Re: Barracuda RBL in first place

2009-08-18 Thread rich...@buzzhost.co.uk
On Wed, 2009-08-19 at 01:06 +0200, mouss wrote:
...
> in short, whatever jeff says, spamhaus is the one. the fundamental
> concept is not "how many spam it blocks", but "how much do I trust it".
> 
Exactly!




Re: Barracuda RBL in first place

2009-08-18 Thread mouss
Marc Perkel a écrit :
> http://www.sdsc.edu/~jeff/spam/cbc.html
> 
> It appears from Jeff's Blacklists Compared list the Barracuda has
> overtaken spamhaus for the #1 position. Not sure about the accuracy of
> the list as compared to spamhaus but seems reasonably good to me. I
> don't really count apews myself since they are extremely bad, but my
> hostkarma list is next beating out abuseat, sorbs, and uceprotect.
> 
> Thanks to everyone who is helping me with my tarbaby project to catch
> virus bots.
> 
> http://wiki.junkemailfilter.com/index.php/Project_tarbaby
> 
> Congrats to Barracuda!
> 
> 
> 

The deadly difference is: trust. I have never noticed a zen FP. I have
found barracuda FPs few days after I started testing it. and the first
FP I found suggests they use(d?) some automatic filter-then-list
procedure, which is a fundamentally borked approach: the host in
question does relay spam, because it is a forwarder, that recipients
(such as myself) chose to use. so listing it based on content filtering
or on stupid user "hit this is spam button" may be good for a score
based filtering strategy, but isn't good for smtp time rejection.

in short, whatever jeff says, spamhaus is the one. the fundamental
concept is not "how many spam it blocks", but "how much do I trust it".

note that since few days,
reject_non_fqdn_sender
rejects a lot of transactions (and shows many bot-clients to block).



Re: Barracuda RBL in first place

2009-08-18 Thread rich...@buzzhost.co.uk
On Tue, 2009-08-18 at 20:02 +0100, Ned Slider wrote:
> LuKreme wrote:
> > On 17-Aug-2009, at 04:24, Ned Slider wrote:
> >> Question - in Postfix do "user unknown" rejections still incur a dns 
> >> RBL lookup, or does the rejection occur before reject_rbl_client?
> > 
> > 
> > HELO/EHLO rejections do not reach RBL, and neither do unknown, as long 
> > as you specify the right order in the smtpd_recipient_restrictions 
> > settings. These should be 'cheapest to most expensive' which means RBLs 
> > should be last.
> > 
> > The order IS important on the restrictions.
> > 
> 
> Indeed, but rejecting unknown local recipients isn't a function of 
> smtpd_*_restrictions. From my observations, it would appear that 
> rejecting unknown local recipients occurs after smtpd_*_restrictions, 
> and thus after any RBL lookups.
> 
> Checking my logs appears to confirm this, where I see spamhaus 
> rejections for mail with an "unknown" local envelope_to address.
> 
> For example:
> 
> Aug 18 14:55:32 Quad postfix/smtpd[12739]: NOQUEUE: reject: RCPT from 
> unknown[77.31.23.91]: 554 5.7.1 Service unavailable; Client host 
> [77.31.23.91] blocked using zen.spamhaus.org; 
> http://www.spamhaus.org/query/bl?ip=77.31.23.91; 
> from= to= proto=ESMTP 
> helo=<77.31.23.91.dynamic.saudi.net.sa>
> 
> where tej875 certainly isn't a known or valid address at that domain.
> 
> 
Depends *where* you put the restriction. If it's sitting in
smtpd_recipient_restrictions, then it will resolve the recipient first
(so any recipient level maps can bite). If you don't require this
behaviour the rbl restriction could be placed in a different restriction
section, for example: smtpd_client_restrictions. 



Re: Barracuda RBL in first place

2009-08-18 Thread Ned Slider

LuKreme wrote:
> On 17-Aug-2009, at 04:24, Ned Slider wrote:
>> Question - in Postfix do "user unknown" rejections still incur a dns
>> RBL lookup, or does the rejection occur before reject_rbl_client?
>
> HELO/EHLO rejections do not reach RBL, and neither do unknown, as long
> as you specify the right order in the smtpd_recipient_restrictions
> settings. These should be 'cheapest to most expensive' which means RBLs
> should be last.
>
> The order IS important on the restrictions.



Indeed, but rejecting unknown local recipients isn't a function of 
smtpd_*_restrictions. From my observations, it would appear that 
rejecting unknown local recipients occurs after smtpd_*_restrictions, 
and thus after any RBL lookups.


Checking my logs appears to confirm this, where I see spamhaus 
rejections for mail with an "unknown" local envelope_to address.


For example:

Aug 18 14:55:32 Quad postfix/smtpd[12739]: NOQUEUE: reject: RCPT from 
unknown[77.31.23.91]: 554 5.7.1 Service unavailable; Client host 
[77.31.23.91] blocked using zen.spamhaus.org; 
http://www.spamhaus.org/query/bl?ip=77.31.23.91; 
from= to= proto=ESMTP 
helo=<77.31.23.91.dynamic.saudi.net.sa>


where tej875 certainly isn't a known or valid address at that domain.




Re: Barracuda RBL in first place

2009-08-18 Thread LuKreme

On 17-Aug-2009, at 06:38, d.h...@yournetplus.com wrote:

> Nope. Only one query to the local spamhaus zone is performed:
>
> http://www.postfix.org/STRESS_README.html#hangup



Oooo, NICE. I'm implementing that right now.

--
Lister: What d'ya think of Betty? Cat: Betty Rubble? Well, I would
go with Betty... but I'd be thinking of Wilma. Lister: This is
crazy. Why are we talking about going to bed with Wilma
Flintstone? Cat: You're right. We're nuts. This is an insane
conversation. Lister: She'll never leave Fred, and we know it.



Re: Barracuda RBL in first place

2009-08-18 Thread LuKreme

On 17-Aug-2009, at 04:24, Ned Slider wrote:
> Question - in Postfix do "user unknown" rejections still incur a dns
> RBL lookup, or does the rejection occur before reject_rbl_client?



HELO/EHLO rejections do not reach RBL, and neither do unknown, as long  
as you specify the right order in the smtpd_recipient_restrictions  
settings. These should be 'cheapest to most expensive' which means  
RBLs should be last.


The order IS important on the restrictions.

--
Do not meddle in the affairs of wizards for they are subtle and
quick to anger.



Re: Barracuda RBL in first place

2009-08-17 Thread Rob McEwen
Michael Hutchinson wrote:
> So perhaps instead of adding another RBL, maybe some admins need to
> consider adding in some HELO checking / rejection.

Michael,

Your suggestions are wonderful. These techniques will block more spam,
with relatively few FPs, and their implementation doesn't require adding
DNSBLs.

But I'd like to clarify one thing. Whether intended or not, your post
*implies* that the use of such techniques removes the need to add
additional DNSBLs beyond SpamCop and Zen (or something to that effect).

I respectfully disagree for the following reasons:

(a) Your stats mention what you do catch... but don't factor in what
spam you are delivering to the mailbox, some of which may be flying
under your radar. For example, I've had some reluctantly test out the
invaluement lists... "reluctant" because they were convinced that they
were already blocking 99.9% of all spam... but then they were shocked at
how much spam the invaluement lists blocked that was previously not
blocked and unnoticed. (users tend to not complain as much about the
legit-looking spams--especially vertical market stuff in the user's
industry, even when 100% UBE). These previously-missed spams were ones
that HELO filtering techniques (of the kind you mention), and other
things like greylisting, would *not* have blocked.

(b) Some of those who posted invaluement stats on this thread earlier...
are *already* using some or all of the techniques you mentioned (and
more) *before* their filters checks sending-IP DNSBLs.

Obviously, I've personalized this... but a broader point can apply to
any DNSBL. Just because one or more spam filtering techniques are
effective doesn't necessarily make any DNSBL obsolete unless/until that
DNSBL is tested and found to _only_ block spams already blocked by those
other techniques--and assuming FPs are equal--then and only then do
particular filtering methods make a particular DNSBL obsolete.

-- 
Rob McEwen
http://dnsbl.invaluement.com/
r...@invaluement.com
+1 (478) 475-9032




Re: Barracuda RBL in first place

2009-08-17 Thread Marc Perkel






rich...@buzzhost.co.uk wrote:

> I have to agree with LuKreme, my overnight had 446 blocked prior to RBL,
> and only 387 by RBL. Again, noted that 'Barracuda' missed 43, 35 of
> these Spamhaus caught - so for me Spamhaus is still better than
> Barracuda. Also, I was sat in on a phone conference at Barracuda last
> year where the motives were made clear; "Long term we intend to charge
> for it" (OWTTE).

  


I personally think it would be a mistake if Barracuda started charging
for it. I think that as long as it's free Barracuda is generating good
will. That way they aren't seen as "The Microsoft of Spam" as some big
company that takes from the open source community and gives nothing
back. I don't think they will ever be the "Google of Spam" where most
everyone loves them but how the public feel about a company does make a
difference in sales. So if someone here gets tired of doing it
themselves they might go out and buy a Barracuda server.

I know that personally as a small fish in a big pond it works for me. I
give away a lot of stuff. But I see it as cheap advertising. And it
works.





Re: Barracuda RBL in first place

2009-08-17 Thread Benny Pedersen
On Mon, 17 Aug 2009 14:20:18 +0200, Matus UHLAR - fantomas
 wrote:
>>reject_rbl_client zen.spamhaus.local=127.0.0.10,
>>reject_rbl_client zen.spamhaus.local=127.0.0.11,
>>reject_rbl_client zen.spamhaus.local,
> [...]
> isn't this a bit superfluous? the last line should do all the job

postfix-logwatch can see the zones separate that way

but since postfix cache the first its not another dns lookup in dns, and
last its local dns

-- 
Benny Pedersen


Re: Barracuda RBL in first place

2009-08-17 Thread d . hill

Quoting Matus UHLAR - fantomas :

>> Quoting Matus UHLAR - fantomas :
>>
>>> On 17.08.09 12:07, d.h...@yournetplus.com wrote:
>>>> That all depends upon how you have Postfix configured. I have a gateway
>>>> set up here and do the RBL lookups late in the
>>>> smtpd_recipient_restrictions just before the greylist policy. I.e.:
>>>>
>>>> smtpd_recipient_restrictions =
>>> [...]
>>>>    reject_rbl_client zen.spamhaus.local=127.0.0.10,
>>>>    reject_rbl_client zen.spamhaus.local=127.0.0.11,
>>>>    reject_rbl_client zen.spamhaus.local,
>>> [...]
>>>
>>> isn't this a bit superfluous? the last line should do all the job
>
> On 17.08.09 12:38, d.h...@yournetplus.com wrote:
>> Nope. Only one query to the local spamhaus zone is performed:
>>
>> http://www.postfix.org/STRESS_README.html#hangup
>
> I am not talking about number of DNS queries made but about the fact that
> the last line does all the work for the first two, so the first two lines are
> useless...


This is way off-topic and will be my last response. It is explained in  
the link.




Re: Barracuda RBL in first place

2009-08-17 Thread Matus UHLAR - fantomas
> Quoting Matus UHLAR - fantomas :
>
>> On 17.08.09 12:07, d.h...@yournetplus.com wrote:
>>> That all depends upon how you have Postfix configured. I have a gateway
>>> set up here and do the RBL lookups late in the
>>> smtpd_recipient_restrictions just before the greylist policy. I.e.:
>>>
>>> smtpd_recipient_restrictions =
>> [...]
>>>reject_rbl_client zen.spamhaus.local=127.0.0.10,
>>>reject_rbl_client zen.spamhaus.local=127.0.0.11,
>>>reject_rbl_client zen.spamhaus.local,
>> [...]
>>
>> isn't this a bit superfluous? the last line should do all the job

On 17.08.09 12:38, d.h...@yournetplus.com wrote:
> Nope. Only one query to the local spamhaus zone is performed:
>
> http://www.postfix.org/STRESS_README.html#hangup

I am not talking about number of DNS queries made but about the fact that
the last line does all the work for the first two, so the first two lines are
useless...
-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Fucking windows! Bring Bill Gates! (Southpark the movie)


Re: Barracuda RBL in first place

2009-08-17 Thread d . hill

Quoting Matus UHLAR - fantomas :

> On 17.08.09 12:07, d.h...@yournetplus.com wrote:
>> That all depends upon how you have Postfix configured. I have a gateway
>> set up here and do the RBL lookups late in the
>> smtpd_recipient_restrictions just before the greylist policy. I.e.:
>>
>> smtpd_recipient_restrictions =
> [...]
>>    reject_rbl_client zen.spamhaus.local=127.0.0.10,
>>    reject_rbl_client zen.spamhaus.local=127.0.0.11,
>>    reject_rbl_client zen.spamhaus.local,
> [...]
>
> isn't this a bit superfluous? the last line should do all the job


Nope. Only one query to the local spamhaus zone is performed:

http://www.postfix.org/STRESS_README.html#hangup



Re: Barracuda RBL in first place

2009-08-17 Thread Matus UHLAR - fantomas
On 17.08.09 12:07, d.h...@yournetplus.com wrote:
> That all depends upon how you have Postfix configured. I have a gateway 
> set up here and do the RBL lookups late in the  
> smtpd_recipient_restrictions just before the greylist policy. I.e.:
>
> smtpd_recipient_restrictions =
[...]
>reject_rbl_client zen.spamhaus.local=127.0.0.10,
>reject_rbl_client zen.spamhaus.local=127.0.0.11,
>reject_rbl_client zen.spamhaus.local,
[...]

isn't this a bit superfluous? the last line should do all the job
-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"Two words: Windows survives." - Craig Mundie, Microsoft senior strategist
"So does syphillis. Good thing we have penicillin." - Matthew Alton


Re: Barracuda RBL in first place

2009-08-17 Thread d . hill

Quoting Ned Slider :

> LuKreme wrote:
>> On 16-Aug-2009, at 16:55, MySQL Student wrote:
>>>> So perhaps instead of adding another RBL, maybe some admins need to
>>>> consider adding in some HELO checking / rejection.
>>> Can you explain a bit more here? What are you checking for, that the
>>> host is valid?
>>
>> That gives me a 46% rejection rate just on HELO/EHLO and a 47%
>> rejection rate on unknown users.
>
> I see similar figures and would also recommend using HELO/EHLO
> restrictions. I see around a third of spam hit HELO/EHLO
> restrictions, a third hits commonly forged non-existent recipient
> addresses and a third hits zen.spamhaus.org (checks and rejections
> performed in that order).
>
> Although a dns lookup to zen.spamhaus.org probably isn't that
> expensive, I'm sure they appreciate reducing the load by two thirds
> by pre-filtering as much obvious spam as possible.
>
> Question - in Postfix do "user unknown" rejections still incur a dns
> RBL lookup, or does the rejection occur before reject_rbl_client?


That all depends upon how you have Postfix configured. I have a  
gateway set up here and do the RBL lookups late in the  
smtpd_recipient_restrictions just before the greylist policy. I.e.:


smtpd_recipient_restrictions =
   permit_mynetworks,
   reject_non_fqdn_recipient,
   reject_unauth_destination,
   reject_unverified_recipient,
   check_recipient_access cdb:/usr/local/etc/postfix/skip_filter,
   reject_rbl_client zen.spamhaus.local=127.0.0.10,
   reject_rbl_client zen.spamhaus.local=127.0.0.11,
   reject_rbl_client zen.spamhaus.local,
   reject_rbl_client bl.spamcop.net,
   check_policy_service unix:private/YnP0licy,
   permit

> Overall only a very small proportion of spam ever reaches SA -
> typically <1% of rejected mail.




Re: Barracuda RBL in first place

2009-08-17 Thread Ned Slider

LuKreme wrote:
> On 16-Aug-2009, at 16:55, MySQL Student wrote:
>>> So perhaps instead of adding another RBL, maybe some admins need to
>>> consider adding in some HELO checking / rejection.
>> Can you explain a bit more here? What are you checking for, that the
>> host is valid?
>
> That gives me a 46% rejection rate just on HELO/EHLO and a 47% rejection
> rate on unknown users.




I see similar figures and would also recommend using HELO/EHLO 
restrictions. I see around a third of spam hit HELO/EHLO restrictions, a 
third hits commonly forged non-existent recipient addresses and a third 
hits zen.spamhaus.org (checks and rejections performed in that order).


Although a dns lookup to zen.spamhaus.org probably isn't that expensive, 
I'm sure they appreciate reducing the load by two thirds by 
pre-filtering as much obvious spam as possible.


Question - in Postfix do "user unknown" rejections still incur a dns RBL 
lookup, or does the rejection occur before reject_rbl_client?


Overall only a very small proportion of spam ever reaches SA - typically 
<1% of rejected mail.




Re: Barracuda RBL in first place

2009-08-17 Thread rich...@buzzhost.co.uk
On Mon, 2009-08-17 at 00:51 -0600, LuKreme wrote:
> On 16-Aug-2009, at 16:55, MySQL Student wrote:
> >> So perhaps instead of adding another RBL, maybe some admins need to
> >> consider adding in some HELO checking / rejection.
> > Can you explain a bit more here? What are you checking for, that the
> > host is valid?
> 
> 
> 
> That gives me a 46% rejection rate just on HELO/EHLO and a 47%  
> rejection rate on unknown users.
> 
I have to agree with LuKreme, my overnight had 446 blocked prior to RBL,
and only 387 by RBL. Again, noted that 'Barracuda' missed 43, 35 of
these Spamhaus caught - so for me Spamhaus is still better than
Barracuda. Also, I was sat in on a phone conference at Barracuda last
year where the motives were made clear; "Long term we intend to charge
for it" (OWTTE).


Mon Aug 17 03:59:01 2009

          TOTAL  925
        ALLOWED   84
        BLOCKED  833

BLOCKED MESSAGE SUMMARY

      PRE DNSBL  446

         NO PTR  283
       SPOOFING  163
 RELAY ATTEMPTS    0
  BLOCKED OTHER    0
    WHITELISTED    8

  BLOCKED DNSBL  387

  BBL BARRACUDA  344
   ZEN SPAMHAUS   35
  UCE PROTECT 1    0
  UCE PROTECT 2    0
  UCE PROTECT 3    5
  [UCE PT TOTAL    5]
     SORBS SPAM    0
  SORBS EXPLOIT    0
    UCE SPAMCOP    0
UCE SPAMCANIBAL    1
  UCE NOMOREFUN    0
  INTERNAL LIST    2




Re: Barracuda RBL in first place

2009-08-16 Thread LuKreme

On 16-Aug-2009, at 16:55, MySQL Student wrote:

>> So perhaps instead of adding another RBL, maybe some admins need to
>> consider adding in some HELO checking / rejection.
> Can you explain a bit more here? What are you checking for, that the
> host is valid?




That gives me a 46% rejection rate just on HELO/EHLO and a 47%  
rejection rate on unknown users.


--
Do not meddle in the affairs of wizards for they are subtle and
quick to anger.



OT: RE: Barracuda RBL in first place

2009-08-16 Thread Michael Hutchinson
> -Original Message-
> From: MySQL Student [mailto:mysqlstud...@gmail.com]
> Sent: Monday, 17 August 2009 10:56 a.m.
> To: SpamAssassin Users List
> Subject: Re: Barracuda RBL in first place
> 
> Hi,
> 
> > So perhaps instead of adding another RBL, maybe some admins need to
> > consider adding in some HELO checking / rejection.
> 
> Can you explain a bit more here? What are you checking for, that the
> host is valid?
> 
> Thanks,
> Alex

Sure. Firstly, the server requires that a HELO command is sent to start
the SMTP session. Without that, the connection will be dropped - this in
itself drops quite a bit of Spam.
Secondly, the argument to the HELO command is checked as to whether it
is in Fully Qualified Domain form - if not, the connection is dropped.
Our clients are all setup for this to work properly.

That's it. We have an additional option: "Require resolvable hostnames"
for HELO arguments, but do not use that.

We have made 6 exceptions for hosts that do not pass the HELO argument
properly, that are out of our control, but known to our network (ie:
trusted via VPN, etc). They haven't relayed any Spam either ;)

Cheers,
Michael Hutchinson





Re: Barracuda RBL in first place

2009-08-16 Thread MySQL Student
Hi,

> So perhaps instead of adding another RBL, maybe some admins need to
> consider adding in some HELO checking / rejection.

Can you explain a bit more here? What are you checking for, that the
host is valid?

Thanks,
Alex


RE: Barracuda RBL in first place

2009-08-16 Thread d . hill

Quoting Michael Hutchinson :

> Hello All,
>
> Considering all of the interesting information that's been going around
> regarding Barracuda, and its RBLs, I probably wouldn't use it. Not any
> time soon. But that's based purely on reputation, and has nothing to do
> with hit ratio. Our Spam gateway seems to do just fine without it. We
> query 3 RBLs, which get rid of a great deal of Spam:
>
> bl.spamcop.net
> zen.spamhaus.org
> cbl.abuseat.org

You can remove cbl.abuseat.org as it is incorporated into zen.spamhaus.org.

> Everything else (Spam) gets stopped by HELO rejections, Virus Scanning,
> Recipient Rejection and Spamassassin Scanning.
>
> Mail Stats since 4th June:
> Total Messages Processed: 5281347
> RBL Rejected: 60.6 %
> HELO Rejected: 27.4 %
> Invalid Recipient Rejection: 2.8 %
> Viruses (detected by ClamAV, & Kaspersky), and other Spam detected by
> Spamassassin: 1.1 %
> Clean Messages: 8.1 %
>
> What really makes a difference is the HELO rejections - we never did
> this before 4th June, and the amount of Spam that is delivered has
> dropped so significantly since then is... quite remarkable. (at a loss
> for other words).
>
> So perhaps instead of adding another RBL, maybe some admins need to
> consider adding in some HELO checking / rejection.





RE: Barracuda RBL in first place

2009-08-16 Thread Michael Hutchinson
Hello All,

Considering all of the interesting information that's been going around
regarding Barracuda, and its RBLs, I probably wouldn't use it. Not any
time soon. But that's based purely on reputation, and has nothing to do
with hit ratio. Our Spam gateway seems to do just fine without it. We
query 3 RBLs, which get rid of a great deal of Spam:

bl.spamcop.net
zen.spamhaus.org
cbl.abuseat.org

Everything else (Spam) gets stopped by HELO rejections, Virus Scanning,
Recipient Rejection and Spamassassin Scanning. 

Mail Stats since 4th June:
Total Messages Processed: 5281347
RBL Rejected: 60.6 %
HELO Rejected: 27.4 %
Invalid Recipient Rejection: 2.8 %
Viruses (detected by ClamAV, & Kaspersky), and other Spam detected by
Spamassassin: 1.1 %
Clean Messages: 8.1 %

What really makes a difference is the HELO rejections - we never did
this before 4th June, and the amount of Spam that is delivered has
dropped so significantly since then is... quite remarkable. (at a loss
for other words).

So perhaps instead of adding another RBL, maybe some admins need to
consider adding in some HELO checking / rejection. 


Thanks and Cheers,
Michael Hutchinson



Re: Barracuda RBL in first place

2009-08-15 Thread Roger Marquis

> well, you have half of it, as any hit shown here by invaluement was
> missed by spamhaus.  I can't give you the data for other cases because
> it's a short circuit -> 550 type of thing.


That's not an ideal metric.  You really need to test every incoming message
against each RBL (up to 4 or so, to avoid DNS timeouts).  Postfix supports
this with "warn_if_reject" before doing the actual "5XX" reject.  It's the
warnings that yield valid data, or at least they do with large and
representative samples (which IME >= 100K msgs/day).

Roger Marquis
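
The measurement Roger Marquis describes, which is also the overlap test Rob McEwen asks for earlier in the thread, as an added example that is not from any poster here: each list is wrapped in `warn_if_reject` so Postfix logs a `reject_warning` for every list that matches instead of stopping at the first, and the warnings are then tallied per list. The log lines, IPs and addresses are constructed; the zone names are the three from Michael Hutchinson's post.

```python
import re
from collections import Counter, defaultdict

# Assumed main.cf fragment while measuring (these lines reject nothing):
#   warn_if_reject reject_rbl_client zen.spamhaus.org,
#   warn_if_reject reject_rbl_client bl.spamcop.net,
#   warn_if_reject reject_rbl_client cbl.abuseat.org,
# ZONES keeps the same order so "first_match" mirrors a short-circuit setup.
ZONES = ["zen.spamhaus.org", "bl.spamcop.net", "cbl.abuseat.org"]

WARNING_RE = re.compile(
    r"postfix/smtpd\[(?P<pid>\d+)\]: NOQUEUE: reject_warning: RCPT from "
    r"\S+\[(?P<ip>[^\]]+)\]: .*? blocked using (?P<zone>[\w.-]+);"
    r".*? from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)


def build_sample_log():
    """Constructed log text: documentation IPs and made-up addresses."""
    rows = [  # (smtpd pid, client IP, zones that list the client)
        (101, "192.0.2.10", ["zen.spamhaus.org", "cbl.abuseat.org"]),
        (102, "192.0.2.11", ["zen.spamhaus.org", "bl.spamcop.net"]),
        (103, "192.0.2.12", ["bl.spamcop.net"]),
        (104, "192.0.2.13", ["zen.spamhaus.org"]),
        (105, "192.0.2.14", ZONES),
    ]
    lines = []
    for pid, ip, zones in rows:
        for zone in zones:
            lines.append(
                f"Aug 18 14:55:32 mx postfix/smtpd[{pid}]: NOQUEUE: "
                f"reject_warning: RCPT from unknown[{ip}]: 554 5.7.1 Service "
                f"unavailable; Client host [{ip}] blocked using {zone}; "
                f"from=<s@example.net> to=<u@example.org> proto=ESMTP helo=<h>"
            )
    # A real reject for an unknown user: must not be counted as a DNSBL hit.
    lines.append(
        "Aug 18 14:55:40 mx postfix/smtpd[106]: NOQUEUE: reject: RCPT from "
        "unknown[192.0.2.20]: 550 5.1.1 <x@example.org>: Recipient address "
        "rejected: User unknown; from=<s@example.net> to=<x@example.org> "
        "proto=ESMTP helo=<h>"
    )
    return "\n".join(lines)


def parse_warnings(log_text):
    """Map each RCPT attempt to the set of DNSBL zones that warned on it."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = WARNING_RE.search(line)
        if m:
            key = (m["pid"], m["ip"], m["sender"], m["rcpt"])
            hits[key].add(m["zone"])
    return dict(hits)


def compare_lists(hits, order=ZONES):
    """Per zone: all hits, hits no other list had, and first-match credit."""
    total, unique, first = Counter(), Counter(), Counter()
    for zones in hits.values():
        total.update(zones)
        if len(zones) == 1:
            unique.update(zones)
        # Short-circuit rejection only ever logs the first list in order.
        for zone in order:
            if zone in zones:
                first[zone] += 1
                break
    return {
        z: {"total": total[z], "unique": unique[z], "first_match": first[z]}
        for z in order
    }


if __name__ == "__main__":
    report = compare_lists(parse_warnings(build_sample_log()))
    for zone, row in report.items():
        print(f"{zone:20} {row}")
```

In the constructed data bl.spamcop.net matches three attempts but would be credited with one under short-circuit rejection, and cbl.abuseat.org has no unique hits because every one of its matches is also a zen.spamhaus.org match.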


Re: Barracuda RBL in first place

2009-08-15 Thread Benny Pedersen
On Sat, 15 Aug 2009 13:28:01 -0400, MySQL Student 
wrote:

> Any chance someone has a bit of time to hack on it on this lazy
> Saturday afternoon? :-)

http://www.mikecappella.com/logwatch/

-- 
Benny Pedersen


Re: Barracuda RBL in first place

2009-08-15 Thread MySQL Student
Hi,

>> What log script do you good people use to generate the list above ? Is it
>> a home brew or one we can download so we can compare our own hits ?
>
> http://www.rulesemporium.com/programs/sa-stats.txt

Any chance someone knows where there is a compatible one that parses
amavisd instead of spamd? I've tried, but guess I don't know enough
perl to get it right.

Any chance someone has a bit of time to hack on it on this lazy
Saturday afternoon? :-)

Thanks,
Alex


Re: Barracuda RBL in first place

2009-08-15 Thread MySQL Student
Hi,

>                            Unknown user 32.00% (32.00%)            87427696
>                              Greylisted 24.88% (16.92%)            46225401
>                               Throttled 11.03% (5.64%)             15399444
>                     Relay access denied 0.01%  (0.00%)                 7034
>                   Bogus DNS (Broadcast) 0.01%  (0.00%)                11692
>              Bogus DNS (RFC 1918 space) 0.07%  (0.03%)                82135
>                         Spoofed Address 0.26%  (0.12%)               319551
>                      Unclassified Event 0.77%  (0.35%)               949388
>                 Temporary Local Problem 0.01%  (0.00%)                 8165
>             Require FQDN sender address 0.04%  (0.02%)                51022
>          Require FQDN for HELO hostname 8.97%  (4.02%)             10988455

[...]

Can I ask how you produced those stats? They look very helpful.

Thanks,
Alex


OT - my eyes hurt (Re: Barracuda RBL in first place)

2009-08-15 Thread Henrik K
On Sat, Aug 15, 2009 at 10:02:52AM +0100, --[ UxBoD ]-- wrote:
> - "Marc Perkel"  wrote: 
> > 
> > 
> > Aaron Wolfe wrote: 
> 
> On Fri, Aug 14, 2009 at 11:24 AM, Chris Owen  wrote: 
> 
> On Aug 14, 2009, at 10:13 AM, Mike Cardwell wrote: 
> 
> The comparisons on that page are useless. What matters is list policy,
> reliability and reputation.
> 
> SpamHaus is hands down the best dnsbl. While I certainly agree that SpamHaus 
> is very good, I would argue that
> Invaluement is currently better.  It certainly stops a lot more spam here and
> I think false positives are still extremely low. Invaluement lists are also 
> the top performers at my site:
> 
> Total messages: 273235355
> Total blocked: 227710956 83.34%
> 
>                        Unknown user 32.00% (32.00%) 87427696
>                          Greylisted 24.88% (16.92%) 46225401
>                           Throttled 11.03% (5.64%)  15399444
>                 Relay access denied 0.01%  (0.00%)      7034
>               Bogus DNS (Broadcast) 0.01%  (0.00%)     11692
>          Bogus DNS (RFC 1918 space) 0.07%  (0.03%)     82135
>                     Spoofed Address 0.26%  (0.12%)    319551
>                  Unclassified Event 0.77%  (0.35%)    949388
>             Temporary Local Problem 0.01%  (0.00%)      8165
>         Require FQDN sender address 0.04%  (0.02%)     51022
>      Require FQDN for HELO hostname 8.97%  (4.02%)  10988455
>     Require DNS for sender's domain 0.78%  (0.32%)    870643
>                 Require Reverse DNS 23.83% (9.65%)  26372877
>       Require DNS for HELO hostname 0.20%  (0.06%)    165157
>             The Spamhaus Block List 21.87% (6.74%)  18405091
>      The Invaluement SIP Block List 22.14% (5.33%)  14557404
>               The SIP/24 Block List 3.84%  (0.72%)   1965510
> The Barracuda Reputation Block List 3.89%  (0.70%)   1915628
> (several RBLs not widely used snipped)
> 
> We have several hundred domains and each can use its own filtering
> options, so not all RBLs/checks are used on all mail.  Checks are
> listed in order applied, so a message dropped by "unknown user" for
> instance is never seen by "greylisted".
> 
> Invaluement lists block over 25% of all messages that make it past all
> the checks in front of them, including Spamhaus.  That's massive.
> Barracuda is not used by a majority of clients and is used after the
> others, so the low number is not an indication of poor performance.
> I've actually had pretty good luck with it.
> 
> -Aaron 
> 
> --
> RANK    RULE NAME                       COUNT  %OFMAIL %OFSPAM  %OFHAM
> --
>  1     URIBL_INVALUEMENT               27029    47.58   85.13    0.60
>  2     RCVD_IN_INVALUEMENT             26116    45.81   82.26    0.22
>  3     HTML_MESSAGE                    25184    79.83   79.32   80.48
>  4     BAYES_99                        23445    41.09   73.84    0.12
>  5     RCVD_IN_INVALUEMENT24           23290    40.85   73.35    0.18
>  6     URIBL_BLACK                     22372    39.49   70.46    0.74
>  7     RCVD_IN_JMF_BL                  16845    30.70   53.06    2.74
>  8     URIBL_JP_SURBL                  15962    27.99   50.27    0.12
>  9     DKIM_SIGNED                     12137    37.32   38.23   36.18
>  10     DKIM_VERIFIED                   11051    33.93   34.81   32.84
> 
> Chris
> 
> -
> Chris Owen         - Garden City (620) 275-1900 -  Lottery (noun):
> President          - Wichita     (316) 858-3000 -    A stupidity tax
> Hubris Communications Inc www.hubris.net 
> - 
> > 
> > Yep Invaluement is a good list. But there's no public option to compare it. 
> > 
> What log script do you good people use to generate the list above ? Is it a 
> home brew or one we can download so we can compare our own hits ?
> 

A bit OT but please don't post HTML (Marc!) and make incomprehensible and
full message quotes messages like this. Takes good while to scroll and
understand all this using mutt.



Re: Barracuda RBL in first place

2009-08-15 Thread Yet Another Ninja

On 8/15/2009 11:02 AM, --[ UxBoD ]-- wrote:

--
RANK    RULE NAME                       COUNT  %OFMAIL %OFSPAM  %OFHAM
--
 1     URIBL_INVALUEMENT               27029    47.58   85.13    0.60
 2     RCVD_IN_INVALUEMENT             26116    45.81   82.26    0.22
 3     HTML_MESSAGE                    25184    79.83   79.32   80.48
 4     BAYES_99                        23445    41.09   73.84    0.12
 5     RCVD_IN_INVALUEMENT24           23290    40.85   73.35    0.18
 6     URIBL_BLACK                     22372    39.49   70.46    0.74
 7     RCVD_IN_JMF_BL                  16845    30.70   53.06    2.74
 8     URIBL_JP_SURBL                  15962    27.99   50.27    0.12
 9     DKIM_SIGNED                     12137    37.32   38.23   36.18
 10     DKIM_VERIFIED                   11051    33.93   34.81   32.84

Chris

-
Chris Owen - Garden City (620) 275-1900 -  Lottery (noun):
President  - Wichita (316) 858-3000 -A stupidity tax
Hubris Communications Inc www.hubris.net
-
Yep Invaluement is a good list. But there's no public option to compare it.


What log script do you good people use to generate the list above ? Is it a 
home brew or one we can download so we can compare our own hits ?


http://www.rulesemporium.com/programs/sa-stats.txt


Re: Barracuda RBL in first place

2009-08-15 Thread --[ UxBoD ]--
- "Marc Perkel"  wrote: 
> 
> 
> Aaron Wolfe wrote: 

On Fri, Aug 14, 2009 at 11:24 AM, Chris Owen  wrote: 

On Aug 14, 2009, at 10:13 AM, Mike Cardwell wrote: 

The comparisons on that page are useless. What matters is list policy,
reliability and reputation.

SpamHaus is hands down the best dnsbl. While I certainly agree that SpamHaus is 
very good, I would argue that
Invaluement is currently better.  It certainly stops a lot more spam here and
I think false positives are still extremely low. Invaluement lists are also the 
top performers at my site:

Total messages: 273235355
Total blocked: 227710956 83.34%

                       Unknown user 32.00% (32.00%) 87427696
                         Greylisted 24.88% (16.92%) 46225401
                          Throttled 11.03% (5.64%)  15399444
                Relay access denied 0.01%  (0.00%)      7034
              Bogus DNS (Broadcast) 0.01%  (0.00%)     11692
         Bogus DNS (RFC 1918 space) 0.07%  (0.03%)     82135
                    Spoofed Address 0.26%  (0.12%)    319551
                 Unclassified Event 0.77%  (0.35%)    949388
            Temporary Local Problem 0.01%  (0.00%)      8165
        Require FQDN sender address 0.04%  (0.02%)     51022
     Require FQDN for HELO hostname 8.97%  (4.02%)  10988455
    Require DNS for sender's domain 0.78%  (0.32%)    870643
                Require Reverse DNS 23.83% (9.65%)  26372877
      Require DNS for HELO hostname 0.20%  (0.06%)    165157
            The Spamhaus Block List 21.87% (6.74%)  18405091
     The Invaluement SIP Block List 22.14% (5.33%)  14557404
              The SIP/24 Block List 3.84%  (0.72%)   1965510
The Barracuda Reputation Block List 3.89%  (0.70%)   1915628
(several RBLs not widely used snipped)

We have several hundred domains and each can use its own filtering
options, so not all RBLs/checks are used on all mail.  Checks are
listed in order applied, so a message dropped by "unknown user" for
instance is never seen by "greylisted".

Invaluement lists block over 25% of all messages that make it past all
the checks in front of them, including Spamhaus.  That's massive.
Barracuda is not used by a majority of clients and is used after the
others, so the low number is not an indication of poor performance.
I've actually had pretty good luck with it.

-Aaron 

--
RANK    RULE NAME                       COUNT  %OFMAIL %OFSPAM  %OFHAM
--
 1     URIBL_INVALUEMENT               27029    47.58   85.13    0.60
 2     RCVD_IN_INVALUEMENT             26116    45.81   82.26    0.22
 3     HTML_MESSAGE                    25184    79.83   79.32   80.48
 4     BAYES_99                        23445    41.09   73.84    0.12
 5     RCVD_IN_INVALUEMENT24           23290    40.85   73.35    0.18
 6     URIBL_BLACK                     22372    39.49   70.46    0.74
 7     RCVD_IN_JMF_BL                  16845    30.70   53.06    2.74
 8     URIBL_JP_SURBL                  15962    27.99   50.27    0.12
 9     DKIM_SIGNED                     12137    37.32   38.23   36.18
 10     DKIM_VERIFIED                   11051    33.93   34.81   32.84

Chris

-
Chris Owen         - Garden City (620) 275-1900 -  Lottery (noun):
President          - Wichita     (316) 858-3000 -    A stupidity tax
Hubris Communications Inc www.hubris.net 
- 
> 
> Yep Invaluement is a good list. But there's no public option to compare it.
>
What log script do you good people use to generate the list above? Is it a
home brew or one we can download so we can compare our own hits?





Re: Barracuda RBL in first place

2009-08-14 Thread rich...@buzzhost.co.uk
On Fri, 2009-08-14 at 16:56 -0700, Marc Perkel wrote:

> My experience is that the barracuda lists are reasonably good. A few
> FP but not a lot.
I get more FP's with Barracuda than I do UCE Protect - which is rather
funny given the slating UCE Protect get.
>  And if they are exceeding spamhaus then even if they were stealing
> their lists they are adding a lot of data spamhaus doesn't have.
A simple collection of stats yourself will show you just how 'good' the
Barracuda list is *not*; This from a simple honeypot domain that sees
around a 1000 connections a day (so it's a very small sample size).
You'll see that Barracuda caught 172 messages, but it still left 14
behind that Spamhaus got. After those two are done, a further 163 were
missed by both of them:


  BLOCKED DNSBL    349

  BBL BARRACUDA    172
   ZEN SPAMHAUS     14
  UCE PROTECT 1     23
  UCE PROTECT 2     31
  UCE PROTECT 3      0
  [UCE PT TOTAL     54]
     SORBS SPAM      0
  SORBS EXPLOIT      3
    UCE SPAMCOP     52
UCE SPAMCANIBAL      1
  UCE NOMOREFUN     47
  INTERNAL LIST      6

list of those slipping through all RBL's or caught internally:

Aug 14 08:26:50 IP:8.19.138.12 HELO:top3.topcore.co.uk
HOSTNAME:top3.topcore.co.uk
Aug 14 08:52:10 IP:8.19.138.23 HELO:cd3.createdirect.co.uk
HOSTNAME:cd3.createdirect.co.uk
Aug 14 09:12:48 IP:8.19.138.15 HELO:inn15.innovatenow.co.uk
HOSTNAME:inn15.innovatenow.co.uk
Aug 14 09:31:57 IP:8.19.138.18 HELO:info2.infotide.co.uk
HOSTNAME:info2.infotide.co.uk
Aug 14 10:58:27 IP:8.19.138.12 HELO:top3.topcore.co.uk
HOSTNAME:top3.topcore.co.uk
Aug 14 15:13:25 IP:213.83.66.177
HELO:cluster-c.mailcontroller.altohiway.com
HOSTNAME:clusterc.mailcontroller.co.uk
~
Naturally, I would like to run a collector on a bigger scale, but it is
taking some time to get more traffic in.

> Granted Jeff's list isn't exactly a scientific process but it's the
> only one out there.
But it does not make it reliable in any context. Barracuda are good at
B/S and they use lists like this, NANAE and other 'carefully selected'
groups to spin in - when the reality is rather different. I'm not
interested in the 172 messages they caught on my box, or the 14 that
Spamhaus caught. I'm interested in the 163 they missed and *why* they
missed them.



Re: Barracuda RBL in first place

2009-08-14 Thread Marc Perkel






Aaron Wolfe wrote:

  On Fri, Aug 14, 2009 at 11:24 AM, Chris Owen wrote:
  
  
On Aug 14, 2009, at 10:13 AM, Mike Cardwell wrote:



  The comparisons on that page are useless. What matters is list policy,
reliability and reputation.

SpamHaus is hands down the best dnsbl.
  

While I certainly agree that SpamHaus is very good, I would argue that
Invaluement is currently better.  It certainly stops a lot more spam here and
I think false positives are still extremely low.


  
  
Invaluement lists are also the top performers at my site:

Total messages: 273235355
Total blocked: 227710956 83.34%

                       Unknown user  32.00% (32.00%)   87427696
                         Greylisted  24.88% (16.92%)   46225401
                          Throttled  11.03% (5.64%)    15399444
                Relay access denied   0.01% (0.00%)        7034
              Bogus DNS (Broadcast)   0.01% (0.00%)       11692
         Bogus DNS (RFC 1918 space)   0.07% (0.03%)       82135
                    Spoofed Address   0.26% (0.12%)      319551
                 Unclassified Event   0.77% (0.35%)      949388
            Temporary Local Problem   0.01% (0.00%)        8165
        Require FQDN sender address   0.04% (0.02%)       51022
     Require FQDN for HELO hostname   8.97% (4.02%)    10988455
    Require DNS for sender's domain   0.78% (0.32%)      870643
                Require Reverse DNS  23.83% (9.65%)    26372877
      Require DNS for HELO hostname   0.20% (0.06%)      165157
            The Spamhaus Block List  21.87% (6.74%)    18405091
     The Invaluement SIP Block List  22.14% (5.33%)    14557404
              The SIP/24 Block List   3.84% (0.72%)     1965510
The Barracuda Reputation Block List   3.89% (0.70%)     1915628
(several RBLs not widely used snipped)

We have several hundred domains and each can use its own filtering
options, so not all RBLs/checks are used on all mail.  Checks are
listed in order applied, so a message dropped by "unknown user" for
instance is never seen by "greylisted".

Invaluement lists block over 25% of all messages that make it past all
the checks in front of them, including Spamhaus.  That's massive.
Barracuda is not used by a majority of clients and is used after the
others, so the low number is not an indication of poor performance.
I've actually had pretty good luck with it.

-Aaron

  
  
--
RANK    RULE NAME                       COUNT  %OFMAIL %OFSPAM  %OFHAM
--
 1     URIBL_INVALUEMENT               27029    47.58   85.13    0.60
 2     RCVD_IN_INVALUEMENT             26116    45.81   82.26    0.22
 3     HTML_MESSAGE                    25184    79.83   79.32   80.48
 4     BAYES_99                        23445    41.09   73.84    0.12
 5     RCVD_IN_INVALUEMENT24           23290    40.85   73.35    0.18
 6     URIBL_BLACK                     22372    39.49   70.46    0.74
 7     RCVD_IN_JMF_BL                  16845    30.70   53.06    2.74
 8     URIBL_JP_SURBL                  15962    27.99   50.27    0.12
 9     DKIM_SIGNED                     12137    37.32   38.23   36.18
 10     DKIM_VERIFIED                   11051    33.93   34.81   32.84

Chris

-
Chris Owen         - Garden City (620) 275-1900 -  Lottery (noun):
President          - Wichita     (316) 858-3000 -    A stupidity tax
Hubris Communications Inc      www.hubris.net
-






  



Yep Invaluement is a good list. But there's no public option to compare
it.





Re: Barracuda RBL in first place

2009-08-14 Thread Aaron Wolfe
On Fri, Aug 14, 2009 at 9:39 PM, LuKreme wrote:
> On 14-Aug-2009, at 18:44, Aaron Wolfe wrote:
>>
>>                The Spamhaus Block List 21.87% (6.74%)             18405091
>>         The Invaluement SIP Block List 22.14% (5.33%)             14557404
>
>
> What would be interesting is the XOR on these two.

well, you have half of it, as any hit shown here by invaluement was
missed by spamhaus.  I can't give you the data for other cases because
it's a short circuit -> 550 type of thing.

Maybe someone else uses both these as scoring instead of block and can
provide the stats on overlap?

I know Rob's original intent with the Invaluement lists was to augment
Spamhaus rather than replace it.  If this is still the case, I
wouldn't be surprised if XOR is mostly true.


>
> I also don't understand what the percentage number in parenthesis is.
>

it's the percent of hits vs all messages, including the ones the check
never got to see. not particularly useful.


> --
> Q how do you titillate an ocelot?
> A you oscillate its tit a lot.
>
>
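
The two percentages explained above, and the reason a short-circuit setup shows only part of the overlap between two lists, worked through as an added example (not code from any poster in this thread). The first three table rows are taken from the post and assume every message reaches each check in turn; the per-connection listing records are constructed sample data, and all function names are hypothetical.

```python
from collections import Counter

def cascade_percentages(total, ordered_counts):
    """Checks run in order and reject on first hit (short circuit).

    Returns (name, pct_of_seen, pct_of_total) per check, where pct_of_seen
    divides by the messages that survived every earlier check and
    pct_of_total divides by all messages received.
    """
    rows, remaining = [], total
    for name, hits in ordered_counts:
        rows.append((name,
                     round(100 * hits / remaining, 2),
                     round(100 * hits / total, 2)))
        remaining -= hits          # rejected mail never reaches later checks
    return rows

def short_circuit_counts(records, order):
    """Per-list reject counts when the first listing in `order` wins."""
    counts = Counter()
    for listed_on in records:
        for name in order:
            if name in listed_on:
                counts[name] += 1
                break              # 550 sent, later lists are never queried
    return dict(counts)

def overlap(records, a, b):
    """Order-independent breakdown; needs every list queried (scoring mode)."""
    out = {"both": 0, "only_a": 0, "only_b": 0, "neither": 0}
    for listed_on in records:
        in_a, in_b = a in listed_on, b in listed_on
        if in_a and in_b:
            out["both"] += 1
        elif in_a:
            out["only_a"] += 1
        elif in_b:
            out["only_b"] += 1
        else:
            out["neither"] += 1
    return out

# Figures quoted in the post (first three checks only).
TOTAL = 273235355
FIRST_ROWS = [("Unknown user", 87427696),
              ("Greylisted", 46225401),
              ("Throttled", 15399444)]

# Constructed sample: for each connection, the lists its client IP is on.
RECORDS = ([{"spamhaus", "invaluement"}] * 5 +
           [{"spamhaus"}] * 3 +
           [{"invaluement"}] * 2 +
           [set()] * 2)

if __name__ == "__main__":
    for row in cascade_percentages(TOTAL, FIRST_ROWS):
        print("%-14s %6.2f%% (%.2f%%)" % row)
    # Same traffic, different order: the per-list counts change.
    print(short_circuit_counts(RECORDS, ["spamhaus", "invaluement"]))
    print(short_circuit_counts(RECORDS, ["invaluement", "spamhaus"]))
    # The XOR asked about is only_a + only_b; "both" is invisible when
    # the second list is skipped after the first one rejects.
    print(overlap(RECORDS, "spamhaus", "invaluement"))
```

With the first list rejecting at SMTP time, the second list's count equals `only_b` and nothing in the logs separates `both` from `only_a`, which is why the overlap has to come from a site that scores on both lists.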


Re: Barracuda RBL in first place

2009-08-14 Thread LuKreme

On 14-Aug-2009, at 18:44, Aaron Wolfe wrote:
The Spamhaus Block List 21.87% (6.74%)  18405091
The Invaluement SIP Block List 22.14% (5.33%)  14557404



What would be interesting is the XOR on these two.

I also don't understand what the percentage number in parenthesis is.

--
Q how do you titillate an ocelot?
A you oscillate its tit a lot.



Re: Barracuda RBL in first place

2009-08-14 Thread Aaron Wolfe
On Fri, Aug 14, 2009 at 11:24 AM, Chris Owen wrote:
> On Aug 14, 2009, at 10:13 AM, Mike Cardwell wrote:
>
>> The comparisons on that page are useless. What matters is list policy,
>> reliability and reputation.
>>
>> SpamHaus is hands down the best dnsbl.
>
> While I certainly agree that SpamHaus is very good, I would argue that
> Invaluement is currently better.  It certainly stops a lot more spam here and
> I think false positives are still extremely low.
>

Invaluement lists are also the top performers at my site:

Total messages: 273235355
Total blocked: 227710956 83.34%

                       Unknown user  32.00% (32.00%)   87427696
                         Greylisted  24.88% (16.92%)   46225401
                          Throttled  11.03% (5.64%)    15399444
                Relay access denied   0.01% (0.00%)        7034
              Bogus DNS (Broadcast)   0.01% (0.00%)       11692
         Bogus DNS (RFC 1918 space)   0.07% (0.03%)       82135
                    Spoofed Address   0.26% (0.12%)      319551
                 Unclassified Event   0.77% (0.35%)      949388
            Temporary Local Problem   0.01% (0.00%)        8165
        Require FQDN sender address   0.04% (0.02%)       51022
     Require FQDN for HELO hostname   8.97% (4.02%)    10988455
    Require DNS for sender's domain   0.78% (0.32%)      870643
                Require Reverse DNS  23.83% (9.65%)    26372877
      Require DNS for HELO hostname   0.20% (0.06%)      165157
            The Spamhaus Block List  21.87% (6.74%)    18405091
     The Invaluement SIP Block List  22.14% (5.33%)    14557404
              The SIP/24 Block List   3.84% (0.72%)     1965510
The Barracuda Reputation Block List   3.89% (0.70%)     1915628
(several RBLs not widely used snipped)

We have several hundred domains and each can use its own filtering
options, so not all RBLs/checks are used on all mail.  Checks are
listed in order applied, so a message dropped by "unknown user" for
instance is never seen by "greylisted".

Invaluement lists block over 25% of all messages that make it past all
the checks in front of them, including Spamhaus.  That's massive.
Barracuda is not used by a majority of clients and is used after the
others, so the low number is not an indication of poor performance.
I've actually had pretty good luck with it.

-Aaron

> --
> RANK    RULE NAME                       COUNT  %OFMAIL %OFSPAM  %OFHAM
> --
>  1     URIBL_INVALUEMENT               27029    47.58   85.13    0.60
>  2     RCVD_IN_INVALUEMENT             26116    45.81   82.26    0.22
>  3     HTML_MESSAGE                    25184    79.83   79.32   80.48
>  4     BAYES_99                        23445    41.09   73.84    0.12
>  5     RCVD_IN_INVALUEMENT24           23290    40.85   73.35    0.18
>  6     URIBL_BLACK                     22372    39.49   70.46    0.74
>  7     RCVD_IN_JMF_BL                  16845    30.70   53.06    2.74
>  8     URIBL_JP_SURBL                  15962    27.99   50.27    0.12
>  9     DKIM_SIGNED                     12137    37.32   38.23   36.18
>  10     DKIM_VERIFIED                   11051    33.93   34.81   32.84
>
> Chris
>
> -
> Chris Owen         - Garden City (620) 275-1900 -  Lottery (noun):
> President          - Wichita     (316) 858-3000 -    A stupidity tax
> Hubris Communications Inc      www.hubris.net
> -
>
>
>
>
>


Re: Barracuda RBL in first place

2009-08-14 Thread Marc Perkel






rich...@buzzhost.co.uk wrote:

  On Fri, 2009-08-14 at 06:30 -0700, Marc Perkel wrote:
  
  
http://www.sdsc.edu/~jeff/spam/cbc.html

It appears from Jeff's Blacklists Compared list the Barracuda has 
overtaken spamhaus for the #1 position. Not sure about the accuracy of 
the list as compared to spamhaus but seems reasonably good to me. I
don't really count apews myself since they are extremely bad, but my 
hostkarma list is next beating out abuseat, sorbs, and uceprotect.

Thanks to everyone who is helping me with my tarbaby project to catch 
virus bots.

http://wiki.junkemailfilter.com/index.php/Project_tarbaby

Congrats to Barracuda!

  
  
I suspect that they, in Barracuda 'time honoured tradition' are stealing
Spamhaus data and cobbling it with their own. They sure as hell got
caught out using CBL data last year.

As far as Barracuda 'lists' are concerned I'm far more interested in the
BARRACUDA WHITELIST and, the baby 'pay to spam' emailreg.org they have
cobbled into their boxes.

Plenty of Barracuda customers have the Barracuda 'Reputation' list set
to 'Quarantine' because they feel it lacks accuracy. I won't go on about
how doing this forces a Barracuda to struggle everyone knows that
they are rubbish.

And just to be clear - yes, former Barracuda Support Staff. I walked
away {you could not dream up how the place is run}. MY CHOICE - NOT
THEIRS.

  

My experience is that the barracuda lists are reasonably good. A few FP
but not a lot. And if they are exceeding spamhaus then even if they
were stealing their lists they are adding a lot of data spamhaus
doesn't have. I'm just wondering what they are doing new. A few weeks
ago I was beating them.

Granted Jeff's list isn't exactly a scientific process but it's the only
one out there.





Re: Barracuda RBL in first place

2009-08-14 Thread Marc Perkel



Mike Cardwell wrote:

Marc Perkel wrote:


http://www.sdsc.edu/~jeff/spam/cbc.html

It appears from Jeff's Blacklists Compared list the Barracuda has 
overtaken spamhaus for the #1 position. Not sure about the accuracy 
of the list as compared to spamhaus but seems reasonably good to me.
I don't really count apews myself since they are extremely bad, but 
my hostkarma list is next beating out abuseat, sorbs, and uceprotect.


Thanks to everyone who is helping me with my tarbaby project to catch 
virus bots.


http://wiki.junkemailfilter.com/index.php/Project_tarbaby

Congrats to Barracuda!


The comparisons on that page are useless. What matters is list policy, 
reliability and reputation.


SpamHaus is hands down the best dnsbl.

I used to be extremely distrustful of SpamCop, but they seem to be a 
lot more reliable than they used to be and in my list they would come 
second.


Barracuda is way down the list because of its poor reputation, and 
when I tested it last it seemed to generate a fair few false 
positives. I still let spamassassin use it for a small score value 
though.


Hostkarmas whitelist hits on a lot of spam, so that makes me generally 
distrustful of the quality of the contents of all of the hostkarma 
lists. I still use them sensibly in my own SpamAssassin configuration 
though for applying low scores.




I've been cleaning up my white list lately. It's hard getting it right. 
However - I admit that wrongly listed white lists are a lower priority 
than wrongly blacklisted.


Re: Barracuda RBL in first place

2009-08-14 Thread rich...@buzzhost.co.uk
On Fri, 2009-08-14 at 18:33 +0100, Mike Cardwell wrote:
> rich...@buzzhost.co.uk wrote:
> 
> > I've not laughed so much since I added a low priority mx pointing to
> > 127.0.0.1 .
> 
> Heh. Looks like someone got there before me:
> 
> http://rfc-ignorant.org/tools/lookup.php?domain=buzzhost.co.uk
> 
That's terrible news, I really *won't* sleep this weekend LOL. If that
domain were being used being on the rfc-ignorant 'list' would really
matter so much :-)



Re: Barracuda RBL in first place

2009-08-14 Thread Mike Cardwell

rich...@buzzhost.co.uk wrote:


I've not laughed so much since I added a low priority mx pointing to
127.0.0.1 .


Heh. Looks like someone got there before me:

http://rfc-ignorant.org/tools/lookup.php?domain=buzzhost.co.uk

--
Mike Cardwell - IT Consultant and LAMP developer
Cardwell IT Ltd. (UK Reg'd Company #06920226) http://cardwellit.com/


Re: Barracuda RBL in first place

2009-08-14 Thread rich...@buzzhost.co.uk
On Fri, 2009-08-14 at 09:28 -0600, LuKreme wrote:
> On 14-Aug-2009, at 09:03, Michael Scheidell wrote:
> > my rbl beats everyone.
> 
> It IS very effective at stopping spam. In fact, it stops 100% of spam.
> 
> But it's sorta like the world's greatest ftp site (ftp://127.0.0.1/)  
> which has awesome stuff, but it's all stuff I already have
> 
Now that *is* funny :-) Made my weekend.

I've not laughed so much since I added a low priority mx pointing to
127.0.0.1 .




Re: Barracuda RBL in first place

2009-08-14 Thread rich...@buzzhost.co.uk
On Fri, 2009-08-14 at 16:13 +0100, Mike Cardwell wrote:
> Marc Perkel wrote:
> 
> > http://www.sdsc.edu/~jeff/spam/cbc.html
> > 
> > It appears from Jeff's Blacklists Compared list the Barracuda has 
> > overtaken spamhaus for the #1 position. Not sure about the accuracy of 
> > the list as compared to spamhaus but seems reasonably good to me. I
> > don't really count apews myself since they are extremely bad, but my 
> > hostkarma list is next beating out abuseat, sorbs, and uceprotect.
> > 
> > Thanks to everyone who is helping me with my tarbaby project to catch 
> > virus bots.
> > 
> > http://wiki.junkemailfilter.com/index.php/Project_tarbaby
> > 
> > Congrats to Barracuda!
> 
> The comparisons on that page are useless. What matters is list policy, 
> reliability and reputation.
> 
> SpamHaus is hands down the best dnsbl.
> 
> I used to be extremely distrustful of SpamCop, but they seem to be a lot 
> more reliable than they used to be and in my list they would come second.
> 
> Barracuda is way down the list because of its poor reputation, and when 
> I tested it last it seemed to generate a fair few false positives. I 
> still let spamassassin use it for a small score value though.
> 
> Hostkarmas whitelist hits on a lot of spam, so that makes me generally 
> distrustful of the quality of the contents of all of the hostkarma 
> lists. I still use them sensibly in my own SpamAssassin configuration 
> though for applying low scores.
> 
The final thought I had on this is the Barracuda List is OT. It's not
used in SA and I hope it never will be. The only SA connection is that
Barracuda use SA in their appliances.

The false positive/accuracy is a subject raised time and time again with
the Barracuda List. As for a listing policy I can only say it appears to
be the work of Mickey Mouse. I recall the UK T2, Adam Light, trying to
run through their evidence database to tell a 'spammer' why he was
listed, only to find they actually had no evidence at all from the IP
concerned. Once you cobble this with the listing of Name Servers and the
IP's for the A records of newly registered domains (they seem to make up
'policy' as they go along) it really is all a bit unreliable IMHO.

The reasons they want to big it up is because, as Barracuda's Steve Paeo
said words similar to "The circle of increasing returns ... the more
people we can get to use it, the better our data becomes, so the more
people want to use it". Easy fix, don't use it



Re: Barracuda RBL in first place

2009-08-14 Thread LuKreme

On 14-Aug-2009, at 09:03, Michael Scheidell wrote:

my rbl beats everyone.


It IS very effective at stopping spam. In fact, it stops 100% of spam.

But it's sorta like the world's greatest ftp site (ftp://127.0.0.1/)  
which has awesome stuff, but it's all stuff I already have


--
I said pretend you've got no money, she just laughed and said, 'Eh
you're so funny.' I said, 'Yeah? Well I can't see anyone else
smiling in here.'



Re: Barracuda RBL in first place

2009-08-14 Thread Chris Owen

On Aug 14, 2009, at 10:13 AM, Mike Cardwell wrote:

The comparisons on that page are useless. What matters is list  
policy, reliability and reputation.


SpamHaus is hands down the best dnsbl.


While I certainly agree that SpamHaus is very good, I would argue that  
Invaluement is currently better.  It certainly stops a lot more spam
here and I think false positives are still extremely low.


--
RANK    RULE NAME                       COUNT  %OFMAIL %OFSPAM  %OFHAM
--
 1     URIBL_INVALUEMENT               27029    47.58   85.13    0.60
 2     RCVD_IN_INVALUEMENT             26116    45.81   82.26    0.22
 3     HTML_MESSAGE                    25184    79.83   79.32   80.48
 4     BAYES_99                        23445    41.09   73.84    0.12
 5     RCVD_IN_INVALUEMENT24           23290    40.85   73.35    0.18
 6     URIBL_BLACK                     22372    39.49   70.46    0.74
 7     RCVD_IN_JMF_BL                  16845    30.70   53.06    2.74
 8     URIBL_JP_SURBL                  15962    27.99   50.27    0.12
 9     DKIM_SIGNED                     12137    37.32   38.23   36.18
10     DKIM_VERIFIED                   11051    33.93   34.81   32.84

Chris

-
Chris Owen - Garden City (620) 275-1900 -  Lottery (noun):
President  - Wichita (316) 858-3000 -A stupidity tax
Hubris Communications Inc  www.hubris.net
-






Re: Barracuda RBL in first place

2009-08-14 Thread Mike Cardwell

Marc Perkel wrote:


http://www.sdsc.edu/~jeff/spam/cbc.html

It appears from Jeff's Blacklists Compared list the Barracuda has 
overtaken spamhaus for the #1 position. Not sure about the accuracy of 
the list as compared to spamhaus but seems reasonably good to me. I
don't really count apews myself since they are extremely bad, but my 
hostkarma list is next beating out abuseat, sorbs, and uceprotect.


Thanks to everyone who is helping me with my tarbaby project to catch 
virus bots.


http://wiki.junkemailfilter.com/index.php/Project_tarbaby

Congrats to Barracuda!


The comparisons on that page are useless. What matters is list policy, 
reliability and reputation.


SpamHaus is hands down the best dnsbl.

I used to be extremely distrustful of SpamCop, but they seem to be a lot 
more reliable than they used to be and in my list they would come second.


Barracuda is way down the list because of its poor reputation, and when 
I tested it last it seemed to generate a fair few false positives. I 
still let spamassassin use it for a small score value though.


Hostkarmas whitelist hits on a lot of spam, so that makes me generally 
distrustful of the quality of the contents of all of the hostkarma 
lists. I still use them sensibly in my own SpamAssassin configuration 
though for applying low scores.


--
Mike Cardwell - IT Consultant and LAMP developer
Cardwell IT Ltd. (UK Reg'd Company #06920226) http://cardwellit.com/


Re: Barracuda RBL in first place

2009-08-14 Thread Michael Scheidell

RW wrote:

But isn't Barracuda considered to be more aggressive than Spamhaus, so
is beating Spamhaus on a BOFH metric, where blocking 0.0.0.0/32
would beat everything, much of an achievement?
  


my rbl beats everyone.

please find ONE spammer's ipv4 address that isn't listed in 
blocked.secnap.net

(oh, before you use it, google about what its listing criteria is)


--
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259
SECNAP Network Security Corporation

   * Certified SNORT Integrator
   * 2008-9 Hot Company Award Winner, World Executive Alliance
   * Five-Star Partner Program 2009, VARBusiness
   * Best Anti-Spam Product 2008, Network Products Guide
   * King of Spam Filters, SC Magazine 2008




Re: Barracuda RBL in first place

2009-08-14 Thread RW
On Fri, 14 Aug 2009 06:30:58 -0700
Marc Perkel  wrote:

> http://www.sdsc.edu/~jeff/spam/cbc.html
> 
> It appears from Jeff's Blacklists Compared list the Barracuda has 
> overtaken spamhaus for the #1 position. Not sure about the accuracy
> of the list as compared to spamhaus but seems reasonably good to me.
> I don't really count apews myself since they are extremely bad, but
> my hostkarma list is next beating out abuseat, sorbs, and uceprotect.
> 
> Thanks to everyone who is helping me with my tarbaby project to catch 
> virus bots.
> 
> http://wiki.junkemailfilter.com/index.php/Project_tarbaby
> 
> Congrats to Barracuda!

But isn't Barracuda considered to be more aggressive than Spamhaus, so
is beating Spamhaus on a BOFH metric, where blocking 0.0.0.0/32
would beat everything, much of an achievement?


Re: Barracuda RBL in first place

2009-08-14 Thread rich...@buzzhost.co.uk
On Fri, 2009-08-14 at 06:30 -0700, Marc Perkel wrote:
> http://www.sdsc.edu/~jeff/spam/cbc.html
> 
> It appears from Jeff's Blacklists Compared list the Barracuda has 
> overtaken spamhaus for the #1 position. Not sure about the accuracy of 
> the list as compared to spamhaus but seems reasonably good to me. I
> don't really count apews myself since they are extremely bad, but my 
> hostkarma list is next beating out abuseat, sorbs, and uceprotect.
> 
> Thanks to everyone who is helping me with my tarbaby project to catch 
> virus bots.
> 
> http://wiki.junkemailfilter.com/index.php/Project_tarbaby
> 
> Congrats to Barracuda!

I suspect that they, in Barracuda 'time honoured tradition' are stealing
Spamhaus data and cobbling it with their own. They sure as hell got
caught out using CBL data last year.

As far as Barracuda 'lists' are concerned I'm far more interested in the
BARRACUDA WHITELIST and, the baby 'pay to spam' emailreg.org they have
cobbled into their boxes.

Plenty of Barracuda customers have the Barracuda 'Reputation' list set
to 'Quarantine' because they feel it lacks accuracy. I won't go on about
how doing this forces a Barracuda to struggle everyone knows that
they are rubbish.

And just to be clear - yes, former Barracuda Support Staff. I walked
away {you could not dream up how the place is run}. MY CHOICE - NOT
THEIRS.