Some basic data on the hit rate of the Spamhaus DBL here

May 19, 2016

After my previous exploration of the Spamhaus DBL, I wound up adding it as another DNS blocklist in our overall spam filtering setup. Because we don't have a mandate for it, none of our DNS blocklists apply to all email, only to email for people who have opted in to some amount of server side spam filtering. Since opting in is a per-recipient property, all of these checks (the DBL included) are applied per recipient at RCPT TO time, so the comparison I'm going to use here is against the overall recipient count, not the overall message count. I'm also going to use the past nine days, so I can sort of compare this to my estimated hit rate.

So, over the past nine days, we have had:

  • 106,837 accepted MAIL FROMs and 106,835 accepted RCPT TOs, which means that almost all of our accepted messages have been delivered to a single destination address.

  • 29,194 accepted RCPT TOs from sending IPs listed in one of the Spamhaus DNSBLs. Since these were accepted, these are recipients who have not opted into any amount of our server-side spam filtering.
  • 7,685 accepted RCPT TOs with MAIL FROM domains listed in the DBL. A quick check suggests that about 6,390 of these came from IP addresses that were in the Spamhaus DNSBLs.

  • 13,020 RCPT TOs that were rejected because the sender IP was in one of the Spamhaus DNSBLs. This is checked before the DBL.
  • Only 346 RCPT TOs that were rejected because the sender domain was in the DBL.

On the one hand, this doesn't look too great for the DBL; despite my initial estimate, we aren't getting many rejections from checking the DBL. On the other hand, when I look at the source addresses of those rejections, something jumps out right away: just over half of them come from one system.

Specifically, over half of them come from the mail server for another (sub)domain on campus, one where a number of our users have accounts and forward (all of) their email from that system to us. What we've effectively done with the DBL is to add an additional SMTP-time defense to reject forwarded spam. In fact there are a number of 'forwarded from another campus mail system' DBL rejections in the past nine days from other sources.

My personal view is that these rejections are valuable ones (partly because I've observed our commercial anti-spam system not doing so well with forwarded spam in the past). So on the whole I'm happy with what the DBL is doing here, and also happy that now I have better numbers on what it could be doing if more people opted in to server-side spam filtering.

(Despite my bright words here, I'm also disappointed that adding the DBL isn't rejecting more messages. I guess this is partly down to how a lot of spam with DBL domains comes from IPs that are already blocked on their own. Note that we're using the DBL in its most basic and limited mode, where we check it against the MAIL FROM domain; it's really designed for checking the domains in URLs found in the bodies of email messages.)
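As an added example (not code from the page or from the actual mail system described here), the following Python sketch puts the checks discussed above in one place: the per-recipient opt-in gate, the IP DNSBL lookup done first, the DBL lookup on the MAIL FROM domain done second, and the DATA-time check of domains in body URLs that the last paragraph says the DBL is really meant for. The DNS resolver is pluggable and the answers used here are constructed (TEST-NET addresses and .example domains) so it runs offline; the DBL and Zen answer codes are the ones Spamhaus documents, and should be re-checked against the current documentation before use. The IP-literal handling is there because the DBL is a domain list and refuses IP queries, and the fail-open on error answers is there because those answers mean the query was wrong, not the sender.

```python
import ipaddress
import re
from typing import Callable, List, Optional, Tuple

DBL_ZONE = "dbl.spamhaus.org"
ZEN_ZONE = "zen.spamhaus.org"

# DBL answer codes as documented by Spamhaus; re-check them against the
# current DBL documentation before deploying, the list has grown over time.
DBL_LISTED = {
    "127.0.1.2": "spam domain",
    "127.0.1.4": "phish domain",
    "127.0.1.5": "malware domain",
    "127.0.1.6": "botnet C&C domain",
    "127.0.1.102": "abused legit spam",
    "127.0.1.103": "abused spammed redirector domain",
    "127.0.1.104": "abused legit phish",
    "127.0.1.105": "abused legit malware",
    "127.0.1.106": "abused legit botnet C&C",
}
# Error answers mean the query was bad, not the domain; callers fail open.
DBL_ERRORS = {
    "127.0.1.255": "IP queries prohibited",
    "127.255.255.252": "typing error in DNSBL name",
    "127.255.255.254": "anonymous query through public resolver",
    "127.255.255.255": "excessive number of queries",
}

# A resolver maps a query name to its A record, or None for NXDOMAIN
# (for live use, wrap socket.gethostbyname; this example stays offline).
Resolver = Callable[[str], Optional[str]]

# Constructed answers (TEST-NET address, .example domains) for the offline run.
FAKE_DNS = {
    "10.2.0.192.zen.spamhaus.org": "127.0.0.4",            # 192.0.2.10 on XBL
    "spammy.example.dbl.spamhaus.org": "127.0.1.2",        # DBL spam domain
    "redirect.example.dbl.spamhaus.org": "127.0.1.103",    # DBL abused redirector
    "broken.example.dbl.spamhaus.org": "127.255.255.254",  # DBL error answer
}

def fake_resolver(name: str) -> Optional[str]:
    return FAKE_DNS.get(name)

def zen_lookup(ip: str, resolve: Resolver) -> Optional[str]:
    """IP DNSBL check: reversed address under the Zen zone, 127.0.0.x if listed."""
    rev = ipaddress.ip_address(ip).reverse_pointer.rsplit(".", 2)[0]
    answer = resolve(f"{rev}.{ZEN_ZONE}")
    return f"zen {answer}" if answer and answer.startswith("127.0.0.") else None

def dbl_lookup(domain: str, resolve: Resolver) -> Optional[str]:
    """DBL check of one domain. Returns the listing reason, or None if unlisted.
    Raises RuntimeError on a DBL error answer so the caller can fail open."""
    domain = domain.strip().strip("[]").rstrip(".").lower()
    if not domain:
        return None
    try:
        ipaddress.ip_address(domain)
        return None  # the DBL is a domain list; IP queries are answered 127.0.1.255
    except ValueError:
        pass
    answer = resolve(f"{domain}.{DBL_ZONE}")
    if answer is None:
        return None
    if answer in DBL_ERRORS:
        raise RuntimeError(f"DBL error for {domain}: {DBL_ERRORS[answer]}")
    return DBL_LISTED.get(answer, f"listed, unknown code {answer}")

def rcpt_to_check(sender_ip: str, mail_from: str, opted_in: bool,
                  resolve: Resolver) -> Tuple[str, Optional[str], Optional[str]]:
    """Per-recipient verdict (action, stage, reason) in the post's order:
    opt-in gate, then IP DNSBL, then DBL on the MAIL FROM domain."""
    if not opted_in:
        return ("accept", None, None)
    ip_reason = zen_lookup(sender_ip, resolve)
    if ip_reason:
        return ("reject", "ip", ip_reason)
    addr = mail_from.strip().strip("<>")
    domain = addr.rsplit("@", 1)[1] if "@" in addr else ""  # "" for null sender <>
    try:
        dbl_reason = dbl_lookup(domain, resolve)
    except RuntimeError:
        return ("accept", None, None)  # fail open: our query was wrong, not the sender
    return ("reject", "dbl", dbl_reason) if dbl_reason else ("accept", None, None)

URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)

def data_check(body: str, resolve: Resolver) -> List[Tuple[str, str]]:
    """DATA-time check the DBL is designed for: each distinct host in a body URL."""
    hits = []
    for host in dict.fromkeys(h.lower() for h in URL_HOST_RE.findall(body)):
        try:
            reason = dbl_lookup(host, resolve)
        except RuntimeError:
            continue
        if reason:
            hits.append((host, reason))
    return hits

SAMPLE_BODY = (  # constructed message body for the offline run
    "Click http://redirect.example/go?id=1 or https://www.example.org/\n"
    "or http://192.0.2.5/ (an IP literal, which must never be sent to the DBL)")
```

Calling rcpt_to_check("192.0.2.10", "<a@spammy.example>", True, fake_resolver) rejects at the IP stage even though the domain is also DBL-listed, which is the overlap the post is measuring; with an unlisted IP the same sender is rejected at the DBL stage instead, and data_check(SAMPLE_BODY, fake_resolver) flags only the redirector domain, skipping the IP literal.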


Comments on this page:

By David at 2016-05-20 23:39:34:

My observation is Spamhaus staff apply the DBL with the intent that it supplement the Zen IP block list, not as a replacement or alternative. Presently Spamhaus is not attempting to make the DBL comprehensive and DBL does not intersect/overlap Zen significantly.

In particular they use the DBL where it works against a spammer that changes IPs, but doesn't bother to change envelope sender or even reuses the rDNS domain names on multiple IP addresses. The stupider end of the spammer spectrum, miscreants who are not very effective in the first place.

I think of the DBL as aspirational preparedness. At some point in the mist enshrouded future IPv6 will become important. A speculative guess is when it costs roughly $70 to purchase one IPv4 address (current market is around $13). With IPv6 the DBL will become the only way to block-list spam origins aside from my favored Draconian method: black-listing entire autonomous systems with the help of CYMRU and applying a handful of rDNS and CIDR exceptions. I watch the logs for false positives and find chasing the rare bounced ham (5-10 per year) far more satisfying than accepting and sorting through 20-30 post-DNSBL spam messages each day (500-1000 attempted deliveries per day before the DNSBLs). I despise content filters, none of them work--even Google's is terrible.

Have you tried the Barracuda and Hostkarma DNSBLs? The two combined catch an additional 50% over Zen and I've never seen either generate a false-positive. Barracuda in particular lists more aggressively and is willing to punish lower volume relays that fail to mitigate spammer exploitations. Spamhaus refuses to list "legit" relays even if the ham-to-spam ratio is 1% or lower.

Hostkarma has an RHSBL "example.com.hostkarma.junkemailfilter.com" that catches a bit more than Spamhaus DBL.

Written on 19 May 2016.
Last modified: Thu May 19 00:59:48 2016