Mabu Posted February 5, 2006

First and foremost let me say I love Spamcop's RBL and I'm one of the service's biggest boosters to the Internet community. However, I'm beginning to believe it just isn't as effective as it used to be.

A little background: I run a dedicated mail server for several hundred clients who include everything from individual/non-commercial users to large corporations, government agencies and several prominent media groups. I consider my customers to be a very good mix of a wide variety of demographics for typical online users. I am very anal about making sure legit mail is not blocked and would prefer to err on the side of caution. I employ no content-based filtering, only RBLs, and I stop about 95% of spam this way.

I haven't done a lot of research but my impression is that the current criteria for SCBL is that after x amount of time, blacklisted entries expire from the database. This would explain the ineffectiveness of the RBL over time, as spammers now operate from ever-rotating, very large chunks of DUL IP space that they can move through without many problems from Spamcop.

In an attempt to deal with this, I've set up my own Sendmail access-based RBL and here are the stats for the past week:

Date, received mail, invalid users, Spamcop caught, Spamhaus caught, my own RBL caught
Jan 26 00:00:00, 4648, 1084, 2201, 528, 16132
Jan 27 00:00:00, 4634, 1488, 2280, 608, 16011
Jan 28 00:00:00, 2634, 1086, 2622, 535, 14516
Jan 29 00:00:00, 2654, 1284, 2465, 624, 16172
Jan 30 00:00:00, 5173, 1401, 2577, 645, 15844
Jan 31 00:00:00, 5370, 1490, 3493, 628, 17387
Feb 1 00:00:00, 4997, 1197, 2290, 617, 15640
Feb 2 00:00:00, 5130, 1129, 2782, 778, 18250
Feb 3 00:00:00, 4478, 1119, 2967, 649, 17198
Feb 4 00:00:00, 2823, 788, 2596, 532, 13251

According to the figures above...

* This server receives 24,756 daily e-mails on average, of which 19,281 (77.9%) are confirmed spam.
* If you consider most invalid user e-mails to be spam or spam bounces, then the UCE rate jumps to around 82%
* Spamcop's RBL catches 2627 spams a day or 13.63% of confirmed spam
* Spamhaus's RBL catches 614 spams per day
* My homebrew RBL catches 16040 spams a day or 83.18% of confirmed spam

It looks like my RBL is much more effective than either Spamcop or Spamhaus's efforts. What am I doing differently? Well, I am not removing IPs from the database unless I'm specifically asked. If I'm asked, then I do so without any additional questions. In about five years, I've had maybe 1-2 dozen reports of legitimate mail being blocked, and in every case, I fixed this quickly. In the same period of time, I've probably had a similar amount of legit mail blocked complaints involving both SCBL and Spamhaus.

I sometimes do wholesale IP range blocks when I run across a spam I can identify as coming from DUL space. I also have aggressively identified "rogue spam nations" like China, Korea and others and have most of their class Bs RBL'd. If I ever get any requests for removal, I whitelist IP blocks upon request.

In fairness, it may be possible that my access-based RBL might be checked first, before Spamcop or Spamhaus (can someone verify this?) and this might be a factor in my system statistically seeming far superior to Spamcop. I guess the best way to test this would be to remove my RBL and tabulate some figures alone based on the existing RBLs, but I'm still pretty certain that my system is at least just as effective and most likely more than SCBL.

My feeling is that it is now no longer an option, but a NECESSITY to PERMANENTLY RBL DUL SPACE that should not have outbound SMTP traffic. AOL and a few responsible ISPs have finally decided to filter port 25 and this has made a tremendously positive impact on the reduction of spam, but others like Mindspring, Verizon, TDE, AT&T, Comcast and others have not taken action.

As a result, I think responsible ISPs should just stop accepting mail from their DUL IP space. We need to force these systems into policing their own users' illegal activities. If Spamcop is expiring DUL IP RBL entries, then the service is nowhere near as useful as it needs to be.

Comments?
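The check-order caveat raised in the post, as an added example that is not part of the original post: it assumes the mail server rejects at the first list that matches and logs only that list, and shows how the same traffic then yields different per-list counts depending on order. The connection sample and the list labels are constructed for illustration.

```python
"""Added example: first-match attribution vs. independent per-list counting."""
from collections import Counter

# Constructed sample (not real traffic): for each spam connection, the set of
# lists that would reject it if queried on its own.
CONNECTIONS = (
    [{"local", "spamcop"}] * 40
    + [{"local", "spamcop", "spamhaus"}] * 10
    + [{"local"}] * 35
    + [{"spamcop"}] * 10
    + [{"spamhaus"}] * 5
)

def first_match_counts(connections, order):
    """Credit each connection only to the first list in `order` that lists it.

    Assumption: this mirrors a reject log where checking stops at the first hit.
    """
    counts = Counter()
    for listed_on in connections:
        for name in order:
            if name in listed_on:
                counts[name] += 1
                break
    return counts

def independent_counts(connections):
    """Credit every list that would have matched, regardless of check order."""
    counts = Counter()
    for listed_on in connections:
        counts.update(listed_on)
    return counts

def shares(counts, total):
    """Percentage of all spam connections credited to each list."""
    return {name: round(100 * n / total, 1) for name, n in counts.items()}

if __name__ == "__main__":
    total = len(CONNECTIONS)
    for order in (("local", "spamcop", "spamhaus"),
                  ("spamcop", "spamhaus", "local")):
        print(order, shares(first_match_counts(CONNECTIONS, order), total))
    print("independent", shares(independent_counts(CONNECTIONS), total))
```

Only the independent count, or a run with each list enabled alone as the post proposes, compares the lists on equal terms.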