On Fri, 2006-11-17 at 11:31 -0600, Gilles Detillieux wrote:
On 11/17/2006 10:49 AM, John Lange wrote:
On Fri, 2006-11-17 at 10:22 -0600, Tim Lavoie wrote:
...
So far, so good. No spam in the spambox this morning, at all. Most were caught by the Spamhaus DNS blocklist I already use, but the greylist whacked the remainder.
Would it not make sense to do it in the other order? Greylisting being much less CPU intensive than other spam blocking methods.
I didn't think DNS blocklists were particularly CPU intensive.
I suppose not, but I was under the assumption that it had to do more than just a normal DNS lookup. Some of them do lookups based on email content, not just IP-based blocking.
Has anyone ever compared the effectiveness and accuracy of the various DNS blocklists? I currently use these 3:
list.dsbl.org
relays.ordb.org
sbl.spamhaus.org
Since I ruled out using blocklists some time ago it's possible things have improved (but I doubt it).
For example, let's say there are some spam bots on an ISP's network. They send out spam relayed through the ISP's mail server. Does this not mean that the ISP's mail server will quickly find itself on a block list?
If the answer is "no", then the blocklist isn't accomplishing anything since no spam is being blocked.
If the answer is "Yes", then my issue is that thousands of innocent mail users on that ISP will be inconvenienced for absolutely no fault of their own.
If on the other hand it is blocking based only on the actual IP of the machine doing the sending then in the short term it might be acceptable. However if the IPs don't expire automatically then you are simply back to blocking innocent people.
This brings up another problem with block lists. What if you get a virus and your machine gets hijacked to send spam? Bingo, you are on a blocklist, and good luck getting removed, especially since the average user is not likely to have any clue they are even on the list.
Effectively you get doubly victimized. Not only does your computer likely have to be rebuilt, but you can no longer send mail.
Or in the case of an ISP, let's say they have a user with an insecure CGI on their web site. Somehow they are relaying mail and again you end up on a block list, and it's very hard to get off, and at the same time everyone else using that machine for mail is victimized.
And it is my understanding that the blocking is frequently done on entire subnets or even entire ISPs. Again, lots of innocent victims of this technique.
It's just my personal opinion, but I don't like that particular tactic since it has so many potential pitfalls and does so very little that can't be done with other methods.
I have no doubt that it's effective in reducing spam, but just because something works doesn't make it the correct approach.
For example we could eliminate all auto accidents by banning cars.
Or more relevantly, here is your perfect spam filter:
iptables -A INPUT -p tcp --destination-port 25 -j DROP
Guaranteed to eliminate 100% of your spam ;)
John
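To make concrete what "a normal DNS lookup" against the three zones named above actually involves, here is an added example (my own code, not anything from the thread or from the list operators): the sending IP's octets are reversed, the zone is appended, and an A record in the answer means "listed" while NXDOMAIN means "not listed". The resolver is injectable so the example runs offline against a constructed in-memory table; resolve_a shows the real socket call.

```python
import socket
from typing import Dict, Optional

# The three zones named in the thread. (list.dsbl.org and relays.ordb.org have
# since shut down; they appear here only because the thread lists them.)
DNSBL_ZONES = ["list.dsbl.org", "relays.ordb.org", "sbl.spamhaus.org"]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the lookup name: IPv4 octets in reverse order, then the zone."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not a dotted-quad IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + "." + zone


def resolve_a(name: str) -> Optional[str]:
    """Real resolver: return the A record answer, or None on NXDOMAIN."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_dnsbls(ip: str, zones=DNSBL_ZONES, resolve=resolve_a) -> Dict[str, str]:
    """Return {zone: answer} for each zone that lists ip; an empty dict means clean.

    Blocklists answer with an address in 127.0.0.0/8 whose last octet encodes
    the reason for the listing; that value is passed through unchanged.
    """
    hits: Dict[str, str] = {}
    for zone in zones:
        answer = resolve(dnsbl_query_name(ip, zone))
        if answer is not None:
            hits[zone] = answer
    return hits


# Constructed stand-in for DNS so the example runs with no network access:
# one documentation-range address is "listed" on one zone, nothing else exists.
FAKE_DNS = {"4.113.0.203.sbl.spamhaus.org": "127.0.0.2"}


def fake_resolve(name: str) -> Optional[str]:
    return FAKE_DNS.get(name)


if __name__ == "__main__":
    for sender in ("203.0.113.4", "203.0.113.5"):
        print(sender, check_dnsbls(sender, resolve=fake_resolve) or "not listed")
```

Replace fake_resolve with the default resolve_a to query the live zones; each lookup is one UDP round trip per zone, which is the cost being weighed against greylisting earlier in the thread.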