Hello. Is anyone there?

Steven W. Orr steveo at syslang.net
Tue Jul 8 18:43:53 EDT 2003


On Tuesday, Jul 8th 2003 at 16:51 -0400, quoth Jeff Kinz:

=>On Tue, Jul 08, 2003 at 01:38:20PM -0400, Steven W. Orr wrote:
=>> Lots of interesting commentary here.
=>  Thanks! :-)
=>> 
=>> * Why do I use RBL's in the 1st place? Because I would much rather reject 
=>> mail before it's received than after. If I filter it out after then they 
=>> know that I have accepted it. 
=>
=>Unfortunately top shelf spammers (an absurd concept!) will not be
=>stopped by RBL's since they just change accounts every few hours and use
=>automated tools to pump those accounts to the max of their limited 
=>transmission capability. (Try sending out an email to 100 people
=>if you're a comcast subscriber!)   By using multiple parallel accounts
=>they achieve large transmission rates from non-RBL'ed sites.
=>
=>So RBL problem #1: RBL doesn't stop the smartest spammers so you will
=>                   have to filter on content no matter what you do.

We're in 100% agreement. That's why I use my RBLs, *plus* other traps and 
filters from inside sendmail *plus*  the latest version of spamassassin. 
The amount of spam that actually makes it through is *very* low. But the 
amount that has to be processed by spamassassin is very low to begin with.

Also, the time that it takes for an address to get into lots of the RBL is 
generally pretty low.

=>
=>> 
=>> * Derek Martin said that you have no way of knowing if you've missed 
=>> important mail. Not true: I get a report every morning showing what 
=>> senders were rejected. (I just wasn't paying attention.)
=>
=>Right - which means the RBL technique is failure-prone whenever people
=>are part of it. No one pays attention to something they see all the
=>time. So it's always going to fail.
=>
=>RBL problem #2: RBL incorrectly rejects large amounts of non-spam.
=>
=>RBL problem #3: Any possible notice about false positive (see #2), will
=>                be completely buried in the mass of true-positive
=>		notices and not be noticed.

Some RBLs are better than others. This episode underscored a change that I 
will be making to my daily reject analyser to make it more obvious to me 
what domains were rejected.

=>> 
=>> * Jeff Kinz says it's not important to make sure that you are accepted by 
=>> all RBLs. 
=>
=>This is a mis-quote or a complete fabrication of what I said.  In the
=>future please actually quote what I said so it can't be mis-interpreted
=>unless I write it badly, OK? :-)  Thanks. (There's a fair chance I'll
=>write it poorly anyway.. :-) 
=>
=>What I said was (and I'll quote it:)
=>>On Tue, Jul 08, 2003 at 12:29:08PM -0400, Steven W. Orr wrote:
=>>> But I really do think that it's somewhat important to find out why easynet
=>>> thinks that gnhlug.org is a spammer? 
=>>
=>>No, it's not important to do that because there will always be another
=>>RBL list somewhere which is also broken, especially since RBL's are
=>>proliferating at an increasing rate.
=>
=>So I'm saying that it's not that important to correct RBL's which have 
=>bad information because so many do. (see more on this below).  Why
=>waste your life yelling at people who aren't going to change your
=>listing in their RBL anyway?

Ah, but they all *do* respond to people fixing their problems. Otherwise 
they would all run out of disk space. :-) Seriously, I've never heard of 
an RBL that won't take someone off their list if the problems get 
corrected. I think there was one but they're gone now.

=>
=>> I totally disagree on this one. You don't have to be accepted by 
=>> an RBL but you should at least know why they are rejecting you and to 
=>> have at least made the effort to try to clear up the conflict. Like I 
=>> mentioned earlier, some RBLs base themselves on vastly different criteria. 
=>> Some criteria are acceptable and some are not (to me). For example, I 
=>> mentioned one RBL that rejects all clients of uunet. Another rejects all 
=>> dynamic ip addresses. You have to decide what sets are right for you.
=>
=>Clearly the RBL's which list all of uunet and all dynamic IPs have more
=>bad information than they have good information about Spam sources.
=>
=>As Bruce Dawson pointed out today:
=>>The problem is that easynet.nl (and a number of others) DO NOT remove
=>>addresses from their lists - regardless of the number or type of requests.
=>>And a number of others do not validate the requests to list spamming
=>>addresses.
=>
=>>So, if your system is coopted by a spam worm, then your system is dead as
=>>far as these RBLs and internet mail is concerned. Even if you use virus
=>>protection. Even if you get rid of the open proxy. You can never get off
=>>their lists.
=>
=>There are many RBL's and more are popping up as we go forward.  While
=>some are worse than others, ALL of them have erroneous information in
=>them that will cause you to throw away real email and at the same time
=>they don't prevent spam from getting to your system.  Eventually this
=>will cause RBL's to become un-trusted and eventually less used.  Since
=>some people have falsely submitted domains/ip's to RBL's to
=>harm the owners/users of same, and more people continue to do it all
=>the time, it's clear we will never be able to trust the RBL's
=>
=>I'll admit it's nice and easy to say "Oh Ip 192.x.x.x? Sorry, you're spam,
=>disconnect" before the email can arrive on your site/system.  But this
=>is one time where taking the easy way out is the wrong way to do it.

Not sure I agree on this one. Apparently this address *was* legitimately 
tagged and never made any effort before to be taken off. This is the first 
we've heard of it. Sounds like easynet didn't do anything wrong.

=>For Non-ISP's, using RBL's will ultimately do more harm than good.
=>(False positives causing missed email)
=>(ISP's aren't harmed when they block their customer's real email as spam
=>so they can use an RBL without fear.  Most of them will not lose enough
=>customers for it to ever be a problem, unfortunately.)

No. The amount of mail that I get vs the false positives I've had are so 
incredibly disproportionate as to not even allow me to consider changing 
what I have going currently.

=>In order to intelligently stop spam you cannot filter on RBL based IP
=>addresses/domains.  You must filter only on content.  The trials which
=>the Bogofilter people have run on real email indicate that it is more
=>accurate than any other way of doing it.

The spamassassin builtin bayesian seems to be doing a noticeably better job 
than previous versions. But my experience is that I do better with my 
sendmail tricks (which you can see at 
http://steveo.syslang.net/sendmail.mc) in conjunction with spamassassin 
than I do with just spamassassin. And spamassassin does a lot more than 
just simple bayesian filtering.

=>(http://bogofilter.sourceforge.net/bogofilter-faq.html)

=>I really really want to urge everyone who hasn't tried it yet to take a
=>look at the Bayesian based spam-filtering solutions.  It is really the
=>best solution.

Definitely a good blade on the Swiss army knife of mail tricks. :-)


-- 
-Time flies like the wind. Fruit flies like a banana. Stranger things have -
-happened but none stranger than this. Does your driver's license say Organ
-Donor?Black holes are where God divided by zero. Listen to me! We are all-
-individuals! What if this weren't a hypothetical question?
steveo at syslang.net
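
A sketch of the kind of daily reject summary discussed in this thread, added here as an example and not taken from the original message or from the poster's own analyser: it groups DNSBL rejections by relay domain and sorts watched and one-off domains above the bulk, so a possible false positive is not buried among true positives. The log layout, the dnsbl-*.example zone names, the watchlist and all sample lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the style of sendmail DNSBL reject entries. The field
# layout and the dnsbl-*.example zone names are assumptions; adapt to your logs.
SAMPLE_LOG = """\
Jul  8 03:10:01 mx sendmail[2101]: h687A1x2: ruleset=check_relay, relay=pool-7.bulk.example.net [198.51.100.7], reject=550 5.7.1 Rejected: 198.51.100.7 listed at dnsbl-a.example
Jul  8 03:10:09 mx sendmail[2102]: h687A9x3: ruleset=check_relay, relay=pool-8.bulk.example.net [198.51.100.8], reject=550 5.7.1 Rejected: 198.51.100.8 listed at dnsbl-a.example
Jul  8 04:22:40 mx sendmail[2188]: h688Mex4: ruleset=check_relay, relay=lists.example.org [203.0.113.25], reject=550 5.7.1 Rejected: 203.0.113.25 listed at dnsbl-b.example
Jul  8 05:01:13 mx sendmail[2240]: h6891Dx5: ruleset=check_relay, relay=pool-7.bulk.example.net [198.51.100.7], reject=550 5.7.1 Rejected: 198.51.100.7 listed at dnsbl-b.example
Jul  8 05:30:00 mx sendmail[2251]: h689U0x6: ruleset=check_relay, relay=[192.0.2.40], reject=550 5.7.1 Rejected: 192.0.2.40 listed at dnsbl-a.example
Jul  8 05:31:00 mx sendmail[2252]: h689V0x7: from=<a@example.com>, size=1200, relay=mail.example.com [192.0.2.99]
"""

REJECT_RE = re.compile(
    r"relay=(?:(?P<host>\S+) )?\[(?P<ip>[\d.]+)\], "
    r"reject=\d{3} \S+ Rejected: \S+ listed at (?P<zone>\S+)"
)

def base_domain(host):
    """Last two labels of the relay name (naive; not public-suffix aware)."""
    return ".".join(host.rstrip(".").lower().split(".")[-2:])

def summarize(log_text, watchlist=()):
    """Group DNSBL rejects by relay domain; watched and rare domains first."""
    stats = defaultdict(lambda: {"count": 0, "zones": set(), "ips": set()})
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m:
            continue  # accepted mail or a reject from some other rule
        # Relays with no reverse DNS are logged as a bare [ip]; key on the IP.
        key = base_domain(m["host"]) if m["host"] else m["ip"]
        stats[key]["count"] += 1
        stats[key]["zones"].add(m["zone"])
        stats[key]["ips"].add(m["ip"])
    rows = [
        {"domain": d, "count": s["count"], "zones": sorted(s["zones"]),
         "ips": sorted(s["ips"]), "watch": d in watchlist}
        for d, s in stats.items()
    ]
    # One-off rejects are where false positives hide, so they sort above bulk.
    rows.sort(key=lambda r: (not r["watch"], r["count"], r["domain"]))
    return rows

if __name__ == "__main__":
    for r in summarize(SAMPLE_LOG, watchlist={"example.org"}):
        flag = "WATCH" if r["watch"] else "     "
        print(f'{flag} {r["count"]:4d}  {r["domain"]:<16} {",".join(r["zones"])}')
```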


