Re: DNSBL Comparison 20091114
On Mon, 16 Nov 2009, rich...@buzzhost.co.uk wrote:

> safe. BRBL has a high hit rate as well, with a moderate safety rating.

Wondered why I wasn't getting anything from mysql.com for over a week, BRBL has them listed :)

--
Res

"What does Windows have that Linux doesn't?" - One hell of a lot of bugs!
Re: balancechecker.zip balancechecker.exe
On Mon, 2009-11-16 at 00:07 +0100, Ralph Bornefeld-Ettmann wrote:
> rich...@buzzhost.co.uk wrote:
> > Is anyone else seeing an influx of spam with a zip attachment
> > balancechecker.zip?
> >
> > This contains a windows executable, balancechecker.exe, which appears to
> > be testing clean with clam and others.
> >
> > I'm inclined to think it's *not* clean and is viral.
> >
> > EXAMPLE
> > http://pastebin.com/m730f90e9
>
> I really do not think it is clean. It really sounds like a typical bogus
> mail.
>
> see also here :
> http://www.sophos.com/blogs/gc/g/2009/11/13/email-vodafone-limit-credit-balance-beware/

It is now starting to get picked up and I can see that it was reported at totalvirus on Friday. Yesterday it was passing many checkers as clean, including CLAMAV - which by its free nature - finds its way into many gateway scanners. This morning, however, is a different tale:

balancechecker.exe: Trojan.Zbot-6437 FOUND

--- SCAN SUMMARY ---
Known viruses: 649889
Engine version: 0.95.3
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.02 MB
Data read: 0.02 MB (ratio 1.00:1)
Time: 2.682 sec (0 m 2 s)
Re: DNSBL Comparison 20091114
On Sun, 2009-11-15 at 20:34 +, Justin Mason wrote:
> On Sun, Nov 15, 2009 at 08:53, rich...@buzzhost.co.uk wrote:
> > On Sun, 2009-11-15 at 03:14 -0500, Warren Togami wrote:
> >> http://mail-archives.apache.org/mod_mbox/spamassassin-users/200910.mbox/%3c4ad11c44.9030...@redhat.com%3e
> >> Compare this report to a similar report last month.
> >>
> >> http://wiki.apache.org/spamassassin/NightlyMassCheck
> >> The results below are only as good as the data submitted by nightly
> >> masscheck volunteers. Please join us in nightly masschecks to increase
> >> the sample size of the corpora so we can have greater confidence in
> >> the nightly statistics.
> >>
> >> http://ruleqa.spamassassin.org/20091114-r836144-n
> >> Spam 131399 messages from 18 users
> >> Ham 189948 messages from 18 users
> >>
> >> DNSBL lastexternal by Safety
> >>
> >> SPAM%     HAM%     RANK  RULE
> >> 12.8342%  0.0021%  0.94  RCVD_IN_PSBL *
> >> 12.3053%  0.0026%  0.94  RCVD_IN_XBL
> >> 31.2499%  0.0827%  0.87  RCVD_IN_ANBREP_BL *2
> >> 80.2578%  0.1485%  0.86  RCVD_IN_PBL
> >> 27.1836%  0.1985%  0.79  RCVD_IN_SORBS_DUL
> >> 19.8213%  0.1785%  0.79  RCVD_IN_SEMBLACK *
> >> 90.9360%  0.3854%  0.77  RCVD_IN_BRBL_LASTEXT
> >> 13.0564%  0.4838%  0.67  RCVD_IN_HOSTKARMA_BL *
> >>
> >> Commentary:
> >> * PSBL and XBL lead in apparent safety.
> >> * ANBREP was added after the October report and has made a surprisingly
> >> strong showing in this past month. ANBREP is currently unavailable to
> >> the general public. The list owner is thinking about going public with
> >> the list, which I would encourage because they are clearly doing
> >> something right. It seems he would need a global network of automated
> >> mirrors to be able to scale. He would also need listing/delisting
> >> policy clearly stated on a web page somewhere.
> >> * SEMBLACK consistently has been performing adequately in safety while
> >> catching a respectable amount of spam. I personally use this
> >> non-default blacklist.
> >> * It is clear that the two main blacklists are Spamhaus and BRBL. The
> >> Zen combination of Spamhaus zones is extremely effective and generally
> >> safe. BRBL has a high hit rate as well, with a moderate safety rating.
> >> * HOSTKARMA_BL ranks dead last in safety for the past several weeks in a
> >> row, while not being more effective against spam than PSBL, XBL or
> >> SEMBLACK.
> >>
> >> ===
> >> HOSTKARMA_BL much better as URIBL
> >> ===
> >> SPAM%     HAM%     RANK  RULE
> >> 68.3651%  0.2806%  0.79  URIBL_HOSTKARMA_BL *
> >>
> >> Commentary:
> >> While HOSTKARMA_BL is pretty unsafe as a plain DNSBL, it is surprisingly
> >> effective as a URIBL. This is curious as it seems it was not designed
> >> to be used as a URIBL. In any case as long as our masschecks show good
> >> statistics like this, I will personally use this on my own spamassassin
> >> server.
> >>
> >> =
> >> SPAMCOP Dangerous?
> >> =
> >> SPAM%     HAM%     RANK  RULE
> >> 17.4225%  2.6076%  0.56  RCVD_IN_BL_SPAMCOP_NET *
> >>
> >> Commentary:
> >> Is Spamcop seriously this bad? It consistently has shown high false
> >> positive rates in these past weeks. Was it safer than this in the past
> >> to warrant the current high score in spamassassin-3.2.5?
> >>
> >> Warren Togami
> >> wtog...@redhat.com
> >
> > Is it not a bit flawed to do the metrics on volunteer submissions, given
> > the Spamhaus has is said to have a small army of them? It means the data
> > cannot be relied upon as any kind of sensible comparison.
>
> please explain. How would you suggest measuring false positives?
>

Do you think that volunteer submissions are an accurate way to do them, or do you think that is open to abuse? For example, say I am Steve Linford with a small army of volunteers. I get a few false positives come in from Spamhaus, and a few from SORBS. What is my inclination when I submit the data?

It takes only a small amount of research and a trawl through the NANAE archives to get a handle on the problem, and the general abuse and nefarious goings on with DNSBL volunteers. It is fair to say that there is not much love lost. I'm not pretending I have the answers, so it's probably better to take these lists with a large bucket of salt and find how any given DNSBL list works for a given organisation. In a world where presidents and world leaders in America, Zimbabwe and Afghanistan get 'elected' on tainted data, some random RBL 'comparison' list is trivial by comparison. It must, however, be duly remembered that there are many competing 'sides' in the world of the DNSBL's, each looking to do the other discredit. Perhaps Jim, as you posed the question - you have some strong feelings on the matter that you would like to share?
Re: balancechecker.zip balancechecker.exe
rich...@buzzhost.co.uk wrote:
> Is anyone else seeing an influx of spam with a zip attachment balancechecker.zip?
>
> This contains a windows executable, balancechecker.exe, which appears to be testing clean with clam and others.
>
> I'm inclined to think it's *not* clean and is viral.
>
> EXAMPLE
> http://pastebin.com/m730f90e9

I really do not think it is clean. It really sounds like a typical bogus mail.

see also here :
http://www.sophos.com/blogs/gc/g/2009/11/13/email-vodafone-limit-credit-balance-beware/
Re: DNSBL Comparison 20091114
On 11/15/2009 03:36 PM, Justin Mason wrote:
>> SPAM%     HAM%     RANK  RULE
>> 12.8342%  0.0021%  0.94  RCVD_IN_PSBL *
>> 12.3053%  0.0026%  0.94  RCVD_IN_XBL
>> 31.2499%  0.0827%  0.87  RCVD_IN_ANBREP_BL *2
>> 80.2578%  0.1485%  0.86  RCVD_IN_PBL
>> 27.1836%  0.1985%  0.79  RCVD_IN_SORBS_DUL
>> 19.8213%  0.1785%  0.79  RCVD_IN_SEMBLACK *
>> 90.9360%  0.3854%  0.77  RCVD_IN_BRBL_LASTEXT
>> 13.0564%  0.4838%  0.67  RCVD_IN_HOSTKARMA_BL *
>
> hi Warren -- any chance you could post the S/O ratios? RANK is a bit
> "unportable", as it depends on other rules in the ruleset at the time
> the measurement takes place.
>
> --j.

I intentionally posted only RANK because it seems to be most influenced by safety, which is the goal of this particular comparison.

Warren
Re: Good reasons to dont use RBLs
Luis Daniel Lucio Quiroz wrote:
> Hi all,
>
> Again me, Well, in the security scope i use a principle that states that you shouldn't use a lower layer solution to fix a higher one. So SPAM is a Layer 7 problem that is used to fixed with a Layer 3 solution (RBL).
>
> I'd like a brainstorm to convince that a RBL solution is not the best stopping SPAM, and we should look for L7 solution such as Bayes.

SA has no effect on L3

--
Arvid
Asgaard Technologies
Re: DNSBL Comparison 20091114
> SPAM%     HAM%     RANK  RULE
> 12.8342%  0.0021%  0.94  RCVD_IN_PSBL *
> 12.3053%  0.0026%  0.94  RCVD_IN_XBL
> 31.2499%  0.0827%  0.87  RCVD_IN_ANBREP_BL *2
> 80.2578%  0.1485%  0.86  RCVD_IN_PBL
> 27.1836%  0.1985%  0.79  RCVD_IN_SORBS_DUL
> 19.8213%  0.1785%  0.79  RCVD_IN_SEMBLACK *
> 90.9360%  0.3854%  0.77  RCVD_IN_BRBL_LASTEXT
> 13.0564%  0.4838%  0.67  RCVD_IN_HOSTKARMA_BL *

hi Warren -- any chance you could post the S/O ratios? RANK is a bit "unportable", as it depends on other rules in the ruleset at the time the measurement takes place.

--j.
Re: DNSBL Comparison 20091114
On Sun, Nov 15, 2009 at 08:53, rich...@buzzhost.co.uk wrote:
> On Sun, 2009-11-15 at 03:14 -0500, Warren Togami wrote:
>> http://mail-archives.apache.org/mod_mbox/spamassassin-users/200910.mbox/%3c4ad11c44.9030...@redhat.com%3e
>> Compare this report to a similar report last month.
>>
>> http://wiki.apache.org/spamassassin/NightlyMassCheck
>> The results below are only as good as the data submitted by nightly
>> masscheck volunteers. Please join us in nightly masschecks to increase
>> the sample size of the corpora so we can have greater confidence in
>> the nightly statistics.
>>
>> http://ruleqa.spamassassin.org/20091114-r836144-n
>> Spam 131399 messages from 18 users
>> Ham 189948 messages from 18 users
>>
>> DNSBL lastexternal by Safety
>>
>> SPAM%     HAM%     RANK  RULE
>> 12.8342%  0.0021%  0.94  RCVD_IN_PSBL *
>> 12.3053%  0.0026%  0.94  RCVD_IN_XBL
>> 31.2499%  0.0827%  0.87  RCVD_IN_ANBREP_BL *2
>> 80.2578%  0.1485%  0.86  RCVD_IN_PBL
>> 27.1836%  0.1985%  0.79  RCVD_IN_SORBS_DUL
>> 19.8213%  0.1785%  0.79  RCVD_IN_SEMBLACK *
>> 90.9360%  0.3854%  0.77  RCVD_IN_BRBL_LASTEXT
>> 13.0564%  0.4838%  0.67  RCVD_IN_HOSTKARMA_BL *
>>
>> Commentary:
>> * PSBL and XBL lead in apparent safety.
>> * ANBREP was added after the October report and has made a surprisingly
>> strong showing in this past month. ANBREP is currently unavailable to
>> the general public. The list owner is thinking about going public with
>> the list, which I would encourage because they are clearly doing
>> something right. It seems he would need a global network of automated
>> mirrors to be able to scale. He would also need listing/delisting
>> policy clearly stated on a web page somewhere.
>> * SEMBLACK consistently has been performing adequately in safety while
>> catching a respectable amount of spam. I personally use this
>> non-default blacklist.
>> * It is clear that the two main blacklists are Spamhaus and BRBL. The
>> Zen combination of Spamhaus zones is extremely effective and generally
>> safe. BRBL has a high hit rate as well, with a moderate safety rating.
>> * HOSTKARMA_BL ranks dead last in safety for the past several weeks in a
>> row, while not being more effective against spam than PSBL, XBL or SEMBLACK.
>>
>> ===
>> HOSTKARMA_BL much better as URIBL
>> ===
>> SPAM%     HAM%     RANK  RULE
>> 68.3651%  0.2806%  0.79  URIBL_HOSTKARMA_BL *
>>
>> Commentary:
>> While HOSTKARMA_BL is pretty unsafe as a plain DNSBL, it is surprisingly
>> effective as a URIBL. This is curious as it seems it was not designed
>> to be used as a URIBL. In any case as long as our masschecks show good
>> statistics like this, I will personally use this on my own spamassassin
>> server.
>>
>> =
>> SPAMCOP Dangerous?
>> =
>> SPAM%     HAM%     RANK  RULE
>> 17.4225%  2.6076%  0.56  RCVD_IN_BL_SPAMCOP_NET *
>>
>> Commentary:
>> Is Spamcop seriously this bad? It consistently has shown high false
>> positive rates in these past weeks. Was it safer than this in the past
>> to warrant the current high score in spamassassin-3.2.5?
>>
>> Warren Togami
>> wtog...@redhat.com
>
> Is it not a bit flawed to do the metrics on volunteer submissions, given
> the Spamhaus has is said to have a small army of them? It means the data
> cannot be relied upon as any kind of sensible comparison.

please explain. How would you suggest measuring false positives?

--
--j.
Re: balancechecker.zip balancechecker.exe
On Sun 15 Nov 2009 18:47:49 CET, "rich...@buzzhost.co.uk" wrote
> http://pastebin.com/m730f90e9

winnow.malware.8163

--
xpoint
Re: Cluster/Clone spamassassin node
* ewreg :
>
> >We use cfengine to install, configure software and also to check for
> >compliance.
>
> As I see, I can install software over the cfengine. But can I make mirror
> with cfengine? I would like to clone some local files to all n-servers. I
> think it can't be done with the help of this software.

AFAIK you can't. It's a one server to n clients rollout strategy. But there's an enormous number of alternatives starting from rsync to cluster filesystem solutions as others already have pointed out.

Another concept may be to have the clients load their config from a database. You can't load everything this way, but it may suffice. It depends on your setup. You may want to let us in on the details and we may be of better help.

p...@rick

--
state of mind
Digitale Kommunikation
http://www.state-of-mind.de
Franziskanerstraße 15    Telefon +49 89 3090 4664
81669 München            Telefax +49 89 3090 4666
Amtsgericht München      Partnerschaftsregister PR 563
balancechecker.zip balancechecker.exe
Is anyone else seeing an influx of spam with a zip attachment balancechecker.zip?

This contains a windows executable, balancechecker.exe, which appears to be testing clean with clam and others.

I'm inclined to think it's *not* clean and is viral.

EXAMPLE
http://pastebin.com/m730f90e9
Re: DNSBL Comparison 20091114
On 11/15/2009 11:00 AM, Marc Perkel wrote:
> Warren Togami wrote:
>> http://mail-archives.apache.org/mod_mbox/spamassassin-users/200910.mbox/%3c4ad11c44.9030...@redhat.com%3e
>> Compare this report to a similar report last month.
>>
>> http://wiki.apache.org/spamassassin/NightlyMassCheck
>> The results below are only as good as the data submitted by nightly
>> masscheck volunteers. Please join us in nightly masschecks to increase
>> the sample size of the corpora so we can have greater confidence in
>> the nightly statistics.
>>
>> http://ruleqa.spamassassin.org/20091114-r836144-n
>> Spam 131399 messages from 18 users
>> Ham 189948 messages from 18 users
>>
>> DNSBL lastexternal by Safety
>>
>> SPAM%     HAM%     RANK  RULE
>> 12.8342%  0.0021%  0.94  RCVD_IN_PSBL *
>> 12.3053%  0.0026%  0.94  RCVD_IN_XBL
>> 31.2499%  0.0827%  0.87  RCVD_IN_ANBREP_BL *2
>> 80.2578%  0.1485%  0.86  RCVD_IN_PBL
>> 27.1836%  0.1985%  0.79  RCVD_IN_SORBS_DUL
>> 19.8213%  0.1785%  0.79  RCVD_IN_SEMBLACK *
>> 90.9360%  0.3854%  0.77  RCVD_IN_BRBL_LASTEXT
>> 13.0564%  0.4838%  0.67  RCVD_IN_HOSTKARMA_BL *
>>
>> Commentary:
>> * PSBL and XBL lead in apparent safety.
>> * ANBREP was added after the October report and has made a surprisingly
>> strong showing in this past month. ANBREP is currently unavailable to
>> the general public. The list owner is thinking about going public with
>> the list, which I would encourage because they are clearly doing
>> something right. It seems he would need a global network of automated
>> mirrors to be able to scale. He would also need listing/delisting
>> policy clearly stated on a web page somewhere.
>> * SEMBLACK consistently has been performing adequately in safety while
>> catching a respectable amount of spam. I personally use this
>> non-default blacklist.
>> * It is clear that the two main blacklists are Spamhaus and BRBL. The
>> Zen combination of Spamhaus zones is extremely effective and generally
>> safe. BRBL has a high hit rate as well, with a moderate safety rating.
>> * HOSTKARMA_BL ranks dead last in safety for the past several weeks in a
>> row, while not being more effective against spam than PSBL, XBL or
>> SEMBLACK.
>>
>> ===
>> HOSTKARMA_BL much better as URIBL
>> ===
>> SPAM%     HAM%     RANK  RULE
>> 68.3651%  0.2806%  0.79  URIBL_HOSTKARMA_BL *
>>
>> Commentary:
>> While HOSTKARMA_BL is pretty unsafe as a plain DNSBL, it is surprisingly
>> effective as a URIBL. This is curious as it seems it was not designed
>> to be used as a URIBL. In any case as long as our masschecks show good
>> statistics like this, I will personally use this on my own spamassassin
>> server.
>>
>> =
>> SPAMCOP Dangerous?
>> =
>> SPAM%     HAM%     RANK  RULE
>> 17.4225%  2.6076%  0.56  RCVD_IN_BL_SPAMCOP_NET *
>>
>> Commentary:
>> Is Spamcop seriously this bad? It consistently has shown high false
>> positive rates in these past weeks. Was it safer than this in the past
>> to warrant the current high score in spamassassin-3.2.5?
>>
>> Warren Togami
>> wtog...@redhat.com
>
> All I can say is that if your results were typical then we would be out of business. Your results are inconsistent with two other comparison lists.
>
> http://www.intra2net.com/en/support/antispam/blacklist.php_dnsbl=RCVD_IN_JMF_BL.html

http://ruleqa.spamassassin.org/20091114-r836144-n
http://www.intra2net.com/en/support/antispam/index.php
Both of these sites show roughly similar FP rates. Both sites show nearly 0% PSBL and ~0.5% HOSTKARMA.

> http://www.sdsc.edu/~jeff/spam/cbc.html

This page says nothing about FP's.

> I also doubt we are as good of a URIBL as your results indicate. I'm thinking we got lucky on your test somehow. Although behind the scenes we do feed a lot of data to other RBL people so maybe it's related somehow.

It seems that your list was not meant to be a URIBL, (it isn't documented as such) but Henrik suggested adding that testing rule to our weekly masschecks. The URIBL results have been pretty consistent for weeks now. Yes, perhaps this is luck.

Warren
Re: Cluster/Clone spamassassin node
ewreg wrote:
>> We use cfengine to install, configure software and also to check for
>> compliance.
>
> As I see, I can install software over the cfengine. But can I make mirror
> with cfengine? I would like to clone some local files to all n-servers. I
> think it can't be done with the help of this software.

rsync? unison? glusterfs? gfs over drbd? A nas with NFS/CIFS mounts? DropBox? s3fs? There are a million ways to share files between multiple servers.

--
Mike Cardwell - IT Consultant and LAMP developer
Cardwell IT Ltd. (UK Reg'd Company #06920226) http://cardwellit.com/
Technical Blog: https://secure.grepular.com/blog/
Re: Cluster/Clone spamassassin node
>We use cfengine to install, configure software and also to check for
>compliance.

As I see, I can install software over the cfengine. But can I make mirror with cfengine? I would like to clone some local files to all n-servers. I think it can't be done with the help of this software.

TiA,
E.
Re: DNSBL Comparison 20091114
Warren Togami wrote:
> http://mail-archives.apache.org/mod_mbox/spamassassin-users/200910.mbox/%3c4ad11c44.9030...@redhat.com%3e
> Compare this report to a similar report last month.
>
> http://wiki.apache.org/spamassassin/NightlyMassCheck
> The results below are only as good as the data submitted by nightly
> masscheck volunteers. Please join us in nightly masschecks to increase
> the sample size of the corpora so we can have greater confidence in
> the nightly statistics.
>
> http://ruleqa.spamassassin.org/20091114-r836144-n
> Spam 131399 messages from 18 users
> Ham 189948 messages from 18 users
>
> DNSBL lastexternal by Safety
>
> SPAM%     HAM%     RANK  RULE
> 12.8342%  0.0021%  0.94  RCVD_IN_PSBL *
> 12.3053%  0.0026%  0.94  RCVD_IN_XBL
> 31.2499%  0.0827%  0.87  RCVD_IN_ANBREP_BL *2
> 80.2578%  0.1485%  0.86  RCVD_IN_PBL
> 27.1836%  0.1985%  0.79  RCVD_IN_SORBS_DUL
> 19.8213%  0.1785%  0.79  RCVD_IN_SEMBLACK *
> 90.9360%  0.3854%  0.77  RCVD_IN_BRBL_LASTEXT
> 13.0564%  0.4838%  0.67  RCVD_IN_HOSTKARMA_BL *
>
> Commentary:
> * PSBL and XBL lead in apparent safety.
> * ANBREP was added after the October report and has made a surprisingly
> strong showing in this past month. ANBREP is currently unavailable to
> the general public. The list owner is thinking about going public with
> the list, which I would encourage because they are clearly doing
> something right. It seems he would need a global network of automated
> mirrors to be able to scale. He would also need listing/delisting
> policy clearly stated on a web page somewhere.
> * SEMBLACK consistently has been performing adequately in safety while
> catching a respectable amount of spam. I personally use this
> non-default blacklist.
> * It is clear that the two main blacklists are Spamhaus and BRBL. The
> Zen combination of Spamhaus zones is extremely effective and generally
> safe. BRBL has a high hit rate as well, with a moderate safety rating.
> * HOSTKARMA_BL ranks dead last in safety for the past several weeks in a
> row, while not being more effective against spam than PSBL, XBL or
> SEMBLACK.
>
> ===
> HOSTKARMA_BL much better as URIBL
> ===
> SPAM%     HAM%     RANK  RULE
> 68.3651%  0.2806%  0.79  URIBL_HOSTKARMA_BL *
>
> Commentary:
> While HOSTKARMA_BL is pretty unsafe as a plain DNSBL, it is surprisingly
> effective as a URIBL. This is curious as it seems it was not designed
> to be used as a URIBL. In any case as long as our masschecks show good
> statistics like this, I will personally use this on my own spamassassin
> server.
>
> =
> SPAMCOP Dangerous?
> =
> SPAM%     HAM%     RANK  RULE
> 17.4225%  2.6076%  0.56  RCVD_IN_BL_SPAMCOP_NET *
>
> Commentary:
> Is Spamcop seriously this bad? It consistently has shown high false
> positive rates in these past weeks. Was it safer than this in the past
> to warrant the current high score in spamassassin-3.2.5?
>
> Warren Togami
> wtog...@redhat.com

All I can say is that if your results were typical then we would be out of business. Your results are inconsistent with two other comparison lists.

http://www.intra2net.com/en/support/antispam/blacklist.php_dnsbl=RCVD_IN_JMF_BL.html
http://www.sdsc.edu/~jeff/spam/cbc.html

Additionally results vary depending on where you get your spam from and if the people spamming you are also spamming us. One of the ways we improve results is if someone is using our list then they should also add tarbaby.junkemailfilter.com as their highest MX record because that way the list can pick up those who are spamming you and tune itself to add your spam to our list.

I also doubt we are as good of a URIBL as your results indicate. I'm thinking we got lucky on your test somehow. Although behind the scenes we do feed a lot of data to other RBL people so maybe it's related somehow.

Not to discredit your fine work. All results are interesting. Understanding the results is often the tricky part.
Re: Cluster/Clone spamassassin node
* ewreg :
>
> Good morning,
>
> I am preparing env with more than 10 node of spamassassin machine. I am
> wondering what kind of software do you use to clone OS and Spamassassin
> application to the other machine. I am gonna use Debian, I find FAI but it
> won't migrate SA database. So it isn't the best choice.

We use cfengine to install, configure software and also to check for compliance.

As for databases I recommend using a SQL backend and have the SQL servers in some sort of HA master-slave setup.

p...@rick

--
state of mind
Digitale Kommunikation
http://www.state-of-mind.de
Franziskanerstraße 15    Telefon +49 89 3090 4664
81669 München            Telefax +49 89 3090 4666
Amtsgericht München      Partnerschaftsregister PR 563
Cluster/Clone spamassassin node
Good morning,

I am preparing env with more than 10 node of spamassassin machine. I am wondering what kind of software do you use to clone OS and Spamassassin application to the other machine. I am gonna use Debian, I find FAI but it won't migrate SA database. So it isn't the best choice.

What is your experience?

Best regards,
E.
Re: DNSBL Comparison 20091114
On Sun, Nov 15, 2009 at 10:08:45AM +0100, Raymond Dijkxhoorn wrote:
>>> ===
>>> HOSTKARMA_BL much better as URIBL
>>> ===
>>> SPAM%     HAM%     RANK  RULE
>>> 68.3651%  0.2806%  0.79  URIBL_HOSTKARMA_BL *
>
> How do you check return values? There is a lot inside. If you 'just' use
> the default response you get back any spam listed on a freemail platform
> and so on. Is there no legitimate mail from those platforms? I tend to
> say, yeah right. But for the fairly limited test set it could be the
> case.

I tried reading this several times, but I'm still not sure what you are getting at.

http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/wtogami/20_bug_6212_hostkarma.cf?view=markup

Personally URIBL_HOSTKARMA_FRESH_2D is working great here with 0.99 S/O. But as we know, hostkarma results might fluctuate from time to time given its nature.

Anyways, it's a fact that SA mass checks can't measure things accurately, since not everyone uses the REUSE mass check feature. Checking weeks old corpuses against live BLs isn't exactly good science. And things like FRESH_2D are impossible to rate that way.
Re: DNSBL Comparison 20091114
Hi!

> 27.1836%  0.1985%  0.79  RCVD_IN_SORBS_DUL
> 19.8213%  0.1785%  0.79  RCVD_IN_SEMBLACK *
> 90.9360%  0.3854%  0.77  RCVD_IN_BRBL_LASTEXT
> 13.0564%  0.4838%  0.67  RCVD_IN_HOSTKARMA_BL *

> * It is clear that the two main blacklists are Spamhaus and BRBL. The Zen combination of Spamhaus zones is extremely effective and generally safe. BRBL has a high hit rate as well, with a moderate safety rating.

That's moderate? That you lose 1 legitimate mail over ~ 3000 mails if you start blocking with it ? I think the FP rating should be much much lower and like BRBL they should check and cleanout FP's before it will be taken anything close to serious.

> ===
> HOSTKARMA_BL much better as URIBL
> ===
> SPAM%     HAM%     RANK  RULE
> 68.3651%  0.2806%  0.79  URIBL_HOSTKARMA_BL *

How do you check return values? There is a lot inside. If you 'just' use the default response you get back any spam listed on a freemail platform and so on. Is there no legitimate mail from those platforms? I tend to say, yeah right. But for the fairly limited test set it could be the case. You have to know what's inside to do proper suggestions. If it works for you, sure, will it work for others. If you care about your inbox I would not jump to these conclusions just now. Just my 2 cents.

And yes, Spamcop is doing a bad job (As BL) nowadays, I would not even consider rejecting on MTA with that one. Use it to score, but don't use it to reject. That time is long gone. User reports do have disadvantages ;)

Bye,
Raymond.
Re: Good reasons to dont use RBLs
Luis Daniel Lucio Quiroz wrote:
> Hi all,
>
> Again me, Well, in the security scope i use a principle that states that you
> shouldn't use a lower layer solution to fix a higher one. So SPAM is a Layer 7
> problem that is used to fixed with a Layer 3 solution (RBL).
>
> I'd like a brainstorm to convince that a RBL solution is not the best stopping
> SPAM, and we should look for L7 solution such as Bayes.
>

If someone tries to guess a working login:pass on your server and does this a thousand times in a short period, you will still let him continue because passwords are L7 and the IP address is at L3?

If you want to talk about principles, then "defence in depth" suggests using all your levels to block attacks.

In short, segment your zones, your diagrams, your reports, but do not segment your defences. When you hear "divide and conquer", divide the problem, not your army. You still want to coordinate your defences so as to increase their efficiency.

Besides, spam is at Layer PI (3.1415) ;-p
Re: DNSBL Comparison 20091114
On Sun, 2009-11-15 at 03:14 -0500, Warren Togami wrote:
> http://mail-archives.apache.org/mod_mbox/spamassassin-users/200910.mbox/%3c4ad11c44.9030...@redhat.com%3e
> Compare this report to a similar report last month.
>
> http://wiki.apache.org/spamassassin/NightlyMassCheck
> The results below are only as good as the data submitted by nightly
> masscheck volunteers. Please join us in nightly masschecks to increase
> the sample size of the corpora so we can have greater confidence in
> the nightly statistics.
>
> http://ruleqa.spamassassin.org/20091114-r836144-n
> Spam 131399 messages from 18 users
> Ham 189948 messages from 18 users
>
> DNSBL lastexternal by Safety
>
> SPAM%     HAM%     RANK  RULE
> 12.8342%  0.0021%  0.94  RCVD_IN_PSBL *
> 12.3053%  0.0026%  0.94  RCVD_IN_XBL
> 31.2499%  0.0827%  0.87  RCVD_IN_ANBREP_BL *2
> 80.2578%  0.1485%  0.86  RCVD_IN_PBL
> 27.1836%  0.1985%  0.79  RCVD_IN_SORBS_DUL
> 19.8213%  0.1785%  0.79  RCVD_IN_SEMBLACK *
> 90.9360%  0.3854%  0.77  RCVD_IN_BRBL_LASTEXT
> 13.0564%  0.4838%  0.67  RCVD_IN_HOSTKARMA_BL *
>
> Commentary:
> * PSBL and XBL lead in apparent safety.
> * ANBREP was added after the October report and has made a surprisingly
> strong showing in this past month. ANBREP is currently unavailable to
> the general public. The list owner is thinking about going public with
> the list, which I would encourage because they are clearly doing
> something right. It seems he would need a global network of automated
> mirrors to be able to scale. He would also need listing/delisting
> policy clearly stated on a web page somewhere.
> * SEMBLACK consistently has been performing adequately in safety while
> catching a respectable amount of spam. I personally use this
> non-default blacklist.
> * It is clear that the two main blacklists are Spamhaus and BRBL. The
> Zen combination of Spamhaus zones is extremely effective and generally
> safe. BRBL has a high hit rate as well, with a moderate safety rating.
> * HOSTKARMA_BL ranks dead last in safety for the past several weeks in a
> row, while not being more effective against spam than PSBL, XBL or SEMBLACK.
>
> ===
> HOSTKARMA_BL much better as URIBL
> ===
> SPAM%     HAM%     RANK  RULE
> 68.3651%  0.2806%  0.79  URIBL_HOSTKARMA_BL *
>
> Commentary:
> While HOSTKARMA_BL is pretty unsafe as a plain DNSBL, it is surprisingly
> effective as a URIBL. This is curious as it seems it was not designed
> to be used as a URIBL. In any case as long as our masschecks show good
> statistics like this, I will personally use this on my own spamassassin
> server.
>
> =
> SPAMCOP Dangerous?
> =
> SPAM%     HAM%     RANK  RULE
> 17.4225%  2.6076%  0.56  RCVD_IN_BL_SPAMCOP_NET *
>
> Commentary:
> Is Spamcop seriously this bad? It consistently has shown high false
> positive rates in these past weeks. Was it safer than this in the past
> to warrant the current high score in spamassassin-3.2.5?
>
> Warren Togami
> wtog...@redhat.com

Is it not a bit flawed to do the metrics on volunteer submissions, given the Spamhaus has is said to have a small army of them? It means the data cannot be relied upon as any kind of sensible comparison.
DNSBL Comparison 20091114
http://mail-archives.apache.org/mod_mbox/spamassassin-users/200910.mbox/%3c4ad11c44.9030...@redhat.com%3e
Compare this report to a similar report last month.

http://wiki.apache.org/spamassassin/NightlyMassCheck
The results below are only as good as the data submitted by nightly masscheck volunteers. Please join us in nightly masschecks to increase the sample size of the corpora so we can have greater confidence in the nightly statistics.

http://ruleqa.spamassassin.org/20091114-r836144-n
Spam 131399 messages from 18 users
Ham 189948 messages from 18 users

DNSBL lastexternal by Safety

SPAM%     HAM%     RANK  RULE
12.8342%  0.0021%  0.94  RCVD_IN_PSBL *
12.3053%  0.0026%  0.94  RCVD_IN_XBL
31.2499%  0.0827%  0.87  RCVD_IN_ANBREP_BL *2
80.2578%  0.1485%  0.86  RCVD_IN_PBL
27.1836%  0.1985%  0.79  RCVD_IN_SORBS_DUL
19.8213%  0.1785%  0.79  RCVD_IN_SEMBLACK *
90.9360%  0.3854%  0.77  RCVD_IN_BRBL_LASTEXT
13.0564%  0.4838%  0.67  RCVD_IN_HOSTKARMA_BL *

Commentary:
* PSBL and XBL lead in apparent safety.
* ANBREP was added after the October report and has made a surprisingly strong showing in this past month. ANBREP is currently unavailable to the general public. The list owner is thinking about going public with the list, which I would encourage because they are clearly doing something right. It seems he would need a global network of automated mirrors to be able to scale. He would also need listing/delisting policy clearly stated on a web page somewhere.
* SEMBLACK consistently has been performing adequately in safety while catching a respectable amount of spam. I personally use this non-default blacklist.
* It is clear that the two main blacklists are Spamhaus and BRBL. The Zen combination of Spamhaus zones is extremely effective and generally safe. BRBL has a high hit rate as well, with a moderate safety rating.
* HOSTKARMA_BL ranks dead last in safety for the past several weeks in a row, while not being more effective against spam than PSBL, XBL or SEMBLACK.

===
HOSTKARMA_BL much better as URIBL
===
SPAM%     HAM%     RANK  RULE
68.3651%  0.2806%  0.79  URIBL_HOSTKARMA_BL *

Commentary:
While HOSTKARMA_BL is pretty unsafe as a plain DNSBL, it is surprisingly effective as a URIBL. This is curious as it seems it was not designed to be used as a URIBL. In any case as long as our masschecks show good statistics like this, I will personally use this on my own spamassassin server.

=
SPAMCOP Dangerous?
=
SPAM%     HAM%     RANK  RULE
17.4225%  2.6076%  0.56  RCVD_IN_BL_SPAMCOP_NET *

Commentary:
Is Spamcop seriously this bad? It consistently has shown high false positive rates in these past weeks. Was it safer than this in the past to warrant the current high score in spamassassin-3.2.5?

Warren Togami
wtog...@redhat.com
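
The S/O ratio asked for elsewhere in this thread can be derived from the report's own SPAM% and HAM% columns. The following is an added example, not code from any poster or from SpamAssassin; it assumes S/O = SPAM% / (SPAM% + HAM%), and the names `RuleStats`, `parse_report` and `by_so` are hypothetical.

```python
import math
import re
from dataclasses import dataclass

# Corpus sizes and rows copied from the 20091114 report in this thread.
SPAM_TOTAL = 131399
HAM_TOTAL = 189948
REPORT = """\
SPAM%     HAM%     RANK  RULE
12.8342%  0.0021%  0.94  RCVD_IN_PSBL *
12.3053%  0.0026%  0.94  RCVD_IN_XBL
31.2499%  0.0827%  0.87  RCVD_IN_ANBREP_BL *2
80.2578%  0.1485%  0.86  RCVD_IN_PBL
27.1836%  0.1985%  0.79  RCVD_IN_SORBS_DUL
19.8213%  0.1785%  0.79  RCVD_IN_SEMBLACK *
90.9360%  0.3854%  0.77  RCVD_IN_BRBL_LASTEXT
13.0564%  0.4838%  0.67  RCVD_IN_HOSTKARMA_BL *
68.3651%  0.2806%  0.79  URIBL_HOSTKARMA_BL *
17.4225%  2.6076%  0.56  RCVD_IN_BL_SPAMCOP_NET *
"""

# A data row is "<spam>% <ham>% <rank> <RULE>"; leading '>' quote markers
# are tolerated so rows quoted in replies parse as well.
ROW = re.compile(
    r"^[>\s]*(\d+(?:\.\d+)?)%\s+(\d+(?:\.\d+)?)%\s+(\d+(?:\.\d+)?)\s+(\w+)"
)


@dataclass(frozen=True)
class RuleStats:
    rule: str
    spam_pct: float
    ham_pct: float
    rank: float

    def so_ratio(self):
        """Assumed definition: SPAM% / (SPAM% + HAM%); None if the rule never hit."""
        total = self.spam_pct + self.ham_pct
        return self.spam_pct / total if total > 0 else None

    def est_spam_hits(self, spam_total=SPAM_TOTAL):
        """Approximate spam messages hit (the report's percentages are rounded)."""
        return round(spam_total * self.spam_pct / 100)

    def est_ham_hits(self, ham_total=HAM_TOTAL):
        """Approximate ham messages hit, i.e. false positives in this corpus."""
        return round(ham_total * self.ham_pct / 100)

    def ham_per_false_positive(self):
        """Average ham messages per one ham hit; infinity if there were none."""
        return 100 / self.ham_pct if self.ham_pct > 0 else math.inf


def parse_report(text):
    """Parse report rows, skipping headers, separators and commentary."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        spam, ham, rank, rule = m.groups()
        rows.append(RuleStats(rule, float(spam), float(ham), float(rank)))
    return rows


def by_so(rows):
    """Rules sorted by S/O, best first; rules with no hits at all go last."""
    return sorted(rows, key=lambda r: (r.so_ratio() is None, -(r.so_ratio() or 0)))


if __name__ == "__main__":
    for r in by_so(parse_report(REPORT)):
        so = r.so_ratio()
        so_text = "n/a" if so is None else f"{so:.4f}"
        print(f"{r.rule:26s} S/O={so_text} RANK={r.rank:.2f} "
              f"spam hits~{r.est_spam_hits():6d} ham hits~{r.est_ham_hits():5d} "
              f"(1 in {r.ham_per_false_positive():,.0f} ham)")
```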