ACME Labs mail filtering tutorial
Tom Anderson
tanderso at oac-design.com
Fri May 27 15:58:43 CEST 2005
----- Original Message -----
From: ".rp" <printer at moveupdate.com>
> Very nice work. Not sure I understand the graphs but I like the texts.
> I have to disagree with you about DNS-RBL's though. I have not had any
> complaints about false rejections from the ones I use.
I agree. Simply choose the DNSBLs that strictly adhere to an objective
policy; i.e., they only add a server to their list if they receive a physical
spam from that server, or if the server is an open proxy/relay, or if the
server is otherwise exploitable. Moreover, they should honor removal
requests immediately without question. These lists are very effective.
About 80% of the spam received by Americans and Europeans originates from
only about 200 spam gangs (http://www.spamhaus.org/rokso/index.lasso), and
since they are sending such huge quantities, they end up on these blocklists
rather quickly no matter where they send from. It's only the smaller
operations that only send out a few thousand or million spams that stay off
these lists for a while. Here are the ones I use:
DNSBLs
sbl-xbl.spamhaus.org
http.dnsbl.sorbs.net
socks.dnsbl.sorbs.net
smtp.dnsbl.sorbs.net
web.dnsbl.sorbs.net
list.dsbl.org
relays.visi.com
RHSBLs
dsn.rfc-ignorant.org
postmaster.rfc-ignorant.org
bogusmx.rfc-ignorant.org
whois.rfc-ignorant.org
By far, Spamhaus is my most prolific matcher, followed by Sorbs. Overnight,
from 9pm to 7am this morning, spamhaus.org blocked 139 spams, sorbs.net blocked
34, dsbl.org blocked 6, and visi.com blocked 1. During that time,
bogofilter caught 9 spams which got through the blocklists. I had zero
unsures and 9 hams. And I had just 2 false negatives, which were both
identical real estate offers from different Polish addresses. So my
combined effectiveness last night was 99% (198/200), and although I may have
achieved similar results just using bogofilter, I reduced bogofilter's load
by 90%, and I similarly reduced the time needed for me to browse through the
filtered emails before deleting them. Therefore DNSBLs are remarkably
effective.
I've never received a complaint about a false positive; however, I once was
rejected by Spamhaus myself (from someone else's server) on my home Comcast
connection, probably because I received a new dynamic IP previously owned by
a worm-laden user. But I received a bounce when that happened clearly
showing why it didn't go through, and when I went to spamhaus.org and
requested removal, I was soon able to send emails to that server again.
Therefore, I see the false positive risk as zero.
> I would also add to your procmail section setting up a phony account that
> has anything sent to it delivered to bogofilter as spam.
Yup, honeypots are a good idea too.
Tom
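An added example (not part of the post or of bogofilter) of how lookups against the zones listed above work: the connecting IP's octets are reversed under each DNSBL zone, the sender's domain is prefixed to each RHSBL zone, and every zone is first checked with the RFC 5782 test entries so a list that has gone dead or started answering for every name is ignored rather than rejecting all mail. The resolver is injected and the answers below are constructed, so it runs offline.

```python
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple
# Zones named in the post: IP-keyed DNSBLs and domain-keyed RHSBLs.
DNSBL_ZONES = ["sbl-xbl.spamhaus.org", "http.dnsbl.sorbs.net", "socks.dnsbl.sorbs.net",
               "smtp.dnsbl.sorbs.net", "web.dnsbl.sorbs.net", "list.dsbl.org", "relays.visi.com"]
RHSBL_ZONES = ["dsn.rfc-ignorant.org", "postmaster.rfc-ignorant.org",
               "bogusmx.rfc-ignorant.org", "whois.rfc-ignorant.org"]
# A resolver maps a query name to its A record text, or None when the name does not exist.
Resolver = Callable[[str], Optional[str]]

def dnsbl_query_name(ip: str, zone: str) -> str:
    """DNSBL convention: reverse the IPv4 octets and append the zone (1.2.3.4 -> 4.3.2.1.zone)."""
    return ".".join(reversed(ipaddress.IPv4Address(ip).exploded.split("."))) + "." + zone

def rhsbl_query_name(domain: str, zone: str) -> str:
    """RHSBL convention: the sender's domain is prepended to the zone unchanged."""
    return domain.strip(".").lower() + "." + zone

def zone_is_sane(zone: str, resolve: Resolver, rhs: bool = False) -> bool:
    """RFC 5782 self-test: the test entry must be listed and the negative entry must not be,
    so a dead or wildcarded zone (one that lists everything) is skipped instead of trusted."""
    if rhs:
        pos, neg = rhsbl_query_name("test", zone), rhsbl_query_name("invalid", zone)
    else:
        pos, neg = dnsbl_query_name("127.0.0.2", zone), dnsbl_query_name("127.0.0.1", zone)
    return resolve(pos) is not None and resolve(neg) is None

def check_sender(ip: str, sender_domain: str, resolve: Resolver) -> List[Tuple[str, str]]:
    """Return (zone, answer) for every sane list that has the connecting IP or sender domain."""
    queries = [(z, dnsbl_query_name(ip, z), False) for z in DNSBL_ZONES]
    queries += [(z, rhsbl_query_name(sender_domain, z), True) for z in RHSBL_ZONES]
    hits = []
    for zone, name, rhs in queries:
        if zone_is_sane(zone, resolve, rhs):
            answer = resolve(name)
            if answer and answer.startswith("127."):  # listings are returned inside 127.0.0.0/8
                hits.append((zone, answer))
    return hits

# Constructed answers (not real list data): spamhaus lists the sample IP, dsn.rfc-ignorant lists the
# sample domain, and list.dsbl.org is simulated as wildcarded (answers even for 127.0.0.1), so it is skipped.
SAMPLE_ANSWERS: Dict[str, str] = {
    dnsbl_query_name("127.0.0.2", "sbl-xbl.spamhaus.org"): "127.0.0.2",
    dnsbl_query_name("198.51.100.23", "sbl-xbl.spamhaus.org"): "127.0.0.4",
    rhsbl_query_name("test", "dsn.rfc-ignorant.org"): "127.0.0.2",
    rhsbl_query_name("example.net", "dsn.rfc-ignorant.org"): "127.0.0.2",
}

def sample_resolver(name: str) -> Optional[str]:
    return "127.0.0.2" if name.endswith(".list.dsbl.org") else SAMPLE_ANSWERS.get(name)
```

For live use, pass a resolver that wraps `socket.gethostbyname` and returns None on `socket.gaierror`, so NXDOMAIN reads as "not listed".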