Jason Haar wrote:
>  On 08/17/2010 01:04 PM, John Hardin wrote:
>   
>> You might consider implementing spamhaus zen as an MTA-level hard
>> reject DNSBL (I do that, maybe that's why I don't see any pharma
>> spam?) - many admins trust it enough to do that, and the sample you
>> posted hit on the abuseat CBL, which is a zen feed.
>>     
> As per my initial email, none of the RBLs hit the message when they get
> in. More precisely:<SNIP>

Jason,

Actually, for the sample you posted, ivmURI had the domain name in the
clickable link blacklisted a whole two days BEFORE that spam was sent to
you. Likewise, the IP was already in the ivmSIP/24 blacklist for MANY
days prior to this... and probably BEFORE this IP was ever used for
sending spam. (In fact, ivmSIP/24 WILL block many "zero day" spams, but
without the FPs typically associated with most other /24 blacklists)

But, then again, I'm obviously biased towards the invaluement lists.
Therefore, for a better non-biased evaluation, take the ones which you
keep missing and, extremely soon after they are missed... go to
http://multirbl.valli.org
and
check both the sending IP, and any suspicious domains in the clickable
links (I'd have suggested mxtoolbox or dnsstuff... but I know that
multirbl.valli.org
will
allow for checking the URI in the clickable link against URI blacklists,
in addition to the sending IP)

If you can do that check literally seconds after your spam filter missed
the spam, then you'll likely see which blacklists you aren't using would
have blocked it. Of course, some lists might have the item listed, but
are of little value due to such lists blocking too much legit mail. So
ignore those! But any extreme-low-FP DNSBL that listed those missed
spams prior to you receiving the spam should prove VERY worthy of your
attention!

If the other spams are like your example spam, you should see
invaluement coming up over and over... and you might also see one or two
other freely available, non-commercial DNSBLs come up as well that might
help you (at no cost!), too!

-- 
Rob McEwen
http://dnsbl.invaluement.com/
r...@invaluement.com
+1 (478) 475-9032
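
The check described in the message above (look up the sending IP and the domains in clickable links against DNSBLs right after a miss), as an added example that is not part of the original post. The zone names, the constructed sample message, and the assumption that the topmost Received header was written by your own MX are assumptions of this example; link hostnames are queried as written.

```python
import ipaddress
import re
import socket
from email import message_from_string
from urllib.parse import urlsplit

IP_ZONES = ("zen.spamhaus.org",)    # assumption: swap in the lists you are evaluating
URI_ZONES = ("dbl.spamhaus.org",)   # assumption: a domain/URI list

# Constructed sample message (documentation-range IP, reserved .example names).
SAMPLE = (
    "Received: from mail.sender.example (unknown [192.0.2.45])\n"
    "\tby mx.recipient.example with ESMTP; Mon, 16 Aug 2010 10:00:00 +0000\n"
    "\n"
    "Visit http://pills.example/buy?id=1 or http://PILLS.example/now\n"
)

def extract_indicators(raw):
    """Return (connecting IP from the topmost Received header, link hostnames)."""
    msg = message_from_string(raw)
    received = msg.get_all("Received", [])
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received[0]) if received else None
    body = "".join(str(p.get_payload()) for p in msg.walk() if not p.is_multipart())
    hosts = [urlsplit(u).hostname for u in re.findall(r"https?://[^\s\"'<>]+", body)]
    return (m.group(1) if m else None), list(dict.fromkeys(h for h in hosts if h))

def dnsbl_name(item, zone):
    """IPv4 addresses are queried with octets reversed, domains as written."""
    try:
        octets = str(ipaddress.IPv4Address(item)).split(".")
        return ".".join(reversed(octets)) + "." + zone
    except ValueError:
        return item.lower().rstrip(".") + "." + zone

def system_resolver(name):
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:          # NXDOMAIN or lookup failure: treat as not listed
        return []

def check_item(item, zones, resolve=system_resolver):
    """Map zone -> 127.0.0.x return codes; an empty dict means not listed."""
    hits = {}
    for zone in zones:
        answers = resolve(dnsbl_name(item, zone))
        # Spamhaus answers 127.255.255.x for refused or malformed queries, not listings.
        codes = [a for a in answers
                 if a.startswith("127.") and not a.startswith("127.255.255.")]
        if codes:
            hits[zone] = codes
    return hits
```

Call `extract_indicators()` on the raw missed message, then `check_item()` on the IP and on each hostname; the `resolve` parameter lets you point the lookups at your own recursive resolver.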

