Re: Backscatter.org used as RBL??

Thu, 06 Aug 2009 15:38:24 -0700 


Mike Cardwell wrote:

Marc Perkel wrote:


Backscatter.org is the worst RBL on the planet. If you use it you 
will get a lot of false positives.



Lets compare backscatterer's recommended usage of their list in your 
favourite MTA against your own recommendation for usage of your 
hostkarma RBL in your favourite MTA:


1.) HostKarma:

deny dnslists = hostkarma.junkemailfilter.com=127.0.0.2

2.) BackScatterer:

deny senders     = :
     dnslists    = ips.backscatterer.org
     log_message = $sender_host_address listed at $dnslist_domain
     message     = Backscatter: $dnslist_text


I would argue, and I expect few would disagree, that you're more 
likely to get a false positive from the first than the second.



Or were you ignoring the large bright red warning signs and usage 
information on http://www.backscatterer.org/ ?


I'll disagree with that.


Of course you will. It's your list I was talking about.


A lot of the backscatterer list is sender address verification calls.
If someone is doing sender address verification then they are
filtering spam and those who filter spam are not sending spam.



"Those who filter spam are not sending spam" - I can't remember the 
last time I used this abbreviation... lol ... gmail? hotmail? yahoo?



On my  system people doing SAV get white listed - not black listed.



Is that why your whitelist is much worse than the dnswl.org one? I 
have a user who gets about 2000 spams a day. I keep a copy of that 
spam in a folder for a week. 14 of the emails in there have JMF_W tags 
on them at the moment and none of them have DNSWL tags.



That's pretty poor considering both lists fire on about the same 
number of emails:


r...@haven:~# zgrep JMF_W /var/log/mail.log.[1234567].gz|wc -l
908
r...@haven:~# zgrep DNSWL /var/log/mail.log.[1234567].gz|wc -l
803
r...@haven:~#

One of the emails was from:

122.56.213.81 (122-56-213-81.mobile.telecom.co.nz)


Although that IP has now graduated from your whitelist to the 
yellowlist. Amazing that an IP like that got into the whitelist in the 
first place. You must have some faulty automated system for populating 
the list.



This might be more accurate:

accept !senders = :
  dnslists    = ips.backscatterer.org



I see. You think "Host sends backscatter" therefore "Host never sends 
spam". An interesting hypothesis.





This might be an advanced concept for you but what I meant was - 
deliberately send spam. Everyone doing sender verification is someone 
who is trying to BLOCK spam, and therefore are the good guys. I also 
track SAV calls and I use it as a WHITE list.

























					Reply via email to