> On 11/17/2006 10:49 AM, John Lange wrote:
>> On Fri, 2006-11-17 at 10:22 -0600, Tim Lavoie wrote:
>>> ...
>>> So far, so good. No spam in the spambox this morning, at all. Most were caught by the Spamhaus DNS blocklist I already use, but the greylist whacked the remainder.
>> Would it not make sense to do it in the other order? Greylisting being much less CPU intensive than other spam blocking methods.
> I didn't think DNS blocklists were particularly CPU intensive. It's when you get into things like content filtering and DCC that you want to pre-screen as much as possible.
>> On a related note, personally I'm strongly opposed to block lists since:
>> a) they only work after spam has been sent
> Sort of the same problem as signature based anti-virus, anti-spyware, and even many content-based SPAM filters, as well as DCC bulk mail filters. They all still help a great deal against repeat offenders. Given the saturation bombing approach many spammers still use, blocklists still do help. They don't do much against spam attacks distributed over wide botnets, but they still block a fair bit.
>> b) they catch far too many innocent victims
> Are there any credible stats on this? I've never spotted anything that looks like it might be a false positive in my server logs when I've checked. Of course, some of the claimed "innocent victims" are people like that spammer that sued Spamhaus in an Illinois court and got a summary judgment against them.
>> c) when other methods are applied properly, blocklists only improve results by a very small amount.
>> "b" being the main reason I don't like them.
>> John
Has anyone ever compared the effectiveness and accuracy of the various DNS blocklists? I currently use these 3:
list.dsbl.org relays.ordb.org sbl.spamhaus.org
Of these, dsbl.org shows up in my logwatch summaries most often, spamhaus.org occasionally, and ordb.org almost never. I'm assuming sendmail runs the checks in the order you list them, which is why dsbl.org gets almost all of them, but I'm wondering if I put spamhaus.org first, would it get more than dsbl.org gets now?
On a slightly related note, I also virus-scan e-mail using clamav, but I've found that since the U of M installed its FortiGate firewall that also virus-scans e-mail, clamav doesn't seem to catch much other than some phishing scams that they include signatures for. It does seem to be a bit quicker on the draw for new outbreaks, though, than the commercial AV scanners like FortiGate and Trend, so I find it's still helpful as an additional line of defense.
Gilles
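The two questions in this thread, whether the order of the DNS blocklist zones decides which list "gets" the hits in the logs, and whether greylisting before or after the blocklist lookup changes the work done per connection, can both be shown with a small simulation. The following is an added example, not code from anyone in the thread and not sendmail's own logic: it uses the three zones Gilles lists, a constructed table of DNS answers in place of real lookups (so nothing touches the network), and an assumed greylisting policy of a 300 second retry delay on the (client IP, sender, recipient) triplet. Counting first hits, which is what a stop-at-first-match lookup logs, next to a full per-list comparison makes the difference between "first in the list" and "most effective list" visible.

```python
"""Added example (not from the thread): simulate DNSBL check ordering and greylisting.
All DNS answers below are constructed sample data; no network lookups are made."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# The three zones Gilles lists, in the order he lists them.
DNSBL_ZONES = ["list.dsbl.org", "relays.ordb.org", "sbl.spamhaus.org"]

# Constructed records: 192.0.2.7 is on two lists, 192.0.2.8 on one, 198.51.100.5 on none.
CONSTRUCTED_RECORDS = {
    "7.2.0.192.list.dsbl.org": "127.0.0.2",
    "7.2.0.192.sbl.spamhaus.org": "127.0.0.2",
    "8.2.0.192.sbl.spamhaus.org": "127.0.0.2",
}
SAMPLE_IPS = ["192.0.2.7", "192.0.2.8", "198.51.100.5"]


def dnsbl_query_name(client_ip: str, zone: str) -> str:
    """Reverse the octets and append the zone: 192.0.2.7 -> 7.2.0.192.<zone>."""
    ip = ipaddress.IPv4Address(client_ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(ip).split("."))) + "." + zone


class FakeResolver:
    """Stand-in for DNS: a table of A records plus a counter of queries made."""

    def __init__(self, records: Dict[str, str]):
        self.records = records
        self.queries = 0

    def lookup(self, name: str) -> Optional[str]:
        self.queries += 1
        return self.records.get(name)


def is_listed_answer(answer: Optional[str]) -> bool:
    """A DNSBL lists an address by answering with an A record inside 127.0.0.0/8."""
    if answer is None:
        return False
    try:
        return ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8")
    except ValueError:
        return False


def first_listing(client_ip: str, zones: List[str], resolver: FakeResolver) -> Optional[str]:
    """Query zones in order and return the first one listing the IP, as an MTA
    that stops at the first match would. This is why the first zone collects
    most log entries, whatever its actual coverage."""
    for zone in zones:
        if is_listed_answer(resolver.lookup(dnsbl_query_name(client_ip, zone))):
            return zone
    return None


def all_listings(client_ip: str, zones: List[str], resolver: FakeResolver) -> List[str]:
    """Query every zone, so overlap between lists can be measured (for comparison, not production)."""
    return [z for z in zones if first_listing(client_ip, [z], resolver) is not None]


def hit_counts(ips: List[str], zones: List[str], resolver: FakeResolver) -> Dict[str, int]:
    """Per-zone count of first hits over a batch of client IPs."""
    counts = {z: 0 for z in zones}
    for ip in ips:
        zone = first_listing(ip, zones, resolver)
        if zone is not None:
            counts[zone] += 1
    return counts


class Greylist:
    """Greylisting on the (client IP, sender, recipient) triplet (assumed policy).
    The first attempt is temp-failed; a retry at least `delay` seconds later is
    accepted; triplets not seen again within `expire` seconds are forgotten."""

    def __init__(self, delay: int = 300, expire: int = 4 * 3600):
        self.delay, self.expire = delay, expire
        self.first_seen: Dict[Tuple[str, str, str], float] = {}

    def check(self, client_ip: str, sender: str, rcpt: str, now: float) -> str:
        key = (client_ip, sender.lower(), rcpt.lower())
        first = self.first_seen.get(key)
        if first is None or now - first > self.expire:
            self.first_seen[key] = now
            return "tempfail"  # SMTP 4xx: real MTAs retry, most spam cannons do not
        return "accept" if now - first >= self.delay else "tempfail"


def screen(client_ip: str, sender: str, rcpt: str, now: float, zones: List[str],
           resolver: FakeResolver, greylist: Greylist, greylist_first: bool = False) -> Tuple[str, str]:
    """Run the blocklist lookup and the greylist in the chosen order; return (stage, verdict)."""
    def dnsbl() -> Optional[Tuple[str, str]]:
        zone = first_listing(client_ip, zones, resolver)
        return ("dnsbl:" + zone, "reject") if zone else None

    def grey() -> Optional[Tuple[str, str]]:
        verdict = greylist.check(client_ip, sender, rcpt, now)
        return ("greylist", "tempfail") if verdict == "tempfail" else None

    for stage in ([grey, dnsbl] if greylist_first else [dnsbl, grey]):
        result = stage()
        if result is not None:
            return result
    return ("accept", "accept")


if __name__ == "__main__":
    r = FakeResolver(CONSTRUCTED_RECORDS)
    print("Gilles's order:", hit_counts(SAMPLE_IPS, DNSBL_ZONES, r))
    print("Spamhaus first:", hit_counts(SAMPLE_IPS, DNSBL_ZONES[::-1], r))
    print("192.0.2.7 is on:", all_listings("192.0.2.7", DNSBL_ZONES, r))
```

With the constructed table, putting sbl.spamhaus.org first moves every hit into its column without changing what is blocked, which is the effect Gilles expects from reordering; only the full per-list comparison tells the lists apart. Running the greylist before the lookup means a never-seen triplet is temp-failed with zero DNS queries, so the lookup cost is paid only by clients that retry. Two caveats for anyone adapting this: production greylisting keeps the triplet table in persistent storage rather than a dict, and relays.ordb.org and list.dsbl.org have both since been shut down; a decommissioned zone can end up answering "listed" for every query, so the set of zones in use needs the same monitoring as the rest of the mail path.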