6

There are many blacklists out there, with bad and good reputations. Also, some people recommend using RBL lists only in score-based systems (like SpamAssassin), while others (including commercial service providers, think Barracuda) extensively use lists to hard-block messages before even looking at them.

The problem with using an RBL list to directly discard messages comes from false positives, which 99% of the time would otherwise survive a score-based system. I'm wondering if there are lists out there that could be put to good use in pre-queue, that have very, very low false positives even if they are maybe less effective at catching true spam messages. Such lists would be good, in combination with greylisting, to skim a good part of the mail intake before running it through a content analysis system.

We are currently using only Abuseat's CBL to block SMTP connections, and we're not aware of any false positives introduced by this. Lists from the Spamhaus Project also look promising, but which ones? Or all of them (like using ZEN)?

  • Do you use (trust) RBL lists to directly block SMTP sources?
  • Is there any known study on false positive rates, or do you have any experience to report?
  • What lists would you recommend for this kind of filtering?
Luke404
  • possible duplicate of [Which anti spam DNS blacklists should used?](http://serverfault.com/questions/13670/which-anti-spam-dns-blacklists-should-used) – Justin Scott Jul 29 '10 at 19:18
  • @Justin, that question was about the use of lists in general and didn't go into the specific difference between hard dropping and score-based systems. This means different criteria for the list selection; score-based systems can tolerate some false positives in single lists to achieve overall better results when combining scores. – Luke404 Jul 30 '10 at 07:02

2 Answers

8

I used to trust RBLs directly. Then I went to scoring with policyd-weight, which is much safer (but not your question).

I would only trust these RBLs for direct blocking:

  • zen.spamhaus.org (I think it includes the CBL of Abuseat)
  • ix.dnsbl.manitu.net (iX magazine)
  • dnsrbl.swinog.ch (Swiss network operators group)

IMPORTANT: never ever trust anything related to uceprotect. The admin there is totally insane and blocking stuff based on his own "understanding" of what's good or bad (he then generously offers unblocking by payment...).

weeheavy
  • 1
    +1 for uceprotect: our IT group spoke to him years ago, definitely insane. We had him on speakerphone; I think we recorded the call too, mostly for historical LOL purposes. – gravyface Jul 29 '10 at 11:33
  • 1
    I generally trust `zen.spamhaus.org` for immediate rejection (with a nice, meaningful 5xx error message). If you have a low tolerance for false-positives I'd suggest the scoring approach mentioned above. – voretaq7 Jul 29 '10 at 16:38
  • What about `safe.dnsbl.sorbs.net`? – Joseph May 27 '15 at 09:30
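
An added example, not part of the original posts: when a list such as `zen.spamhaus.org` is used for hard rejection, one avoidable source of false positives is treating any DNS answer as a listing. The sketch below builds the query name and only rejects on Spamhaus's documented listing codes in 127.0.0.0/24, treating the 127.255.255.0/24 error codes (for example, queries sent through a public resolver) as non-listings. The function names and the three verdict strings are illustrative assumptions.

```python
import ipaddress
import socket

LISTED = ipaddress.ip_network("127.0.0.0/24")      # genuine listing codes
ERRORS = ipaddress.ip_network("127.255.255.0/24")  # list refused or could not serve the query

def dnsbl_query_name(ip, zone="zen.spamhaus.org"):
    """Reverse the client address (octets for IPv4, nibbles for IPv6) and append the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")
    else:
        labels = list(addr.exploded.replace(":", ""))
    return ".".join(reversed(labels)) + "." + zone

def verdict(answers):
    """Turn the A records returned for a query into a pre-queue decision.

    "pass"   - not listed (NXDOMAIN / no records)
    "reject" - listed: answer with a meaningful 5xx
    "error"  - error code or unexpected data: never reject on it
    """
    addrs = [ipaddress.ip_address(a) for a in answers]
    if not addrs:
        return "pass"
    if any(a in ERRORS for a in addrs):
        return "error"
    # Listing codes start at 127.0.0.2; anything else is not a valid listing.
    if all(a in LISTED and int(a) & 0xFF >= 2 for a in addrs):
        return "reject"
    return "error"

def check(ip, zone="zen.spamhaus.org"):
    """Live lookup through the system resolver (needs network access)."""
    try:
        _, _, answers = socket.gethostbyname_ex(dnsbl_query_name(ip, zone))
    except socket.gaierror:
        answers = []  # NXDOMAIN or resolver failure: fail open, let later filters decide
    return verdict(answers)

if __name__ == "__main__":
    # Constructed resolver answers, not real lookups.
    for sample in ([], ["127.0.0.4"], ["127.0.0.2", "127.0.0.10"],
                   ["127.255.255.254"], ["192.0.2.1"]):
        print(sample, "->", verdict(sample))
```

An "error" verdict is worth logging and alerting on, since it usually means the resolver setup needs fixing rather than that the sender is bad.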
1

I use zen.spamhaus.org and bl.spamcop.net.

Personally, I don't spend a lot of sleepless nights worrying about spam. It's a never-ending battle and there's no perfect solution. There are always going to be some number of legitimate emails that get blocked and some number of spam emails that get through. We archive all spam messages and whitelist any false positives that have been captured. We queue all spam for a day and then dump it.

joeqwerty