"Gilles" == Gilles Detillieux grdetil@scrc.umanitoba.ca writes:
>> On a related note, personally I'm strongly opposed to block
>> lists since: a) they only work after spam has been sent
Gilles> Sort of the same problem as signature-based anti-virus,
Gilles> anti-spyware, and even many content-based SPAM filters, as
Gilles> well as DCC bulk mail filters. They all still help a
Gilles> great deal against repeat offenders. Given the saturation
Gilles> bombing approach many spammers still use, blocklists still
Gilles> do help. They don't do much against spam attacks
Gilles> distributed over wide botnets, but they still block a fair
Gilles> bit.
I suspect that the lists actually do pretty well even against the botnets, as the blocklist providers are grabbing IPs on the fly from monitors around the net. Some, such as the Spamhaus sbl-xbl list, incorporate others, which are themselves composite lists. Information sharing is a good thing. Picking the last one out of my log, the XBL (exploit block list) dropped it because it was on the CBL list; this latter list only blocks single IPs, not ranges, in this case a bot-infected system in Malaysia. Since these lists are updated quickly, their timeliness is pretty decent.
>> c) when other methods are applied properly, blocklists only
>> improve results by a very small amount. "b" being the main
>> reason I don't like them.
>>
>> John
Gilles> Has anyone ever compared the effectiveness and accuracy of
Gilles> the various DNS blocklists? I currently use these 3:
Gilles>
Gilles> list.dsbl.org
Gilles> relays.ordb.org
Gilles> sbl.spamhaus.org
Gilles>
Gilles> Of these, dsbl.org shows up in my logwatch summaries most
Gilles> often, spamhaus.org occasionally, and ordb.org almost
Gilles> never. I'm assuming sendmail runs the checks in the order
Gilles> you list them, which is why dsbl.org gets almost all of
Gilles> them, but I'm wondering if I put spamhaus.org first, would
Gilles> it get more than dsbl.org gets now?
I only set up the one, Spamhaus' sbl+xbl, but it drops the vast majority of garbage before other checks (now including greylist) or filtering are used. The SBL and XBL lists are different, so Spamhaus has an entry which lets you hit both with one query. SBL is basically the primary spammers, while the XBL list includes proxies, botnets, etc.
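The mechanics behind the thread (reversing the address octets, appending a zone, reading the 127.0.0.x answer, and the way a check that stops at the first listing zone decides which list "gets the credit" in the logs) are illustrated below. This is an added example written for this page, not code from the thread or from any of the list operators; it uses the zone names the thread mentions purely as labels, the Spamhaus return-code meanings are an assumption to be verified against the zone's own documentation, and the DNS answers are constructed so the code runs offline. The IPv6 nibble reversal goes beyond the IPv4-only discussion in the thread.

```python
import ipaddress
import socket
from typing import Callable, Dict, List, Optional

# Zones named in the thread; the combined sbl-xbl zone is the one the poster queries.
ZONES = ["sbl-xbl.spamhaus.org", "list.dsbl.org", "relays.ordb.org"]

# ASSUMED meaning of the A-record answers from the combined Spamhaus zone
# (127.0.0.2 = SBL listing, 127.0.0.4-7 = XBL/CBL listings). Verify against
# the zone's documentation; any code not listed here is reported as unknown.
SPAMHAUS_CODES = {
    "127.0.0.2": "SBL (known spam source)",
    "127.0.0.4": "XBL/CBL (open proxy or bot-infected host)",
}

# A resolver maps a query name to its A records, or None when NXDOMAIN.
Resolver = Callable[[str], Optional[List[str]]]


def reverse_for_dnsbl(ip: str) -> str:
    """Build the reversed label string a DNSBL expects in front of its zone.
    IPv4: octets reversed (1.2.3.4 -> 4.3.2.1).
    IPv6: every hex nibble of the expanded address reversed, dot-separated."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(reversed(str(addr).split(".")))
    return ".".join(reversed(addr.exploded.replace(":", "")))


def dnsbl_query_name(ip: str, zone: str) -> str:
    return f"{reverse_for_dnsbl(ip)}.{zone}"


def live_resolve(name: str) -> Optional[List[str]]:
    """Real lookup via the system resolver; NXDOMAIN (and any lookup error)
    is reported as 'not listed'."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return None


def check_ip(ip: str, zones: List[str], resolve: Resolver) -> Dict[str, List[str]]:
    """Query every zone and return {zone: sorted answer codes} for each hit."""
    hits: Dict[str, List[str]] = {}
    for zone in zones:
        answer = resolve(dnsbl_query_name(ip, zone))
        if answer:
            hits[zone] = sorted(answer)
    return hits


def first_hit(ip: str, zones: List[str], resolve: Resolver) -> Optional[str]:
    """A check that stops at the first zone listing the address, so the zone
    placed earlier in the list is the one that shows up in the log summary."""
    for zone in zones:
        if resolve(dnsbl_query_name(ip, zone)):
            return zone
    return None


def describe(codes: List[str]) -> List[str]:
    return [SPAMHAUS_CODES.get(c, f"unknown code {c}") for c in codes]


# Constructed answers (TEST-NET addresses, no real listings) so the example
# runs without network access: 192.0.2.3 is "listed" by two zones, and
# 203.0.113.10 only by the combined Spamhaus zone.
FAKE_DNS = {
    "3.2.0.192.sbl-xbl.spamhaus.org": ["127.0.0.4"],
    "3.2.0.192.list.dsbl.org": ["127.0.0.2"],
    "10.113.0.203.sbl-xbl.spamhaus.org": ["127.0.0.2"],
}


def fake_resolve(name: str) -> Optional[List[str]]:
    return FAKE_DNS.get(name)


if __name__ == "__main__":
    for ip in ("192.0.2.3", "203.0.113.10", "198.51.100.7"):
        hits = check_ip(ip, ZONES, fake_resolve)
        print(ip, "->", {z: describe(c) for z, c in hits.items()} or "not listed")
    # Same address, two orderings: the earlier zone takes the credit.
    print(first_hit("192.0.2.3", ["list.dsbl.org", "sbl-xbl.spamhaus.org"], fake_resolve))
    print(first_hit("192.0.2.3", ["sbl-xbl.spamhaus.org", "list.dsbl.org"], fake_resolve))
```

Swap `fake_resolve` for `live_resolve` to run the same logic against a real zone; `check_ip` queries every zone so the log attributes a hit to each list that actually carries it, whereas `first_hit` reproduces the "first listed zone wins" behaviour that would make one zone dominate a summary regardless of its coverage.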