RE: best of RBLs without the FPs

**a continuation of the "Hotmail on sorbs" thread**
**but with a positive solutions-based approach**

I started a new thread because I felt like we needed a fresh start on this
topic. (the previous thread had a lot of ranting and meandering on it...
good stuff... but I felt like a fresh start was warranted.)

In fact, a good example of positive solutions would be Herb Martin's recent
post about using Greylisting and RBLs together where the message is not
blocked outright based on RBLs... but, rather, the RBL triggers the
greylisting... that was a great example of a good solution! This is the kind
of thing I'd like to talk about in this new thread.

Personally, I don't feel comfortable with Greylisting and there are some
disadvantages to greylisting that many admins can't live with.

Therefore, I have another solution.

(Of course, RBL-blocking is only one of many tools that I use... SURBL,
URIBL, rules, etc... this e-mail deals specifically with how I used RBLs...
please, no lectures about how I should be combining RBLs with other
methods... I already do that.)

First, there is an unfortunate dichotomy... many of the overall good but
slightly less FP-safe RBLs are often the best "first-responders" to new
sources of spam... like SpamCop, uceprotect, spews, sorbs, five-ten-sg,
csma, ahbl, jammconsulting, etc.

2nd, even the best... sbl-xbl, dsbl, njabl ...even these have some strange
occasional FPs. For example, sbl-xbl is quick to sometimes list overall
good, overall opt-in marketers who are mostly opt-in, but have slightly
dirty lists (for example, topica.com lists and ientry.com newsletters are
both listed on sbl-xbl, last I checked). Therefore I've seen confirmed
opt-in newsletters and list messages which would have been blocked if one
were doing outright blocking based on sbl-xbl. A couple of weeks ago, I also
spotted a legit airline e-mail which confirmed a REAL flight reservation
which would have been blocked by njabl. I looked this up at njabl and, sure
enough, a spam had been sent from this legit airline's mail server... but it
wasn't promoting travel... it was an obvious malware or virus sent spam
which triggered njabl to list that overall legit server.

Therefore, this myth that there are somehow perfect RBLs which can be relied
upon is just that... a myth. And simply dumping the less-FP safe RBLs
removes a valuable tool because so many of these (1) still have overall high
percentage catch-rates and (2) are great "1st responders".

Therefore, how can one get the best of all worlds?

HERE IS MY SOLUTION:

(1) weigh the RBLs according to how FP safe they are (For example, I put
five-ten-sg as my "weakest" RBL, and dsbl.org as my "strongest" RBL... with
many in between... BTW, I don't recommend anyone using any RBL that is less
FP-safe than five-ten-sg, even if weighted "weak")

(2) I also add points based on how many RBLs (weak or strong) catch that
sending server's IP. The idea here is that any one or two RBLs can be wrong
and/or list high-volume source of ham... but if 3, 4, 5+ of the RBLs list
that IP, then it has an extremely low chance of being "ham". In fact, I find
that it is common for a single less FP-safe RBL to block a high-volume
source of legit mail... but it is unusual for a high-volume source of ham to
get listed on many RBLs, weak or strong. For this reason, this extra weight
added based on a raw # of RBLs is helpful because these less-FP safe RBLs
often quickly gang up on a hard-core spammer before the FP-safe RBLs list
that spammer. By using this system, I increase the overall score of hits on
multiple FP-risky RBLs beyond the regular sum of their scores.

(3) Still, occasionally, a large ISP's legit mail server will get listed on
multiple RBLs... typically the less-FP safe ones. If I didn't do anything
else but what I've described so far, I'd still be in trouble because my
system would still block an occasional message from one of THOSE legit
servers. But I found a solution here as well. I simply have done an override
on my caching DNS server where I nullify the lookups for these RBLs. I base
this on research I did, doing lookups on www.senderbase.org for various high volume
(5.0+ on their scale) legit sources of mail, and then "whitelisted" THOSE IP
addresses (or address ranges) as far as my RBL-checking is concerned.

Ironically, now that I do this, I really don't personally care if SORBS
lists Hotmail. I have all legit hotmail servers whitelisted so I get the
best of both worlds. SORBS then can spank hotmail so we will all get less
spam as hotmail hopefully adjusts... but I can let other less savvy ISPs who
block on SORBS outright be the ones who likewise punish their own users by
blocking their users' legit hotmail.

(I end up with better filtering as my hit rate stays high and my FP-rate
drops lower than my spam filtering competitors)

Therefore, I get the "best of both worlds"... I know that sounds selfish...
and it is! But don't think too badly of me, at least I'm "laying it all out
on the table" and presenting my strategy for others to consider following

:)

In fact, this system has proven tremendously successful!

Rob McEwen
PowerView Systems
[EMAIL PROTECTED]
(478) 475-9032


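The three-part scheme described in the post above (per-RBL weights, an extra bonus keyed on the raw number of listing RBLs, and a whitelist that nullifies RBL answers for known high-volume legitimate senders), shown as an added example that is not the poster's code or configuration. The RBL names are the short labels used in the post, not DNS zone names; the weights, thresholds, bonus table, IP addresses (documentation ranges) and the fake lookup table are all constructed for illustration, and the lookup table stands in for real DNS queries so the script runs offline.

```python
"""Weighted RBL scoring with a multi-listing bonus and a whitelist override.

Added example, not the poster's code. Every RBL weight, threshold, IP address
and listing below is constructed for illustration.
"""
import ipaddress
from typing import Dict, Set, Tuple

# Per-RBL weights: higher = more FP-safe (constructed values). The post puts
# dsbl at the "strong" end and five-ten-sg at the "weak" end.
RBL_WEIGHTS: Dict[str, float] = {
    "dsbl": 3.0,
    "sbl-xbl": 3.0,
    "njabl": 2.5,
    "spamcop": 2.0,
    "sorbs": 1.5,
    "uceprotect": 1.0,
    "five-ten-sg": 1.0,
}

# Bonus keyed on the raw number of listing RBLs. One or two hits earn nothing
# (any single list can be wrong about a high-volume ham source); three or more
# earn a bonus that grows faster than the weak lists' own weights add up.
COUNT_BONUS = {3: 3.0, 4: 6.0}
COUNT_BONUS_MAX = 10.0  # five or more listings

# Constructed whitelist standing in for ranges of high-volume legitimate
# senders researched elsewhere. 192.0.2.0/24 is documentation address space.
WHITELIST = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed lookup table standing in for the DNS answers the RBLs would give.
FAKE_RBL_ANSWERS: Dict[str, Set[str]] = {
    "198.51.100.7": {"five-ten-sg"},
    "198.51.100.8": {"sbl-xbl"},
    "198.51.100.9": {"spamcop", "sorbs", "uceprotect", "five-ten-sg"},
    "192.0.2.10": {"sorbs", "spamcop", "five-ten-sg"},  # a "big ISP" outbound host
}

BLOCK_THRESHOLD = 5.0
SUSPECT_THRESHOLD = 2.0


def is_whitelisted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in WHITELIST)


def lookup_rbls(ip: str) -> Set[str]:
    """Return the set of RBLs listing ip. Whitelisted addresses return no
    listings, mirroring a caching resolver that nullifies RBL answers for them."""
    if is_whitelisted(ip):
        return set()
    return set(FAKE_RBL_ANSWERS.get(ip, set()))


def count_bonus(n: int) -> float:
    """Extra points for being listed on n RBLs, regardless of their weights."""
    if n < 3:
        return 0.0
    return COUNT_BONUS.get(n, COUNT_BONUS_MAX)


def rbl_score(listings: Set[str]) -> float:
    """Weighted sum over known RBLs plus the count-based bonus."""
    known = [r for r in listings if r in RBL_WEIGHTS]
    return sum(RBL_WEIGHTS[r] for r in known) + count_bonus(len(known))


def classify(ip: str) -> Tuple[float, str]:
    """Score one sending IP and map the score to a verdict. "suspect" means the
    RBL score is fed into the rest of the filter rather than rejecting outright."""
    score = rbl_score(lookup_rbls(ip))
    if score >= BLOCK_THRESHOLD:
        verdict = "block"
    elif score >= SUSPECT_THRESHOLD:
        verdict = "suspect"
    else:
        verdict = "pass"
    return score, verdict


if __name__ == "__main__":
    for ip in FAKE_RBL_ANSWERS:
        score, verdict = classify(ip)
        listed = ", ".join(sorted(lookup_rbls(ip))) or "(none / whitelisted)"
        print(f"{ip:15} score={score:5.1f} -> {verdict:7} listed on: {listed}")
```

Note how the four weak-list hits on 198.51.100.9 add up to only 5.5 on their own, but the count bonus pushes the total to 11.5, which is the "beyond the regular sum of their scores" effect the post describes; a single hit on a strong list (198.51.100.8) lands in "suspect" rather than "block", and the whitelisted 192.0.2.10 scores zero no matter how many lists name it.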