On 1/11/2012 5:10 PM, David B Funk wrote:
> Problem with all those methods is that they're reactive, will not hit
> until -after- somebody has seen the bad crap and created filters,
> RBL-lists, taught Bayes, etc.
>
> The OP explicitly said that the first spam run was at 06:39 and by
> 06:42 it was hitting RBLs (pretty darned quick by my book;).
> However he has some fussy customers who weren't understanding and
> so was asking for a method of dealing with this. 

This is actually a good argument for having a variety of good IP and URI
DNSBLs. Even the fastest reacting ones are going to update, at most,
once per minute. (and even that is rather rare... I think most
fast-reacting ones update every ~5 minutes.) Even then, public DNSBLs
have to rsync from the master to mirrors before the data is usable.

For this reason, you're going to hit some DNSBLs just seconds after they
updated... others are going to be a little less fresh. This is exactly
why having multiple quality DNSBLs is helpful. If you check 8 different
good ones instead of 2 different good ones (for example), then there is
a greater chance that you'll query one of those mere seconds after it
updated, and where it already had data on a new spam campaign.

Along those lines, with the invaluement blacklists that I manage...
we're soon going to offer a special version whereby we send an alert to
"trigger" subscribers' rsyncs within a couple of seconds after each
invaluement list's last update--thus making that reaction time even
faster--and causing more spam that are at the "tip of the spear" to get
caught.

ALSO: There are OFTEN times when an IP doesn't have a chance to get
caught, but it contains a domain already found on surbl, uribl, ivmURI,
or DBL. Or, times when a domain hadn't had a chance to get caught yet,
but the IP is caught from a previous spam campaign. But if you're not
using all the best DNSBLs, you miss out on some of this!

MORE: And, btw, really good /24 blacklists do _preemptively_ block much
snowshoe spam, from the very 1st spam sent!

-- 
Rob McEwen
http://dnsbl.invaluement.com/
r...@invaluement.com
+1 (478) 475-9032
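
The "8 good DNSBLs instead of 2" argument above, worked through as an added example (not part of the original message and not invaluement's code). It assumes every list publishes on a fixed 300-second cycle (the ~5 minutes mentioned above) with independent random phase and already has the campaign at its next publish; mirror rsync lag is ignored, and all function names are hypothetical.

```python
import random

def expected_wait(period_s, n_lists):
    """Mean seconds until the first of n lists publishes.

    Each list's next publish is Uniform(0, period) after the campaign
    starts (assumption), so the earliest one has mean period / (n + 1).
    """
    return period_s / (n_lists + 1)

def p_fresh_within(window_s, period_s, n_lists):
    """Probability that at least one list publishes within window_s."""
    if window_s >= period_s:
        return 1.0
    # Every list must miss the window for the receiver to see nothing.
    return 1.0 - (1.0 - window_s / period_s) ** n_lists

def simulate(period_s, n_lists, window_s, trials=50_000, seed=1):
    """Monte Carlo check of the two closed forms above."""
    rng = random.Random(seed)
    total_wait = 0.0
    hits = 0
    for _ in range(trials):
        # Constructed data: one random publish offset per list.
        first = min(rng.uniform(0, period_s) for _ in range(n_lists))
        total_wait += first
        hits += first <= window_s
    return total_wait / trials, hits / trials

if __name__ == "__main__":
    PERIOD = 300   # seconds between list updates (~5 minutes)
    WINDOW = 30    # "how much of the run is caught in the first 30 s?"
    for n in (2, 8):
        sim_wait, sim_p = simulate(PERIOD, n, WINDOW)
        print(f"{n} lists: mean wait {expected_wait(PERIOD, n):6.1f}s "
              f"(sim {sim_wait:6.1f}s), "
              f"P(listed within {WINDOW}s) "
              f"{p_fresh_within(WINDOW, PERIOD, n):.3f} (sim {sim_p:.3f})")
```

Under these assumptions, going from 2 to 8 lists cuts the mean wait for the first usable listing from 100 seconds to about 33, and raises the chance of a listing within the first 30 seconds from 19% to about 57%.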
