Some basic data on the hit rate of the Spamhaus DBL here
After my previous exploration of the Spamhaus DBL, I wound up adding it as another DNS blocklist in our overall spam filtering setup. Because we don't have a mandate for it, none of our DNS blocklists apply to all email, only to email for people who have opted in to some amount of server side spam filtering. Because the DBL applies on a per-recipient basis, the comparison I'm going to use here is against the overall recipient count (not the overall message count). I'm also going to use the past nine days, so I can sort of compare this to my estimated hit rate.
So, over the past nine days, we have had:
- 106,837 accepted
MAIL FROMs and 106,835 accepted
RCPT TOs, which means that almost all of our accepted messages have been delivered to a single destination address.
- 29,194 accepted
RCPT TOs for IPs listed in one of the Spamhaus DNSBLs. Since these were accepted, these are recipients who have not opted into any amount of our server-side spam filtering.
- 7,685 accepted
RCPT TOs for domains listed in the DBL. A quick check suggests that about 6,390 of these came from IP addresses that were in the Spamhaus DNSBLs.
RCPT TOs that were rejected because the sender IP was in one of the Spamhaus DNSBLs. This is checked before the DBL.
- Only 346
RCPT TOs that were rejected because the sender domain was in the DBL.
On the one hand, this doesn't look too great for the DBL; despite my initial estimate, we aren't getting many rejections from checking the DBL. On the other hand, when I look at the source addresses of those rejections, something jumps out right away: just over half of them come from one system.
Specifically, over half of them come from the mail server for another (sub)domain on campus, one where a number of our users have accounts and forward (all of) their email from that system to us. What we've effectively done with the DBL is to add an additional SMTP-time defense to reject forwarded spam. In fact there are a number of 'forwarded from another campus mail system' DBL rejections in the past nine days from other sources.
My personal view is that these rejections are valuable ones (partly because I've observed our commercial anti-spam system not doing so well with forwarded spam in the past). So on the whole I'm happy with what the DBL is doing here, and also happy that now I have better numbers on what it could be doing if more people opted in to server-side spam filtering.
(Despite my bright words here, I'm also disappointed that adding
the DBL isn't rejecting more messages. I guess this is partly down
to how a lot of spam with DBL domains comes from IPs that are already
blocked on their own. Note that we're using the DBL in its most
basic and limited mode, where we check it against the
domain; you're really supposed to use it to check domains mentioned
in the body of email messages.)
Comments on this page:Written on 19 May 2016.