower priority than whongly blacklisted.
Re: Barracuda RBL in first place
rich...@buzzhost.co.uk wrote: On Fri, 2009-08-14 at 06:30 -0700, Marc Perkel wrote: http://www.sdsc.edu/~jeff/spam/cbc.html It appears from Jeff's Blacklists Compared list the Barracuda has overtaken spamhaus for the #1 position. Not sure about the accuracy of the list as compared to spamhaus but seams reasonably good to me. I don't really count apews myself since they are extremely bad, but my hostkarma list is next beating out abuseat, sorbs, and uceprotect. Thanks to everyone who is helping me with my tarbaby project to catch virus bots. http://wiki.junkemailfilter.com/index.php/Project_tarbaby Congrats to Barracuda! I suspect that they, in Barracuda 'time honoured tradition' are stealing Spamhaus data and cobbling it with their own. They sure as hell got caught out using CBL data last year. As far a Barracuda 'lists' are concerned I'm far more interested in the BARRACUDA WHITELIST and, the baby 'pay to spam' emailreg.org they have cobbled into their boxes. Plenty of Barracuda customers have the Barracuda 'Reputation' list set to 'Quarantine' because they feel it lacks accuracy. I won't go on about how doing this forces a Barracuda to struggle everyone knows that they are rubbish. And just to be clear - yes, former Barracuda Support Staff. I walked away {you could not dream up how the place is run}. MY CHOICE - NOT THEIRS. My experience is that the barracuda lists are reasonably good. A few FP but not a lot. And if they are exceeding spamhaus then even if they were stealing their lists they are adding a lot of data spamhaus doesn't have. I'm just wondering what they are doing new. A few weeks ago I was beating them. Granted Jeff's list isn't exactly a scientific process but it's te only one out there.
Re: Barracuda RBL in first place
On Fri, Aug 14, 2009 at 11:24 AM, Chris Owenow...@hubris.net wrote: On Aug 14, 2009, at 10:13 AM, Mike Cardwell wrote: The comparisons on that page are useless. What matters is list policy, reliability and reputation. SpamHaus is hands down the best dnsbl. While I certainly agree that SpamHaus is very good, I would argue that Invalument is currently better. It certainly stops a lot more spam here and I think false positives are still extremely low. Invaluement lists are also the top performers at my site: Total messages: 273235355 Total blocked: 227710956 83.34% Unknown user 32.00% (32.00%)87427696 Greylisted 24.88% (16.92%)46225401 Throttled 11.03% (5.64%) 15399444 Relay access denied 0.01% (0.00%) 7034 Bogus DNS (Broadcast) 0.01% (0.00%)11692 Bogus DNS (RFC 1918 space) 0.07% (0.03%)82135 Spoofed Address 0.26% (0.12%) 319551 Unclassified Event 0.77% (0.35%) 949388 Temporary Local Problem 0.01% (0.00%) 8165 Require FQDN sender address 0.04% (0.02%)51022 Require FQDN for HELO hostname 8.97% (4.02%) 10988455 Require DNS for sender's domain 0.78% (0.32%) 870643 Require Reverse DNS 23.83% (9.65%) 26372877 Require DNS for HELO hostname 0.20% (0.06%) 165157 The Spamhaus Block List 21.87% (6.74%) 18405091 The Invaluement SIP Block List 22.14% (5.33%) 14557404 The SIP/24 Block List 3.84% (0.72%) 1965510 The Barracuda Reputation Block List 3.89% (0.70%) 1915628 (several RBLs not widely used snipped) We have several hundred domains and each can use it's own filtering options, so not all RBLs/checks are used on all mail. Checks are listed in order applied, so a message dropped by unknown user for instance is never seen by greylisted. Invalument lists block over 25% of all messages that make it past all the checks in front of them, including Spamhaus. That's massive. Barracuda is not used by a majority of clients and is used after the others, so the low number is not an indication of poor performance. I've actually had pretty good luck with it. -Aaron -- RANK RULE NAME COUNT %OFMAIL %OFSPAM %OFHAM -- 1 URIBL_INVALUEMENT 27029 47.58 85.13 0.60 2 RCVD_IN_INVALUEMENT 26116 45.81 82.26 0.22 3 HTML_MESSAGE 25184 79.83 79.32 80.48 4 BAYES_99 23445 41.09 73.84 0.12 5 RCVD_IN_INVALUEMENT24 23290 40.85 73.35 0.18 6 URIBL_BLACK 22372 39.49 70.46 0.74 7 RCVD_IN_JMF_BL 16845 30.70 53.06 2.74 8 URIBL_JP_SURBL 15962 27.99 50.27 0.12 9 DKIM_SIGNED 12137 37.32 38.23 36.18 10 DKIM_VERIFIED 11051 33.93 34.81 32.84 Chris - Chris Owen - Garden City (620) 275-1900 - Lottery (noun): President - Wichita (316) 858-3000 - A stupidity tax Hubris Communications Inc www.hubris.net -
Re: Barracuda RBL in first place
On 14-Aug-2009, at 18:44, Aaron Wolfe wrote: The Spamhaus Block List 21.87% (6.74%) 18405091 The Invaluement SIP Block List 22.14% (5.33%) 14557404 What would be interesting is the XOR on these two. I also don't understand what the percentage number in parenthesis is. -- Q how do you titillate an ocelot? A you oscillate its tit a lot.
Re: giftcardsurveys.us.com
On Thu, 13 Aug 2009, Johnson, S wrote: When I put in the email address of the user that was being sent these survey offers for gift cards I got a message stating please allow 10 days for removal which makes me think they are not legit. That's not necessarily the case. One legitimate reason for claiming a delay like that is if a marketing promotion is already underway materials may already be in the pipeline. Granted, that's more true of physical mail than email, but the procedures in place for electronic marketing may have the same latency. It doesn't automatically mean they're lying about unsubscribing you as quickly as they practically can. However, I agree it's annoying. -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- Your mouse has moved. Your Windows Operating System must be relicensed due to this hardware change. Please contact Microsoft to obtain a new activation key. If this hardware change results in added functionality you may be subject to additional license fees. Your system will now shut down. Thank you for choosing Microsoft. --- Tomorrow: the 64th anniversary of the end of World War II
Re: Barracuda RBL in first place
On Fri, Aug 14, 2009 at 9:39 PM, LuKremekrem...@kreme.com wrote: On 14-Aug-2009, at 18:44, Aaron Wolfe wrote: The Spamhaus Block List 21.87% (6.74%) 18405091 The Invaluement SIP Block List 22.14% (5.33%) 14557404 What would be interesting is the XOR on these two. well, you have half of it, as any hit shown here by invaluement was missed by spamhaus. I can't give you the data for other cases because it's a short circuit - 550 type of thing. Maybe someone else uses both these as scoring instead of block and can provide the stats on overlap? I know Rob's original intent with the Invalument lists was to augment Spamhaus rather than replace it. If this is still the case, I wouldn't be surprised if XOR is mostly true. I also don't understand what the percentage number in parenthesis is. its the percent of hits vs all messages, including the ones the check never got to see. not particularly useful. -- Q how do you titillate an ocelot? A you oscillate its tit a lot.
Re: Barracuda RBL in first place
Aaron Wolfe wrote: On Fri, Aug 14, 2009 at 11:24 AM, Chris Owenow...@hubris.net wrote: On Aug 14, 2009, at 10:13 AM, Mike Cardwell wrote: The comparisons on that page are useless. What matters is list policy, reliability and reputation. SpamHaus is hands down the best dnsbl. While I certainly agree that SpamHaus is very good, I would argue that Invalument is currently better. It certainly stops a lot more spam here and I think false positives are still extremely low. Invaluement lists are also the top performers at my site: Total messages: 273235355 Total blocked: 227710956 83.34% Unknown user 32.00% (32.00%)87427696 Greylisted 24.88% (16.92%)46225401 Throttled 11.03% (5.64%) 15399444 Relay access denied 0.01% (0.00%) 7034 Bogus DNS (Broadcast) 0.01% (0.00%)11692 Bogus DNS (RFC 1918 space) 0.07% (0.03%)82135 Spoofed Address 0.26% (0.12%) 319551 Unclassified Event 0.77% (0.35%) 949388 Temporary Local Problem 0.01% (0.00%) 8165 Require FQDN sender address 0.04% (0.02%)51022 Require FQDN for HELO hostname 8.97% (4.02%) 10988455 Require DNS for sender's domain 0.78% (0.32%) 870643 Require Reverse DNS 23.83% (9.65%) 26372877 Require DNS for HELO hostname 0.20% (0.06%) 165157 The Spamhaus Block List 21.87% (6.74%) 18405091 The Invaluement SIP Block List 22.14% (5.33%) 14557404 The SIP/24 Block List 3.84% (0.72%) 1965510 The Barracuda Reputation Block List 3.89% (0.70%) 1915628 (several RBLs not widely used snipped) We have several hundred domains and each can use it's own filtering options, so not all RBLs/checks are used on all mail. Checks are listed in order applied, so a message dropped by "unknown user" for instance is never seen by "greylisted". Invalument lists block over 25% of all messages that make it past all the checks in front of them, including Spamhaus. That's massive. Barracuda is not used by a majority of clients and is used after the others, so the low number is not an indication of poor performance. I've actually had pretty good luck with it. -Aaron -- RANK RULE NAMECOUNT %OFMAIL %OFSPAM %OFHAM -- 1 URIBL_INVALUEMENT27029 47.58 85.13 0.60 2 RCVD_IN_INVALUEMENT 26116 45.81 82.26 0.22 3 HTML_MESSAGE 25184 79.83 79.32 80.48 4 BAYES_9923445 41.09 73.84 0.12 5 RCVD_IN_INVALUEMENT24 23290 40.85 73.35 0.18 6 URIBL_BLACK 22372 39.49 70.46 0.74 7 RCVD_IN_JMF_BL 16845 30.70 53.06 2.74 8 URIBL_JP_SURBL 15962 27.99 50.27 0.12 9 DKIM_SIGNED 12137 37.32 38.23 36.18 10 DKIM_VERIFIED 11051 33.93 34.81 32.84 Chris - Chris Owen - Garden City (620) 275-1900 - Lottery (noun): President - Wichita (316) 858-3000 - A stupidity tax Hubris Communications Inc www.hubris.net - Yep Invalument is a good list. But there's no public option to compare it.
Re: Barracuda RBL in first place
On Fri, 2009-08-14 at 16:56 -0700, Marc Perkel wrote: My experience is that the barracuda lists are reasonably good. A few FP but not a lot. I get more FP's with Barracuda than I do UCE Protect - which is rather funny given the slating UCE Protect get. And if they are exceeding spamhaus then even if they were stealing their lists they are adding a lot of data spamhaus doesn't have. A simple collection of stats yourself will show you just how 'good' the Barracuda list is *not*; This from a simple honeypot domain that sees around a 1000 connections a day (so it's a very small sample size). You'll see that Barracuda caught 172 messages, but it still left 14 behind that Spamhaus got. After those two are done, a further 163 were missed by both of them: BLOCKED DNSBL 349 BBL BARRACUDA 172 ZEN SPAMHAUS 14 UCE PROTECT 1 23 UCE PROTECT 2 31 UCE PROTECT 30 [UCE PT TOTAL 54] SORBS SPAM0 SORBS EXPLOIT3 UCE SPAMCOP 52 UCE SPAMCANIBAL1 UCE NOMOREFUN 47 INTERNAL LIST6 list of those slipping through all RBL's or caught internally: Aug 14 08:26:50 IP:8.19.138.12 HELO:top3.topcore.co.uk HOSTNAME:top3.topcore.co.uk Aug 14 08:52:10 IP:8.19.138.23 HELO:cd3.createdirect.co.uk HOSTNAME:cd3.createdirect.co.uk Aug 14 09:12:48 IP:8.19.138.15 HELO:inn15.innovatenow.co.uk HOSTNAME:inn15.innovatenow.co.uk Aug 14 09:31:57 IP:8.19.138.18 HELO:info2.infotide.co.uk HOSTNAME:info2.infotide.co.uk Aug 14 10:58:27 IP:8.19.138.12 HELO:top3.topcore.co.uk HOSTNAME:top3.topcore.co.uk Aug 14 15:13:25 IP:213.83.66.177 HELO:cluster-c.mailcontroller.altohiway.com HOSTNAME:clusterc.mailcontroller.co.uk ~ Naturally, I would like to run a collector on a bigger scale, but it is taking some time to get more traffic in. Granted Jeff's list isn't exactly a scientific process but it's te only one out there. But it does not make it reliable in any context. Barracuda are good at B/S and they use lists like this, NANAE and other 'carefully selected' groups to spin in - when the reality is rather different. I'm not interested in the 172 messages they caught on my box, or the 14 that Spamhaus caught. I'm interested in the 163 they missed and *why* they missed them.