Rob McEwen wrote:
Aaron Wolfe wrote:
I have 24 hours of data to play with... at first results seemed
promising. I found over 300,000 hosts that had connected only to my
highest MX and did not issue a QUIT. But.. of that group:
96.0% are listed on Spamhaus (Zen; I did not break it down into the
individual lists)
2.3% of the hosts *not* listed on spamhaus are listed on Rob McEwen's
ivmSIP list (note that this is over 50% of the remaining hosts, about
10% higher than this list's hit rate with my normal mail flow).
...<snip>...
I'm sure my quick test is not perfect. The remaining 1.7% of hosts
may include some amount of non-spam sources (very small, if any, I would
guess). Also, I ran the RBL checks all at once at the end of the
cycle, so some of the hits were 24 hours old. Some amount of the
remainder were probably on the RBLs at the time they hit my server and
were since removed.

Aaron,
Here are my thoughts/observations:
Assuming that you ran these dnsbl checks *after* the 24 hour period
(as I think you are saying...), then I believe that the 96% "also
caught by Zen" would probably be lower, not higher. IPs (from recent
spam!) don't generally expire out of any lists THAT quickly, if at
all. However, in contrast, there is typically a propagation delay
before *some* of these get into DNSBLs. (this delay can vary widely
between dnsbls). So if you ran this test after the fact, you actually
gave Zen some time to "catch up".
You mentioned that, of these "IPs that only connected to the highest
MX" batch, half of the IPs that Zen didn't catch were already on "Rob
McEwen's ivmSIP list". Thanks for the plug!
But I fear that this may accidentally paint an inaccurate picture of
ivmSIP. This seems to imply that half my list is made up of IPs that
would be caught if someone were using the "connected only to the
highest MX" method. (I know you didn't intend to imply this... but
there is the potential for someone to interpret it that way.) In fact,
just so *others* will know, I should add that there is MUCH spam that
my list catches which the "IPs that only connected to the highest MX"
method misses.
For example, I took the last 100 ivmSIP catches and ran them against
Zen.
88 of these 100 were already caught by Zen.
Of the 12 left, 3 were caught by widely used and respected dnsbls:
84.79.21.212 (spamcop)
200.66.32.226 (dsbl/psbl)
212.147.5.133 (spamcop & Mark Perkel's "host karma" list)
As shown, of the 12 left, (and of these three), 1 was caught by
Perkel's host karma list, which, therefore, is probably the *only* IP
of these 12 that the "connected only to the highest MX" method would
have caught.
(of those not caught by zen...)
While your stats show that 50% of what the "connected only to the
highest MX" method catches was also caught by ivmSIP, these additional
stats above show that the "connected only to the highest MX" method
catches *only* 8% of the spams that ivmSIP catches (again, of those
not already in Zen).
Of these twelve, 9 of them are IPs that would NOT have been caught by
ANY reliable FP-safe DNSBLs, nor would these (likely) be caught by the
"connected only to the highest MX" method.
Here are those 9 "uniques" (for anyone to examine/critique):
9 "uniques" out of 100 doesn't sound impressive... and most of these
were already caught by UCEPROTECT's "level 3", but that is UCE's most
FP-risky list... and certainly a list too FP-risky to outright block
or score high on... UCE even states that this list "probably will
cause collateral damage to innocent users when used to block email".
But since, in contrast, ivmSIP has an extremely low FP-rate and seeks
to *not* ever create collateral damage, then, unlike UCE-3, when these
IPs show up in ivmSIP, they are safe to outright block (or score very
high, for those who are ultra careful) without fear of FPs.
(Of course, during the time it took me to type this message, another
1,142 IPs were added to ivmSIP. This was an "ad hoc" snapshot... I
suspect that a few of these "uniques" will get into other lists by the
time that some people read this post. But, in the meantime, spams sent
from these IPs to those who use ivmSIP have been blocked.)
FINAL NOTE: ivmSIP seeks to be a supplemental list focused mostly on
new series of spams... and purposely skips out on listing spammers'
IPs that have been in circulation for more than X number of
weeks/months... therefore, Zen is going to list many IPs that ivmSIP
isn't even trying to list. So ivmSIP is NOT trying to be a Zen
replacement, but, instead, more of a supplement.
Rob McEwen

Rob - you make a good point about the 24 hours after issue. I can detect
the spambots in almost real time. The combination of the no QUIT and
only hitting the highest numbered MX takes about 2 minutes (the
connection inactivity timeout). Once detected, the IP is added to a list
and then on the next 5 minute cycle I have them in my black list ready
for the world to read. What I'm seeing is that I'm blacklisting faster
than Spamhaus is, so many of these IPs that overlap 24 hours later might
not overlap if you compared them in real time.
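As an added example (not code from anyone in this thread), here is a small Python sketch of the heuristic described in the last reply: flag clients that only ever connected to the highest-numbered MX, never issued QUIT, and whose session has gone idle past the inactivity timeout, then measure how much of that set a DNSBL snapshot already lists. The MX names, log lines and DNSBL set are constructed; the log format is an assumption.

```python
from collections import defaultdict

# Constructed MX layout: a higher preference number means lower priority,
# the host legitimate senders try last and many spambots try first.
MX_PRIORITY = {"mx1.example.net": 10, "mx2.example.net": 20, "mx3.example.net": 30}
HIGHEST_MX = max(MX_PRIORITY, key=MX_PRIORITY.get)
INACTIVITY_TIMEOUT = 120  # seconds; the "about 2 minutes" figure from the thread

# Constructed log lines (assumed format): "<epoch-seconds> <mx-host> <client-ip> <event>"
SAMPLE_LOG = """\
1000 mx3.example.net 192.0.2.10 CONNECT
1001 mx3.example.net 192.0.2.10 MAIL
1000 mx1.example.net 198.51.100.5 CONNECT
1002 mx1.example.net 198.51.100.5 QUIT
1010 mx3.example.net 203.0.113.7 CONNECT
1012 mx3.example.net 203.0.113.7 QUIT
1020 mx3.example.net 192.0.2.44 CONNECT
1030 mx1.example.net 192.0.2.44 CONNECT
1031 mx1.example.net 192.0.2.44 QUIT
1040 mx3.example.net 192.0.2.99 CONNECT
1150 mx3.example.net 192.0.2.99 RCPT
"""


def parse_sessions(log_text):
    """Collapse log lines into per-client state: MX hosts seen, QUIT flag, last activity."""
    state = defaultdict(lambda: {"mx": set(), "quit": False, "last": 0})
    for line in log_text.splitlines():
        ts, mx, ip, event = line.split()
        s = state[ip]
        s["mx"].add(mx)
        s["last"] = max(s["last"], int(ts))
        if event == "QUIT":
            s["quit"] = True
    return state


def suspect_hosts(log_text, now, timeout=INACTIVITY_TIMEOUT):
    """Clients that touched only the highest-numbered MX, never sent QUIT, and have
    been idle for at least `timeout` seconds (i.e. the server has timed the session out)."""
    state = parse_sessions(log_text)
    return sorted(ip for ip, s in state.items()
                  if s["mx"] == {HIGHEST_MX} and not s["quit"] and now - s["last"] >= timeout)


def dnsbl_overlap(suspects, listed):
    """Fraction of suspect IPs that a DNSBL snapshot (a plain set of IPs) already lists."""
    return len(set(suspects) & listed) / len(suspects) if suspects else 0.0


if __name__ == "__main__":
    listed_now = {"192.0.2.10"}  # constructed DNSBL snapshot at detection time
    for now in (1200, 1300):     # second pass: 192.0.2.99 has since timed out
        hits = suspect_hosts(SAMPLE_LOG, now)
        print(now, hits, f"DNSBL overlap {dnsbl_overlap(hits, listed_now):.0%}")
```

Running the detection at two points in time shows the overlap figure moving as hosts time out, which is the same effect the thread describes when a DNSBL is given time to catch up.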