----- Original Message -----
> On 1/11/2012 5:10 PM, David B Funk wrote:
> > Problem with all those methods is that they're reactive, will not hit
> > until -after- somebody has seen the bad crap and created filters,
> > RBL-lists, taught Bayes, etc.
> >
> > The OP explicitly said that the first spam run was at 06:39 and by
> > 06:42 it was hitting RBLs (pretty darned quick by my book;).
> > However he has some fussy customers who weren't understanding and
> > so was asking for a method of dealing with this.
> 
> This is actually a good argument for having a variety of good IP and URI
> DNSBLs. Even the fastest reacting ones are going to update, at most,
> once per minute. (and even that is rather rare... I think most
> fast-reacting ones update every ~5 minutes.) Even then, public DNSBLs
> have to rsync from the master to mirrors before the data is usable.
>
> For this reason, you're going to hit some DNSBLs just seconds after they
> updated... others are going to be a little less fresh. This is exactly
> why having multiple quality DNSBLs is helpful. If you check 8 different
> good ones instead of 2 different good ones (for example), then there is
> a greater chance that you'll query one of those mere seconds after it
> updated, and where it already had data on a new spam campaign.
>
> Along those lines, with the invaluement blacklists that I manage...
> we're soon going to offer a special version whereby we send an alert to
> "trigger" subscribers' rsyncs within a couple of seconds after each
> invaluement list's last update--thus making that reaction time even
> faster--and causing more spam that are at the "tip of the spear" to get
> caught.
>
> ALSO: There are OFTEN times when an IP doesn't have a chance to get
> caught, but it contains a domain already found on surbl, uribl, ivmURI,
> or DBL. Or, times when a domain hadn't had a chance to get caught yet,
> but the IP is caught from a previous spam campaign. But if you're not
> using all the best DNSBLs, you miss out on some of this!
>
> MORE: And, btw, really good /24 blacklists do _preemptively_ block much
> snowshoe spam, from the very 1st spam sent!
> 
> --
> Rob McEwen
> http://dnsbl.invaluement.com/
> r...@invaluement.com
> +1 (478) 475-9032
> 
> 

Just to follow up, we have seen a huge decrease in the amount of SPAM received
since we implemented the Invaluement RBLs. We shall be looking at adding
greylisting to our arsenal, but we do like to only make one change at a time and
hence waited to see how the RBLs worked first.
-- 
Thanks, Phil
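
Added example, not part of the original thread: a small model of the freshness argument in the quoted message (checking 8 lists instead of 2 raises the chance that at least one already serves data on a new campaign). The ~5 minute rebuild interval is taken from the quoted text; the 30 second mirror lag, the 60 second window, independent rebuild phases and simultaneous detection by every list are assumptions.

```python
import random

def p_listed(t, interval, lag=0.0):
    """Chance that one DNSBL mirror serves the listing t seconds after the
    operator detected the campaign. The zone is rebuilt every `interval`
    seconds at an unknown (uniform) phase; mirrors need `lag` seconds to sync."""
    if interval <= 0:
        raise ValueError("interval must be positive")
    return min(1.0, max(0.0, (t - lag) / interval))

def p_any_listed(t, lists):
    """Chance that at least one list in `lists` [(interval, lag), ...] serves
    the listing at time t. Assumes the lists rebuild independently."""
    miss = 1.0
    for interval, lag in lists:
        miss *= 1.0 - p_listed(t, interval, lag)
    return 1.0 - miss

def simulate(t, lists, trials=20000, seed=1):
    """Monte Carlo cross-check of p_any_listed under the same assumptions."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        # Time until each list's next rebuild is uniform in [0, interval).
        if any(rng.uniform(0, interval) + lag <= t for interval, lag in lists):
            hits += 1
    return hits / trials

if __name__ == "__main__":
    T, LAG, WINDOW = 300, 30, 60   # 5 min rebuild (page); lag, window assumed
    for n in (2, 8):
        lists = [(T, LAG)] * n
        print(f"{n} lists: model={p_any_listed(WINDOW, lists):.3f} "
              f"sim={simulate(WINDOW, lists):.3f}")
```

Under these assumptions a mail arriving 60 seconds after detection is caught by at least one of 2 lists about 19% of the time, and by at least one of 8 lists about 57% of the time.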
