[RndTbl] blocklists (was: Grey-listing in effect on MUUG server)

Tim Lavoie tim at fractaldragon.net
Fri Nov 17 13:39:40 CST 2006


>>>>> "Gilles" == Gilles Detillieux <grdetil at scrc.umanitoba.ca> writes:

    >> On a related note, personally I'm strongly opposed to block
    >> lists since: a) they only work after spam has been sent

    Gilles> Sort of the same problem as signature based anti-virus,
    Gilles> anti-spyware, and even many content-based SPAM filters, as
    Gilles> well as DCC bulk mail filters.  They all still help a
    Gilles> great deal against repeat offenders. Given the saturation
    Gilles> bombing approach many spammers still use, blocklists still
    Gilles> do help.  They don't do much against spam attacks
    Gilles> distributed over wide botnets, but they still block a fair
    Gilles> bit.

I suspect that the lists actually do pretty well even against the
botnets, as the blocklist providers are grabbing IPs on the fly from
monitors around the net. Some, such as the Spamhaus sbl-xbl list,
incorporate others, which are also composite lists. Information
sharing is a good thing. Picking the last one out of my log, the XBL
(exploit block list) dropped it because it was on the CBL list; this
latter list only blocks single IPs, not ranges, in this case a
bot-infected system in Malaysia. Since these lists are updated
quickly, their timeliness is pretty decent.


    >> c) when other methods are applied properly, blocklists only
    >> improve results by a very small amount.  "b" being the main
    >> reason I don't like them.  John

    Gilles> Has anyone ever compared the effectiveness and accuracy of
    Gilles> the various DNS blocklists?  I currently use these 3:

    Gilles> list.dsbl.org relays.ordb.org sbl.spamhaus.org

    Gilles> Of these, dsbl.org shows up in my logwatch summaries most
    Gilles> often, spamhaus.org occasionally, and ordb.org almost
    Gilles> never.  I'm assuming sendmail runs the checks in the order
    Gilles> you list them, which is why dsbl.org gets almost all of
    Gilles> them, but I'm wondering if I put spamhaus.org first, would
    Gilles> it get more than dsbl.org gets now?

I only set up the one, Spamhaus' sbl+xbl, but it drops the vast
majority of garbage before other checks (now including greylist) or
filtering are used. The SBL and XBL lists are different, so Spamhaus
has an entry which lets you hit both with one query. SBL is basically
the primary spammers, while the XBL list includes proxies, botnets,
etc.

        Tim
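
A DNSBL check of the kind the sbl-xbl lookup discussed above performs, written as an added example (not code from the MUUG thread, sendmail or Spamhaus): it builds the reversed-octet query name, resolves it, and maps a 127.0.0.x answer to the list that caused the hit. The return-code table is Spamhaus' published one as remembered here and is an assumption to confirm against their current documentation; the resolver is injectable so the logic runs without network access.

```python
import ipaddress
import socket

# Combined SBL+XBL zone named in the post. Spamhaus has since folded these
# into "zen.spamhaus.org"; the zone is a parameter so either can be used.
DNSBL_ZONE = "sbl-xbl.spamhaus.org"

# Meaning of the 127.0.0.x answers returned by the Spamhaus zones, from
# Spamhaus' published return-code table (assumed current; check their docs).
SPAMHAUS_CODES = {
    "127.0.0.2": "SBL: spam source / spammer-controlled",
    "127.0.0.3": "SBL CSS: snowshoe or compromised host",
    "127.0.0.4": "XBL/CBL: exploited host (open proxy, bot)",
    "127.0.0.5": "XBL/CBL: exploited host (open proxy, bot)",
    "127.0.0.6": "XBL/CBL: exploited host (open proxy, bot)",
    "127.0.0.7": "XBL/CBL: exploited host (open proxy, bot)",
    "127.0.0.10": "PBL: end-user address space, should not send mail directly",
    "127.0.0.11": "PBL: end-user address space, should not send mail directly",
}


def dnsbl_query_name(ip, zone=DNSBL_ZONE):
    """Reverse the octets and append the zone: 192.0.2.10 -> 10.2.0.192.<zone>."""
    addr = ipaddress.IPv4Address(ip)          # rejects malformed input
    octets = str(addr).split(".")
    return ".".join(reversed(octets)) + "." + zone


def interpret_answers(answers):
    """Map A-record answers to listing reasons; non-127/8 answers are ignored.

    A DNSBL verdict always lies inside 127.0.0.0/8. Anything else means the
    zone has been wildcarded, retired or hijacked and must not be used to
    reject mail, so such answers are dropped rather than treated as listings.
    """
    reasons = []
    for a in answers:
        if ipaddress.IPv4Address(a) in ipaddress.IPv4Network("127.0.0.0/8"):
            reasons.append(SPAMHAUS_CODES.get(a, "listed (unknown code %s)" % a))
    return reasons


def lookup(ip, zone=DNSBL_ZONE, resolve=socket.gethostbyname_ex):
    """Return the listing reasons for ip; an empty list means not listed."""
    try:
        _host, _aliases, addrs = resolve(dnsbl_query_name(ip, zone))
    except socket.gaierror:
        return []        # NXDOMAIN: the address is not on the list
    return interpret_answers(addrs)
```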


More information about the Roundtable mailing list