Hello. Is anyone there?

Jeff Kinz jkinz at kinz.org
Tue Jul 8 16:51:08 EDT 2003


On Tue, Jul 08, 2003 at 01:38:20PM -0400, Steven W. Orr wrote:
> Lots of interesting commentary here.
  Thanks! :-)
> 
> * Why do I use RBL's in the 1st place? Because I would much rather reject 
> mail before it's received than after. If I filter it out after then they 
> know that I have accepted it. 

Unfortunately top shelf spammers (an absurd concept!) will not be
stopped by RBL's since they just change accounts every few hours and use
automated tools to pump those accounts to the max of their limited 
transmission capability. (Try sending out an email to 100 people
if you're a comcast subscriber!)   By using multiple parallel accounts
they achieve large transmission rates from non-RBL'ed sites.

So RBL problem #1: RBL doesn't stop the smartest spammers so you will
                   have to filter on content no matter what you do.

> 
> * Derek Martin said that you have no way of knowing if you've missed 
> important mail. Not true: I get a report every morning showing what 
> senders were rejected. (I just wasn't paying attention.)

Right - which means the RBL technique is failure-prone whenever people are part 
of it. No one pays attention to something they see all the time. So it's always 
going to fail.

RBL problem #2: RBL incorrectly rejects large amounts of non-spam.

RBL problem #3: Any possible notice about false positive (see #2), will
                be completely buried in the mass of true-positive
                notices and not be noticed.
> 
> * Jeff Kinz says it's not important to make sure that you are accepted by 
> all RBLs. 

This is a mis-quote or a complete fabrication of what I said.  In the
future please actually quote what I said so it can't be mis-interpreted
unless I write it badly, OK? :-)  Thanks. (There's a fair chance I'll
write it poorly anyway.. :-) 

What I said was (and I'll quote it:)
>On Tue, Jul 08, 2003 at 12:29:08PM -0400, Steven W. Orr wrote:
>> But I really do think that it's somewhat important to find out why easynet
>> thinks that gnhlug.org is a spammer? 
>
>No, it's not important to do that because there will always be another
>RBL list somewhere which is also broken, especially since RBL's are
>proliferating at an increasing rate.

So I'm saying that it's not that important to correct RBL's which have 
bad information because so many do. (see more on this below).  Why
waste your life yelling at people who aren't going to change your
listing in their RBL anyway?

> I totally disagree on this one. You don't have to be accepted by 
> an RBL but you should at least know why they are rejecting you and to 
> have at least made the effort to try to clear up the conflict. Like I 
> mentioned earlier, some RBLs base themselves on vastly different criteria. 
> Some criteria are acceptable and some are not (to me). For example, I 
> mentioned one RBL that rejects all clients of uunet. Another rejects all 
> dynamic ip addresses. You have to decide what sets are right for you.

Clearly the RBL's which list all of uunet and all dynamic IPs have more
bad information than they have good information about Spam sources.

As Bruce Dawson pointed out today:
>The problem is that easynet.nl (and a number of others) DO NOT remove
>addresses from their lists - regardless of the number or type of requests.
>And a number of others do not validate the requests to list spamming
>addresses.

>So, if your system is coopted by a spam worm, then your system is dead as
>far as these RBLs and internet mail is concerned. Even if you use virus
>protection. Even if you get rid of the open proxy. You can never get off
>their lists.

There are many RBL's and more are popping up as we go forward.  While
some are worse than others, ALL of them have erroneous information in
them that will cause you to throw away real email and at the same time
they don't prevent spam from getting to your system.  Eventually this
will cause RBL's to become un-trusted and eventually less used.  Since
some people have falsely submitted domains/ip's to RBL's to
harm the owners/users of same, and more people continue to do it all
the time, it's clear we will never be able to trust the RBL's.

I'll admit it's nice and easy to say "Oh Ip 192.x.x.x? Sorry, you're spam,
disconnect" before the email can arrive on your site/system.  But this
is one time where taking the easy way out is the wrong way to do it.

For Non-ISP's, using RBL's will ultimately do more harm than good.
(False positives causing missed email)
(ISP's aren't harmed when they block their customers' real email as spam
so they can use an RBL without fear.  Most of them will not lose enough
customers for it to ever be a problem, unfortunately.)

In order to intelligently stop spam you cannot filter on RBL based IP
addresses/domains.  You must filter only on content.  The trials which
the Bogofilter people have run on real email indicate that it is more
accurate than any other way of doing it.
(http://bogofilter.sourceforge.net/bogofilter-faq.html)

I really really want to urge everyone who hasn't tried it yet to take a
look at the Bayesian-based spam-filtering solutions.  It is really the
best solution.

Thanks for your time.


-- 
Jeff Kinz, Open-PC, Emergent Research,  Hudson, MA.  jkinz at kinz.org
copyright 2003.  Use is restricted. Any use is an 
acceptance of the offer at http://www.kinz.org/policy.html.
Don't forget to change your password often.
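
An added example, not part of the original message: a small triage pass over the kind of morning rejection report discussed above, pulling rejections from known correspondents out of the mass of true positives (RBL problem #3). The report line format, the sample lines, and the names `KNOWN_SENDERS` and `KNOWN_DOMAINS` are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample report; the line format is an assumption, not a real MTA's.
REPORT = """\
2003-07-08T02:11:04 reject from=<offers@bulk.example> ip=203.0.113.7 rbl=rbl-a.example
2003-07-08T02:11:09 reject from=<win@bulk.example> ip=203.0.113.7 rbl=rbl-a.example
2003-07-08T03:40:51 reject from=<discuss-bounces@lists.club.example> ip=192.0.2.25 rbl=rbl-b.example
2003-07-08T04:02:17 reject from=<> ip=198.51.100.9 rbl=rbl-a.example
2003-07-08T05:55:30 reject from=<Alice@Partner.example> ip=198.51.100.44 rbl=rbl-b.example
2003-07-08T06:13:02 reject from=<deals@promo.example> ip=203.0.113.80 rbl=rbl-a.example
"""

# Hypothetical allowlist, e.g. built from an address book or past accepted mail.
KNOWN_SENDERS = {"alice@partner.example"}
KNOWN_DOMAINS = {"lists.club.example"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) reject from=<(?P<sender>[^>]*)> ip=(?P<ip>\S+) rbl=(?P<rbl>\S+)$"
)

def parse_report(text):
    """Parse report lines into dicts; lines that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows

def likely_false_positives(rows, known_senders, known_domains):
    """Rejections whose envelope sender is a known correspondent.

    Envelope senders can be forged, so a hit is a prompt for review, not proof.
    """
    hits = []
    for r in rows:
        sender = r["sender"].lower()          # empty for bounces ("<>")
        domain = sender.rpartition("@")[2]
        if sender in known_senders or domain in known_domains:
            hits.append(r)
    return hits

def summarize(rows, known_senders, known_domains):
    """Total rejections, the suspect ones, and which RBL zone caused them."""
    hits = likely_false_positives(rows, known_senders, known_domains)
    per_rbl = Counter(r["rbl"] for r in hits)
    return {"total": len(rows), "suspect": hits, "per_rbl": dict(per_rbl)}

if __name__ == "__main__":
    print(summarize(parse_report(REPORT), KNOWN_SENDERS, KNOWN_DOMAINS))
```
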


