ACME Labs mail filtering tutorial

Tom Anderson tanderso at oac-design.com
Fri May 27 15:58:43 CEST 2005


----- Original Message ----- 
From: ".rp" <printer at moveupdate.com>
> Very nice work. Not sure I understand the graphs but I like the texts.
> I have to disagree with you about DNS-RBL's though. I have not had any
> complaints about false rejections from the ones I use.

I agree.  Simply choose the DNSBLs that strictly adhere to an objective 
policy; i.e., they only add a server to their list if they receive a physical 
spam from that server, or if the server is an open proxy/relay, or if the 
server is otherwise exploitable.  Moreover, they should honor removal 
requests immediately without question.  These lists are very effective. 
About 80% of the spam received by Americans and Europeans originates from 
only about 200 spam gangs (http://www.spamhaus.org/rokso/index.lasso), and 
since they are sending such huge quantities, they end up on these blocklists 
rather quickly no matter where they send from.  It's only the smaller 
operations that only send out a few thousand or million spams that stay off 
these lists for a while.  Here are the ones I use:

DNSBLs
sbl-xbl.spamhaus.org
http.dnsbl.sorbs.net
socks.dnsbl.sorbs.net
smtp.dnsbl.sorbs.net
web.dnsbl.sorbs.net
list.dsbl.org
relays.visi.com

RHSBLs
dsn.rfc-ignorant.org
postmaster.rfc-ignorant.org
bogusmx.rfc-ignorant.org
whois.rfc-ignorant.org

By far, Spamhaus is my most prolific matcher, followed by Sorbs.  Overnight 
from 9pm-7am this morning, spamhaus.org blocked 139 spams, sorbs.net blocked 
34, dsbl.org blocked 6, and visi.com blocked 1.  During that time, 
bogofilter caught 9 spams which got through the blocklists.  I had zero 
unsures.  9 hams.  And I had just 2 false negatives, which were both 
identical real estate offers from different Polish addresses.  So my 
combined effectiveness last night was 99% (198/200), and although I may have 
achieved similar results just using bogofilter, I reduced bogofilter's load 
by 90%, and I similarly reduced the time needed for me to browse through the 
filtered emails before deleting them.  Therefore DNSBLs are remarkably 
effective.

I've never received a complaint about a false positive, however, I once was 
rejected by Spamhaus myself (from someone else's server) on my home Comcast 
connection probably because I received a new dynamic IP previously owned by 
a worm-laden user.  But I received a bounce when that happened clearly 
showing why it didn't go through, and when I went to spamhaus.org and 
requested removal, I was soon able to send emails to that server again. 
Therefore, I see the false positive risk as zero.

> I would also add to your procmail section setting up a phony account that
> has anything sent to it delivered to bogofilter as spam.

Yup, honeypots are a good idea too.

Tom
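The lookups Tom's setup relies on, as an added example that is not from the original post or from bogofilter: it builds the reversed-octet DNSBL query name and the sender-domain RHSBL query name for the zones listed above, and treats only a 127.0.0.0/8 answer as a hit. The `FAKE_ANSWERS` table and the addresses in it are constructed so the code runs offline; `system_resolver` is the real lookup.

```python
import ipaddress
import socket
from typing import Callable, Dict, List, Optional

# Zones exactly as listed in the message above.
DNSBLS = ["sbl-xbl.spamhaus.org", "http.dnsbl.sorbs.net", "socks.dnsbl.sorbs.net",
          "smtp.dnsbl.sorbs.net", "web.dnsbl.sorbs.net", "list.dsbl.org", "relays.visi.com"]
RHSBLS = ["dsn.rfc-ignorant.org", "postmaster.rfc-ignorant.org",
          "bogusmx.rfc-ignorant.org", "whois.rfc-ignorant.org"]

Resolver = Callable[[str], Optional[str]]  # name -> A record, or None for NXDOMAIN


def dnsbl_query_name(ip: str, zone: str) -> str:
    """IPv4 DNSBLs are keyed on the reversed octets: 192.0.2.10 -> 10.2.0.192.<zone>."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on anything that is not IPv4
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def rhsbl_query_name(sender: str, zone: str) -> str:
    """RHSBLs are keyed on the sender's domain (the right-hand side of the address)."""
    domain = sender.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    return f"{domain}.{zone}"


def system_resolver(name: str) -> Optional[str]:
    """Real DNS: an A record means listed, NXDOMAIN (gaierror) means not listed."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def is_listed(answer: Optional[str]) -> bool:
    # Blocklists answer inside 127.0.0.0/8.  Any other address is a wildcarded or
    # retired zone (or a captive-portal resolver), so it is NOT counted as a hit.
    return answer is not None and ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8")


def check_sender(ip: str, sender: str, resolve: Resolver = system_resolver) -> Dict[str, List[str]]:
    """Return which zones list the connecting IP and which list the sender domain."""
    hits: Dict[str, List[str]] = {"dnsbl": [], "rhsbl": []}
    hits["dnsbl"] = [z for z in DNSBLS if is_listed(resolve(dnsbl_query_name(ip, z)))]
    hits["rhsbl"] = [z for z in RHSBLS if is_listed(resolve(rhsbl_query_name(sender, z)))]
    return hits


# Constructed answers standing in for DNS so the example runs offline (hypothetical data).
FAKE_ANSWERS = {"10.2.0.192.sbl-xbl.spamhaus.org": "127.0.0.4",
                "example.net.bogusmx.rfc-ignorant.org": "127.0.0.2",
                "5.113.0.203.list.dsbl.org": "198.51.100.1"}  # wildcard-style junk answer


def fake_resolver(name: str) -> Optional[str]:
    return FAKE_ANSWERS.get(name)


if __name__ == "__main__":
    print(check_sender("192.0.2.10", "bob@example.net", fake_resolver))
```

The 127.0.0.0/8 check matters in practice: list.dsbl.org and the rfc-ignorant.org zones have since been retired, and a retired or wildcarded zone can answer every query, which would reject all mail if any answer were taken as a hit.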
